Hi Kevin,
Apologies for the long gap. Got caught up in a few things.
I really appreciate you explaining the issue here. You were right, it is being decoded as JSON. Now I am not sure which SID to add to make it decode as windows_eventchannel.
I tried with SID 92652, but it is still not working.
Please find below the logs and logtest result.
Thanks.
Miran
WAZUH LOG TEST

**Messages:
    INFO: (7202): Session initialized with token '6803386a'

**Phase 1: Completed pre-decoding.
    full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4648","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-07-11T16:21:48.4801358Z","eventRecordID":"8353251","processID":"732","threadID":"7948","channel":"Security","computer":"xxxx","severityValue":"AUDIT_SUCCESS","message":"\"A logon was attempted using explicit credentials.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\txxxx\r\n\tAccount Domain:\t\txx\r\n\tLogon ID:\t\t0x3E4\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nAccount Whose Credentials Were Used:\r\n\tAccount Name:\t\txxxx\r\n\tAccount Domain:\t\txx\r\n\tLogon GUID:\t\t{6b7dffd1-98ac-da92-3589-698f6c373a25}\r\n\r\nTarget Server:\r\n\tTarget Server Name:\tlocalhost\r\n\tAdditional Information:\tlocalhost\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x5e4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nNetwork Information:\r\n\tNetwork Address:\t-\r\n\tPort:\t\t\t-\r\n\r\nThis event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.\""},"eventdata":{"subjectUserSid":"S-1-5-20","subjectUserName":"xxxx","subjectDomainName":"xx","subjectLogonId":"0x3e4","logonGuid":"{00000000-0000-0000-0000-000000000000}","targetUserName":"xxxx","targetDomainName":"xx","targetLogonGuid":"{6b7dffd1-98ac-da92-3589-698f6c373a25}","targetServerName":"localhost","targetInfo":"localhost","processId":"0x5e4","processName":"C:\\\\Windows\\\\System32\\\\svchost.exe"}}}'

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.logonGuid: '{00000000-0000-0000-0000-000000000000}'
    win.eventdata.processId: '0x5e4'
    win.eventdata.processName: 'C:\\Windows\\System32\\svchost.exe'
    win.eventdata.subjectDomainName: 'xx'
    win.eventdata.subjectLogonId: '0x3e4'
    win.eventdata.subjectUserName: 'xxxx'
    win.eventdata.subjectUserSid: 'S-1-5-20'
    win.eventdata.targetDomainName: 'xx'
    win.eventdata.targetInfo: 'localhost'
    win.eventdata.targetLogonGuid: '{6b7dffd1-98ac-da92-3589-698f6c373a25}'
    win.eventdata.targetServerName: 'localhost'
    win.eventdata.targetUserName: 'xxxx'
    win.system.channel: 'Security'
    win.system.computer: 'xxxx'
    win.system.eventID: '4648'
    win.system.eventRecordID: '8353251'
    win.system.keywords: '0x8020000000000000'
    win.system.level: '0'
    win.system.message: '"A logon was attempted using explicit credentials.Subject:Security ID: S-1-5-20Account Name: xxxxAccount Domain: xxLogon ID: 0x3E4Logon GUID: {00000000-0000-0000-0000-000000000000}Account Whose Credentials Were Used:Account Name: xxxxAccount Domain: xxLogon GUID: {6b7dffd1-98ac-da92-3589-698f6c373a25}Target Server:Target Server Name: localhostAdditional Information: localhostProcess Information:Process ID: 0x5e4Process Name: C:\Windows\System32\svchost.exeNetwork Information:Network Address: -Port: -This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."'
    win.system.opcode: '0'
    win.system.processID: '732'
    win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
    win.system.providerName: 'Microsoft-Windows-Security-Auditing'
    win.system.severityValue: 'AUDIT_SUCCESS'
    win.system.systemTime: '2024-07-11T16:21:48.4801358Z'
    win.system.task: '12544'
    win.system.threadID: '7948'
    win.system.version: '0'

**Phase 3: Completed filtering (rules).
    id: '200001'
    level: '6'
    description: 'Testing for RDG to Host logs'
    groups: '["Test Group"]'
    firedtimes: '1'
    mail: 'false'
**Alert to be generated.
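The logtest output above shows the 4648 event decoded by the generic json decoder into dotted field names (win.system.eventID, win.eventdata.targetServerName, and so on), which are the names a custom rule has to reference. The script below is an added example, not code from this thread or from Wazuh: it reproduces that flattening on a trimmed copy of the posted event (a constructed sample with the same placeholder account and computer names) and then evaluates a hypothetical set of rule-style field conditions against it. The conditions in EXPLICIT_LOGON_RULE are stand-ins for a rule's <field name="..."> elements, and matching uses Python's re module rather than Wazuh's own regex engine, so patterns are illustrative only.

```python
"""Flatten a Windows eventchannel JSON event into dotted field names, as the
logtest Phase 2 output lists them, and evaluate rule-style field conditions.

Added illustration, not Wazuh code. Matching uses Python `re`, not Wazuh's
regex dialect; EXPLICIT_LOGON_RULE is a hypothetical rule, not a ruleset entry.
"""
import json
import re

# Constructed sample: the posted 4648 event with the message body trimmed.
# Account and computer names are placeholders, exactly as in the post.
SAMPLE_EVENT = json.dumps({
    "win": {
        "system": {
            "providerName": "Microsoft-Windows-Security-Auditing",
            "eventID": "4648",
            "channel": "Security",
            "computer": "xxxx",
            "severityValue": "AUDIT_SUCCESS",
            "message": "\"A logon was attempted using explicit credentials.\r\n\r\nSubject:\r\n"
                       "\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\txxxx\"",
        },
        "eventdata": {
            "subjectUserSid": "S-1-5-20",
            "subjectUserName": "xxxx",
            "targetUserName": "xxxx",
            "targetServerName": "localhost",
            "processId": "0x5e4",
            "processName": "C:\\Windows\\System32\\svchost.exe",
        },
    }
})


def flatten(obj, prefix=""):
    """Return {dotted.path: value} for every scalar leaf of a nested JSON object.

    Nested objects contribute their key to the path; lists contribute the index.
    The message stays one string: the decoder does not parse its Subject/Target
    sections, so a rule can only regex-match the whole body.
    """
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}{idx}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def decode(raw_line):
    """Decode one raw agent line into dotted fields; a non-JSON line yields {}."""
    try:
        return flatten(json.loads(raw_line))
    except json.JSONDecodeError:
        return {}


def rule_matches(fields, conditions):
    """True only if every (field, regex) pair is present and matches.

    Mirrors stacking several <field> elements in one rule: all must hold.
    A missing field is a non-match, not an error.
    """
    for name, pattern in conditions:
        value = fields.get(name)
        if value is None or not re.search(pattern, str(value)):
            return False
    return True


# Hypothetical rule: explicit-credential logon (4648) on the Security channel
# whose target server is the local host, as in the posted event.
EXPLICIT_LOGON_RULE = [
    ("win.system.channel", r"^Security$"),
    ("win.system.eventID", r"^4648$"),
    ("win.eventdata.targetServerName", r"^localhost$"),
]


if __name__ == "__main__":
    fields = decode(SAMPLE_EVENT)
    for name in sorted(fields):
        print(f"{name}: {fields[name]!r}")
    print("rule matches:", rule_matches(fields, EXPLICIT_LOGON_RULE))
```

Running it prints the same field names the logtest Phase 2 block lists, which is the quickest way to confirm the exact spelling (eventID versus eventId, processId versus processID) before putting a name into a rule. When porting a condition into an actual Wazuh rule, check the pattern against Wazuh's <field> regex syntax rather than assuming Python semantics.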