child decoder of windows_eventchannel

[Singh Satish]

I want to create child decoder of  windows_eventchannel which extract fields from win.eventdata.data

like below

<decoder name="db-mssql">

  <prematch>"providerName":"MSSQL\.*",</prematch>

  </decoder>

  <decoder name="db-mssql">

  <prematch>EventChannel.*"providerName":"MSSQL\$</prematch>

  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>"providerName":"(\w+)\$\w+",</regex>

  <order>program_name</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>"providerName":"(\.*)",</regex>

  <order>providerName</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>"systemTime":"(\.*)",</regex>

  <order>systemTime</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>"computer":"(\.*)",</regex>

  <order>dbServer</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>"severityValue":"(\.*)",</regex>

  <order>severityValue</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>\\naction_id:(\w+)</regex>

  <order>action_id</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>session_id:(\d+)</regex>

  <order>session_id</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>client_ip:(\d+.\d+.\d+.\d+)</regex>

  <order>db_rhost</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>session_server_principal_name:(\w+)\\nserver_principal_name|session_server_principal_name:WIN\\\\(\.*)\\nserver_principal_name</regex>

  <order>db_user</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>database_name:(\.*)\\nschema_name</regex>

  <order>db_name</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>\\nstatement:(\w+)</regex>

  <order>db_action</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>\sstatement:(\.*)\sadditional_information</regex>

  <order>db_statement</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>\\nduration_milliseconds:(\w+)</regex>

  <order>db_duration</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>\\naffected_rows:(\w+)</regex>

  <order>db_affected_rows</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>\\nsucceeded:(\w+)\\n</regex>

  <order>execution_status</order>

  </decoder>

  <decoder name="db-mssql-fields">

  <parent>db-mssql</parent>

  <regex>\\nobject_name:(\w+)\\n</regex>

  <order>object_name</order>

  </decoder>

[Md. Nazmur Sakib]

Hi Satish,

I am looking into your query. I will get back to you with my findings soon.

[Md. Nazmur Sakib]

Based on my findings at this moment, it is not possible to write sibling decoders for the Windows event channel decoder.

Check this discussion to learn more:
https://github.com/wazuh/wazuh/issues/7955


The problem is that the win.eventdata.data field from the event channel is included in the alert as a string directly. In order to decode the field correctly, we need this type of event to pass through the XML decoder (currently, only the Windows event channel C-code decoder is used).


You still use the values from the win.eventdata.data section as a condition to create rules with <match> or <regex>.
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-match

Check this document to learn more:

To search for any values from the win.eventdata.data, you can use DQL wildcard.
https://docs.opensearch.org/2.19/dashboards/dql

Let me know if you need any further information.