Custom Alerts passing ruleset test but failing to reach the Wazuh alerts file


Omar Hassan

Feb 8, 2026, 4:36:57 PM (3 days ago) Feb 8
to Wazuh | Mailing List
The issue is that the alert is not even being written to /var/ossec/logs/alerts.json for this specific log. All other logs are coming through and showing on the dashboard just fine.
Here’s some context:
We’re collecting Sysmon events on the Windows machine.
Other logs from the same agent are working normally, so the collection itself seems fine.
I wanted to create a simple rule just for test to trigger event with ID 1 just as a test.

Here is my rule; it's working with logtest but not appearing in alerts:

<group name="Sysmon EventID 1">
  <rule id="100500" level="8">
    <field name="win.system.eventID">^1$</field>
    <description>Process Created detected</description>
  </rule>
</group>

and here is my full log (I got it from wazuh dashboard in the archive index, it was a field inside the table) :
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-02-08T10:38:08.0345494Z","eventRecordID":"42669","processID":"3036","threadID":"4520","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-HB5LVK4","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1204,technique_name=User Execution\r\nUtcTime: 2026-02-08 10:38:08.029\r\nProcessGuid: {a92090f4-6790-6988-e102-000000001100}\r\nProcessId: 9504\r\nImage: C:\\Windows\\System32\\notepad.exe\r\nFileVersion: 10.0.19041.5794 (WinBuild.160101.0800)\r\nDescription: Notepad\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: NOTEPAD.EXE\r\nCommandLine: \"C:\\Windows\\system32\\notepad.exe\" \r\nCurrentDirectory: C:\\Users\\Omar\\\r\nUser: DESKTOP-HB5LVK4\\Omar\r\nLogonGuid: {a92090f4-2842-6988-5baf-070000000000}\r\nLogonId: 0x7AF5B\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E\r\nParentProcessGuid: {a92090f4-287b-6988-bc00-000000001100}\r\nParentProcessId: 5236\r\nParentImage: C:\\Windows\\explorer.exe\r\nParentCommandLine: C:\\Windows\\Explorer.EXE\r\nParentUser: DESKTOP-HB5LVK4\\Omar\""},"eventdata":{"ruleName":"technique_id=T1204,technique_name=User Execution","utcTime":"2026-02-08 10:38:08.029","processGuid":"{a92090f4-6790-6988-e102-000000001100}","processId":"9504","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","fileVersion":"10.0.19041.5794 (WinBuild.160101.0800)","description":"Notepad","product":"Microsoft® Windows® Operating System","company":"Microsoft 
Corporation","originalFileName":"NOTEPAD.EXE","commandLine":"\\\"C:\\\\Windows\\\\system32\\\\notepad.exe\\\"","currentDirectory":"C:\\\\Users\\\\Omar\\\\","user":"DESKTOP-HB5LVK4\\\\Omar","logonGuid":"{a92090f4-2842-6988-5baf-070000000000}","logonId":"0x7af5b","terminalSessionId":"1","integrityLevel":"Medium","hashes":"SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E","parentProcessGuid":"{a92090f4-287b-6988-bc00-000000001100}","parentProcessId":"5236","parentImage":"C:\\\\Windows\\\\explorer.exe","parentCommandLine":"C:\\\\Windows\\\\Explorer.EXE","parentUser":"DESKTOP-HB5LVK4\\\\Omar"}}}
and here is the result from ruleset test:
**Phase 1: Completed pre-decoding.  **Phase 2: Completed decoding. name: 'json' win.eventdata.commandLine: '\"C:\\Windows\\system32\\notepad.exe\"' win.eventdata.company: 'Microsoft Corporation' win.eventdata.currentDirectory: 'C:\\Users\\Omar\\' win.eventdata.description: 'Notepad' win.eventdata.fileVersion: '10.0.19041.5794 (WinBuild.160101.0800)' win.eventdata.hashes: 'SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E' win.eventdata.image: 'C:\\Windows\\System32\\notepad.exe' win.eventdata.integrityLevel: 'Medium' win.eventdata.logonGuid: '{a92090f4-2842-6988-5baf-070000000000}' win.eventdata.logonId: '0x7af5b' win.eventdata.originalFileName: 'NOTEPAD.EXE' win.eventdata.parentCommandLine: 'C:\\Windows\\Explorer.EXE' win.eventdata.parentImage: 'C:\\Windows\\explorer.exe' win.eventdata.parentProcessGuid: '{a92090f4-287b-6988-bc00-000000001100}' win.eventdata.parentProcessId: '5236' win.eventdata.parentUser: 'DESKTOP-HB5LVK4\\Omar' win.eventdata.processGuid: '{a92090f4-6790-6988-e102-000000001100}' win.eventdata.processId: '9504' win.eventdata.product: 'Microsoft® Windows® Operating System' win.eventdata.ruleName: 'technique_id=T1204,technique_name=User Execution' win.eventdata.terminalSessionId: '1' win.eventdata.user: 'DESKTOP-HB5LVK4\\Omar' win.eventdata.utcTime: '2026-02-08 10:38:08.029' win.system.channel: 'Microsoft-Windows-Sysmon/Operational' win.system.computer: 'DESKTOP-HB5LVK4' win.system.eventID: '1' win.system.eventRecordID: '42669' win.system.keywords: '0x8000000000000000' win.system.level: '4' win.system.message: '"Process Create: RuleName: technique_id=T1204,technique_name=User Execution UtcTime: 2026-02-08 10:38:08.029 ProcessGuid: {a92090f4-6790-6988-e102-000000001100} ProcessId: 9504 Image: C:\Windows\System32\notepad.exe FileVersion: 10.0.19041.5794 (WinBuild.160101.0800) Description: Notepad Product: 
Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: NOTEPAD.EXE CommandLine: "C:\Windows\system32\notepad.exe"  CurrentDirectory: C:\Users\Omar\ User: DESKTOP-HB5LVK4\Omar LogonGuid: {a92090f4-2842-6988-5baf-070000000000} LogonId: 0x7AF5B TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E ParentProcessGuid: {a92090f4-287b-6988-bc00-000000001100} ParentProcessId: 5236 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE ParentUser: DESKTOP-HB5LVK4\Omar"' win.system.opcode: '0' win.system.processID: '3036' win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' win.system.providerName: 'Microsoft-Windows-Sysmon' win.system.severityValue: 'INFORMATION' win.system.systemTime: '2026-02-08T10:38:08.0345494Z' win.system.task: '1' win.system.threadID: '4520' win.system.version: '5'  **Phase 3: Completed filtering (rules). id: '61603' level: '0' description: 'Sysmon - Event 1: Process creation Notepad' groups: '["windows","sysmon","sysmon_event1"]' firedtimes: '2' mail: 'false'

I also tried:
adding <if_sid>600000</if_sid>; it passes the ruleset test but still doesn't appear in alerts, and the same with <decoded_as>json</decoded_as>. I actually edited /var/ossec/ruleset/rules/0575-win-base_rules.xml, removed the category and changed the decoded_as option to JSON.

ismail....@wazuh.com

Feb 8, 2026, 11:03:56 PM (3 days ago) Feb 8
to Wazuh | Mailing List
Hi,

Thank you for sharing the details. As per the sample rule and the sample full log provided, the custom rule is triggering as expected.

However, based on the event details, the log is currently matching the existing built-in rule ID 61603 with rule level 0 during Phase 3: Completed filtering (rules). The matched rule details are shown below:
Rule ID: 61603
Level: 0
Description: Sysmon - Event 1: Process creation Notepad
Groups: windows, sysmon, sysmon_event1
Fired times: 2

This behavior is expected because Wazuh already includes a default rule for Sysmon Event ID 1 (Process Creation) in the file 0595-win-sysmon_rules.xml, as shown below:

Note:
By default, it only triggers alerts with a severity level of 3 or higher. Therefore, if the rule is set to level=0, no alert will be generated, and the log will not be stored in /var/ossec/logs/alerts/alerts.json. Refer to this document https://documentation.wazuh.com/current/user-manual/manager/alert-management.html#alert-threshold

  <rule id="61603" level="0">
    <if_sid>61600</if_sid>

    <field name="win.system.eventID">^1$</field>
    <description>Sysmon - Event 1: Process creation $(win.eventdata.description)</description>
    <options>no_full_log</options>
    <group>sysmon_event1,</group>
  </rule>

If you want to change the alert level for this existing rule, you should override it instead of creating a new rule. Wazuh supports modifying built-in rules using the changing existing rules mechanism, as documented at https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

Wazuh allows you to modify its out-of-the-box rules. To do so, you have to copy the rules to a file under the /var/ossec/etc/rules/ directory on the Wazuh server, make the necessary changes, and add the overwrite="yes" tag to the modified rules. These steps guarantee that your changes won't be lost during upgrades.

Below is an example of overriding rule 61603 and increasing the alert level to 8:

Perform the steps below on the Wazuh server:

1.  Paste the copied rule definition into /var/ossec/etc/rules/local_rules.xml. Modify the level value, and add overwrite="yes" to indicate that this rule overwrites an already defined rule:  
<group name="windows,sysmon,">
  <rule id="61603" level="8" overwrite="yes">
    <if_sid>61600</if_sid>

    <field name="win.system.eventID">^1$</field>
    <description>Sysmon - Event 1: Process creation $(win.eventdata.description)</description>
    <options>no_full_log</options>
    <group>sysmon_event1,</group>
  </rule>
</group>

2.  Restart the Wazuh manager to load the updated rules:
systemctl restart wazuh-manager

This approach ensures the existing rule logic is reused while adjusting the alert severity as required.

I hope it helps. Please let us know if you have any further questions or concerns. 

Regards,
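
The level-versus-threshold check described in the reply above, as an added example that is not part of the original thread and is not Wazuh's own code. The two rule bodies are the ones quoted in the reply; the `ossec.conf` fragment is constructed, the function names are hypothetical, and skipping a redefinition that lacks `overwrite="yes"` is a choice made for this sketch, not a statement of how the manager handles it.

```python
import xml.etree.ElementTree as ET

# Constructed inputs. The two rule bodies are the ones quoted in the reply;
# the ossec.conf fragment is a minimal stand-in for the manager configuration.
BUILTIN = """<group name="windows,sysmon,">
  <rule id="61603" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^1$</field>
    <description>Sysmon - Event 1: Process creation $(win.eventdata.description)</description>
    <options>no_full_log</options>
    <group>sysmon_event1,</group>
  </rule>
</group>"""
LOCAL = BUILTIN.replace('level="0"', 'level="8" overwrite="yes"')
OSSEC_CONF = """<ossec_config>
  <alerts><log_alert_level>3</log_alert_level></alerts>
</ossec_config>"""


def _wrap(text):
    # Wazuh files may hold several top-level elements; give them one root.
    return ET.fromstring("<wrapper>" + text + "</wrapper>")


def alert_threshold(ossec_conf_text, default=3):
    """Return log_alert_level from ossec.conf text, or the default of 3."""
    node = _wrap(ossec_conf_text).find(".//alerts/log_alert_level")
    return int(node.text) if node is not None else default


def parse_rules(text):
    """Yield (rule_id, level, is_overwrite) for every <rule> in a rule file."""
    for rule in _wrap(text).iter("rule"):
        yield rule.get("id"), int(rule.get("level")), rule.get("overwrite") == "yes"


def effective_levels(builtin_text, local_text):
    """Merge built-in and local rules; return (levels, problems)."""
    levels, problems = {}, []
    for rid, level, _ in parse_rules(builtin_text):
        levels[rid] = level
    for rid, level, overwrite in parse_rules(local_text):
        if rid in levels and not overwrite:
            # Not applied here: the documented procedure requires overwrite="yes".
            problems.append(f'rule {rid} redefined without overwrite="yes"')
        else:
            levels[rid] = level
    return levels, problems


def reaches_alerts_file(rule_id, levels, threshold):
    """True when the rule's effective level meets the alert threshold."""
    return levels[rule_id] >= threshold


if __name__ == "__main__":
    threshold = alert_threshold(OSSEC_CONF)
    before, _ = effective_levels(BUILTIN, "")
    after, problems = effective_levels(BUILTIN, LOCAL)
    print("before override:", reaches_alerts_file("61603", before, threshold))
    print("after override: ", reaches_alerts_file("61603", after, threshold))
    print("problems:", problems)
```
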

Omar Hassan

Feb 9, 2026, 11:10:07 PM (2 days ago) Feb 9
to Wazuh | Mailing List
So I tried what you told me, and it stops at the Phase 2 decoding part and only succeeds when I change the <decoded_as> field and remove the <category> field in 0575-win-base_rules.xml, but even when it succeeds in logtest it doesn't appear in the JSON alert file or dashboard:

**Messages: INFO: (7202): Session initialized with token '533c5d4d'
 **Phase 1: Completed pre-decoding. full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-02-08T10:38:08.0345494Z","eventRecordID":"42669","processID":"3036","threadID":"4520","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-HB5LVK4","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1204,technique_name=User Execution\r\nUtcTime: 2026-02-08 10:38:08.029\r\nProcessGuid: {a92090f4-6790-6988-e102-000000001100}\r\nProcessId: 9504\r\nImage: C:\\Windows\\System32\\notepad.exe\r\nFileVersion: 10.0.19041.5794 (WinBuild.160101.0800)\r\nDescription: Notepad\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: NOTEPAD.EXE\r\nCommandLine: \"C:\\Windows\\system32\\notepad.exe\" \r\nCurrentDirectory: C:\\Users\\Omar\\\r\nUser: DESKTOP-HB5LVK4\\Omar\r\nLogonGuid: {a92090f4-2842-6988-5baf-070000000000}\r\nLogonId: 0x7AF5B\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E\r\nParentProcessGuid: {a92090f4-287b-6988-bc00-000000001100}\r\nParentProcessId: 5236\r\nParentImage: C:\\Windows\\explorer.exe\r\nParentCommandLine: C:\\Windows\\Explorer.EXE\r\nParentUser: DESKTOP-HB5LVK4\\Omar\""},"eventdata":{"ruleName":"technique_id=T1204,technique_name=User Execution","utcTime":"2026-02-08 10:38:08.029","processGuid":"{a92090f4-6790-6988-e102-000000001100}","processId":"9504","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","fileVersion":"10.0.19041.5794 (WinBuild.160101.0800)","description":"Notepad","product":"Microsoft® Windows® Operating System","company":"Microsoft 
Corporation","originalFileName":"NOTEPAD.EXE","commandLine":"\\\"C:\\\\Windows\\\\system32\\\\notepad.exe\\\"","currentDirectory":"C:\\\\Users\\\\Omar\\\\","user":"DESKTOP-HB5LVK4\\\\Omar","logonGuid":"{a92090f4-2842-6988-5baf-070000000000}","logonId":"0x7af5b","terminalSessionId":"1","integrityLevel":"Medium","hashes":"SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E","parentProcessGuid":"{a92090f4-287b-6988-bc00-000000001100}","parentProcessId":"5236","parentImage":"C:\\\\Windows\\\\explorer.exe","parentCommandLine":"C:\\\\Windows\\\\Explorer.EXE","parentUser":"DESKTOP-HB5LVK4\\\\Omar"}}}' 

 **Phase 2: Completed decoding.
  name: 'json' win.eventdata.commandLine: '\"C:\\Windows\\system32\\notepad.exe\"' win.eventdata.company: 'Microsoft Corporation' win.eventdata.currentDirectory: 'C:\\Users\\Omar\\' win.eventdata.description: 'Notepad' win.eventdata.fileVersion: '10.0.19041.5794 (WinBuild.160101.0800)' win.eventdata.hashes: 'SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E' win.eventdata.image: 'C:\\Windows\\System32\\notepad.exe' win.eventdata.integrityLevel: 'Medium' win.eventdata.logonGuid: '{a92090f4-2842-6988-5baf-070000000000}' win.eventdata.logonId: '0x7af5b' win.eventdata.originalFileName: 'NOTEPAD.EXE' win.eventdata.parentCommandLine: 'C:\\Windows\\Explorer.EXE' win.eventdata.parentImage: 'C:\\Windows\\explorer.exe' win.eventdata.parentProcessGuid: '{a92090f4-287b-6988-bc00-000000001100}' win.eventdata.parentProcessId: '5236' win.eventdata.parentUser: 'DESKTOP-HB5LVK4\\Omar' win.eventdata.processGuid: '{a92090f4-6790-6988-e102-000000001100}' win.eventdata.processId: '9504' win.eventdata.product: 'Microsoft® Windows® Operating System' win.eventdata.ruleName: 'technique_id=T1204,technique_name=User Execution' win.eventdata.terminalSessionId: '1' win.eventdata.user: 'DESKTOP-HB5LVK4\\Omar' win.eventdata.utcTime: '2026-02-08 10:38:08.029' win.system.channel: 'Microsoft-Windows-Sysmon/Operational' win.system.computer: 'DESKTOP-HB5LVK4' win.system.eventID: '1' win.system.eventRecordID: '42669' win.system.keywords: '0x8000000000000000' win.system.level: '4' win.system.message: '"Process Create: RuleName: technique_id=T1204,technique_name=User Execution UtcTime: 2026-02-08 10:38:08.029 ProcessGuid: {a92090f4-6790-6988-e102-000000001100} ProcessId: 9504 Image: C:\Windows\System32\notepad.exe FileVersion: 10.0.19041.5794 (WinBuild.160101.0800) Description: Notepad Product: Microsoft® Windows® Operating System Company: Microsoft 
Corporation OriginalFileName: NOTEPAD.EXE CommandLine: "C:\Windows\system32\notepad.exe"  CurrentDirectory: C:\Users\Omar\ User: DESKTOP-HB5LVK4\Omar LogonGuid: {a92090f4-2842-6988-5baf-070000000000} LogonId: 0x7AF5B TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E ParentProcessGuid: {a92090f4-287b-6988-bc00-000000001100} ParentProcessId: 5236 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE ParentUser: DESKTOP-HB5LVK4\Omar"' win.system.opcode: '0' win.system.processID: '3036' win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' win.system.providerName: 'Microsoft-Windows-Sysmon' win.system.severityValue: 'INFORMATION' win.system.systemTime: '2026-02-08T10:38:08.0345494Z' win.system.task: '1' win.system.threadID: '4520' win.system.version: '5'


and here is when I change those fields :

**Messages: WARNING: (7003): '533c5d4d' token expires INFO: (7202): Session initialized with token 'c1ae53df' 
 **Phase 1: Completed pre-decoding. 
 
**Phase 2: Completed decoding. name: 'json' win.eventdata.commandLine: '\"C:\\Windows\\system32\\notepad.exe\"' win.eventdata.company: 'Microsoft Corporation' win.eventdata.currentDirectory: 'C:\\Users\\Omar\\' win.eventdata.description: 'Notepad' win.eventdata.fileVersion: '10.0.19041.5794 (WinBuild.160101.0800)' win.eventdata.hashes: 'SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E' win.eventdata.image: 'C:\\Windows\\System32\\notepad.exe' win.eventdata.integrityLevel: 'Medium' win.eventdata.logonGuid: '{a92090f4-2842-6988-5baf-070000000000}' win.eventdata.logonId: '0x7af5b' win.eventdata.originalFileName: 'NOTEPAD.EXE' win.eventdata.parentCommandLine: 'C:\\Windows\\Explorer.EXE' win.eventdata.parentImage: 'C:\\Windows\\explorer.exe' win.eventdata.parentProcessGuid: '{a92090f4-287b-6988-bc00-000000001100}' win.eventdata.parentProcessId: '5236' win.eventdata.parentUser: 'DESKTOP-HB5LVK4\\Omar' win.eventdata.processGuid: '{a92090f4-6790-6988-e102-000000001100}' win.eventdata.processId: '9504' win.eventdata.product: 'Microsoft® Windows® Operating System' win.eventdata.ruleName: 'technique_id=T1204,technique_name=User Execution' win.eventdata.terminalSessionId: '1' win.eventdata.user: 'DESKTOP-HB5LVK4\\Omar' win.eventdata.utcTime: '2026-02-08 10:38:08.029' win.system.channel: 'Microsoft-Windows-Sysmon/Operational' win.system.computer: 'DESKTOP-HB5LVK4' win.system.eventID: '1' win.system.eventRecordID: '42669' win.system.keywords: '0x8000000000000000' win.system.level: '4' win.system.message: '"Process Create: RuleName: technique_id=T1204,technique_name=User Execution UtcTime: 2026-02-08 10:38:08.029 ProcessGuid: {a92090f4-6790-6988-e102-000000001100} ProcessId: 9504 Image: C:\Windows\System32\notepad.exe FileVersion: 10.0.19041.5794 (WinBuild.160101.0800) Description: Notepad Product: Microsoft® Windows® Operating System 
Company: Microsoft Corporation OriginalFileName: NOTEPAD.EXE CommandLine: "C:\Windows\system32\notepad.exe"  CurrentDirectory: C:\Users\Omar\ User: DESKTOP-HB5LVK4\Omar LogonGuid: {a92090f4-2842-6988-5baf-070000000000} LogonId: 0x7AF5B TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=F3A517B07528CEE3A7399386C58A9C7A59AA96B3,MD5=6F51BCABF1B2B34AD7E670AEE6DA451F,SHA256=DA5807BB0997CC6B5132950EC87EDA2B33B1AC4533CF1F7A22A6F3B576ED7C5B,IMPHASH=09ED737A03DB7295BF734A9953F6EB5E ParentProcessGuid: {a92090f4-287b-6988-bc00-000000001100} ParentProcessId: 5236 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE ParentUser: DESKTOP-HB5LVK4\Omar"' win.system.opcode: '0' win.system.processID: '3036' win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' win.system.providerName: 'Microsoft-Windows-Sysmon' win.system.severityValue: 'INFORMATION' win.system.systemTime: '2026-02-08T10:38:08.0345494Z' win.system.task: '1' win.system.threadID: '4520' win.system.version: '5'
  
**Phase 3: Completed filtering (rules).
  id: '61603'
  level: '8'
  description: 'Sysmon - Event 1: Process creation Notepad'
  groups: '["windows","sysmon","sysmon_event1"]'
  firedtimes: '1'
  mail: 'false'
**Alert to be generated.

I got the idea from this thread: https://github.com/wazuh/wazuh/issues/25510#issuecomment-2324768387
