Always invalid parent
10 views
Skip to first unread message
Bayu Sangkaya (bayusky.labs)
4:48 AM (5 hours ago) 4:48 AM
to Wazuh | Mailing List
I try to create decoder from trendmicro alerts, the data from trendmicro alerts is in nested json, so itry to combine json and regex decoder.
This is the decoder i try to create.
This is the decoder i try to create.
<decoder name="trendmicro">
<parent>json</parent>
<use_own_name>true</use_own_name>
<prematch>xdr.trendmicro.com</prematch>
</decoder>
<decoder name="trendmicro-malware">
<parent>trendmicro</parent>
<regex>"field":"malName","value":"(\.+)"</regex>
<order>tm.malware</order>
</decoder>
<decoder name="trendmicro-filehash">
<parent>trendmicro</parent>
<regex>"field":"fileHash","value":"(\.+)"</regex>
<order>tm.file_sha1</order>
</decoder>
<decoder name="trendmicro-filename">
<parent>trendmicro</parent>
<regex>"field":"fileName","value":"(\.+)"</regex>
<order>tm.file_name</order>
</decoder>
<decoder name="json">
<parent>json</parent>
<use_own_name>true</use_own_name>
<plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
Where did I do wrong?
Stuti Gupta
5:30 AM (4 hours ago) 5:30 AM
to Wazuh | Mailing List
Hi Bayu Sangkaya,
It looks like the issue may be related to the sub-child decoder. Wazuh supports child and sibling decoders, but sub-child behavior may not work as expected in some cases.
Additionally, the last decoder you shared doesn't seemappropriate:
<decoder name="json">
<parent>json</parent>
<use_own_name>true</use_own_name>
<plugin_decoder>JSON_Decoder</plugin_decoder> <
</decoder>
<parent>json</parent>
<use_own_name>true</use_own_name>
<plugin_decoder>JSON_Decoder</plugin_decoder> <
</decoder>
The built-in JSON decoder already processes any log in JSON format. If the log matches the JSON decoder (parent), there’s generally no need for a plugin decoder again, as it won’t add value
Could you please share a sample of the log you’re trying to decode? This will help confirm the exact issue.
If possible, please share the log from the archives.json.use:
cat /var/ossec/logs/archives/archives.json | grep <keyword_from_log>
To enable the archives. Please refer to https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#archiving-event.
Note: Enabling archives significantly increases disk usage and is not recommended for large-scale/production deployments unless you have adequate storage.
To know more about decoders, please refer to https://documentation.wazuh.com/current/user-manual/ruleset/decoders/index.html.
Bayu Sangkaya
5:34 AM (4 hours ago) 5:34 AM
to Stuti Gupta, Wazuh | Mailing List
Hi Stuti,
this is the log
{"schemaVersion": "1.21", "id": "WB-18012-20260122-00571", "investigationStatus": "New", "status": "Open", "investigationResult": "No Findings", "workbenchLink": "https://portal.sg.xdr.trendmicro.com/index.html#/workbench/alerts/WB-18012-20260122-00571?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3", "alertProvider": "SAE", "modelId": "16981bac-9cf1-4d0d-969b-d01a5d2580e6", "model": "Unknown Threat Detection via Predictive Machine Learning", "modelType": "preset", "score": 36, "severity": "medium", "createdDateTime": "2026-01-22T08:18:04Z", "updatedDateTime": "2026-01-22T08:18:04Z", "ownerIds": [], "impactScope": {"desktopCount": 1, "serverCount": 0, "accountCount": 0, "emailAddressCount": 0, "containerCount": 0, "cloudIdentityCount": 0, "cloudWorkloadCount": 0, "entities": [{"entityType": "host", "entityValue": {"guid": "6995AB29-7993-B410-EBAD-B1A51AFD9853", "name": "g005_dc_12", "ips": ["192.168.47.202"]}, "entityId": "6995AB29-7993-B410-EBAD-B1A51AFD9853", "relatedEntities": [], "relatedIndicatorIds": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18], "provenance": ["Alert"], "managementScopeGroupId": "9ac2fc55-e42d-6234-034d-e60d9697ec22", "managementScopeInstanceId": "7e2a0b79-ba9e-0659-e7f1-42c0313cc270", "managementScopePartitionKey": "f7415844-9019-afc8-9cb8-1e602332faa2"}]}, "description": "An unknown threat was detected on an endpoint by Trend Micro Predictive Machine Learning.", "matchedRules": [{"id": "3da5246f-6a41-42e3-95e4-d63862083093", "name": "Predictive Machine Learning Detection", "matchedFilters": [{"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T07:57:12.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "96942013-14df-4026-a35d-a4e00511f7d2", "matchedDateTime": "2026-01-22T07:57:12.000Z", "type": "PRODUCT_EVENT_LOG"}]}, {"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T07:58:34.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "56fd75d9-39b8-41b9-a8f9-cfc37ae673e2", "matchedDateTime": "2026-01-22T07:58:34.000Z", "type": "PRODUCT_EVENT_LOG"}]}, {"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T08:01:43.