Wazuh Rules for Active Response

Yogi Valentino

5:21 AM
to Wazuh | Mailing List
Hi Community,

I was trying to make a rule for Active Response. The Active Response works fine. This is what it looks like in the log:

2025/12/01 16:43:55 active-response/bin/pssuspend.exe: === ACTIVE RESPONSE START ===
2025/12/01 16:43:55 active-response/bin/pssuspend.exe: DEBUG RAW_JSON: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2025-12-01T16:43:48.046+0700","rule":{"level":10,"description":"Sysmon - Event 1: Process WPS Office started but not allowed by the software policy.","id":"100500","firedtimes":4,"mail":false,"groups":["ProcessCreationsysmon_event1","software_policy"]},"agent":{"id":"006","name":"IT-001-25-1379","ip":"192.168.101.249"},"manager":{"name":"ubuntu-wazuh"},"id":"1764582228.36294724","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2025-12-01T09:43:48.9139643Z\",\"eventRecordID\":\"1091946\",\"processID\":\"6568\",\"threadID\":\"6932\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"IT-001-25-1379.adapundi.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1036,technique_name=Masquerading\\r\\nUtcTime: 2025-12-01 09:43:48.886\\r\\nProcessGuid: {3676ee9a-6354-692d-144d-000000002800}\\r\\nProcessId: 9664\\r\\nImage: C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wps.exe\\r\\nFileVersion: 12,2,0,23155\\r\\nDescription: WPS Office\\r\\nProduct: WPS Office\\r\\nCompany: Zhuhai Kingsoft Office Software Co.,Ltd\\r\\nOriginalFileName: wps_host_xa.exe\\r\\nCommandLine: \\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wps.exe\\\"  Run -Entry=EntryPoint \\\"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\\\" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 
--from=qing\\r\\nCurrentDirectory: C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\\\r\\nUser: ADAPUNDI\\\\yogi\\r\\nLogonGuid: {3676ee9a-f976-692c-49e3-a32e00000000}\\r\\nLogonId: 0x2EA3E349\\r\\nTerminalSessionId: 3\\r\\nIntegrityLevel: Medium\\r\\nHashes: SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5\\r\\nParentProcessGuid: {3676ee9a-6353-692d-104d-000000002800}\\r\\nParentProcessId: 19708\\r\\nParentImage: C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe\\r\\nParentCommandLine: \\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe\\\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval\\r\\nParentUser: ADAPUNDI\\\\yogi\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1036,technique_name=Masquerading\",\"utcTime\":\"2025-12-01 09:43:48.886\",\"processGuid\":\"{3676ee9a-6354-692d-144d-000000002800}\",\"processId\":\"9664\",\"image\":\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wps.exe\",\"fileVersion\":\"12,2,0,23155\",\"description\":\"WPS Office\",\"product\":\"WPS Office\",\"company\":\"Zhuhai Kingsoft Office Software Co.,Ltd\",\"originalFileName\":\"wps_host_xa.exe\",\"commandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wps.exe\\\\\\\"  Run -Entry=EntryPoint \\\\\\\"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\\\\\\\" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 
--from=qing\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\\",\"user\":\"ADAPUNDI\\\\\\\\yogi\",\"logonGuid\":\"{3676ee9a-f976-692c-49e3-a32e00000000}\",\"logonId\":\"0x2ea3e349\",\"terminalSessionId\":\"3\",\"integrityLevel\":\"Medium\",\"hashes\":\"SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5\",\"parentProcessGuid\":\"{3676ee9a-6353-692d-104d-000000002800}\",\"parentProcessId\":\"19708\",\"parentImage\":\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wpscloudsvr.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wpscloudsvr.exe\\\\\\\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval\",\"parentUser\":\"ADAPUNDI\\\\\\\\yogi\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-12-01T09:43:48.9139643Z","eventRecordID":"1091946","processID":"6568","threadID":"6932","channel":"Microsoft-Windows-Sysmon/Operational","computer":"IT-001-25-1379.adapundi.local","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1036,technique_name=Masquerading\r\nUtcTime: 2025-12-01 09:43:48.886\r\nProcessGuid: {3676ee9a-6354-692d-144d-000000002800}\r\nProcessId: 9664\r\nImage: C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wps.exe\r\nFileVersion: 
12,2,0,23155\r\nDescription: WPS Office\r\nProduct: WPS Office\r\nCompany: Zhuhai Kingsoft Office Software Co.,Ltd\r\nOriginalFileName: wps_host_xa.exe\r\nCommandLine: \"C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wps.exe\"  Run -Entry=EntryPoint \"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 --from=qing\r\nCurrentDirectory: C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\\r\nUser: ADAPUNDI\\yogi\r\nLogonGuid: {3676ee9a-f976-692c-49e3-a32e00000000}\r\nLogonId: 0x2EA3E349\r\nTerminalSessionId: 3\r\nIntegrityLevel: Medium\r\nHashes: SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5\r\nParentProcessGuid: {3676ee9a-6353-692d-104d-000000002800}\r\nParentProcessId: 19708\r\nParentImage: C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wpscloudsvr.exe\r\nParentCommandLine: \"C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wpscloudsvr.exe\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval\r\nParentUser: ADAPUNDI\\yogi\""},"eventdata":{"ruleName":"technique_id=T1036,technique_name=Masquerading","utcTime":"2025-12-01 09:43:48.886","processGuid":"{3676ee9a-6354-692d-144d-000000002800}","processId":"9664","image":"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wps.exe","fileVersion":"12,2,0,23155","description":"WPS Office","product":"WPS Office","company":"Zhuhai Kingsoft Office Software Co.,Ltd","originalFileName":"wps_host_xa.exe","commandLine":"\\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS 
Office\\\\12.2.0.23155\\\\office6\\\\wps.exe\\\"  Run -Entry=EntryPoint \\\"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\\\" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 --from=qing","currentDirectory":"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\","user":"ADAPUNDI\\\\yogi","logonGuid":"{3676ee9a-f976-692c-49e3-a32e00000000}","logonId":"0x2ea3e349","terminalSessionId":"3","integrityLevel":"Medium","hashes":"SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5","parentProcessGuid":"{3676ee9a-6353-692d-104d-000000002800}","parentProcessId":"19708","parentImage":"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe","parentCommandLine":"\\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe\\\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval","parentUser":"ADAPUNDI\\\\yogi"}}},"location":"EventChannel"},"program":"active-response/bin/pssuspend.exe"}}

2025/12/01 16:43:55 active-response/bin/pssuspend.exe: PROCESS TARGET: wps.exe
2025/12/01 16:43:55 active-response/bin/pssuspend.exe: User Session (from Sysmon): 3
2025/12/01 16:43:55 active-response/bin/pssuspend.exe: Searching for process: wps.exe
2025/12/01 16:43:56 active-response/bin/pssuspend.exe: Found 1 matching processes.
2025/12/01 16:43:56 active-response/bin/pssuspend.exe: PID 9664 detected, sending balloon notification...
2025/12/01 16:43:57 pssuspend: Balloon sent to Session 3
2025/12/01 16:43:57 active-response/bin/pssuspend.exe: Suspending PID 9664...
2025/12/01 16:43:57 active-response/bin/pssuspend.exe: Killing PID 9664...
2025/12/01 16:43:57 active-response/bin/pssuspend.exe: {"version": 1, "origin": {"name": "active-response/bin/pssuspend.exe", "module": "active-response"}, "command": "ar_result", "parameters": {"status": "SUCCESS", "process": "wps.exe", "pid": 9664, "session_id": 3, "reason": null, "alert": {"timestamp": "2025-12-01T16:43:48.046+0700", "rule": {"level": 10, "description": "Sysmon - Event 1: Process WPS Office started but not allowed by the software policy.", "id": "100500", "firedtimes": 4, "mail": false, "groups": ["ProcessCreationsysmon_event1", "software_policy"]}, "agent": {"id": "006", "name": "IT-001-25-1379", "ip": "192.168.101.249"}, "manager": {"name": "ubuntu-wazuh"}, "id": "1764582228.36294724", "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2025-12-01T09:43:48.9139643Z\",\"eventRecordID\":\"1091946\",\"processID\":\"6568\",\"threadID\":\"6932\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"IT-001-25-1379.adapundi.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1036,technique_name=Masquerading\\r\\nUtcTime: 2025-12-01 09:43:48.886\\r\\nProcessGuid: {3676ee9a-6354-692d-144d-000000002800}\\r\\nProcessId: 9664\\r\\nImage: C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wps.exe\\r\\nFileVersion: 12,2,0,23155\\r\\nDescription: WPS Office\\r\\nProduct: WPS Office\\r\\nCompany: Zhuhai Kingsoft Office Software Co.,Ltd\\r\\nOriginalFileName: wps_host_xa.exe\\r\\nCommandLine: \\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wps.exe\\\"  Run -Entry=EntryPoint \\\"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\\\" 
--server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 --from=qing\\r\\nCurrentDirectory: C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\\\r\\nUser: ADAPUNDI\\\\yogi\\r\\nLogonGuid: {3676ee9a-f976-692c-49e3-a32e00000000}\\r\\nLogonId: 0x2EA3E349\\r\\nTerminalSessionId: 3\\r\\nIntegrityLevel: Medium\\r\\nHashes: SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5\\r\\nParentProcessGuid: {3676ee9a-6353-692d-104d-000000002800}\\r\\nParentProcessId: 19708\\r\\nParentImage: C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe\\r\\nParentCommandLine: \\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe\\\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval\\r\\nParentUser: ADAPUNDI\\\\yogi\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1036,technique_name=Masquerading\",\"utcTime\":\"2025-12-01 09:43:48.886\",\"processGuid\":\"{3676ee9a-6354-692d-144d-000000002800}\",\"processId\":\"9664\",\"image\":\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wps.exe\",\"fileVersion\":\"12,2,0,23155\",\"description\":\"WPS Office\",\"product\":\"WPS Office\",\"company\":\"Zhuhai Kingsoft Office Software Co.,Ltd\",\"originalFileName\":\"wps_host_xa.exe\",\"commandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wps.exe\\\\\\\"  Run -Entry=EntryPoint \\\\\\\"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\\\\\\\" 
--server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 --from=qing\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\\",\"user\":\"ADAPUNDI\\\\\\\\yogi\",\"logonGuid\":\"{3676ee9a-f976-692c-49e3-a32e00000000}\",\"logonId\":\"0x2ea3e349\",\"terminalSessionId\":\"3\",\"integrityLevel\":\"Medium\",\"hashes\":\"SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5\",\"parentProcessGuid\":\"{3676ee9a-6353-692d-104d-000000002800}\",\"parentProcessId\":\"19708\",\"parentImage\":\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wpscloudsvr.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\yogi\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Kingsoft\\\\\\\\WPS Office\\\\\\\\12.2.0.23155\\\\\\\\office6\\\\\\\\wpscloudsvr.exe\\\\\\\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval\",\"parentUser\":\"ADAPUNDI\\\\\\\\yogi\"}}}", "decoder": {"name": "windows_eventchannel"}, "data": {"win": {"system": {"providerName": "Microsoft-Windows-Sysmon", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "eventID": "1", "version": "5", "level": "4", "task": "1", "opcode": "0", "keywords": "0x8000000000000000", "systemTime": "2025-12-01T09:43:48.9139643Z", "eventRecordID": "1091946", "processID": "6568", "threadID": "6932", "channel": "Microsoft-Windows-Sysmon/Operational", "computer": "IT-001-25-1379.adapundi.local", "severityValue": "INFORMATION", "message": "\"Process Create:\r\nRuleName: technique_id=T1036,technique_name=Masquerading\r\nUtcTime: 2025-12-01 09:43:48.886\r\nProcessGuid: 
{3676ee9a-6354-692d-144d-000000002800}\r\nProcessId: 9664\r\nImage: C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wps.exe\r\nFileVersion: 12,2,0,23155\r\nDescription: WPS Office\r\nProduct: WPS Office\r\nCompany: Zhuhai Kingsoft Office Software Co.,Ltd\r\nOriginalFileName: wps_host_xa.exe\r\nCommandLine: \"C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wps.exe\"  Run -Entry=EntryPoint \"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 --from=qing\r\nCurrentDirectory: C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\\r\nUser: ADAPUNDI\\yogi\r\nLogonGuid: {3676ee9a-f976-692c-49e3-a32e00000000}\r\nLogonId: 0x2EA3E349\r\nTerminalSessionId: 3\r\nIntegrityLevel: Medium\r\nHashes: SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5\r\nParentProcessGuid: {3676ee9a-6353-692d-104d-000000002800}\r\nParentProcessId: 19708\r\nParentImage: C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wpscloudsvr.exe\r\nParentCommandLine: \"C:\\Users\\yogi\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.23155\\office6\\wpscloudsvr.exe\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval\r\nParentUser: ADAPUNDI\\yogi\""}, "eventdata": {"ruleName": "technique_id=T1036,technique_name=Masquerading", "utcTime": "2025-12-01 09:43:48.886", "processGuid": "{3676ee9a-6354-692d-144d-000000002800}", "processId": "9664", "image": "C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wps.exe", "fileVersion": "12,2,0,23155", "description": "WPS Office", "product": "WPS Office", 
"company": "Zhuhai Kingsoft Office Software Co.,Ltd", "originalFileName": "wps_host_xa.exe", "commandLine": "\\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wps.exe\\\"  Run -Entry=EntryPoint \\\"C:/Users/yogi/AppData/Local/Kingsoft/WPS Office/12.2.0.23155/office6/addons/kcef/jsapibrowser.dll\\\" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.23155.938e14c074c45c62.dpi1.5.pipe --rendererswitchflag=0 --from=qing", "currentDirectory": "C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\", "user": "ADAPUNDI\\\\yogi", "logonGuid": "{3676ee9a-f976-692c-49e3-a32e00000000}", "logonId": "0x2ea3e349", "terminalSessionId": "3", "integrityLevel": "Medium", "hashes": "SHA1=A9833807C3613AAB741987B4E67E387C0CA9D94E,MD5=FB53EB47F92D95AA21C15991B54C9C09,SHA256=EC0E8AA19E2A79C1BD4340FCD8361925FE37A8D48A138F60401B20B49D7B47C5", "parentProcessGuid": "{3676ee9a-6353-692d-104d-000000002800}", "parentProcessId": "19708", "parentImage": "C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe", "parentCommandLine": "\\\"C:\\\\Users\\\\yogi\\\\AppData\\\\Local\\\\Kingsoft\\\\WPS Office\\\\12.2.0.23155\\\\office6\\\\wpscloudsvr.exe\\\" /wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0 /start_from=task_external_interval", "parentUser": "ADAPUNDI\\\\yogi"}}}, "location": "EventChannel"}}}
2025/12/01 16:43:57 active-response/bin/pssuspend.exe: AR_RESULT: SUCCESS | process=wps.exe | pid=9664
2025/12/01 16:43:57 active-response/bin/pssuspend.exe: === ACTIVE RESPONSE END ===

I made the rules for it, but it didn't work. Here is what it looks like:

<group name="wazuh,active_response">
  <rule id="65300" level="5">
    <if_sid>650</if_sid>
    <field name="parameters.program">pssuspend</field>
    <field name="command">add</field>
    <description>App blocked by $(script) Active Response</description>
    <group>active_response,</group>
  </rule>
</group>

It just doesn't work. I have tried it on logtest, but this is the result I have:

2025/12/01 13:41:30 active-response/bin/pssuspend.exe: AR_RESULT: SUCCESS | process=steam.exe | pid=18592

**Phase 1: Completed pre-decoding.
	full event: '2025/12/01 13:41:30 active-response/bin/pssuspend.exe: AR_RESULT: SUCCESS | process=steam.exe | pid=18592'

**Phase 2: Completed decoding.
	name: 'ar_log_json'
	parent: 'ar_log_json'

**Phase 3: Completed filtering (rules).
	id: '650'
	level: '0'
	description: 'Active Response JSON Messages Grouped'
	groups: '['ossec', 'active_response']'
	firedtimes: '1'
	mail: 'False'

Can you give me an idea for this? I have no idea what I should do. Why didn't Wazuh log my rules?
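An added example, not part of the post above and not Wazuh's own code: a small Python parser for the active-response log lines shown in the post, with a simplified stand-in for the rule's two <field> conditions, so you can see which of the logged messages actually carry the fields rule 65300 tests. The regex-search field semantics and the trimmed sample lines are assumptions made for the example.

```python
"""Parse active-response log lines and check which JSON messages would satisfy
the two <field> conditions of the posted rule 65300.  This is a simplified
matcher written for illustration, not Wazuh's rule engine."""
import json
import re
from typing import Optional

# Constructed sample: four lines from the post, with the large alert payload
# trimmed to the fields that matter here.
SAMPLE_LOG = r'''
2025/12/01 16:43:55 active-response/bin/pssuspend.exe: === ACTIVE RESPONSE START ===
2025/12/01 16:43:55 active-response/bin/pssuspend.exe: DEBUG RAW_JSON: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"id":"100500","level":10},"agent":{"id":"006","name":"IT-001-25-1379"}},"program":"active-response/bin/pssuspend.exe"}}
2025/12/01 16:43:57 active-response/bin/pssuspend.exe: {"version": 1, "origin": {"name": "active-response/bin/pssuspend.exe", "module": "active-response"}, "command": "ar_result", "parameters": {"status": "SUCCESS", "process": "wps.exe", "pid": 9664, "session_id": 3}}
2025/12/01 16:43:57 active-response/bin/pssuspend.exe: AR_RESULT: SUCCESS | process=wps.exe | pid=9664
'''.strip()

# "<date> <time> <program>: <message>" as written by the AR script.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<prog>\S+): (?P<msg>.*)$')


def extract_json(msg: str) -> Optional[dict]:
    """Return the JSON object embedded in a log message, or None if there is none."""
    start = msg.find('{')
    if start < 0:
        return None
    try:
        return json.loads(msg[start:])
    except json.JSONDecodeError:
        return None


def get_field(obj: dict, dotted: str):
    """Resolve a dotted name such as 'parameters.program' against the decoded JSON."""
    cur = obj
    for part in dotted.split('.'):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(obj: dict, conditions: dict) -> bool:
    """Assumed <field> semantics: every pattern must be found in its field's value."""
    for name, pattern in conditions.items():
        value = get_field(obj, name)
        if value is None or re.search(pattern, str(value)) is None:
            return False
    return True


# The two <field> conditions from the posted rule 65300.
RULE_65300 = {'parameters.program': 'pssuspend', 'command': 'add'}


def evaluate(log_text: str, conditions: dict = RULE_65300) -> list:
    """Per line: (value of 'command' or 'not-json', parameters.program, rule hit)."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        obj = extract_json(m.group('msg'))
        if obj is None:
            results.append(('not-json', None, False))
        else:
            results.append((str(obj.get('command')),
                            get_field(obj, 'parameters.program'),
                            rule_matches(obj, conditions)))
    return results


if __name__ == '__main__':
    for kind, program, hit in evaluate(SAMPLE_LOG):
        print(f'{kind:10} parameters.program={program} rule_65300_matches={hit}')
```

On the sample, only the DEBUG RAW_JSON line (the execd request, command `add`) satisfies both conditions; the `ar_result` message carries `command: ar_result` and no `parameters.program`, and the `AR_RESULT: SUCCESS |` line is not JSON at all.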