False Positive Rules is Not Working
28 views
Skip to first unread message
Ali Holmes
Nov 4, 2025, 6:29:37 AM (18 hours ago) Nov 4
to Wazuh | Mailing List
Hey,
I'm trying to develop a false positive rule in Wazuhta, but I can't seem to get it to work. The relevant rules continue to trigger. Even though I'm using the overwrite parameter, the rule isn't being overridden. I've attached the relevant logs and screenshots of the rules to the attachment section. I'm also writing my FP rules into my local_rules.xml file. There are no Rule ID conflicts either. Anyone help me pls?
Bony V John
Nov 4, 2025, 7:09:40 AM (17 hours ago) Nov 4
to Wazuh | Mailing List
Hi,
From the shared rule screenshot, it appears that you have used the overwrite option for your custom rules. Please note that the overwrite option is only required when modifying a default Wazuh rule. For custom rules, there is no need to use overwrite, since they are already treated as independent rules.
So, please remove the overwrite option from all three of the custom rules in the screenshot.
Also, make sure that the regex pattern inside your <field> tag correctly matches the log value. To confirm this, you can test your custom rule using the Wazuh logtest tool:
Wazuh Dashboard > Hamburger Menu (top-left) > Server Management > Ruleset Test
Paste your sample log there and run the test to verify whether your custom rule triggers.
If the rule does not fire, adjust your regex based on the decoded field values.
You can refer to the Wazuh documentation on:
If you need further assistance in building the correct rules, please share:
-
Your custom rules
-
A sample of the related log/event
We will test them on our end and help you refine the rules.
Ali Holmes
Nov 4, 2025, 7:28:20 AM (17 hours ago) Nov 4
to Wazuh | Mailing List
This is my rule
<rule id="198001" level="0">
<if_sid>92910</if_sid>
<field name="win.eventdata.sourceImage" type="pcre2">(?i)C:\\\\Program Files \(x86\)\\\\Microsoft\\\\Edge\\Application\\\\.*\\msedge\.exe</field>
<field name="win.eventdata.targetImage" type="pcre2">(?i)C:\\\\WINDOWS\\Explorer\.EXE</field>
<description>FP: Legitimate process access by Microsoft Edge on Explorer.EXE.</description>
<options>no_full_log</options>
</rule>
<if_sid>92910</if_sid>
<field name="win.eventdata.sourceImage" type="pcre2">(?i)C:\\\\Program Files \(x86\)\\\\Microsoft\\\\Edge\\Application\\\\.*\\msedge\.exe</field>
<field name="win.eventdata.targetImage" type="pcre2">(?i)C:\\\\WINDOWS\\Explorer\.EXE</field>
<description>FP: Legitimate process access by Microsoft Edge on Explorer.EXE.</description>
<options>no_full_log</options>
</rule>
and this is my log
{
"_index": "wazuh-alerts-4.x-2025.11.04",
"_id": "HwzTTpoBdKXjt4rIfVTP",
"_score": null,
"_source": {
"input": {
"type": "log"
},
"agent": {
"ip": "192.168.1.165",
"name": "AGENT-01",
"id": "090"
},
"manager": {
"name": "wazuhubuntu"
},
"data": {
"win": {
"eventdata": {
"grantedAccess": "0x1410",
"targetProcessId": "12524",
"sourceUser": "Wazuh\\\\test.user",
"targetImage": "C:\\\\WINDOWS\\\\Explorer.EXE",
"sourceProcessGUID": "{e71c8428-d6aa-6909-e74e-000000000800}",
"callTrace": "C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+15fcb4|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+c8536|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+7d45b5b|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8ee0c4|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8edef8|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8ed7f4|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8ed522|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+23436b|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+281068|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+2a4908|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+2e8d7|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+bbf6c",
"sourceThreadId": "3624",
"targetProcessGUID": "{e71c8428-d693-6909-9f4e-000000000800}",
"utcTime": "2025-11-04 12:24:16.228",
"ruleName": "technique_id=T1036,technique_name=Masquerading",
"sourceProcessId": "13752",
"sourceImage": "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe",
"targetUser": "Wazuh\\\\test.user"
},
"system": {
"eventID": "10",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process accessed:\r\nRuleName: technique_id=T1036,technique_name=Masquerading\r\nUtcTime: 2025-11-04 12:24:16.228\r\nSourceProcessGUID: {e71c8428-d6aa-6909-e74e-000000000800}\r\nSourceProcessId: 13752\r\nSourceThreadId: 3624\r\nSourceImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\nTargetProcessGUID: {e71c8428-d693-6909-9f4e-000000000800}\r\nTargetProcessId: 12524\r\nTargetImage: C:\\WINDOWS\\Explorer.EXE\r\nGrantedAccess: 0x1410\r\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+15fcb4|C:\\WINDOWS\\System32\\KERNELBASE.dll+c8536|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+7d45b5b|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8ee0c4|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8edef8|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8ed7f4|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8ed522|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+23436b|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+281068|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+2a4908|C:\\WINDOWS\\System32\\KERNEL32.DLL+2e8d7|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+bbf6c\r\nSourceUser: Hizmetis\\rumeysa.gulpembe\r\nTargetUser: Hizmetis\\rumeysa.gulpembe\"",