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "8fa2c81a-3a88-42f9-9cf4-de27d163b9da", "matchedDateTime": "2026-01-22T08:01:43.000Z", "type": "PRODUCT_EVENT_LOG"}]}]}], "indicators": [{"id": 1, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 2, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 3, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 4, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 5, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 6, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 7, "type": "filename", "field": "fileName", "value": "hodowu.exe", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 8, "type": "filename", "field": "fileName", "value": "ulxq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 9, "type": "filename", "field": "fileName", "value": "gkuoiq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 10, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\hodowu.exe", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 11, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\ulxq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 12, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\gkuoiq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 13, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 14, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 15, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 16, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 17, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 18, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}]}
with default json decoder, it looks like this:
I want to extract data under nested json. Thanks for the helpthis is the log
{"schemaVersion": "1.21", "id": "WB-18012-20260122-00571", "investigationStatus": "New", "status": "Open", "investigationResult": "No Findings", "workbenchLink": "https://portal.sg.xdr.trendmicro.com/index.html#/workbench/alerts/WB-18012-20260122-00571?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3", "alertProvider": "SAE", "modelId": "16981bac-9cf1-4d0d-969b-d01a5d2580e6", "model": "Unknown Threat Detection via Predictive Machine Learning", "modelType": "preset", "score": 36, "severity": "medium", "createdDateTime": "2026-01-22T08:18:04Z", "updatedDateTime": "2026-01-22T08:18:04Z", "ownerIds": [], "impactScope": {"desktopCount": 1, "serverCount": 0, "accountCount": 0, "emailAddressCount": 0, "containerCount": 0, "cloudIdentityCount": 0, "cloudWorkloadCount": 0, "entities": [{"entityType": "host", "entityValue": {"guid": "6995AB29-7993-B410-EBAD-B1A51AFD9853", "name": "g005_dc_12", "ips": ["192.168.47.202"]}, "entityId": "6995AB29-7993-B410-EBAD-B1A51AFD9853", "relatedEntities": [], "relatedIndicatorIds": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18], "provenance": ["Alert"], "managementScopeGroupId": "9ac2fc55-e42d-6234-034d-e60d9697ec22", "managementScopeInstanceId": "7e2a0b79-ba9e-0659-e7f1-42c0313cc270", "managementScopePartitionKey": "f7415844-9019-afc8-9cb8-1e602332faa2"}]}, "description": "An unknown threat was detected on an endpoint by Trend Micro Predictive Machine Learning.", "matchedRules": [{"id": "3da5246f-6a41-42e3-95e4-d63862083093", "name": "Predictive Machine Learning Detection", "matchedFilters": [{"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T07:57:12.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "96942013-14df-4026-a35d-a4e00511f7d2", "matchedDateTime": "2026-01-22T07:57:12.000Z", "type": "PRODUCT_EVENT_LOG"}]}, {"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T07:58:34.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "56fd75d9-39b8-41b9-a8f9-cfc37ae673e2", "matchedDateTime": "2026-01-22T07:58:34.000Z", "type": "PRODUCT_EVENT_LOG"}]}, {"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T08:01:43.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "8fa2c81a-3a88-42f9-9cf4-de27d163b9da", "matchedDateTime": "2026-01-22T08:01:43.000Z", "type": "PRODUCT_EVENT_LOG"}]}]}], "indicators": [{"id": 1, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 2, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 3, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 4, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 5, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 6, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 7, "type": "filename", "field": "fileName", "value": "hodowu.exe", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 8, "type": "filename", "field": "fileName", "value": "ulxq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 9, "type": "filename", "field": "fileName", "value": "gkuoiq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 10, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\hodowu.exe", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 11, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\ulxq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 12, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\gkuoiq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 13, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 14, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 15, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 16, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 17, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 18, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}]}
with default json decoder, it looks like this:
**Phase 2: Completed decoding.
name: 'json'
alertProvider: 'SAE'
createdDateTime: '2026-01-22T08:18:04Z'
description: 'An unknown threat was detected on an endpoint by Trend Micro Predictive Machine Learning.'
