Custom Rules


Abd ElRahman Khalid

May 28, 2023, 9:17:37 AM
to Wazuh mailing list

Hello peeps


For the last week I have been struggling with creating custom rules for Hyper-V events on Wazuh.

Samples:


<group name="win_evt_channel,windows,local,syslog,sshd,system_error,">

  <rule id="100100" level="10">
    <field name="win.system.eventID">^15268$|^19070$|^19090$</field>
    <options>no_full_log</options>
    <description>From Test4.</description>
  </rule>

  <rule id="100200" level="13">
    <field name="win.system.severityValue">^INFORMATION$</field>
    <options>no_full_log</options>
    <description>From test4.</description>
  </rule>

  <rule id="100300" level="10">
    <field name="win.eventdata.workstationName" type="pcre2">.+</field>
    <description>Test4</description>
  </rule>

  <rule id="100400" level="10">
    <field name="win.system.eventID" type="pcre2">^15268$|^19070$|^19090$</field>
    <description>Test4</description>
  </rule>

  <rule id="100500" level="10">
    <match>^15268$|^19070$|^19090$</match>
    <description>Test4</description>
  </rule>

  <rule id="100600" level="10">
    <match>^19090</match>
    <description>Test4</description>
  </rule>

  <rule id="100700" level="10">
    <match>19090</match>
    <description>Test4</description>
  </rule>

  <rule id="100800" level="10">
    <field name="win.system.severityValue">^INFORMATION$</field>
    <description>Test4</description>
  </rule>

  <rule id="100900" level="10">
    <field name="win.system.severityValue">^ERROR$</field>
    <description>Test4</description>
  </rule>

  <rule id="101000" level="10">
    <field name="win.system.providerName">^Hyper-V-VMMS$</field>
    <field name="win.system.eventID">^19070$|^19090$</field>
    <description>Test4</description>
  </rule>

</group>



I don't know why none of the rules above gives any alert, even though I chose a very frequent event like 19090.


Hope anyone can help, please.

Thanks in advance.

Devender Rao

May 29, 2023, 3:14:41 AM
to Wazuh mailing list
Hi,

Thanks for using Wazuh! 

The group name is not valid, which is the cause of the missing alerts.

<group name="win_evt_channel,windows,local,syslog,sshd,system_error,">


I suggest changing the group name to <group name="windows,">.

The documentation for creating custom rules is below:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Blog post with the step-by-step process:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

I hope this helps! 

Regards,
Devender
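As an added example, not taken from the posts above or from the Wazuh project, this is how the Hyper-V rules could be laid out in the manager's local_rules.xml using the group name Devender suggests. It assumes that rule 60000 is the base rule Wazuh's default ruleset fires for every decoded Windows eventchannel event (chaining off it with if_sid means the win.* fields are already extracted), and that the provider name in the decoded event is Microsoft-Windows-Hyper-V-VMMS, so the providerName regex is anchored only at the end. The rule ids, levels and descriptions are placeholders; 19070 and 19090 are the event IDs from the question.

```xml
<!-- Added example: /var/ossec/etc/rules/local_rules.xml on the manager (assumed path). -->
<group name="windows,hyperv,">

  <!-- Parent rule: any Windows event whose providerName ends in Hyper-V-VMMS.
       if_sid 60000 is assumed to be Wazuh's base Windows eventchannel rule,
       so win.system.* fields are decoded before this rule is evaluated. -->
  <rule id="100100" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">Hyper-V-VMMS$</field>
    <options>no_full_log</options>
    <description>Hyper-V VMMS event $(win.system.eventID)</description>
  </rule>

  <!-- Child rule: raise the level only for the event IDs from the question
       (constructed selection; adjust to the events you care about). -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^19070$|^19090$</field>
    <options>no_full_log</options>
    <description>Hyper-V VMMS event $(win.system.eventID) of interest</description>
    <group>hyperv_event_of_interest,</group>
  </rule>

  <!-- Child rule: Hyper-V VMMS events logged with ERROR severity. -->
  <rule id="100102" level="8">
    <if_sid>100100</if_sid>
    <field name="win.system.severityValue">^ERROR$</field>
    <options>no_full_log</options>
    <description>Hyper-V VMMS error event $(win.system.eventID)</description>
  </rule>

</group>
```

Before restarting the manager, paste one real event from the channel into /var/ossec/bin/wazuh-logtest: it prints which decoder ran and the exact rule that fired, which is the quickest way to see whether a field name or regex is the problem. Wazuh reports a single rule per event, so if an event could match both child rules, check in wazuh-logtest which one wins and order the rules accordingly.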

Abd ElRahman Khalid

May 29, 2023, 7:49:09 AM
to Wazuh mailing list
I just wanted to make sure that this step is right, which is whether the Wazuh agent is reading the Hyper-V logs correctly from this specific channel.

[Attached screenshots: path.png, ag.png]

Devender Rao

May 30, 2023, 1:57:53 AM
to Wazuh mailing list
Hi,

The location for the above eventchannel should be as below:

Microsoft-Windows-Hyper-V-VMMS/Admin

Note: If the channel name contains a %, it is necessary to replace it with /. For example, replace Microsoft-Windows-PrintService%Operational with Microsoft-Windows-PrintService/Operational.

Here is the reference for more details on Windows event channel log collection:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html#monitor-the-windows-event-channel-with-wazuh

Regards,
Devender
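As an added example, not from the thread or the Wazuh project, this is the agent-side configuration that goes with the channel name above: a localfile block in the agent's ossec.conf that collects Microsoft-Windows-Hyper-V-VMMS/Admin in eventchannel format. The query element is an optional XPath filter; restricting it to the two event IDs from the question is a constructed choice, and removing the element forwards every event in the channel.

```xml
<!-- Added example: fragment of the Windows agent's ossec.conf (assumed location
     C:\Program Files (x86)\ossec-agent\ossec.conf). -->
<ossec_config>
  <localfile>
    <!-- Channel name as shown in Event Viewer, with any % replaced by / -->
    <location>Microsoft-Windows-Hyper-V-VMMS/Admin</location>
    <log_format>eventchannel</log_format>
    <!-- Optional XPath filter (constructed): forward only event IDs 19070 and
         19090. Delete this element to collect the whole channel. -->
    <query>Event/System[EventID=19070 or EventID=19090]</query>
  </localfile>
</ossec_config>
```

After restarting the agent, a direct way to confirm that events reach the manager before any rule is involved is to set <logall_json>yes</logall_json> in the manager's ossec.conf and look for "channel":"Microsoft-Windows-Hyper-V-VMMS/Admin" in /var/ossec/logs/archives/archives.json. The field names that appear there (win.system.providerName, win.system.eventID, win.system.severityValue, and so on) are exactly the ones a custom rule can match on.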