"version": "3",
"systemTime": "2025-11-04T12:24:16.2303295Z",
"eventRecordID": "7264517",
"threadID": "7084",
"computer": "agent-01.test.local",
"task": "10",
"processID": "5088",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"rule": {
"firedtimes": 1,
"mail": true,
"level": 12,
"description": "Explorer process was accessed by C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe, possible process injection",
"groups": [
"sysmon",
"sysmon_eid10_detections",
"windows"
],
"mitre": {
"technique": [
"Process Injection"
],
"id": [
"T1055"
],
"tactic": [
"Defense Evasion",
"Privilege Escalation"
]
},
"id": "92910"
},
"location": "EventChannel",
"decoder": {
"name": "windows_eventchannel"
},
"id": "1762259070.370314903",
"timestamp": "2025-11-04T15:24:30.692+0300"
},
"fields": {
"timestamp": [
"2025-11-04T12:24:30.692Z"
]
},
"sort": [
1762259070692
]
}
"_index": "wazuh-alerts-4.x-2025.11.04",
"_id": "HwzTTpoBdKXjt4rIfVTP",
"_score": null,
"_source": {
"input": {
"type": "log"
},
"agent": {
"ip": "192.168.1.165",
"name": "AGENT-01",
"id": "090"
},
"manager": {
"name": "wazuhubuntu"
},
"data": {
"win": {
"eventdata": {
"grantedAccess": "0x1410",
"targetProcessId": "12524",
"sourceUser": "Wazuh\\\\test.user",
"targetImage": "C:\\\\WINDOWS\\\\Explorer.EXE",
"sourceProcessGUID": "{e71c8428-d6aa-6909-e74e-000000000800}",
"callTrace": "C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+15fcb4|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+c8536|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+7d45b5b|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8ee0c4|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8edef8|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8ed7f4|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+8ed522|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+23436b|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+281068|C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\142.0.3595.53\\\\msedge.dll+2a4908|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+2e8d7|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+bbf6c",
"sourceThreadId": "3624",
"targetProcessGUID": "{e71c8428-d693-6909-9f4e-000000000800}",
"utcTime": "2025-11-04 12:24:16.228",
"ruleName": "technique_id=T1036,technique_name=Masquerading",
"sourceProcessId": "13752",
"sourceImage": "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe",
"targetUser": "Wazuh\\\\test.user"
},
"system": {
"eventID": "10",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process accessed:\r\nRuleName: technique_id=T1036,technique_name=Masquerading\r\nUtcTime: 2025-11-04 12:24:16.228\r\nSourceProcessGUID: {e71c8428-d6aa-6909-e74e-000000000800}\r\nSourceProcessId: 13752\r\nSourceThreadId: 3624\r\nSourceImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\nTargetProcessGUID: {e71c8428-d693-6909-9f4e-000000000800}\r\nTargetProcessId: 12524\r\nTargetImage: C:\\WINDOWS\\Explorer.EXE\r\nGrantedAccess: 0x1410\r\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+15fcb4|C:\\WINDOWS\\System32\\KERNELBASE.dll+c8536|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+7d45b5b|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8ee0c4|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8edef8|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8ed7f4|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+8ed522|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+23436b|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+281068|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\142.0.3595.53\\msedge.dll+2a4908|C:\\WINDOWS\\System32\\KERNEL32.DLL+2e8d7|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+bbf6c\r\nSourceUser: Hizmetis\\rumeysa.gulpembe\r\nTargetUser: Hizmetis\\rumeysa.gulpembe\"",
"version": "3",
"systemTime": "2025-11-04T12:24:16.2303295Z",
"eventRecordID": "7264517",
"threadID": "7084",
"computer": "agent-01.test.local",
"task": "10",
"processID": "5088",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"rule": {
"firedtimes": 1,
"mail": true,
"level": 12,
"description": "Explorer process was accessed by C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe, possible process injection",
"groups": [
"sysmon",
"sysmon_eid10_detections",
"windows"
],
"mitre": {
"technique": [
"Process Injection"
],
"id": [
"T1055"
],
"tactic": [
"Defense Evasion",
"Privilege Escalation"
]
},
"id": "92910"
},
"location": "EventChannel",
"decoder": {
"name": "windows_eventchannel"
},
"id": "1762259070.370314903",
"timestamp": "2025-11-04T15:24:30.692+0300"
},
"fields": {
"timestamp": [
"2025-11-04T12:24:30.692Z"
]
},
"sort": [
1762259070692
]
}
4 Kasım 2025 Salı tarihinde saat 15:09:40 UTC+3 itibarıyla Bony V John şunları yazdı:
Ali Holmes
Nov 4, 2025, 9:29:35 AM (15 hours ago) Nov 4
to Wazuh | Mailing List
Any update?
4 Kasım 2025 Salı tarihinde saat 15:28:20 UTC+3 itibarıyla Ali Holmes şunları yazdı:
Reply all
Reply to author
Forward
0 new messages