id: 'WB-18012-20260122-00571'
impactScope.accountCount: '0'
impactScope.cloudIdentityCount: '0'
impactScope.cloudWorkloadCount: '0'
impactScope.containerCount: '0'
impactScope.desktopCount: '1'
impactScope.emailAddressCount: '0'
impactScope.entities: '[{"entityType":"host","entityValue":{"guid":"6995AB29-7993-B410-EBAD-B1A51AFD9853","name":"g005_dc_12","ips":["192.168.47.202"]},"entityId":"6995AB29-7993-B410-EBAD-B1A51AFD9853","relatedEntities":[],"relatedIndicatorIds":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18],"provenance":["Alert"],"managementScopeGroupId":"9ac2fc55-e42d-6234-034d-e60d9697ec22","managementScopeInstanceId":"7e2a0b79-ba9e-0659-e7f1-42c0313cc270","managementScopePartitionKey":"f7415844-9019-afc8-9cb8-1e602332faa2"}]'
impactScope.serverCount: '0'
indicators: '[{"id":1,"type":"detection_name","field":"malName","value":"TROJ.Win32.TRX.XXPE50FFF101","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":2,"type":"detection_name","field":"malName","value":"TROJ.Win32.TRX.XXPE50FFF101","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":3,"type":"detection_name","field":"malName","value":"TROJ.Win32.TRX.XXPE50FFF101","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":4,"type":"file_sha1","field":"fileHash","value":"BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":5,"type":"file_sha1","field":"fileHash","value":"BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":6,"type":"file_sha1","field":"fileHash","value":"BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":7,"type":"filename","field":"fileName","value":"hodowu.exe","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":8,"type":"filename","field":"fileName","value":"ulxq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":9,"type":"filename","field":"fileName","value":"gkuoiq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":10,"type":"fullpath","field":"filePathName","value":"E:\\NEW 2024\\PROJEK VOUCHER ZONA\\hodowu.exe","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":11,"type":"fullpath","field":"filePathName","value":"E:\\NEW 2024\\PROJEK VOUCHER ZONA\\ulxq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":12,"type":"fullpath","field":"filePathName","value":"E:\\NEW 2024\\PROJEK VOUCHER ZONA\\gkuoiq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":13,"type":"text","field":"actResult","value":"Quarantined","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":14,"type":"text","field":"scanType","value":"REALTIME","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":15,"type":"text","field":"actResult","value":"Quarantined","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":16,"type":"text","field":"scanType","value":"REALTIME","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":17,"type":"text","field":"actResult","value":"Quarantined","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":18,"type":"text","field":"scanType","value":"REALTIME","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]}]'
investigationResult: 'No Findings'
investigationStatus: 'New'
matchedRules: '[{"id":"3da5246f-6a41-42e3-95e4-d63862083093","name":"Predictive Machine Learning Detection","matchedFilters":[{"id":"38bba32c-6775-4a88-b86e-2987e57991bb","name":"Predictive Machine Learning Detection","matchedDateTime":"2026-01-22T07:57:12.000Z","mitreTechniqueIds":[],"matchedEvents":[{"uuid":"96942013-14df-4026-a35d-a4e00511f7d2","matchedDateTime":"2026-01-22T07:57:12.000Z","type":"PRODUCT_EVENT_LOG"}]},{"id":"38bba32c-6775-4a88-b86e-2987e57991bb","name":"Predictive Machine Learning Detection","matchedDateTime":"2026-01-22T07:58:34.000Z","mitreTechniqueIds":[],"matchedEvents":[{"uuid":"56fd75d9-39b8-41b9-a8f9-cfc37ae673e2","matchedDateTime":"2026-01-22T07:58:34.000Z","type":"PRODUCT_EVENT_LOG"}]},{"id":"38bba32c-6775-4a88-b86e-2987e57991bb","name":"Predictive Machine Learning Detection","matchedDateTime":"2026-01-22T08:01:43.000Z","mitreTechniqueIds":[],"matchedEvents":[{"uuid":"8fa2c81a-3a88-42f9-9cf4-de27d163b9da","matchedDateTime":"2026-01-22T08:01:43.000Z","type":"PRODUCT_EVENT_LOG"}]}]}]'
model: 'Unknown Threat Detection via Predictive Machine Learning'
modelId: '16981bac-9cf1-4d0d-969b-d01a5d2580e6'
modelType: 'preset'
ownerIds: '[]'
schemaVersion: '1.21'
score: '36'
severity: 'medium'
status: 'Open'
updatedDateTime: '2026-01-22T08:18:04Z'
workbenchLink: 'https://portal.sg.xdr.trendmicro.com/index.html#/workbench/alerts/WB-18012-20260122-00571?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3'Regards,
Bayu Sangkaya
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/XS6D6TwWIGg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/517aaee5-18d1-4115-a6f5-b54f6663399en%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages