RDP Login
12 views
Skip to first unread message
Brenno Garcia
Jan 16, 2026, 10:25:56 AM (2 days ago) Jan 16
to Wazuh | Mailing List
My custom rdp login rule isn't triggering
The default rule 92653
<rule id="92653" level="3">
<if_sid>92651</if_sid>
<field name="win.eventdata.logonType" type="pcre2">10</field>
<description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from ip:$(win.eventdata.ipAddress).</description>
<mitre>
<id>T1021.001</id>
<id>T1078.002</id>
</mitre>
</rule>
<if_sid>92651</if_sid>
<field name="win.eventdata.logonType" type="pcre2">10</field>
<description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from ip:$(win.eventdata.ipAddress).</description>
<mitre>
<id>T1021.001</id>
<id>T1078.002</id>
</mitre>
</rule>
My custom
<rule id="100095" level="6">
<if_sid>92653</if_sid>
<description>RDP Login Successful</description>
</rule>
<if_sid>92653</if_sid>
<description>RDP Login Successful</description>
</rule>
When I trigger just 92653 works
josue....@wazuh.com
Jan 16, 2026, 4:44:37 PM (2 days ago) Jan 16
to Wazuh | Mailing List
Hi,
To help us better understand the issue, could you please share a bit more information?
-
Which Wazuh version are you running?
-
Did this custom rule work before, or is this a new setup you’re testing?
-
Could you provide sanitized samples from archives.json and alerts.json for a successful RDP login event?
-
If possible, please also share any relevant manager logs (/var/ossec/logs/ossec.log).
-
Have you tested the rule using wazuh-logtest? If so, sharing the output would be helpful.
This information will help us confirm how the rule is being evaluated and why the custom rule may not be triggering.
Reply all
Reply to author
Forward
0 new messages