Help in modifying rules.


DIWAHAR RAHAWID

Dec 16, 2025, 5:49:22 AM (yesterday) Dec 16
to Wazuh | Mailing List

Hi Team,

I have a custom rule configured to monitor logon failures on the servers. Currently, the rule generates alerts for both user logon failures and system internal logon failures, where the system failures appear with the username WINDOWS$.

I would like to split this into two separate rules:

  • One rule to monitor only user logon failures

  • Another rule to monitor system internal logon failures

The existing rule is shown below for reference. Please share your suggestions or best practices to implement this effectively.

<group name="RemoteLogon">
  <!-- Detects Windows failed logons (Event ID 4625) with remote source info -->
  <rule id="100888" level="16">
    <if_sid>60122</if_sid>
    <field name="win.system.eventID">^4625$</field>
    <description>Windows logon failure by user $(win.eventdata.targetUserName) from source IP $(win.eventdata.ipAddress) (Workstation: $(win.eventdata.workstationName))</description>
    <mitre>
      <id>T1110</id>
      <id>T1078</id>
    </mitre>
    <group>windows, authentication, logon failure, remote</group>
  </rule>
</group>

Your suggestions would be greatly appreciated.

Stuti Gupta

Dec 16, 2025, 7:34:08 AM (yesterday) Dec 16
to Wazuh | Mailing List

Hi,

You can split your existing custom rule into two separate rules using the win.eventdata.targetUserName field in Wazuh. This allows you to differentiate user logon failures from system internal logon failures (machine accounts like WINDOWS$). You can create a custom rule for the system internal logon failures:

<group name="RemoteLogon">
  <rule id="100888" level="16">
    <if_sid>60122</if_sid>
    <field name="win.system.eventID">^4625$</field>
    <!-- Match only system/internal accounts: targetUserName contains SYSTEM -->
    <field name="win.eventdata.targetUserName">SYSTEM</field>
    <description>Windows user logon failure: $(win.eventdata.targetUserName) from IP $(win.eventdata.ipAddress)</description>
  </rule>
</group>

For the user logon failures, the default rule ID 60122 will trigger. To know more about custom rules: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
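As an added example (not part of the reply above or of Wazuh's own ruleset), here is one way to express the split the original post asks for as two sibling child rules of 60122: rule 100888 keeps user logon failures by negating a match on account names that end in `$` (machine accounts such as WINDOWS$), and a hypothetical new rule ID 100889 catches the machine-account failures. It assumes a Wazuh version whose `<field>` element accepts the `type="pcre2"` and `negate="yes"` attributes; the alert level chosen for rule 100889 is also an assumption.

```xml
<group name="RemoteLogon">
  <!-- Rule 100888 (user accounts): Event ID 4625 where targetUserName does NOT end in "$".
       pcre2 is used so the trailing dollar sign can be matched literally as \$ -->
  <rule id="100888" level="16">
    <if_sid>60122</if_sid>
    <field name="win.system.eventID">^4625$</field>
    <field name="win.eventdata.targetUserName" type="pcre2" negate="yes">\$$</field>
    <description>Windows user logon failure by $(win.eventdata.targetUserName) from source IP $(win.eventdata.ipAddress) (Workstation: $(win.eventdata.workstationName))</description>
    <mitre>
      <id>T1110</id>
      <id>T1078</id>
    </mitre>
    <group>windows,authentication,logon_failure,remote,</group>
  </rule>

  <!-- Rule 100889 (hypothetical new ID, level is an assumption): same event, but only
       machine/system accounts whose targetUserName ends in "$" (e.g. WINDOWS$) -->
  <rule id="100889" level="10">
    <if_sid>60122</if_sid>
    <field name="win.system.eventID">^4625$</field>
    <field name="win.eventdata.targetUserName" type="pcre2">\$$</field>
    <description>Windows machine-account logon failure by $(win.eventdata.targetUserName) from source IP $(win.eventdata.ipAddress) (Workstation: $(win.eventdata.workstationName))</description>
    <group>windows,authentication,logon_failure,remote,</group>
  </rule>
</group>
```

Because both rules are children of 60122 with mutually exclusive conditions, each 4625 event matches exactly one of them; verify the split with a sample event in wazuh-logtest before deploying.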