Editing windows_eventchannel decoder


Daniel D'Angeli

May 17, 2021, 5:35:16 AM5/17/21
to Wazuh mailing list
Hi,

I need to edit the windows_eventchannel decoder to normalize data parsing.

Is there any way to do it?

Regards,
Daniel

Asunción Gómez Castro

May 17, 2021, 8:32:26 AM5/17/21
to Wazuh mailing list
Hi Daniel!

What changes would you like to make on the event channel decoder? Do you have any example of the data you want to normalize?

Daniel D'Angeli

May 18, 2021, 8:37:09 AM5/18/21
to Wazuh mailing list
Hi,

I'm looking to edit data.subject.account_name to make it data.windows.eventdata.targetUserName.

I made a decoder, but this windows_eventchannel keeps getting in the way, so I thought of editing it.

Regards,
Daniel

Asunción Gómez Castro

May 20, 2021, 10:20:52 AM5/20/21
to Wazuh mailing list
Hi Daniel,

The windows_eventchannel decoder is not written in the regular decoder XML specification but is embedded in the Wazuh source code, so editing it is not recommended. If you wish to write a decoder to match a specific event, and that event is currently being matched by windows_eventchannel, then I would recommend that you use a different matcher. You can read the full decoder syntax, including all matchers, in our documentation:


If you paste me an example log I can help you find a decoder that works for your use case.

Daniel D'Angeli

May 20, 2021, 10:27:37 AM5/20/21
to Wazuh mailing list
Hi,

Please check out this discussion to better understand what I'm referring to.

Regards,
Daniel

Asunción Gómez Castro

May 20, 2021, 12:47:03 PM5/20/21
to Wazuh mailing list
Hi Daniel,

Thanks for the clarification! So, if I understood correctly, your log gets decoded by the windows_eventchannel decoder, but you would like to rename the data.subject.account_name field to data.windows.eventdata.targetUserName, right?

Usually, for a regular decoder, you could create a child decoder, but since windows_eventchannel is embedded in Wazuh's source code, the possibility of adding child decoders to it is still under development. You can track this issue to see the progress:


In the meantime, as a workaround, you could write your rules using the decoded fields from the windows_eventchannel decoder. If you need help with that custom rule, I can assist you.
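As an added illustration of that workaround (example rules written for this page, not code from the thread or from the Wazuh project), here is a local rule set that keys on the fields the windows_eventchannel decoder already produces instead of trying to rename them. It assumes the field names used by Wazuh's stock Windows rules (win.system.eventID and win.eventdata.* as decoded from the event's System and EventData sections; they appear as data.win.* in the alert JSON). The rule IDs and the account name are arbitrary placeholders.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; custom rule IDs must be >= 100000,
     the values 100100-100102 below are arbitrary) -->
<group name="local,windows,authentication_success,">

  <!-- Parent: any successful logon (Security event 4624) that the
       windows_eventchannel decoder produced. No custom decoder is needed;
       <decoded_as> ties the rule to the built-in decoder. -->
  <rule id="100100" level="3">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^4624$</field>
    <description>Windows logon success for $(win.eventdata.targetUserName)</description>
  </rule>

  <!-- Child: same event, but the target account is one we care about.
       The match is against the decoder's own field name, so nothing is renamed. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.targetUserName">^Administrator$</field>
    <description>Logon with built-in Administrator account: $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
  </rule>

  <!-- Grandchild: narrow further to RemoteInteractive (RDP) logons, LogonType 10. -->
  <rule id="100102" level="12">
    <if_sid>100101</if_sid>
    <field name="win.eventdata.logonType">^10$</field>
    <description>RDP logon with built-in Administrator account from $(win.eventdata.ipAddress)</description>
  </rule>

</group>
```

The `<field>` element compares against whatever the embedded decoder extracted, and `$(field)` in the description pulls the same decoded value into the alert text, so the chain above gets you the per-account detection the renamed field was meant to enable. Before restarting the manager, feed a real 4624 event from the agent's log into the logtest tool shipped with your version (ossec-logtest in older releases, wazuh-logtest in newer ones) and confirm that the decoder output shows the win.eventdata.* names you matched on; if your version emits different names, adjust the `<field>` names to what logtest prints rather than editing the decoder.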

Daniel D'Angeli

May 20, 2021, 12:49:37 PM5/20/21
to Asunción Gómez Castro, Wazuh mailing list
Hi, thanks for the quick response!

Thanks for your help, have a great day.

Daniel D.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6f1edaa3-2c1e-422d-9c50-ee4efaaf70e8n%40googlegroups.com.