pulling my hair out with rule exceptions

[Dirk Westenhaus]

Hello List,

please excuse my noobish questions. I have been able to override rules and their notifications before, but I do not seem to be able to sush a specific alarm that is flooding mailboxes.

A problem in my understanding might come from the fact that the alarm is about “Multiple System error events” (Rule 61110), and I have no real strategy how to handle that.

My normal strategy is that from https://groups.google.com/g/wazuh/c/spLEtj109iQ/m/o-vnchdRAgAJ.

A copy of the problematic notification is attached as “notification.txt”. A json log of an exemplatory event is attached as “alert.json”; a json log of the “multiple error” event is attached as “notification.json”.

Here is my last unsuccessful trial:

```xml
  <rule id="100015" level="4">
    <if_matched_sid>61102</if_matched_sid>
    <field name="data.win.system.eventID">36876</field>
    <description>(Avast-)Zertifikatsprobleme, Regel Nr.2</description>
    <options>no_full_log</options>
  </rule>

```

Please: What am I doing wrong?

Thank you for every hint.

[Luis González Romero]

Hello dirk.westenhaus, I hope you’re doing well.

I have conducted some research on your issue, but I have been unable to replicate the case you described. When using the full_log field in your alert.json, it results in a bug under the json decoder and a syslog group rule that should not match.

To assist you further, could you please provide some logs that trigger those alerts for you? This will allow me to replicate your issue and provide you with the necessary help.

You can try using those logs with the /var/ossec/bin/wazuh-logtest command and verify if their behavior aligns with your expectations. In my case, when attempting to use them, they do not trigger the alert that appears in your alert.json.

Best regards,

Luis

​

[Dirk Westenhaus]

Hello Luis,

thank you for your attention. How would I gather some logs that trigger those alerts? I thought activating logall_json was the way to do it. Is there any kind of ID that I could grep the archives log for?

Best regards, Dirk

[Luis González Romero]

I apologize for the confusion. It seems there was a misunderstanding. Since I cannot view the actual alert you are working with, I might not have complete context on the exact issue you are facing.

Based on the log from the alert you provided, the alert with rule ID 1002 is triggered for me.

If you want to search the logs that will trigger an alert with <field name="data.win.system.eventID">36876</field> in the log, you can use grep or any other suitable method to search for that eventID in the logs. Additionally, you can use the archived logs for this purpose.

If you have any further updates, please feel free to let me know. I’m here to assist you further.

Best regards,
Luis.

​

[Dirk Westenhaus]

Hello Luis,

thank you, your feedback is appreciated very much. But I am still confused: Doesn't notification.json  that I posted earlier contain the event that is triggering the “multiple errors” alert?

Best regards, Dirk.

[Dirk Westenhaus]

Sorry; alert.json is the one containing the single event, doesn't it?

I am trying to handle this for days.

Best regards, Dirk

[Luis González Romero]

I apologize if I had for confusion in my previous responses. Let me clarify: What I understand is that you have those alerts but you want make them change so when your event contains the 36876 ID under the data.win.system.eventID field it triggers the custom rule you shared.

The problem here, is that using the full_log that appear in your JSON files, I do not obtain the same rule triggered that you shared. In order to help you, I need to know how are you able to obtain that alert triggered (61110) when receiving that full_log. You can find that log in the JSON files you shared. I mean, the JSON files you shared are not the events that trigger an alert, they are the alerts’ json themself. The log event that triggers the alert are the full_log field that they contain. So, you should be able to obtain more logs for that eventID within your archives: /var/ossec/logs/archives.

Then, you can check which alert your logs trigger by pasting them in /var/ossec/bin/wazuh-logtest. This tool allows you to verify if a log matches with a decoder, which fields are gathered and if an alert is triggered.

