Wazuh decoders and rules for Kaspersky KES logs
Junior Gonçalves
Hi everyone
I’m looking for help creating Wazuh decoders and rules for Kaspersky KES logs. I’ve already tried a few approaches, but I’m currently stuck and not able to move forward.
The log is arriving correctly at the Wazuh Manager, for example:
Jan 5 17:29:47 ti04.teste.brasil KES|11.0.0.0 Event type: Object deleted\r\nName: SearchProtocolHost.exe\r\nApplication path: C:\Windows\System32\r\nProcess ID: 21056\r\nResult description: Deleted\r\nType: Virus\r\nName: EICAR-Test-File\r\nUser: BRASILSP\TI04$ (Initiator)\r\nObject: C:\Users\user.teste\Desktop\eicar_com (3).zip//eicar.com\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F
I already tried creating some basic decoders, like these:
<decoder name="kaspersky-kes-base">
<prematch>KES\|</prematch>
</decoder>
<decoder name="kaspersky-kes-object-deleted">
<prematch>KES\|11\.0\.0\.0 Event type: Object deleted</prematch>
<regex>Event type:\s(Object deleted)</regex>
<order>event_type</order>
</decoder>
<decoder name="kaspersky-kes-sha256">
<prematch>SHA256:</prematch>
<regex>SHA256:\s([A-Fa-f0-9]{64})</regex>
<order>sha256</order>
</decoder>
However, I’m still struggling to properly structure:
-
The decoders (regex, order, multiline handling, correct prematch)
-
The rules (severity level, groups, correlation, descriptions)
My goal is to generate clear Wazuh alerts, such as:
-
Malware detection (virus / quarantined / deleted)
-
Extracting user, affected file, and hash values
-
Proper severity classification
If anyone has experience with Kaspersky KES + Wazuh or can share examples or best practices for decoders and rules, any help or guidance would be greatly appreciated 🙏
Thanks in advance!
Olamilekan Abdullateef Ajani
<prematch type="pcre2">^KES\|</prematch>
</decoder>
<decoder name="kes-object-detection">
<parent>kes-parent</parent>
<regex type="pcre2">KES\|[0-9.]+\s+Event type:\s*([^\r\n]+)\\r\\nName:\s*([^\r\n]+)\\r\\nApplication path:\s*([^\r\n]+)\\r\\nProcess ID:\s*([0-9]+)\\r\\nResult description:\s*([^\r\n]+)\\r\\nType:\s*([^\r\n]+)\\r\\nName:\s*([^\r\n]+)\\r\\nUser:\s*([^\r\n]+)\\r\\nObject:\s*([^\r\n]+)\\r\\nSHA256:\s*([A-F0-9]+)\\r\\nMD5:\s*([A-F0-9]+)</regex>
<order>event_type,process_name,app_path,pid,result,malware_type,malware_name,user,object,hash-sha256,hash-md5</order>
</decoder>
For rules: /var/ossec/etc/rules/local_rules.xml
<group name="KES-event">
<rule id="120100" level="10">
<decoded_as>kes-parent</decoded_as>
<description>KES Malware Deleted — $(malware_name) on $(object)</description>
</rule>
</group>
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
I also found a GitHub repository that has decoders and rules for Kaspersky Security Center:
https://github.com/tread-lightly/KSC_decoders_and_rules_for_Wazuh
Junior Gonçalves
Hello,
Thank you very much for your help and for sharing the decoders and rules. I tested them in my environment and they worked correctly — I was able to parse the fields and generate alerts as expected. This was extremely helpful.
I have one additional question:
Is it possible to create a generic rule to capture all Kaspersky (KES) alerts, regardless of the event type, while still keeping the main fields separated (such as event type, malware name, object, hashes, user, etc.)?
My idea would be to have:
-
one generic rule for visibility of all Kaspersky events, and
-
more specific rules (like malware detected/deleted) built on top of it.
If you have any recommendation or best practice for this approach, I would really appreciate it.
Thank you again for your time and support.
Best regards,
Junior