Open hitman28594 opened 4 years ago
Hello,
Some methods exist to obtain event correlation (using the frequency tag, the accumulate tag, or CDB lists). However, they don't work for the cases you describe.
Event correlation is a needed feature that we have in our roadmap. I'll tag this issue to take your request into account for the development.
We consider multiple alternatives for this development:
Regards, Eva
Hi Team,
Just wondering if this feature request has been considered for development since 2 years ago?
Using agent labels is a painstaking task to configure, especially for large evolving environments.
Using Elastic for this use case isn’t really an option for us because that would mean indexing a lot of logs; we would only want the useful alerts to go into Elastic/OpenSearch.
I really believe this feature would have some great potential and would essentially set Wazuh apart from a lot of other SIEM products.
Being able to incorporate system metadata into detections would be great!!
Wazuh rules don’t have an option to use the collected system inventory data of the agent.
We can trigger alerts on the syscollector logs themselves like documented in: https://documentation.wazuh.com/3.13/user-manual/capabilities/syscollector.html#using-syscollector-information-to-trigger-alerts
However, currently there is no option to use the collected/stored syscollector information in a rule.
Use case: I want to have a rule that alerts when things are installed on a system... but I would only care about logs which are collected from Windows servers.
Use case: I want a rule to trigger when example.exe is run, but only want to be alerted when the agent does NOT have a “required” security software installed.
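The two use cases above, implemented as inventory-aware post-processing of alerts. This is an added example, not Wazuh's own code or a Wazuh rule feature: the alert and inventory records are constructed samples shaped loosely like alerts.json and syscollector data, and "Acme Endpoint Protection" is a hypothetical product name.

```python
import os

# Constructed sample alerts (not real Wazuh output), reduced to the fields the two use cases need.
ALERTS = [
    {"agent_id": "001", "kind": "package_installed", "detail": "7-Zip"},
    {"agent_id": "002", "kind": "package_installed", "detail": "curl"},
    {"agent_id": "003", "kind": "process_start", "detail": "C:\\Users\\bob\\example.exe"},
    {"agent_id": "001", "kind": "process_start", "detail": "C:\\tools\\EXAMPLE.EXE"},
    {"agent_id": "004", "kind": "process_start", "detail": "C:\\tmp\\example.exe"},
]

# Constructed inventory keyed by agent id, shaped like the OS and package data syscollector gathers.
INVENTORY = {
    "001": {"os": "Microsoft Windows Server 2019", "packages": ["7-Zip", "Acme Endpoint Protection"]},
    "002": {"os": "Ubuntu 22.04", "packages": ["curl"]},
    "003": {"os": "Microsoft Windows 10", "packages": ["Notepad++"]},
}

REQUIRED_SECURITY_SOFTWARE = {"Acme Endpoint Protection"}  # hypothetical product name


def is_windows_server(os_name):
    name = os_name.lower()
    return "windows" in name and "server" in name


def installs_on_windows_servers(alerts, inventory):
    """Use case 1: keep package-install alerts only when the agent's inventory says Windows Server."""
    hits = []
    for alert in alerts:
        if alert["kind"] != "package_installed":
            continue
        host = inventory.get(alert["agent_id"])
        if host and is_windows_server(host["os"]):
            hits.append(alert)
    return hits


def example_exe_without_security(alerts, inventory, required=REQUIRED_SECURITY_SOFTWARE):
    """Use case 2: example.exe ran and the agent lacks the required security software.
    An agent with no inventory cannot prove the software is present, so it is reported too."""
    hits = []
    for alert in alerts:
        if alert["kind"] != "process_start":
            continue
        if os.path.basename(alert["detail"].replace("\\", "/")).lower() != "example.exe":
            continue
        host = inventory.get(alert["agent_id"])
        installed = set(host["packages"]) if host else set()
        if not required & installed:
            hits.append({**alert, "inventory_known": host is not None})
    return hits
```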