In my case, this happens:

root@manager44:/home/vagrant# /var/ossec/bin/wazuh-logtest Starting wazuh-logtest v4.4.4 Type one log per line {"win":{"system":{"providerName":"Schannel","providerGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","eventID":"36876","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-18T07:25:47.169985200Z","eventRecordID":"514059","processID":"656","threadID":"2308","channel":"System","computer":"hostname.domainname","severityValue":"ERROR","message":"\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\""},"eventdata":{"errorCode":"0x80092013","binary":"AAA"}}} **Phase 1: Completed pre-decoding. full event: '{"win":{"system":{"providerName":"Schannel","providerGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","eventID":"36876","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-18T07:25:47.169985200Z","eventRecordID":"514059","processID":"656","threadID":"2308","channel":"System","computer":"hostname.domainname","severityValue":"ERROR","message":"\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\""},"eventdata":{"errorCode":"0x80092013","binary":"AAA"}}}' **Phase 2: Completed decoding. name: 'json' **Phase 3: Completed filtering (rules). id: '1002' level: '2' description: 'Unknown problem somewhere in the system.' groups: '['syslog', 'errors']' firedtimes: '1' gpg13: '['4.3']' mail: 'False'

So, I need to know how what I a missing to obtain the 61110 rule triggered for your log, instead of 1002. So I can continue the research.

Thanks,
Luis

​

[Dirk Westenhaus]

Hello Luis,

I want to apologize for the confusion. There seems to be a great misunderstanding on my part.

The rule with ID 61110 is for “Multiple System error events”. I do not want to silence that for all thos events, but I need to filter out events with event ID 36876 that lead to it, so they do not get registered, counted and alterted.

But when I grep both /var/ossec/logs/archives/archives.json or …/archives.log for that event id, I do not get anything else than the data I provided.

See:
# tac archives.log | grep 36876 | head -n1
2023 Jul 20 15:47:55 (hostname) any->EventChannel {"win":{"system":{"providerName":"Schannel","providerGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","eventID":"36876","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-20T13:47:54.255103600Z","eventRecordID":"521752","processID":"656","threadID":"3732","channel":"System","computer":"hostname.domainname","severityValue":"ERROR","message":"\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\""},"eventdata":{"errorCode":"0x80092013","binary":"[…]"}}}

And:

# tac archives.json | grep 36876 | head -n1
{"timestamp":"2023-07-20T15:51:08.254+0200","rule":{"level":10,"description":"Multiple System error events","id":"61110","frequency":8,"firedtimes":12,"mail":true,"groups":["windows","windows_system"]},"agent":{"id":"011","name":"hostname","ip":"10.11.15.33"},"manager":{"name":"wazuhhost"},"id":"1689861068.4984221278","previous_output":"{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:50:49.930153500Z\",\"eventRecordID\":\"521758\",\"processID\":\"656\",\"threadID\":\"2100\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]\"}}}\n{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:50:19.862587700Z\",\"eventRecordID\":\"521757\",\"processID\":\"656\",\"threadID\":\"6540\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]\"}}}\n{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:49:49.777747100Z\",\"eventRecordID\":\"521756\",\"processID\":\"656\",\"threadID\":\"6540\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]\"}}}\n{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:49:22.194479200Z\",\"eventRecordID\":\"521755\",\"processID\":\"656\",\"threadID\":\"6540\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]\"}}}\n{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:48:52.131186100Z\",\"eventRecordID\":\"521754\",\"processID\":\"656\",\"threadID\":\"1548\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]\"}}}\n{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:48:22.049736900Z\",\"eventRecordID\":\"521753\",\"processID\":\"656\",\"threadID\":\"3732\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]\"}}}\n{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:47:54.255103600Z\",\"eventRecordID\":\"521752\",\"processID\":\"656\",\"threadID\":\"3732\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]4\"}}}","full_log":"{\"win\":{\"system\":{\"providerName\":\"Schannel\",\"providerGuid\":\"{1F678132-5938-4686-9FDC-C8FF68F15C85}\",\"eventID\":\"36876\",\"version\":\"0\",\"level\":\"2\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-20T13:51:07.257479200Z\",\"eventRecordID\":\"521759\",\"processID\":\"656\",\"threadID\":\"2100\",\"channel\":\"System\",\"computer\":\"hostname.domainname\",\"severityValue\":\"ERROR\",\"message\":\"\\\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\\\"\"},\"eventdata\":{\"errorCode\":\"0x80092013\",\"binary\":\"[…]\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Schannel","providerGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","eventID":"36876","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-20T13:51:07.257479200Z","eventRecordID":"521759","processID":"656","threadID":"2100","channel":"System","computer":"hostname.domainname","severityValue":"ERROR","message":"\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\""},"eventdata":{"errorCode":"0x80092013","binary":"[…]"}}},"location":"EventChannel"}

Host names and domain names have been changed to protect the innocent (and binary data removed for a little better readability), but apart from that, this is the verbatim content of the logs.

