
Wazuh Blog Fix: Missing <group> Tag in Active Response Rule #8767

@bonyjohn05


📌 Request Details

Required Information

  • Target version: 4.2

Description

In the referenced blog post, the last set of active response rules (IDs 100004 and 100005) is not inside the <group name="------"> block.

In the community, we have noticed that users copying the existing rule block from the blog to their servers without wrapping it in <group> get a rule syntax error, as expected. It would be better if we updated the rules by placing them inside the <group> block to prevent issues for users.

Current rule syntax:

<rule id="100004" level="7">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
  </rule>
  <rule id="100005" level="7">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>

Correct rule syntax:

<group name="local,malware,active-response,">
  <rule id="100004" level="7">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
  </rule>
  <rule id="100005" level="7">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
  </rule>
</group>

Additional examples/references (screenshots, code samples, links)

Reference GitHub issue: https://github.com/wazuh/community/issues/54741

Updating this syntax will ensure the rules load correctly and prevent user confusion when following the blog’s instructions.
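A small pre-load check for exactly this class of mistake, added here as an example and not part of the issue or of Wazuh's own tooling: it parses a rules fragment with Python's standard-library XML parser and reports every <rule> that is not wrapped in a <group>, every <group> without a name, and every <rule> missing its id or level attribute. The two fragments below are constructed from the blocks above (the broken one mirrors the blog, the fixed one mirrors the proposed syntax). The synthetic wrapper element name is an assumption; it is needed only because a Wazuh rules file may legitimately contain several top-level <group> elements and would otherwise not parse as a single document.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the rules as they currently appear in the blog
# (top-level <rule> elements, no enclosing <group>).
BROKEN_FRAGMENT = """\
<rule id="100004" level="7">
  <if_sid>657</if_sid>
  <match>Successfully removed threat</match>
  <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
<rule id="100005" level="7">
  <if_sid>657</if_sid>
  <match>Error removing threat</match>
  <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
"""

# Constructed sample: the proposed correct syntax, rules wrapped in a named <group>.
FIXED_FRAGMENT = """\
<group name="local,malware,active-response,">
  <rule id="100004" level="7">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
  </rule>
  <rule id="100005" level="7">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
  </rule>
</group>
"""

# Assumed wrapper name: lets a file with several top-level <group> elements
# parse as one XML document. It never appears in real rules files.
_WRAPPER = "ruleset_check"


def check_rules_fragment(text):
    """Return a list of human-readable problems found in a Wazuh rules fragment.

    An empty list means every <rule> sits inside a named <group> and carries
    the id and level attributes a rule needs. This is a structural lint only;
    it does not validate rule semantics the way the manager does on load.
    """
    problems = []
    try:
        root = ET.fromstring(f"<{_WRAPPER}>{text}</{_WRAPPER}>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    for parent in root.iter():
        if parent.tag == "group" and not parent.get("name"):
            problems.append("<group> element has no name attribute")
        for child in parent:
            if child.tag != "rule":
                continue
            rid = child.get("id", "?")
            if parent.tag != "group":
                # This is the mistake the issue describes: a rule copied in
                # without its enclosing <group> block.
                problems.append(f"rule {rid} is not inside a <group> element")
            if child.get("id") is None:
                problems.append("a <rule> element is missing its id attribute")
            if child.get("level") is None:
                problems.append(f"rule {rid} is missing its level attribute")
    return problems


def check_rules_file(path):
    """Lint a rules file on disk (for example a local_rules.xml) and return its problems."""
    with open(path, encoding="utf-8") as fh:
        return check_rules_fragment(fh.read())


if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the two constructed samples.
    if len(sys.argv) > 1:
        found = check_rules_file(sys.argv[1])
        for line in found:
            print("PROBLEM:", line)
        print("OK: no structural problems found" if not found else f"{len(found)} problem(s)")
    else:
        for label, fragment in (("blog fragment", BROKEN_FRAGMENT), ("fixed fragment", FIXED_FRAGMENT)):
            found = check_rules_fragment(fragment)
            print(f"{label}: {found if found else 'OK'}")
```

Running it without arguments reports the two ungrouped rules (100004 and 100005) for the blog fragment and nothing for the fixed fragment; running it with a path lints a real rules file before it is copied to a manager. It catches the copy-paste mistake early, but it does not replace loading the rules on a test manager, which remains the authoritative check.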
