Wazuh Use Case – Detecting Long-Duration TeamViewer Sessions


Mithun Haridas

Nov 5, 2025, 4:40:01 AM
to Wazuh | Mailing List
Hi team,

I am currently working on TeamViewer event use cases, and one of my objectives is to trigger an alert for remote sessions lasting more than 45 minutes, which I classify as long-duration sessions.

Below are the rules I created for this use case:

<rule id="104501" level="4">
  <decoded_as>teamviewer</decoded_as>
  <description>TeamViewer: Messages grouped.</description>
</rule>

<rule id="104502" level="4">
  <if_sid>104501</if_sid>
  <field name="EventType">^Session$</field>
  <description>TeamViewer: Session events grouped.</description>
</rule>

<rule id="104520" level="5">
  <if_sid>104502</if_sid>
  <field name="EventName">^Started session$</field>
  <description>TeamViewer: Initiated a remote session.</description>
</rule>

<rule id="104521" level="10">  
  <if_sid>104502</if_sid>
  <field name="EventName">^Ended session$</field>
  <description>TeamViewer: Closed a long-duration remote session.</description>
</rule>

<rule id="104524" level="5" timeframe="2700">
  <if_matched_sid>104520</if_matched_sid>
  <if_sid>104521</if_sid>
  <same_field>Author</same_field>
  <description>TeamViewer: Closed a remote session.</description>
</rule>

Concept

The idea is that when an “Ended session” event occurs, it first matches rule 104521, which represents a long-duration session. From there, it should move to its child rule 104524, which checks whether there was a “Started session” event for the same author within the last 45 minutes (2700 seconds).

  • If a matching “Started session” event is found within that timeframe, the event should trigger rule 104524 (Closed a remote session).
  • If no session start event is found within 45 minutes, the alert should remain at the parent rule 104521 (Closed a long-duration remote session).

Issue

However, this logic isn’t working as intended. The rules are not correctly distinguishing between normal sessions (≤45 minutes) and long-duration sessions (>45 minutes).

I’m looking for help to correct this logic or identify an alternative method to achieve the same use case—specifically, triggering an alert only when a TeamViewer session exceeds 45 minutes.


Regards,

Federico Rodriguez

Nov 5, 2025, 7:57:19 AM
to Wazuh | Mailing List
Hi Mithun Haridas,

It would be useful to replicate your use case to better analyze how to generate the alert you need. Is it possible for you to share sample logs and the decoders used? Be mindful to obfuscate any sensitive information.

Mithun Haridas

Nov 10, 2025, 6:00:39 AM
to Wazuh | Mailing List
Hi,

Apologies for the late reply.

Logs:

Session started 

{"EventDetails": [{"OldValue": "", "NewValue": "Remote Control", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Session type", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "Personal Password", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Used Authentication Method", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "477701249", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "ID of presenter", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "abcd", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Name of presenter", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "765435746", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "ID of participant", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "efgh", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Name of participant", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Connect and view my screen", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Control TeamViewer", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access file transfer (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access VPN (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access disable input (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access control remote TeamViewer (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access file transfer widget (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Print on printer", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access change sides allowed (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "After confirmation", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Execute Scripts (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Chat (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Manage virtual monitors (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Remote terminal (server)", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": null, "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "After confirmation", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Session Insights logging", "PropertyCategory": "PermissionIncomingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access view desktop (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access remote control (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access file transfer (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access VPN (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access disable input (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access control remote TeamViewer (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Access file transfer widget (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Print on printer", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "After confirmation", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Execute Scripts (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Chat (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Manage virtual monitors (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Remote terminal (client)", "PropertyCategory": "PermissionOutgoingConnections"}, {"OldValue": "", "NewValue": "Allowed", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": null, "PropertyCategory": "PermissionOutgoingConnections"}], "EventName": "Started session", "EventType": "Session", "Timestamp": "2025-11-10T09:46:16Z", "Author": "abcd", "AuthorEmail": "ab...@yahoo.com", "AffectedItem": "f61f654f-dffd-4fw3c-a32da-7aebf758f65634"}


Session ended

{"EventDetails": [{"OldValue": "", "NewValue": "Remote Control", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Session type", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "Personal Password", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Used Authentication Method", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "477701249", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "ID of presenter", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "abcd", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Name of presenter", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "765435746", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "ID of participant", "PropertyCategory": "SessionInfo"}, {"OldValue": "", "NewValue": "efgh", "PolicyEnforcementNewValue": null, "PolicyEnforcementOldValue": null, "PropertyName": "Name of participant", "PropertyCategory": "SessionInfo"}], "EventName": "Ended session", "EventType": "Session", "Timestamp": "2025-11-10T10:35:18Z", "Author": "abcd", "AuthorEmail": "ab...@yahoo.com", "AffectedItem": "f64gt0444-d5rfvfce-44fdsfc-a2da-7aefvdfge5634"}


Logs are in JSON format, so I have not created any custom decoder currently.

Regards,
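The long-session check that the rules in the first message try to express (rules 104520/104521/104524 correlating "Started session" and "Ended session" by Author within 2700 s), run over the two sample events from the message above, as an added example that is not part of this thread and not Wazuh or TeamViewer code. It computes each session's duration from the events' own Timestamp fields and flags anything over 45 minutes. The sample log lines are constructed, condensed copies of the two posted events (most EventDetails entries dropped) plus two extra constructed events: a 10-minute session by another author and an "Ended session" with no matching start. The pairing key is an assumption: Author plus the "ID of presenter" and "ID of participant" values from EventDetails, because AffectedItem differs between the posted start and end events and so cannot be used to join them.

```python
"""Pair TeamViewer "Started session" / "Ended session" audit events and flag
sessions longer than 45 minutes.

Added example for this thread, not Wazuh or TeamViewer code. Sample events
are constructed (condensed copies of the posted ones plus two extras). The
pairing key (Author + presenter ID + participant ID) is an assumption.
"""
import json
from datetime import datetime, timezone

LONG_SESSION_SECONDS = 45 * 60  # the thread's threshold (2700 s)


def _event(name, ts, author, presenter_id, participant_id, affected):
    """Build one TeamViewer-style audit event as a JSON log line (constructed)."""
    return json.dumps({
        "EventDetails": [
            {"OldValue": "", "NewValue": "Remote Control",
             "PropertyName": "Session type", "PropertyCategory": "SessionInfo"},
            {"OldValue": "", "NewValue": presenter_id,
             "PropertyName": "ID of presenter", "PropertyCategory": "SessionInfo"},
            {"OldValue": "", "NewValue": participant_id,
             "PropertyName": "ID of participant", "PropertyCategory": "SessionInfo"},
        ],
        "EventName": name, "EventType": "Session", "Timestamp": ts,
        "Author": author, "AffectedItem": affected,
    })


SAMPLE_LOG_LINES = [
    # the posted session: 09:46:16Z -> 10:35:18Z, i.e. 49 min 2 s
    _event("Started session", "2025-11-10T09:46:16Z", "abcd", "477701249", "765435746",
           "f61f654f-dffd-4fw3c-a32da-7aebf758f65634"),
    _event("Ended session", "2025-11-10T10:35:18Z", "abcd", "477701249", "765435746",
           "f64gt0444-d5rfvfce-44fdsfc-a2da-7aefvdfge5634"),
    # constructed: a 10-minute session by another author (must not be flagged)
    _event("Started session", "2025-11-10T10:00:00Z", "wxyz", "111222333", "444555666", "s-1"),
    _event("Ended session", "2025-11-10T10:10:00Z", "wxyz", "111222333", "444555666", "s-2"),
    # constructed: an end whose start is not in this batch (e.g. in an earlier pull)
    _event("Ended session", "2025-11-10T10:20:00Z", "qrst", "999888777", "666555444", "s-3"),
]


def parse_ts(value):
    """Timestamps in the sample are UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detail(event, prop):
    """Return NewValue of the EventDetails entry whose PropertyName is `prop`."""
    for d in event.get("EventDetails", []):
        if d.get("PropertyName") == prop:
            return d.get("NewValue")
    return None


def session_key(event):
    return (event.get("Author"), detail(event, "ID of presenter"),
            detail(event, "ID of participant"))


def pair_sessions(log_lines, threshold=LONG_SESSION_SECONDS):
    """Return one summary dict per 'Ended session' event, in timestamp order.

    Starts are stacked per key so overlapping sessions by the same author
    pair with the most recent unmatched start rather than an older one.
    Duration comes from the events' Timestamp fields, not from arrival time.
    """
    events = [json.loads(line) for line in log_lines]
    events = [e for e in events if e.get("EventType") == "Session"]
    events.sort(key=lambda e: parse_ts(e["Timestamp"]))
    open_starts = {}
    summaries = []
    for ev in events:
        key = session_key(ev)
        if ev.get("EventName") == "Started session":
            open_starts.setdefault(key, []).append(parse_ts(ev["Timestamp"]))
            continue
        if ev.get("EventName") != "Ended session":
            continue
        end = parse_ts(ev["Timestamp"])
        summary = {"EventName": "Session summary", "Author": key[0],
                   "PresenterId": key[1], "ParticipantId": key[2],
                   "Ended": ev["Timestamp"]}
        if not open_starts.get(key):
            summary.update({"Started": None, "DurationSeconds": None,
                            "LongSession": None, "Unmatched": True})
        else:
            start = open_starts[key].pop()
            duration = int((end - start).total_seconds())
            summary.update({"Started": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                            "DurationSeconds": duration,
                            "LongSession": duration > threshold, "Unmatched": False})
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in pair_sessions(SAMPLE_LOG_LINES):
        print(json.dumps(s))
```

Two points this shows that the rule-only approach does not. First, Wazuh measures `timeframe` against the moment analysisd processes each event, not against the `Timestamp` field inside the JSON, so if the TeamViewer audit events are pulled from the API in batches, a start and its end can arrive seconds apart regardless of how long the session really lasted, and the 2700 s window in rule 104524 will then match almost every end. Second, correlating on Author alone pairs the end with any earlier start by that author, including a different session. Running a pairing step like this one before the events reach the manager and emitting the "Session summary" line as its own event lets a plain `<field name="LongSession">^true$</field>` match do the alerting, with no time-window rule needed; the `Unmatched` entries are worth a lower-level rule of their own, since an end with no start usually means a gap in collection.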