When I feed the full_log contents to wazuh-logtest I get the same results as you. But where could I possibly find “better” alerts?

Best regards, Dirk.

[Luis González Romero]

Hello again.

I have been working on a possible workaround for this. Allow me to explain the approach I’ve taken.

First, before making any changes, I recommend creating a backup of the /var/ossec/ruleset/rules/0575-win-base_rules.xml file. This way, you can easily revert to the original settings if needed.

Next, we need to remove the category field and replace <decoded_as>windows_eventchannel</decoded_as> with <decoded_as>json</decoded_as>:

<rule id="60000" level="0"> <decoded_as>json</decoded_as> <field name="win.system.providerName">\.+</field> <options>no_full_log</options> <description>Group of windows rules.</description> </rule>

By enabling the use of JSON decoding, your JSON events should trigger the Windows alerts as expected.

root@manager44:/home/vagrant# /var/ossec/bin/wazuh-logtest Starting wazuh-logtest v4.4.4 Type one log per line {"win":{"system":{"providerName":"Schannel","providerGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","eventID":"36876","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-20T13:47:54.255103600Z","eventRecordID":"521752","processID":"656","threadID":"3732","channel":"System","computer":"hostname.domainname","severityValue":"ERROR","message":"\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\""},"eventdata":{"errorCode":"0x80092013","binary":"[…]"}}} **Phase 1: Completed pre-decoding. **Phase 2: Completed decoding. name: 'json' win.eventdata.binary: '[…]' win.eventdata.errorCode: '0x80092013' win.system.channel: 'System' win.system.computer: 'hostname.domainname' win.system.eventID: '36876' win.system.eventRecordID: '521752' win.system.keywords: '0x8000000000000000' win.system.level: '2' win.system.message: '"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat."' win.system.opcode: '0' win.system.processID: '656' win.system.providerGuid: '{1F678132-5938-4686-9FDC-C8FF68F15C85}' win.system.providerName: 'Schannel' win.system.severityValue: 'ERROR' win.system.systemTime: '2023-07-20T13:47:54.255103600Z' win.system.task: '0' win.system.threadID: '3732' win.system.version: '0' **Phase 3: Completed filtering (rules). id: '61102' level: '5' description: 'Windows System error event' groups: '['windows', 'windows_system', 'system_error']' firedtimes: '1' gdpr: '['IV_35.7.d']' gpg13: '['4.3']' mail: 'False' **Alert to be generated.

After verifying that the events are being decoded correctly, we can proceed to update the decoder in your /var/ossec/etc/rules/local_rules.xml file:

<group name="windows,"> <rule id="100015" level="4"> <if_sid>61102</if_sid> <field name="win.system.eventID">^36876$</field> <description>(Avast-)Zertifikatsprobleme, Regel Nr.2</description> <options>no_full_log</options> </rule> </group>

Please note that you can use any rule ID you prefer.

With these changes in place, the 36876 events should now trigger your custom alert.

