False Positive


Furkan İzci

Dec 2, 2024, 2:44:52 AM
to Wazuh | Mailing List
I have an alert that I believe is a false positive, and I want to block this false positive alert through scriptBlockText. I wrote the following rule, but it didn't work. Do you have any suggestions?

Screenshot_1.png

<group name="sysmon_whitelisting,">
   <rule id="100126" level="3">
      <if_sid>91823</if_sid>
      <field name="win.eventdata.scriptBlockText">^# Caller validation to ensure we are calling from and actual script, and not from a malicious command line function Test-Caller\.*$</field>
      <description>Exclude false positive Test-Caller</description>
   </rule>
</group>

hasitha.u...@wazuh.com

Dec 2, 2024, 3:07:57 AM
to Wazuh | Mailing List
Hi Furkan,

By default, Wazuh only generates alerts for level 3 or above.
I believe it will work with the match syntax and setting the level to 0.

<group name="sysmon_whitelisting,">
   <rule id="100126" level="0">
      <if_sid>91823</if_sid>
      <match>Caller validation to ensure we are calling from and actual script, and not from a malicious command line function Test-Caller</match>
      <description>Exclude false positive Test-Caller</description>
   </rule>
</group>


Make sure to restart wazuh manager after adding the rule.
systemctl restart wazuh-manager

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Let me know if this works for you.

Regards,
Hasitha Upekshitha

Furkan İzci

Dec 3, 2024, 2:26:41 AM
to Wazuh | Mailing List
Hi,

It didn't work.

On Monday, December 2, 2024 at 11:07:57 AM UTC+3, hasitha.u...@wazuh.com wrote:

hasitha.u...@wazuh.com

Dec 9, 2024, 10:30:00 PM
to Wazuh | Mailing List
Hi Furkan İzci,

Could you please share the full log from the archive logs to replicate this issue on my end?
You can enable archive logs for testing and first check that your logs are reaching the Wazuh manager by editing the /var/ossec/etc/ossec.conf file.

<ossec_config>
  <global>
    ----
    <logall>no</logall>
    <logall_json>yes</logall_json>

   -----
  </global>

  -----
</ossec_config>


Then check if you receive any logs from that log source in the archive log.
cat /var/ossec/logs/archives/archives.log | grep -i -E "part of your log"

Remember to disable the archive log after testing.

Regards,
Hasitha Upekshitha

Brummbär

Jun 16, 2026, 11:07:15 AM
to Wazuh | Mailing List
Hi,
I'm getting the same warning message as OP in Wazuh with rule 91823 and level 14 on several Windows servers. The alert states that a PowerShell script using “invoke-command” was launched. I don't know which PowerShell script this could be. What is triggering this warning message?

Md. Nazmur Sakib

Jun 25, 2026, 1:34:24 AM
to Wazuh | Mailing List

Brummbär, this rule is triggered if you have a log from the Microsoft-Windows-PowerShell/Operational event channel that has a field named ScriptBlockId and another field named scriptBlockText whose value contains Invoke-Command and ComputerName or CN.


Check the related rules for reference.

  <rule id="91801" level="0">
    <if_sid>60000, 60010</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-PowerShell/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the Powershell/Operational channel.</description>
  </rule>

  <rule id="91802" level="0">
    <if_sid>91801</if_sid>
    <field name="win.eventdata.ScriptBlockId" type="pcre2">.+</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the Powershell/Operational channel.</description>
  </rule>

  <rule id="91822" level="12">
    <if_sid>91802</if_sid>
    <field name="win.eventdata.scriptBlockText" type="pcre2">(?i)Invoke-Command</field>
    <options>no_full_log</options>
    <description>Powershell script used "Invoke-command" cmdlet to execute sub script</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <rule id="91823" level="14">
    <if_sid>91822</if_sid>
    <field name="win.eventdata.scriptBlockText" type="pcre2">(?i)(ComputerName|Cn)</field>
    <options>no_full_log</options>
    <description>Powershell script used "Invoke-command" cmdlet to execute code on remote computer</description>
    <mitre>
      <id>T1059.001</id>
      <id>T1021.006</id>
    </mitre>
  </rule>


So I would suggest that you review your logs in Event Viewer on your Windows endpoint to see more details about this alert.


Applications and services log > Microsoft > Windows > Powershell > Operational
2026-06-25 11 29 26.png

Let me know if you need any further information.
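The following Python model is an added example for this thread; it is not Wazuh's rule engine and not code posted by anyone above. It reproduces only the pieces that matter here: the if_sid parent/child chain quoted in the last reply (91801 -> 91802 -> 91822 -> 91823), the level-0 whitelist child rule 100126 suggested in the first reply, and Wazuh's default threshold that only rules at level 3 or above become alerts. Assumptions: Python's `re` module stands in for PCRE2, the whitelist rule is written here as a `pcre2` regex rather than `<match>` so every rule uses one regex flavour, rules 60000/60010 are taken as already matched, and the three script blocks are constructed samples (the OP's real script is only known from the screenshot).

```python
"""Simplified model of a Wazuh rule chain and a level-0 suppression rule.

Added illustration, not Wazuh's engine: it shows why a child rule with
if_sid 91823 and level 0 swallows the false positive, while the same
Invoke-Command text without the whitelist match still produces an alert.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALERT_LEVEL = 3  # Wazuh's default log_alert_level: only level 3+ becomes an alert


@dataclass
class Rule:
    rule_id: int
    level: int
    if_sid: Tuple[int, ...]                               # parent rule ids
    fields: Dict[str, str] = field(default_factory=dict)  # <field name=...> regexes
    match: Optional[str] = None                           # <match> substring on full log

    def matches(self, event: Dict[str, str]) -> bool:
        # Approximation: Python re stands in for PCRE2 (search, not full match).
        for name, pattern in self.fields.items():
            value = event.get(name)
            if value is None or re.search(pattern, value) is None:
                return False
        if self.match is not None and self.match not in event.get("full_log", ""):
            return False
        return True


# 91801..91823 as quoted in the thread; 100126 is the whitelist rule with the
# level-0 fix, rewritten as a pcre2 regex (an assumption made for this model).
RULES: List[Rule] = [
    Rule(91801, 0, (60000, 60010),
         {"win.system.channel": r"^Microsoft-Windows-PowerShell/Operational$"}),
    Rule(91802, 0, (91801,), {"win.eventdata.ScriptBlockId": r".+"}),
    Rule(91822, 12, (91802,), {"win.eventdata.scriptBlockText": r"(?i)Invoke-Command"}),
    Rule(91823, 14, (91822,), {"win.eventdata.scriptBlockText": r"(?i)(ComputerName|Cn)"}),
    Rule(100126, 0, (91823,),
         {"win.eventdata.scriptBlockText":
          r"(?i)^# Caller validation to ensure we are calling from and actual script"}),
]


def evaluate(event: Dict[str, str], rules: List[Rule] = RULES) -> Optional[Rule]:
    """Walk the if_sid tree. Rules 60000/60010 (generic Windows eventchannel rules,
    not quoted in the thread) are assumed to have matched already. At each level
    the first matching child is taken; the deepest match decides the level."""
    children: Dict[int, List[Rule]] = {}
    for rule in rules:
        for parent in rule.if_sid:
            children.setdefault(parent, []).append(rule)
    matched: Optional[Rule] = None
    parents = [60000, 60010]
    while True:
        nxt = next((c for p in parents for c in children.get(p, []) if c.matches(event)), None)
        if nxt is None:
            return matched
        matched = nxt
        parents = [nxt.rule_id]


def outcome(event: Dict[str, str]) -> Tuple[Optional[int], bool]:
    """Return (final rule id, whether an alert is raised at the default level)."""
    rule = evaluate(event)
    if rule is None:
        return None, False
    return rule.rule_id, rule.level >= ALERT_LEVEL


def _event(script: str) -> Dict[str, str]:
    # Constructed sample fields; a real decoded event carries many more.
    return {
        "win.system.channel": "Microsoft-Windows-PowerShell/Operational",
        "win.eventdata.ScriptBlockId": "00000000-0000-0000-0000-000000000000",  # placeholder
        "win.eventdata.scriptBlockText": script,
    }


# Constructed script blocks (not the OP's actual script).
FALSE_POSITIVE = _event(
    "# Caller validation to ensure we are calling from and actual script, "
    "and not from a malicious command line\n"
    "function Test-Caller { param($Name) return $true }\n"
    "Invoke-Command -ComputerName localhost -ScriptBlock { Get-Date }\n")
REMOTE_EXEC = _event("Invoke-Command -ComputerName fileserver01 -ScriptBlock { Get-Service }")
LOCAL_INVOKE = _event("Invoke-Command -ScriptBlock { Get-Service }")

if __name__ == "__main__":
    for name, ev in [("false positive", FALSE_POSITIVE),
                     ("remote exec", REMOTE_EXEC), ("local invoke", LOCAL_INVOKE)]:
        print(name, outcome(ev))
```

Two things the model makes visible: the whitelist only ever runs after 91823 has matched, so it cannot accidentally hide an Invoke-Command event that lacks the exact comment text, and `(?i)(ComputerName|Cn)` matches any case-insensitive "cn" substring, so 91823 will fire on script blocks that never name a remote computer, which is consistent with the unexplained level-14 alerts reported later in the thread. Before relying on a real rule, feed the archived event from archives.log through /var/ossec/bin/wazuh-logtest and confirm the final rule id is the level-0 one.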
