Deep Instinct decoder | Problem with "<" less-than sign in regexp


Nicolae Sirbu

Dec 14, 2025, 5:17:21 PM
to Wazuh | Mailing List
Hello team,

The decoder doesn't process the "<" (less-than sign) correctly.
Wazuh v4.14.1

Running the CLI command /var/ossec/bin/wazuh-logtest works well, but when I try to access the decoders section in the web version I get an error.

Log example: 1 2025-12-08T10:55:46.702Z 37.48.23.122 D-Appliance - 1790557 - CEF:0|Deep Instinct|D-Appliance|7.4.1.0|SecurityEvent_Prevented|Static Analysis - Brain|8|eventExternalId=1690517 act=Prevented dvchost=37.48.23.122 dhost=SRV-2019-new dst=192.168.2.35 dmac=00:1C:39:76:E2:9B dLoggedInUsers=ACME\\\\user-ad duser=ACME\\\\user-ad dGroup=company<WIN>:ACME LTD dclientVersion=5.2.0000.2 deviceExternalId=26162 policy=Windows Default Policy start=2025-12-08T10:55:46.702Z rt=2025-12-08T10:55:46.702Z externalSeverity=1 processChain=<System|4> <smss.exe|412> <smss.exe|8208> <winlogon.exe|3584> <userinit.exe|4648> <explorer.exe|5980> <7zG.exe|11676> occurrences=1 lastOccurrence=2025-12-08 10:55:46.702220 fileHash=e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397 filePath=C:\\\\Users\\\\user-ad\\\\Desktop\\\\eicar_com2_2\\\\eicar_com2.zip fileType=ZIP fname=eicar_com2.zip fileSize=68 cs1=Windows cs1label=OS Name cs2=142w cs2Label=EngineVersion cs3=Malware_dropper cs3label=Threat Type mitreId=TA0002.T1204.002 mitreTactic=Execution mitreTechnique=User Execution mitreSubTechnique=Malicious File cs4=owner:{5e57c16d-bce3-47c5-9e4d-ef9753f609d4} cs4Label=MSPName cs5=stage:prod cs5Label=TenantName cs6=Windows Server 2019 Standard cs6Label=osVersion

My custom decoder:
<decoder name="Deep Instinct">
        <prematch>^\d+ \d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d\d\dZ</prematch>
        <type>syslog</type>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>eventExternalId=(\.+)\s+</regex>
        <order>deepId</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>act=(\.+)\s+</regex>
        <order>action</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>dhost=(\S+)\s+</regex>
        <order>hostname</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>dst=(\S+)\s+</regex>
        <order>dstip</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>dmac=(\S+)\s+</regex>
        <order>mac</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>duser=(\S+)\s+</regex>
        <order>dstuser</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>dGroup=company\<WIN>:(\.*)\s+dclientVersion=</regex>
        <order>company</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>dclientVersion=(\S+)\s+</regex>
        <order>deepVersion</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>policy=(\.*)\s+start=</regex>
        <order>deepPolicy</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>externalSeverity=(\S+)\s+</regex>
        <order>deepSeverity</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>fileHash=(\S+)\s+</regex>
        <order>fileHash</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>filePath=(\S+)\s+</regex>
        <order>filePath</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>fileType=(\S+)\s+</regex>
        <order>fileType</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>fname=(\S+)\s+</regex>
        <order>fileName</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>fileSize=(\S+)\s+</regex>
        <order>fileSize</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>cs2=(\S+)\s+</regex>
        <order>deepEngineVersion</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>cs3=(\S+)\s+</regex>
        <order>deepThreatType</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>mitreId=(\S+)\s+</regex>
        <order>deepMitreId</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>mitreTactic=(\S+)\s+</regex>
        <order>deepMitreTactic</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>mitreTechnique=(\.*)\s+mitreSubTechnique=</regex>
        <order>deepMitreTechnique</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>mitreSubTechnique=(\.*)\s+cs4=</regex>
        <order>deepMitreSubTechnique</order>
</decoder>
<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>cs4=(\.*)\s+cs4Label=</regex>
        <order>deepMSPName</order>
</decoder>

<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>cs6=(\.*)\s+cs6Label=</regex>
        <order>os</order>
</decoder>


The error I get:
RequestError: Error fetching items
API error: ERR_BAD_RESPONSE - Error reading decoders file: WAZUH_HOME/etc/decoders/MSP-Deep-Instinct.xml
AxiosError: Request failed with status code 500 at settle (https://siem/414102/bundles/plugin/wazuh/wazuh.plugin.js:15:28129) at XMLHttpRequest.onloadend (https://siem/414102/bundles/plugin/wazuh/wazuh.plugin.js:15:36868) at Axios_Axios.request (https://siem/414102/bundles/plugin/wazuh/wazuh.plugin.js:15:52342) at async request (https://siem/414102/bundles/plugin/wazuh/wazuh.plugin.js:1:173107) at async WzRequest.genericReq (https://siem/414102/bundles/plugin/wazuh/wazuh.plugin.js:1:500436) at async WzRequest.apiReq (https://siem/414102/bundles/plugin/wazuh/wazuh.plugin.js:1:502578) at async https://siem/414102/bundles/plugin/wazuh/wazuh.chunk.2.js:1:3375050 at async https://siem/414102/bundles/plugin/wazuh/wazuh.chunk.2.js:1:3365202

Results from the CLI and the error from the web version are attached to this mail.
I discovered that the problem is with the "<" (less-than sign) in this line:
<regex>dGroup=company\<WIN>:(\.*)\s+dclientVersion=</regex>
specifically <WIN>.


How can I resolve it?

hasitha.u...@wazuh.com

Dec 14, 2025, 10:39:28 PM
to Wazuh | Mailing List
Hi Nicolae

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Dec 14, 2025, 10:55:58 PM
to Wazuh | Mailing List
Hi Nicolae

I found that one of the decoders contains a syntax error, which is why you are encountering this issue.

The issue appears to be caused by a regex value that contains <WIN>. Wazuh interprets this as an XML tag that is not properly closed. To avoid this, you need to use a proper regex pattern to handle the <> characters.

In this case, use \p instead of the literal <>.

For example:

<regex>dGroup=company\pWIN\p:(\.*)\s+dclientVersion=</regex>

Expression    Valid characters
\p            ()*+,-.:;<=>?[]!"'#$%&|{}

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Let me know if you need further assistance on this.
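To make the failure mode and the fix above reproducible offline, here is an added example (not code from this thread or from Wazuh). It wraps a decoder file in a synthetic root and parses it with Python's XML parser, which fails on the same unclosed `<WIN>` element the Wazuh API trips over; it then locates regex-bearing elements containing bare `<` or `>`, rewrites them with `\p`, and confirms the repaired file parses. A small translator of the Wazuh regex dialect to Python's `re` (an approximation of the documented `\.`, `\p`, `\s`, `\S`, `\d`, `\w` tokens, not Wazuh's own engine) then checks that the repaired pattern still captures the `company` field from a constructed log fragment modelled on the CEF line in the thread. `BROKEN_DECODER`, `SAMPLE_LOG` and all function names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Elements whose body is a Wazuh regex and therefore must not contain raw markup.
REGEX_ELEMENTS = ("prematch", "regex", "match")

# Python character class equivalent to Wazuh's \p (the set listed in the reply above).
WAZUH_P_CLASS = r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]"""

# Constructed copy of the failing decoder from the thread (the file the API could not read).
BROKEN_DECODER = r"""<decoder name="Deep Instinct">
        <parent>Deep Instinct</parent>
        <regex>dGroup=company\<WIN>:(\.*)\s+dclientVersion=</regex>
        <order>company</order>
</decoder>
"""

# Constructed fragment modelled on the CEF log in the thread (values are made up).
SAMPLE_LOG = (
    "dhost=SRV-2019-new dst=192.168.2.35 duser=ACME\\user-ad "
    "dGroup=company<WIN>:ACME LTD dclientVersion=5.2.0000.2 deviceExternalId=26162"
)


def parse_decoder_file(text: str) -> ET.Element:
    """Wazuh decoder files contain several top-level <decoder> elements, so wrap
    them in a synthetic root; raises ET.ParseError where the API reports
    'Error reading decoders file'."""
    return ET.fromstring("<root>" + text + "</root>")


def find_raw_markup_in_regex(text: str):
    """Return (element, line_number, body) for every regex-bearing element whose
    body contains a bare '<' or '>'. Scans the raw text because the file is, by
    construction, not parseable as XML while the problem is present."""
    findings = []
    for name in REGEX_ELEMENTS:
        for m in re.finditer(rf"<{name}>(.*?)</{name}>", text):
            body = m.group(1)
            if "<" in body or ">" in body:
                findings.append((name, text.count("\n", 0, m.start()) + 1, body))
    return findings


def suggest_p_escape(body: str) -> str:
    r"""Replace each '<' or '>' (and the '\<' attempt, which XML does not honour)
    with \p, the escape recommended in the reply."""
    return re.sub(r"\\?[<>]", r"\\p", body)


def lint_and_fix(text: str):
    """Return (parses_before, fixed_text, parses_after)."""
    def parses(t: str) -> bool:
        try:
            parse_decoder_file(t)
            return True
        except ET.ParseError:
            return False

    fixed = text
    for name, _line, body in find_raw_markup_in_regex(text):
        fixed = fixed.replace(f"<{name}>{body}</{name}>",
                              f"<{name}>{suggest_p_escape(body)}</{name}>")
    return parses(text), fixed, parses(fixed)


def wazuh_regex_to_python(pattern: str) -> str:
    r"""Approximate translation of the Wazuh regex dialect subset used in the thread
    (\. = any char, \p = punctuation class, \w \d \s \S \D \W \t as in Python,
    everything else literal). An assumption for demonstration, not Wazuh's engine."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")
            elif nxt == "p":
                out.append(WAZUH_P_CLASS)
            elif nxt in "wdstWDS":
                out.append("\\" + nxt)
            else:
                out.append(re.escape(nxt))
            i += 2
        else:
            out.append(c if c in "()*+^$|" else re.escape(c))
            i += 1
    return "".join(out)


def extract_field(wazuh_regex: str, log_line: str):
    """Run a translated Wazuh regex against a log line; return the first capture."""
    m = re.search(wazuh_regex_to_python(wazuh_regex), log_line)
    return m.group(1) if m else None


if __name__ == "__main__":
    before, fixed, after = lint_and_fix(BROKEN_DECODER)
    for name, line, body in find_raw_markup_in_regex(BROKEN_DECODER):
        print(f"line {line}: <{name}> contains raw markup: {body}")
    print(f"parses before fix: {before}, after fix: {after}")
    print(fixed)
    print("company ->", extract_field(r"dGroup=company\pWIN\p:(\.*)\s+dclientVersion=", SAMPLE_LOG))
```

Running the script against a real decoder file before copying it into /var/ossec/etc/decoders/ catches the XML problem without restarting the manager; the translated-regex check is only a sanity test of the capture, and /var/ossec/bin/wazuh-logtest remains the authority on what the Wazuh engine actually extracts.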

Nicolae Sirbu

Dec 15, 2025, 7:05:33 AM
to Wazuh | Mailing List
Thank you for your reply!
All works!

On Monday, December 15, 2025 at 05:55:58 UTC+2, hasitha.u...@wazuh.com wrote:

hasitha.u...@wazuh.com

Dec 15, 2025, 10:53:58 PM
to Wazuh | Mailing List
Hi Nicolae

I am glad that your issue has been resolved.