root@manager44:/home/vagrant# /var/ossec/bin/wazuh-logtest Starting wazuh-logtest v4.4.4 Type one log per line {"win":{"system":{"providerName":"Schannel","providerGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","eventID":"36876","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-20T13:47:54.255103600Z","eventRecordID":"521752","processID":"656","threadID":"3732","channel":"System","computer":"hostname.domainname","severityValue":"ERROR","message":"\"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat.\""},"eventdata":{"errorCode":"0x80092013","binary":"[…]"}}} **Phase 1: Completed pre-decoding. **Phase 2: Completed decoding. name: 'json' win.eventdata.binary: '[…]' win.eventdata.errorCode: '0x80092013' win.system.channel: 'System' win.system.computer: 'hostname.domainname' win.system.eventID: '36876' win.system.eventRecordID: '521752' win.system.keywords: '0x8000000000000000' win.system.level: '2' win.system.message: '"Das vom Remoteserver empfangene Zertifikat wurde nicht ordnungsgemäß bestätigt. Fehlercode: 0x80092013. Fehler bei der TLS-Verbindungsanforderung. Die angefügten Daten enthalten das Serverzertifikat."' win.system.opcode: '0' win.system.processID: '656' win.system.providerGuid: '{1F678132-5938-4686-9FDC-C8FF68F15C85}' win.system.providerName: 'Schannel' win.system.severityValue: 'ERROR' win.system.systemTime: '2023-07-20T13:47:54.255103600Z' win.system.task: '0' win.system.threadID: '3732' win.system.version: '0' **Phase 3: Completed filtering (rules). id: '100015' level: '4' description: '(Avast-)Zertifikatsprobleme, Regel Nr.2' groups: '['windows']' firedtimes: '1' mail: 'False' **Alert to be generated.

Hope this helps you,
Luis

​

[Dirk Westenhaus]

Hello Luis,

thank you for your dedication to help! Please bear with me. I think I have an idea why the event is not being recorded as expected: The underlying error triggers two different alerts on different agents, and one type I had been able to silence with the following:

  <rule id="100022" level="0">
    <if_sid>18103</if_sid>
    <id>36876</id>
    <extra_data type="pcre2">^(Schannel|System)$</extra_data>
    <description>(Avast-)Zertifikatsprobleme, Regel Nr.1</description>
    <options>no_email_alert</options>
  </rule>

Maybe this is … “obfuscating” the event?

I have not tried applying your workaround – thanks – because I think it would be better to fix the underlying problem, if possible. But I will if you advise.

Best regards, Dirk.

[Dirk Westenhaus]

PS: I deactivated both rules before, recorded an event and fed it to the wazuh-logtester. Surprisingly, its response looked better BUT had a phase 3 section missing?

[Luis González Romero]

The best practice you can follow is to create child rules as I explained in my previous message. So, if the parent rule is triggered, then your custom error rule will be triggered as well.

Regarding the statement The underlying error triggers two different alerts on different agents, do you mean that in some agents, the log you provided triggers 18103, and in others, it triggers 61102? In that case, could you share the agent’s version for each case, the decoders you customized, etc.?

When you encounter any issues or have specific scenarios you’d like me to help with, please provide details on how to replicate them. For example, you can mention if you created a rule, which rule was triggered, and how you customized the decoders/rules.

Regarding silencing the Wazuh’s ruleset, it is not recommended. Instead, you can create custom rules that include that rule within its if_sid, as the workaround I shared. This way, you can have more control and customization without silencing the ruleset.

Best regards,
Luis

​

[Dirk Westenhaus]

ok, thank you, let me apply the suggested change and monitor the results. But isn't changing the core rules against best practice rules? Wouldn't those changes be lost with the next update?

Best regards, Dirk.

[Dirk Westenhaus]

Hello,

the suggested change in the core ruleset did succeed in so far that none of the problematic alarm notifications were fired. However, the amount of overall registered events have been dramatically reduced …

Best regards, Dirk.

[Luis González Romero]

isn’t changing the core rules against best practice rules?

Yes, it is not recommended. But in this case, there’s no other option but change the rules or duplicate the windows rules with the json and category changes.

Wouldn’t those changes be lost with the next update?

Yes, sorry for forgetting to tell you how to avoid that. Here you have the documentation section that explains it.

However, the amount of overall registered events have been dramatically reduced

Do you mean that some Windows alerts are not showing up? Which ones? It is strange since the Windows alerts were not being triggered with your logs. Could you share some alerts that were triggered before the changes and now they don’t (buth the json and the logs that trigger those alerts)?

If you have some logs that trigger the Windows rules without the changes, you may have to duplicate the Windows rules using the new parent we changed and duplicate the child rules using the modified rule as the parent.

I will be waiting for any updates.

Best regards,

Luis.

​