Status: Open
Labels: Documentation improvements, reporter/team/community
📌 Request Details
Required Information
- Target version: 4.2
Request type
- Fixes or corrections
Affected Documentation
- Documentation section(s): Creating rule for active response log
- Specific page URLs: https://wazuh.com/blog/detecting-and-responding-to-malicious-files-using-cdb-lists-and-active-response/
Description
In the referenced blog post, the last set of active response rules (IDs 100004 and 100005) is not inside the <group name="------"> block.
In the community, we have noticed that users copying the existing rule block from the blog to their servers without adding it inside <group> get a rule syntax error, as expected. It would be better if we updated the rules by placing them inside the <group> block to prevent issues for users.
Current rule syntax:

```xml
<rule id="100004" level="7">
  <if_sid>657</if_sid>
  <match>Successfully removed threat</match>
  <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
<rule id="100005" level="7">
  <if_sid>657</if_sid>
  <match>Error removing threat</match>
  <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
```

Correct rule syntax:

```xml
<group name="local,malware,active-response,">
  <rule id="100004" level="7">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
  </rule>
  <rule id="100005" level="7">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
  </rule>
</group>
```

Additional examples/references (screenshots, code samples, links)
Reference GitHub issue: https://github.com/wazuh/community/issues/54741
Updating this syntax will ensure the rules load correctly and prevent user confusion when following the blog’s instructions.
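As an added illustration of the failure mode described in this issue (this is example code written here, not part of the issue, the blog post, or Wazuh itself), the script below lints a rules snippet and reports every `<rule>` that is not a direct child of a `<group>`, then wraps the ungrouped block the way the corrected syntax above does. The sample text is constructed from the rule block quoted in the issue. Because a Wazuh rules file may contain several top-level `<group>` elements, which a strict XML parser would reject, the snippet is wrapped in a synthetic root element (`lint_root`, an assumption of this example) before parsing.

```python
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical file content): the two active response rules
# as they appear in the blog post, i.e. with no enclosing <group>.
UNGROUPED_RULES = """\
<rule id="100004" level="7">
  <if_sid>657</if_sid>
  <match>Successfully removed threat</match>
  <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
<rule id="100005" level="7">
  <if_sid>657</if_sid>
  <match>Error removing threat</match>
  <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
"""


def parse_rules_file(text: str) -> ET.Element:
    """Parse the text of a Wazuh rules file.

    A rules file is allowed to hold several top-level <group> elements, which a
    strict XML parser rejects ("junk after document element"), so the content
    is wrapped in a synthetic root (an assumption of this example) first.
    Malformed XML (e.g. a missing closing tag) raises ET.ParseError.
    """
    return ET.fromstring("<lint_root>" + text + "</lint_root>")


def rules_outside_group(text: str) -> list[str]:
    """Return the ids of every <rule> whose parent is not a <group>.

    An empty list means every rule is correctly grouped.
    """
    misplaced = []
    for parent in parse_rules_file(text).iter():
        for child in parent:
            if child.tag == "rule" and parent.tag != "group":
                misplaced.append(child.get("id", "(no id)"))
    return misplaced


def wrap_in_group(text: str, group_name: str) -> str:
    """Wrap an ungrouped rule block in a <group>, as the issue proposes."""
    return f'<group name="{group_name}">\n{text.rstrip()}\n</group>\n'


def main() -> None:
    print("rules outside <group>:", rules_outside_group(UNGROUPED_RULES))
    fixed = wrap_in_group(UNGROUPED_RULES, "local,malware,active-response,")
    print("after wrapping:", rules_outside_group(fixed))
    print(fixed)


if __name__ == "__main__":
    main()
```

Run as-is, it reports `['100004', '100005']` for the blog's block and `[]` once the block is wrapped. This is only a pre-flight check on the file text; after editing `local_rules.xml` on a manager, the authoritative check remains Wazuh's own configuration test (`/var/ossec/bin/wazuh-analysisd -t`) before restarting the manager.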