
<!-- Any CallFlow error: base rule for the 3CX error family.
     Fires on events handled by the 3cx-parent-datetime decoder whose extracted
     "level" field matches "Erro". Rules 100209 and 100211 in this file chain
     from it via if_sid, so they can only fire when this rule has matched first.
     NOTE(review): <field> is an unanchored regex by default, so "Erro" also
     matches "Error"; confirm which token the decoder actually extracts before
     tightening or anchoring this pattern. -->
<group name="3cx,">
<rule id="100200" level="8">
<decoded_as>3cx-parent-datetime</decoded_as>
<field name="level">Erro</field>
<description>3CX CallFlow error</description>
<group>3cx,callflow,error,</group>
</rule>
</group>
<!-- Explicit "Route failed" message: an outbound call could not be routed.
     <match> performs a plain substring test here (no ^, $ or | used), so any
     decoded 3CX line containing the phrase triggers this rule. It is the
     single-event building block for the correlation rule 100205. -->
<group name="3cx,">
<rule id="100201" level="10">
<decoded_as>3cx-parent-datetime</decoded_as>
<match>Route failed</match>
<description>3CX routing failure - Appel sortant impossible</description>
<group>3cx,callflow,routing,</group>
</rule>
</group>
<!-- Correlation: repeated 100201 hits within 60 s are escalated to a
     route-failed outage (level 12). The counter is global: there is no
     same_* constraint, so hits from every extension/agent accumulate together.
     NOTE(review): per the Wazuh ruleset reference, a frequency rule fires on
     frequency+2 occurrences, i.e. 7 hits here rather than 5; confirm on the
     deployed version and lower the value if exactly five is intended. -->
<group name="3cx,">
<rule id="100205" level="12" frequency="5" timeframe="60">
<if_matched_sid>100201</if_matched_sid>
<description>3CX Route failed — communication externe impossible</description>
<group>3cx,callflow,outage,provider,</group>
</rule>
</group>
<!-- ParentConnectionTerminated: strong indicator of an operator/trunk problem.
     Matches on the decoded "result" field rather than on free text, so it
     depends on the 3cx-parent-datetime decoder exposing that field.
     Single-event building block for the correlation rule 100203. -->
<group name="3cx,">
<rule id="100202" level="10">
<decoded_as>3cx-parent-datetime</decoded_as>
<field name="result">ParentConnectionTerminated</field>
<description>3CX: parent connection terminated (likely trunk/provider issue)</description>
<group>3cx,callflow,trunk,provider,outage,</group>
</rule>
</group>
<!-- Correlation: repeated 100202 hits within 60 s are escalated to a probable
     provider outage (level 12). No same_* constraint, so the count is global.
     NOTE(review): Wazuh fires frequency rules on frequency+2 matches (7 here);
     confirm against the deployed version when tuning the threshold. -->
<group name="3cx,">
<rule id="100203" level="12" frequency="5" timeframe="60">
<if_matched_sid>100202</if_matched_sid>
<description>3CX widespread routing failures — probable provider outage</description>
<group>3cx,callflow,outage,provider,</group>
</rule>
</group>
<!-- 100207: FCM "Unauthorized" response (single event).
     Plain substring match on the push-notification error; a single hit means
     mobile apps may not receive notifications. Building block for 100208. -->
<group name="3cx,">
<rule id="100207" level="7">
<decoded_as>3cx-parent-datetime</decoded_as>
<match>Got Unauthorized from FCM</match>
<description>3CX Push: FCM unauthorized (apps mobile non fonctionnel)</description>
<group>3cx,push,notification,fcm,</group>
</rule>
</group>
<!-- 100208: repeated FCM "Unauthorized" within 15 min (900 s) = incident.
     Escalates 100207 to level 10 when the push credential keeps being rejected.
     NOTE(review): Wazuh fires frequency rules on frequency+2 matches (5 here,
     not 3); confirm against the deployed version when tuning. -->
<group name="3cx,">
<rule id="100208" level="10" frequency="3" timeframe="900">
<if_matched_sid>100207</if_matched_sid>
<description>3CX Push: multiples FCM unauthorized (probable panne notifications mobiles)</description>
<group>3cx,push,notification,fcm,outage,</group>
</rule>
</group>
<!-- 100209: (CRM) HTTP client error (single event).
     Child of 100200 via if_sid: only evaluated for events that already matched
     the "Erro" level rule, then narrows to the _3CX.HttpClient component with
     "failed" in the decoded "message" field. The "." in <match> is a literal
     character here (no special meaning in <match>). Same level as its parent,
     so the gain is the more specific description and groups, plus being the
     base for the correlation rule 100210. -->
<group name="3cx,">
<rule id="100209" level="8">
<if_sid>100200</if_sid>
<match>_3CX.HttpClient</match>
<field name="message">failed</field>
<description>3CX Integration: requête HTTP échouée (CRM)</description>
<group>3cx,integration,http,</group>
</rule>
</group>
<!-- 100210: burst of HTTP failures within 10 min (600 s) = integration outage.
     Escalates 100209 to level 9; the count is global (no same_* constraint).
     NOTE(review): Wazuh fires frequency rules on frequency+2 matches (7 here);
     confirm against the deployed version when tuning the threshold. -->
<group name="3cx,">
<rule id="100210" level="9" frequency="5" timeframe="600">
<if_matched_sid>100209</if_matched_sid>
<description>3CX Integration: multiples requêtes HTTP échouées (panne probable du service tiers)</description>
<group>3cx,integration,http,outage,</group>
</rule>
</group>
<!-- 100211: DBProvPostgress error (single event).
     Child of 100200 via if_sid, then requires the DBProvPostgress component
     string and a PCRE2 alternation on BatchUpdate or "INSERT FAILED".
     "DBProvPostgress" is matched verbatim as it appears in the log source;
     do not correct the spelling without checking real 3CX log lines.
     NOTE(review): regex type="pcre2" needs a Wazuh release that supports
     PCRE2 (4.3 onwards, to my knowledge); confirm on the deployed manager. -->
<group name="3cx,">
<rule id="100211" level="9">
<if_sid>100200</if_sid>
<match>DBProvPostgress</match>
<regex type="pcre2">(BatchUpdate|INSERT FAILED)</regex>
<description>3CX DB: erreur critique PostgreSQL (BatchUpdate/INSERT)</description>
<group>3cx,db,postgres,error,</group>
</rule>
</group>
<!-- 100212: repeated DB errors within 5 min (300 s) = major incident.
     Escalates 100211 to level 12; the count is global (no same_* constraint).
     NOTE(review): Wazuh fires frequency rules on frequency+2 matches (5 here,
     not 3); confirm against the deployed version when tuning. -->
<group name="3cx,">
<rule id="100212" level="12" frequency="3" timeframe="300">
<if_matched_sid>100211</if_matched_sid>
<description>3CX DB: erreurs PostgreSQL répétées (instabilité probable)</description>
<group>3cx,db,postgres,outage,</group>
</rule>
</group>