Wazuh Correlation for EventID 4104 (Powershell ScriptBlock)
37 views
Skip to first unread message
никита какдела
May 14, 2026, 5:45:31 AM (3 days ago) May 14
to Wazuh | Mailing List
Hello Team!
I'm trying to set up correlation for EventID 4104 events, but I'm faced with the fact that not all fields from the event come to Wazuh. Firstly, there is no Security UserID field, which is the main field by which the initiator can be identified. But I thought it was possible to correlate with event 4103 using the Correlation ActivityId field, but it's not there either! Tell me, what is the reason for the restriction? What should I do about it? 4104 is an integral part of monitoring, you just need to have a complete picture of what is happening. Thank you for your understanding, I hope for a prompt response and a solution to the problem. Attaching an XML Event.
I'm trying to set up correlation for EventID 4104 events, but I'm faced with the fact that not all fields from the event come to Wazuh. Firstly, there is no Security UserID field, which is the main field by which the initiator can be identified. But I thought it was possible to correlate with event 4103 using the Correlation ActivityId field, but it's not there either! Tell me, what is the reason for the restriction? What should I do about it? 4104 is an integral part of monitoring, you just need to have a complete picture of what is happening. Thank you for your understanding, I hope for a prompt response and a solution to the problem. Attaching an XML Event.
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
<EventID>4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2026-05-13T13:18:58.2095785Z" />
<EventRecordID>148395</EventRecordID>
<Correlation ActivityID="{af95a756-e0c0-0003-8fd5-98afc0e0dc01}" />
<Execution ProcessID="8124" ThreadID="9668" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>tespc1.local</Computer>
<Security UserID="S-1-5-21-1574252229-270539701-1819828000-35576" />
</System>
- <EventData>
<Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">prompt</Data>
<Data Name="ScriptBlockId">3bae71cb-1ccf-4748-a337-acc883458b27</Data>
<Data Name="Path" />
</EventData>
</Event>
Carlos Anguita López
May 14, 2026, 11:52:29 AM (3 days ago) May 14
to Wazuh | Mailing List
Hello,
What you see is actually a known bug in the current 4.x Windows event decoder implementation. Some fields from the original XML event are not parsed and exposed by Wazuh.
There is already an issue tracking this behavior: wazuh/wazuh#4439
Wazuh 5.0 introduces a completely new event processing engine that converts Windows XML events directly into JSON. This new approach gives Wazuh more flexibility for field mapping and transformations.
Right now there's no clean workaround to reliably obtain those missing fields.
Possible alternatives are:
- Using Sysmon or additional telemetry sources for user/processes correlation.
- Wait until Wazuh 5.0 version is officially released and fixes these bugs.
никита какдела
May 15, 2026, 8:06:00 AM (2 days ago) May 15
to Wazuh | Mailing List
Can you send a roadmap? When will 5.0 released?
четверг, 14 мая 2026 г. в 18:52:29 UTC+3, Carlos Anguita López:
Carlos Anguita López
May 15, 2026, 11:40:37 AM (2 days ago) May 15
to Wazuh | Mailing List
Hello,
We don't have a official roadmap, nor a date of release.
You can check the GitHub Project that is public to see how the project is going.
Reply all
Reply to author
Forward
0 new messages