custom Wazuh rule


mohammed sekkouri

Mar 10, 2026, 8:26:39 AM (6 days ago) Mar 10
to Wazuh | Mailing List

Dear Support Team,

I hope you are doing well.

I am currently trying to create a custom Wazuh rule, but I am encountering an issue where the alert never triggers my custom rule. Instead, Wazuh always generates the default alert from the built-in rule, and my rule is never matched.

My goal is to detect a specific event and generate a custom alert with my own rule ID and description, but despite several attempts, Wazuh continues to trigger only the original rule.


<rule id="670280" level="9" overwrite="yes">
    <if_sid>60103</if_sid>
    Match sulla stringa JSON privilegeList
    <field name="win.eventdata.targetUserName" type="pcre2">^(?!.*(\$|SYSTEM|DWM|UMFD)).*$</field>
    <field name="win.eventdata.subjectUserName" type="pcre2">^(?!.*(SYSTEM|DWM-|UMFD-)).*$</field>
    <field name="win.system.eventID">^4672$</field>
    <field name="win.eventdata.subjectUserSid" negate="yes">^S-1-5-18$</field>
    <description>Special privileges assigned to new logon - User: $(win.eventdata.subjectUserName)</description>
    <mitre>
      <id>T1484</id>
    </mitre>
</rule>


Thank you in advance for your assistance.
I look forward to your reply.

Kind regards,
Mohammed


Olamilekan Abdullateef Ajani

Mar 10, 2026, 9:05:11 AM (6 days ago) Mar 10
to Wazuh | Mailing List
Hello Medpro524,

After reviewing your rule logic, I found some issues even though they are mostly correct.

<rule id="670280" level="9" overwrite="yes"> Overwrite only replaces a rule with the same ID, and I am guessing 670280 is the only custom rule created, so overwrite is not applicable here.

If your intention was to replace the original rule, then you can use this instead: <rule id="60103" level="9" overwrite="yes">
You can find more information about changing existing rules here

Or rewrite the rule as shown below:

<rule id="670280" level="9">
    <if_sid>60103</if_sid>

Also this has to be commented on: Match sulla stringa JSON privilegeList

Which, in the end, your rule can look like this:


<rule id="670280" level="9">
  <if_sid>60103</if_sid>
  <field name="win.system.eventID">4672</field>

  <field name="win.eventdata.targetUserName" type="pcre2">^(?!.*(\$|SYSTEM|DWM|UMFD)).*$</field>
  <field name="win.eventdata.subjectUserName" type="pcre2">^(?!.*(SYSTEM|DWM-|UMFD-)).*$</field>
  <field name="win.eventdata.subjectUserSid" negate="yes">^S-1-5-18$</field>
  <description>Special privileges assigned to new logon - User: $(win.eventdata.subjectUserName)</description>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>

Lastly, please note for rule 670280 to trigger, the fields below must match in rule 60103 when captured, because those are the criteria listed.

<field name="win.eventdata.targetUserName" type="pcre2">^(?!.*(\$|SYSTEM|DWM|UMFD)).*$</field>
<field name="win.eventdata.subjectUserName" type="pcre2">^(?!.*(SYSTEM|DWM-|UMFD-)).*$</field>
<field name="win.system.eventID">^4672$</field>
<field name="win.eventdata.subjectUserSid" negate="yes">^S-1-5-18$</field>

If you require further assistance on this, kindly share a sample log from the archives.json file for further testing. You can learn more about enabling archives here.
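As an added illustration (not code from either poster or from Wazuh itself), the following Python script applies the four `<field>` conditions of the corrected rule 670280 to constructed sample events, so the regexes can be checked against a decoded log before the ruleset is changed. It assumes the parent rule 60103 has already matched and treats a field missing from the event as a non-match, negated or not.

```python
import re

# Field conditions copied from the corrected rule 670280 in the thread.
# Each entry: (dotted field name as Wazuh decodes it, pattern, negate)
RULE_670280_FIELDS = [
    ("win.system.eventID", r"^4672$", False),
    ("win.eventdata.targetUserName", r"^(?!.*(\$|SYSTEM|DWM|UMFD)).*$", False),
    ("win.eventdata.subjectUserName", r"^(?!.*(SYSTEM|DWM-|UMFD-)).*$", False),
    ("win.eventdata.subjectUserSid", r"^S-1-5-18$", True),
]

def flatten(obj, prefix=""):
    """Turn a nested decoded event into Wazuh-style dotted keys."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = str(value)
    return out

def rule_matches(event, fields=RULE_670280_FIELDS):
    """Every <field> condition must hold for the rule to fire.
    Assumption: a field absent from the event never satisfies a
    condition, whether or not it is negated."""
    flat = flatten(event)
    for name, pattern, negate in fields:
        value = flat.get(name)
        if value is None:
            return False
        matched = re.search(pattern, value) is not None
        if matched == negate:          # plain field: must match; negate="yes": must not
            return False
    return True

# Constructed sample events, not real logs.
ADMIN_LOGON = {"win": {"system": {"eventID": "4672"},
    "eventdata": {"subjectUserName": "jdoe", "targetUserName": "jdoe",
                  "subjectUserSid": "S-1-5-21-1111-2222-3333-1001"}}}
SYSTEM_LOGON = {"win": {"system": {"eventID": "4672"},
    "eventdata": {"subjectUserName": "SYSTEM", "targetUserName": "HOST$",
                  "subjectUserSid": "S-1-5-18"}}}
NO_TARGET = {"win": {"system": {"eventID": "4672"},
    "eventdata": {"subjectUserName": "jdoe",
                  "subjectUserSid": "S-1-5-21-1111-2222-3333-1001"}}}

if __name__ == "__main__":
    for label, ev in [("admin", ADMIN_LOGON), ("system", SYSTEM_LOGON), ("no target", NO_TARGET)]:
        print(label, rule_matches(ev))   # admin True, system False, no target False
```

The third event carries no `targetUserName` and therefore never matches; if the real 4672 events in archives.json also lack that field, that alone is enough to keep the rule from firing, which is why a sample log is the first thing to check.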