Always invalid parent


Bayu Sangkaya (bayusky.labs)

Jan 22, 2026, 4:48:39 AM
to Wazuh | Mailing List
I am trying to create a decoder for Trend Micro alerts. The data in the Trend Micro alerts is nested JSON, so I tried to combine the JSON and regex decoders.

This is the decoder I tried to create.

<decoder name="trendmicro">
  <parent>json</parent>
  <use_own_name>true</use_own_name>
  <prematch>xdr.trendmicro.com</prematch>
</decoder>

<decoder name="trendmicro-malware">
  <parent>trendmicro</parent>
  <regex>"field":"malName","value":"(\.+)"</regex>
  <order>tm.malware</order>
</decoder>

<decoder name="trendmicro-filehash">
  <parent>trendmicro</parent>
  <regex>"field":"fileHash","value":"(\.+)"</regex>
  <order>tm.file_sha1</order>
</decoder>

<decoder name="trendmicro-filename">
  <parent>trendmicro</parent>
  <regex>"field":"fileName","value":"(\.+)"</regex>
  <order>tm.file_name</order>
</decoder>

<decoder name="json">
  <parent>json</parent>
  <use_own_name>true</use_own_name>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>


Where did I go wrong?


Stuti Gupta

Jan 22, 2026, 5:30:02 AM
to Wazuh | Mailing List

Hi Bayu Sangkaya,

It looks like the issue may be related to the sub-child decoder. Wazuh supports child and sibling decoders, but sub-child behavior may not work as expected in some cases.

Additionally, the last decoder you shared doesn't seem appropriate:

<decoder name="json">
  <parent>json</parent>
  <use_own_name>true</use_own_name>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

The built-in JSON decoder already processes any log in JSON format. If the log matches the JSON decoder (parent), there's generally no need for a plugin decoder again, as it won't add value.

Could you please share a sample of the log you’re trying to decode? This will help confirm the exact issue.

If possible, please share the log from archives.json. Use:
cat /var/ossec/logs/archives/archives.json | grep <keyword_from_log>
To enable the archives, please refer to https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#archiving-event.
Note: Enabling archives significantly increases disk usage and is not recommended for large-scale/production deployments unless you have adequate storage.

To know more about decoders, please refer to https://documentation.wazuh.com/current/user-manual/ruleset/decoders/index.html.

Bayu Sangkaya

Jan 22, 2026, 5:34:05 AM
to Stuti Gupta, Wazuh | Mailing List
Hi Stuti,

This is the log:
{"schemaVersion": "1.21", "id": "WB-18012-20260122-00571", "investigationStatus": "New", "status": "Open", "investigationResult": "No Findings", "workbenchLink": "https://portal.sg.xdr.trendmicro.com/index.html#/workbench/alerts/WB-18012-20260122-00571?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3", "alertProvider": "SAE", "modelId": "16981bac-9cf1-4d0d-969b-d01a5d2580e6", "model": "Unknown Threat Detection via Predictive Machine Learning", "modelType": "preset", "score": 36, "severity": "medium", "createdDateTime": "2026-01-22T08:18:04Z", "updatedDateTime": "2026-01-22T08:18:04Z", "ownerIds": [], "impactScope": {"desktopCount": 1, "serverCount": 0, "accountCount": 0, "emailAddressCount": 0, "containerCount": 0, "cloudIdentityCount": 0, "cloudWorkloadCount": 0, "entities": [{"entityType": "host", "entityValue": {"guid": "6995AB29-7993-B410-EBAD-B1A51AFD9853", "name": "g005_dc_12", "ips": ["192.168.47.202"]}, "entityId": "6995AB29-7993-B410-EBAD-B1A51AFD9853", "relatedEntities": [], "relatedIndicatorIds": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18], "provenance": ["Alert"], "managementScopeGroupId": "9ac2fc55-e42d-6234-034d-e60d9697ec22", "managementScopeInstanceId": "7e2a0b79-ba9e-0659-e7f1-42c0313cc270", "managementScopePartitionKey": "f7415844-9019-afc8-9cb8-1e602332faa2"}]}, "description": "An unknown threat was detected on an endpoint by Trend Micro Predictive Machine Learning.", "matchedRules": [{"id": "3da5246f-6a41-42e3-95e4-d63862083093", "name": "Predictive Machine Learning Detection", "matchedFilters": [{"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T07:57:12.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "96942013-14df-4026-a35d-a4e00511f7d2", "matchedDateTime": "2026-01-22T07:57:12.000Z", "type": "PRODUCT_EVENT_LOG"}]}, {"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": 
"2026-01-22T07:58:34.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "56fd75d9-39b8-41b9-a8f9-cfc37ae673e2", "matchedDateTime": "2026-01-22T07:58:34.000Z", "type": "PRODUCT_EVENT_LOG"}]}, {"id": "38bba32c-6775-4a88-b86e-2987e57991bb", "name": "Predictive Machine Learning Detection", "matchedDateTime": "2026-01-22T08:01:43.000Z", "mitreTechniqueIds": [], "matchedEvents": [{"uuid": "8fa2c81a-3a88-42f9-9cf4-de27d163b9da", "matchedDateTime": "2026-01-22T08:01:43.000Z", "type": "PRODUCT_EVENT_LOG"}]}]}], "indicators": [{"id": 1, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 2, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 3, "type": "detection_name", "field": "malName", "value": "TROJ.Win32.TRX.XXPE50FFF101", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 4, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 5, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 6, "type": "file_sha1", "field": "fileHash", "value": "BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 7, 
"type": "filename", "field": "fileName", "value": "hodowu.exe", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 8, "type": "filename", "field": "fileName", "value": "ulxq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 9, "type": "filename", "field": "fileName", "value": "gkuoiq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 10, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\hodowu.exe", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 11, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\ulxq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 12, "type": "fullpath", "field": "filePathName", "value": "E:\\NEW 2024\\PROJEK VOUCHER ZONA\\gkuoiq.pif", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 13, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 14, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 15, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": 
["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 16, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 17, "type": "text", "field": "actResult", "value": "Quarantined", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}, {"id": 18, "type": "text", "field": "scanType", "value": "REALTIME", "relatedEntities": ["6995AB29-7993-B410-EBAD-B1A51AFD9853"], "filterIds": ["38bba32c-6775-4a88-b86e-2987e57991bb"], "provenance": ["Alert"]}]}

With the default JSON decoder, it looks like this:
**Phase 2: Completed decoding.
	name: 'json'
	alertProvider: 'SAE'
	createdDateTime: '2026-01-22T08:18:04Z'
	description: 'An unknown threat was detected on an endpoint by Trend Micro Predictive Machine Learning.'
	id: 'WB-18012-20260122-00571'
	impactScope.accountCount: '0'
	impactScope.cloudIdentityCount: '0'
	impactScope.cloudWorkloadCount: '0'
	impactScope.containerCount: '0'
	impactScope.desktopCount: '1'
	impactScope.emailAddressCount: '0'
	impactScope.entities: '[{"entityType":"host","entityValue":{"guid":"6995AB29-7993-B410-EBAD-B1A51AFD9853","name":"g005_dc_12","ips":["192.168.47.202"]},"entityId":"6995AB29-7993-B410-EBAD-B1A51AFD9853","relatedEntities":[],"relatedIndicatorIds":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18],"provenance":["Alert"],"managementScopeGroupId":"9ac2fc55-e42d-6234-034d-e60d9697ec22","managementScopeInstanceId":"7e2a0b79-ba9e-0659-e7f1-42c0313cc270","managementScopePartitionKey":"f7415844-9019-afc8-9cb8-1e602332faa2"}]'
	impactScope.serverCount: '0'
	indicators: '[{"id":1,"type":"detection_name","field":"malName","value":"TROJ.Win32.TRX.XXPE50FFF101","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":2,"type":"detection_name","field":"malName","value":"TROJ.Win32.TRX.XXPE50FFF101","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":3,"type":"detection_name","field":"malName","value":"TROJ.Win32.TRX.XXPE50FFF101","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":4,"type":"file_sha1","field":"fileHash","value":"BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":5,"type":"file_sha1","field":"fileHash","value":"BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":6,"type":"file_sha1","field":"fileHash","value":"BEBA1B12821483E6D8A5B3044E40FABD9DAE02E2","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":7,"type":"filename","field":"fileName","value":"hodowu.exe","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":8,"type":"filename","field":"fileName","value":"ulxq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":9,"type":"filename","field":"fileName","value":"gkuoiq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":10,"
type":"fullpath","field":"filePathName","value":"E:\\NEW 2024\\PROJEK VOUCHER ZONA\\hodowu.exe","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":11,"type":"fullpath","field":"filePathName","value":"E:\\NEW 2024\\PROJEK VOUCHER ZONA\\ulxq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":12,"type":"fullpath","field":"filePathName","value":"E:\\NEW 2024\\PROJEK VOUCHER ZONA\\gkuoiq.pif","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":13,"type":"text","field":"actResult","value":"Quarantined","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":14,"type":"text","field":"scanType","value":"REALTIME","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":15,"type":"text","field":"actResult","value":"Quarantined","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":16,"type":"text","field":"scanType","value":"REALTIME","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":17,"type":"text","field":"actResult","value":"Quarantined","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]},{"id":18,"type":"text","field":"scanType","value":"REALTIME","relatedEntities":["6995AB29-7993-B410-EBAD-B1A51AFD9853"],"filterIds":["38bba32c-6775-4a88-b86e-2987e57991bb"],"provenance":["Alert"]}]'
	investigationResult: 'No Findings'
	investigationStatus: 'New'
	matchedRules: '[{"id":"3da5246f-6a41-42e3-95e4-d63862083093","name":"Predictive Machine Learning Detection","matchedFilters":[{"id":"38bba32c-6775-4a88-b86e-2987e57991bb","name":"Predictive Machine Learning Detection","matchedDateTime":"2026-01-22T07:57:12.000Z","mitreTechniqueIds":[],"matchedEvents":[{"uuid":"96942013-14df-4026-a35d-a4e00511f7d2","matchedDateTime":"2026-01-22T07:57:12.000Z","type":"PRODUCT_EVENT_LOG"}]},{"id":"38bba32c-6775-4a88-b86e-2987e57991bb","name":"Predictive Machine Learning Detection","matchedDateTime":"2026-01-22T07:58:34.000Z","mitreTechniqueIds":[],"matchedEvents":[{"uuid":"56fd75d9-39b8-41b9-a8f9-cfc37ae673e2","matchedDateTime":"2026-01-22T07:58:34.000Z","type":"PRODUCT_EVENT_LOG"}]},{"id":"38bba32c-6775-4a88-b86e-2987e57991bb","name":"Predictive Machine Learning Detection","matchedDateTime":"2026-01-22T08:01:43.000Z","mitreTechniqueIds":[],"matchedEvents":[{"uuid":"8fa2c81a-3a88-42f9-9cf4-de27d163b9da","matchedDateTime":"2026-01-22T08:01:43.000Z","type":"PRODUCT_EVENT_LOG"}]}]}]'
	model: 'Unknown Threat Detection via Predictive Machine Learning'
	modelId: '16981bac-9cf1-4d0d-969b-d01a5d2580e6'
	modelType: 'preset'
	ownerIds: '[]'
	schemaVersion: '1.21'
	score: '36'
	severity: 'medium'
	status: 'Open'
	updatedDateTime: '2026-01-22T08:18:04Z'
	workbenchLink: 'https://portal.sg.xdr.trendmicro.com/index.html#/workbench/alerts/WB-18012-20260122-00571?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3'
I want to extract the data under the nested JSON. Thanks for the help.

Regards,
Bayu Sangkaya


Stuti Gupta

Jan 23, 2026, 3:28:51 AM
to Wazuh | Mailing List

Your decoder didn’t work because JSON_Decoder cannot automatically parse JSON arrays like "indicators":[ {...}, {...}, ... ]. It only processes JSON objects ({...}), not lists ([...]).

Since your event begins with a JSON array, the decoder matches the prematch but cannot extract any fields, so decoding completes with no results. To decode arrays, Wazuh requires additional decoders like:


<decoder name="json">
<parent>json</parent>
<prematch> trend</prematch>
<regex>"indicators": [{"id": 1, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", {id": 2, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", \.+{"id": 3, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", \.+{"id": 4, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", \.+{"id": 5, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", \.+{"id": 6, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", \.+{"id": 7, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", \.+{"id": 8, "type": "(\.+)", "field": "(\.+)", "value": "(\.+)", \.+</regex><order>type1, field1, value1, type2, field2, value2, type3, field3, value3, type4, field4, value4, type5, field5, value5, type6, field6, value6, type7, field7, value7, type8, field8, value8</order>
</decoder>
Modify this decoder according to your needs.

But if you add this decoder, it will only decode the indicator values. If you need to decode the rest of the values, you need to create/add regexes for those fields as well.
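As an added example (not code from this thread, from Wazuh or from Trend Micro), the script below models the flattening visible in the Phase 2 output above and shows an alternative to a positional regex over the indicators array: lift each indicator's field/value pair to a top-level key before the event reaches Wazuh, so the stock JSON decoder exposes tm.malName, tm.fileHash and tm.fileName directly and the values are not tied to the indicator's position. The constructed sample alert, the tm. prefix and the comma-joining of repeated values are assumptions of this example, not Wazuh behaviour.

```python
import json

# Constructed, trimmed alert with the same shape as the Trend Micro alert
# posted in the thread (all values are made up; only the structure matters).
SAMPLE_ALERT = {
    "id": "WB-00000-20260122-00000", "severity": "medium",
    "workbenchLink": "https://portal.sg.xdr.trendmicro.com/index.html#/workbench/alerts/WB-00000",
    "impactScope": {"desktopCount": 1, "entities": [
        {"entityType": "host", "entityValue": {"name": "host01", "ips": ["10.0.0.5"]}}]},
    "indicators": [
        {"id": 1, "type": "detection_name", "field": "malName", "value": "EXAMPLE.Detection"},
        {"id": 2, "type": "detection_name", "field": "malName", "value": "EXAMPLE.Detection"},
        {"id": 3, "type": "file_sha1", "field": "fileHash", "value": "0000000000000000000000000000000000000001"},
        {"id": 4, "type": "filename", "field": "fileName", "value": "a.exe"},
        {"id": 5, "type": "filename", "field": "fileName", "value": "b.pif"},
        {"id": 6, "type": "text", "field": "actResult", "value": "Quarantined"},
    ],
}


def flatten_like_wazuh(obj, prefix=""):
    """Model what the thread's Phase 2 output shows the stock JSON decoder doing:
    nested objects become dotted keys, arrays stay one unparsed JSON string."""
    out = {}
    for key, val in obj.items():
        name = prefix + key
        if isinstance(val, dict):
            out.update(flatten_like_wazuh(val, name + "."))
        elif isinstance(val, list):
            out[name] = json.dumps(val, separators=(",", ":"))
        else:
            out[name] = val  # Wazuh would render this as a string
    return out


def lift_indicators(alert, prefix="tm."):
    """Copy each indicator's field/value pair to a top-level scalar key
    (tm.malName, tm.fileHash, ...) that the stock JSON decoder will expose.
    The posted alert repeats the same malName once per matched filter, so values
    are de-duplicated; distinct values for one field are comma-joined (assumption)."""
    values = {}
    for ind in alert.get("indicators", []):
        field, value = ind.get("field"), ind.get("value")
        if field is None or value is None:
            continue
        bucket = values.setdefault(field, [])
        if value not in bucket:
            bucket.append(value)
    enriched = dict(alert)
    for field, bucket in values.items():
        enriched[prefix + field] = ",".join(str(v) for v in bucket)
    return enriched


def preprocess(raw_line):
    """One raw alert line in, one enriched line to forward to Wazuh out."""
    return json.dumps(lift_indicators(json.loads(raw_line)))
```

Run the enriched line through archives.json and the Phase 2 output will list the tm.* keys next to the flattened top-level fields, while the original indicators array is still present as a string.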