Wazuh Sysmon Installation Detection
13 views
Skip to first unread message
Yogi Valentino
Jan 21, 2026, 3:06:41 AM (yesterday) Jan 21
to Wazuh | Mailing List
I'm trying to Install app and make Wazuh detect what i did
This is the rules
This is the rules
<rule id="101101" level="5">
<if_sid>61603</if_sid>
<field name="win.eventdata.RuleName"></field>
<options>no_full_log</options>
<description>Sysmon - Event 1: File Opened $(win.eventdata.description).</description>
</rule>
<rule id="100502" level="5">
<if_sid>101101</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1204,technique_name=User Execution$</field>
<field name="win.eventdata.image">(?i)\.exe$</field>
<field name="win.eventdata.parentImage">(?i)\\explorer\.exe$</field>
<options>no_full_log</options>
<description>Application Installed $(win.eventdata.product) $(win.eventdata.fileVersion) by User.</description>
</rule>
But it only keep generated the first rule. Any ideas?
Here i put the screenshoot and the full JSON about the log rule.
<if_sid>61603</if_sid>
<field name="win.eventdata.RuleName"></field>
<options>no_full_log</options>
<description>Sysmon - Event 1: File Opened $(win.eventdata.description).</description>
</rule>
<rule id="100502" level="5">
<if_sid>101101</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1204,technique_name=User Execution$</field>
<field name="win.eventdata.image">(?i)\.exe$</field>
<field name="win.eventdata.parentImage">(?i)\\explorer\.exe$</field>
<options>no_full_log</options>
<description>Application Installed $(win.eventdata.product) $(win.eventdata.fileVersion) by User.</description>
</rule>
But it only keep generated the first rule. Any ideas?
Here i put the screenshoot and the full JSON about the log rule.
hasitha.u...@wazuh.com
Jan 21, 2026, 3:31:14 AM (yesterday) Jan 21
to Wazuh | Mailing List
Hi Yogi,
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.
Message has been deleted
hasitha.u...@wazuh.com
Jan 21, 2026, 3:56:57 AM (yesterday) Jan 21
to Wazuh | Mailing List
Hi Yogi,
I've tested this rule and identified the problem. The regex type isn't defined in the field tags section. You're using PCRE2 regex syntax, but you need to explicitly declare the regex type for it to work properly.
You needto modify them like below.
Custom rule path: /var/ossec/etc/rules/
After modifying the rule, make sure to restart the manager to apply the changes.
systemctl restart wazuh-manager
Further references:
Let me know if you need further assistance on this.
I've tested this rule and identified the problem. The regex type isn't defined in the field tags section. You're using PCRE2 regex syntax, but you need to explicitly declare the regex type for it to work properly.
- <field name="win.eventdata.image">(?i)\.exe$</field>
- <field name="win.eventdata.parentImage">(?i)\\explorer\.exe$</field>
- <field name="win.eventdata.image" type="pcre2">(?i)\.exe$</field>
- <field name="win.eventdata.parentImage" type="pcre2">(?i)\\explorer\.exe$</field>
Custom rule path: /var/ossec/etc/rules/
- <group name="sysmon_custom">
- <rule id="101101" level="5">
- <if_sid>61603</if_sid>
- <field name="win.eventdata.RuleName"></field>
- <options>no_full_log</options>
- <description>Sysmon - Event 1: File Opened $(win.eventdata.description).</description>
- </rule>
- <rule id="100502" level="5">
- <if_sid>101101</if_sid>
- <field name="win.eventdata.RuleName">^technique_id=T1204,technique_name=User Execution$</field>
- <field name="win.eventdata.image" type="pcre2">(?i)\.exe$</field>
- <field name="win.eventdata.parentImage" type="pcre2">(?i)\\explorer\.exe$</field>
- <options>no_full_log</options>
- <description>Application Installed $(win.eventdata.product) $(win.eventdata.fileVersion) by User.</description>
- </rule>
- </group>
After modifying the rule, make sure to restart the manager to apply the changes.
systemctl restart wazuh-manager
Further references:
Let me know if you need further assistance on this.
Reply all
Reply to author
Forward
0 new messages