Rule

PD

Oct 17, 2025, 3:26:35 AM
to Wazuh | Mailing List

Hi Wazuh team, I ran into a problem: I didn't find the internal decoder, although it works; its name is windows_eventchannel. I also need to write a rule for it, the meaning of which is that the rule should be triggered only if there were 20 events in 3 seconds. I also attach the log itself.

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4662","version":"0","level":"0","task":"14080","opcode":"0","keywords":"0x8020000000000000","systemTime":"2025-10-17T02:59:01.808586200Z","eventRecordID":"393063","processID":"696","threadID":"832","channel":"Security","computer":"contosodc.contoso.local","severityValue":"AUDIT_SUCCESS","message":"\"An operation was performed on an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2008328898-4181195621-1732258505-1345\r\n\tAccount Name:\t\tKyrjevPavel\r\n\tAccount Domain:\t\tCONTOSO\r\n\tLogon ID:\t\t0xDEC5A7E\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{bf967aa5-0de6-11d0-a285-00aa003049e2}\r\n\tObject Name:\t\t%{c4fe4815-d3eb-42fb-a8cc-d1d10671f181}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tRead Property\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10\r\n\tProperties:\t\tRead Property\r\n\t{bf967aa5-0de6-11d0-a285-00aa003049e2}\r\n\t\t{e48d0154-bcf8-11d1-8702-00c04fb96050}\r\n\t\t\t{bf9679e5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679e4-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679e7-0de6-11d0-a285-00aa003049e2}\r\n\t\t{59ba2f42-79a2-11d0-9020-00c04fc2d3cf}\r\n\t\t\t{bf9679e8-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{3e0abfd0-126a-11d0-a060-00aa006c33ed}\r\n\t\t\t{6e7b626c-64f2-11d0-afd2-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t\""},"eventdata":{"subjectUserSid":"S-1-5-21-2008328898-4181195621-1732258505-1345","subjectUserName":"KyrjevPavel","subjectDomainName":"CONTOSO","subjectLogonId":"0xdec5a7e","objectServer":"DS","objectType":"%{bf967aa5-0de6-11d0-a285-00aa003049e2}","objectName":"%{c4fe4815-d3eb-42fb-a8cc-d1d10671f181}","operationType":"Object Access","handleId":"0x0","accessList":"%%7684","accessMask":"0x10","properties":"%%7684   {bf967aa5-0de6-11d0-a285-00aa003049e2}    {e48d0154-bcf8-11d1-8702-00c04fb96050}     {bf9679e5-0de6-11d0-a285-00aa003049e2}     {bf9679e4-0de6-11d0-a285-00aa003049e2}     {bf9679e7-0de6-11d0-a285-00aa003049e2}    {59ba2f42-79a2-11d0-9020-00c04fc2d3cf}     {bf9679e8-0de6-11d0-a285-00aa003049e2}     {3e0abfd0-126a-11d0-a060-00aa006c33ed}     {6e7b626c-64f2-11d0-afd2-00c04fd930c9}"}}}

Bony V John

Oct 17, 2025, 3:54:47 AM
to Wazuh | Mailing List
Hi,

Please allow me some time — I’m working on this and will get back to you with an update as soon as possible.  

Bony V John

Oct 17, 2025, 4:48:15 AM
to Wazuh | Mailing List
Hi,

For Windows Event Channel logs, Wazuh uses a built-in decoder, which you won’t see in the decoder list. Because of that, you can’t test those rules with wazuh-logtest using the eventchannel decoder—the tool will parse them with the default JSON decoder instead.

How to test Windows Event Channel rules with wazuh-logtest

You can temporarily switch the rule to use the JSON decoder just for testing.

  • Edit the default rule file on the Wazuh manager

vi /var/ossec/ruleset/rules/0575-win-base_rules.xml

  • In the first rule (ID 60000), comment out these lines:
<category>ossec</category>
<decoded_as>windows_eventchannel</decoded_as>

  • Replace them like this (use JSON decoder temporarily):  
<!--<category>ossec</category>
<decoded_as>windows_eventchannel</decoded_as>-->
<decoded_as>json</decoded_as>

  • Save and exit.
Now you can run logtest to validate your custom rule. (See Wazuh docs for logtest usage.)

Important: After testing, revert the changes back to the original eventchannel settings. If you leave it on JSON, Windows event alerts won’t be generated correctly in the Wazuh dashboard.
 
Sample rules based on your shared log

I created sample rules from your log, and they work on my end. Note the frequency behavior:

<group name="windows, windows_security,">
  <!-- Single-event rule: 4662 (an operation was performed on an object) where the Object Server is DS -->
  <rule id="100201" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">4662</field>
    <field name="win.eventdata.objectServer">DS</field>
    <description>AD DS: Object property read (4662)</description>
  </rule>

  <!-- Correlation rule: fires when 20 matches of 100201 occur within a 3-second timeframe -->
  <rule id="100202" level="3" timeframe="3" frequency="20">
    <if_matched_sid>100201</if_matched_sid>
    <description>Multiple AD DS: Object property read events within 3 seconds</description>
  </rule>
</group>

Behavior explanation:

  • For the first 19 events within 3 seconds, rule 100201 fires (you’ll see those alerts).

  • On the 20th event within the 3-second window, rule 100202 fires (the “multiple events” alert).

Currently, you cannot suppress the earlier single-event alerts from 100201 purely with rule logic while still having 100202 trigger at 20/3s.

You can refer to the Wazuh rule syntax documentation for more details.
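As an added example, not part of the original thread and not Wazuh's own code, the following Python script models the two rules above over constructed copies of the posted 4662 event. It re-implements the behaviour the reply describes (rule 100201 on every matching event, rule 100202 once 20 of them fall inside 3 seconds) so the 19-then-20 counting can be checked without a manager, and it also shows the contrasting case of 20 events spread over more than 3 seconds. The sliding-window model with a reset after firing, the burst timings and the trimmed sample event are assumptions made for the example.

```python
"""Model of rules 100201/100202 from the thread (added example, not Wazuh code).

Assumptions: the frequency/timeframe pair is modelled as a sliding window that
fires when `frequency` parent matches fall inside `timeframe` seconds and then
resets its count; the <if_sid>60103</if_sid> parent (Windows audit-success
event) is treated as already satisfied for every sample event.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed from the posted event; only the fields the rules read are kept.
SAMPLE_EVENT = json.loads(r'''{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4662","channel":"Security","computer":"contosodc.contoso.local","systemTime":"2025-10-17T02:59:01.808586200Z","severityValue":"AUDIT_SUCCESS"},"eventdata":{"subjectUserName":"KyrjevPavel","subjectDomainName":"CONTOSO","objectServer":"DS","objectType":"%{bf967aa5-0de6-11d0-a285-00aa003049e2}","accessMask":"0x10"}}}''')


def get_field(event, dotted):
    """Resolve a 'win.system.eventID'-style path like <field name="..."> does."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_100201(event):
    """Field conditions of rule 100201: eventID 4662 against Object Server DS."""
    return (get_field(event, "win.system.eventID") == "4662"
            and get_field(event, "win.eventdata.objectServer") == "DS")


class FrequencyRule:
    """Rule 100202: 20 matches of 100201 within 3 seconds (sliding window, assumed)."""

    def __init__(self, frequency=20, timeframe=3):
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.hits = []  # timestamps of parent matches still inside the window

    def feed(self, ts):
        self.hits.append(ts)
        self.hits = [t for t in self.hits if ts - t <= self.window]
        if len(self.hits) >= self.frequency:
            self.hits.clear()  # assumed: a fired window does not re-fire on the 21st event
            return True
        return False


def parse_time(s):
    """Windows systemTime carries 7 fractional digits; %f accepts at most 6."""
    return datetime.strptime(s[:26] + "Z", "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def run(events):
    """Evaluate both rules in order; return the rule ids fired for each event."""
    freq = FrequencyRule()
    fired = []
    for ev in events:
        ids = []
        if rule_100201(ev):
            ids.append(100201)
            if freq.feed(parse_time(get_field(ev, "win.system.systemTime"))):
                ids.append(100202)
        fired.append(ids)
    return fired


def summarize(fired):
    """Count how often each rule fired across the run."""
    return {rid: sum(rid in ids for ids in fired) for rid in (100201, 100202)}


def make_burst(count, spacing_ms):
    """Constructed burst: copies of SAMPLE_EVENT, systemTime advanced by spacing_ms each."""
    start = parse_time(SAMPLE_EVENT["win"]["system"]["systemTime"])
    out = []
    for i in range(count):
        ev = json.loads(json.dumps(SAMPLE_EVENT))  # deep copy
        t = start + timedelta(milliseconds=spacing_ms * i)
        ev["win"]["system"]["systemTime"] = t.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0Z"
        out.append(ev)
    return out


if __name__ == "__main__":
    # 25 events 100 ms apart: the 20th lands inside 3 s, so 100202 fires once.
    fast = run(make_burst(25, 100))
    print("fast burst:", summarize(fast), "event 20 fired", fast[19])
    # 25 events 200 ms apart: at most 16 fall inside any 3 s window, so 100202 never fires.
    slow = run(make_burst(25, 200))
    print("slow burst:", summarize(slow))
```

Each event is checked against 100201 first, and only a match is counted toward 100202, mirroring how `if_matched_sid` depends on the parent rule having fired. Running the script prints one 100202 alert for the fast burst and none for the slow one, which is the difference between "20 events" and "20 events in 3 seconds" that the original question asks for.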