wazuh rule


a mohan

Jul 10, 2025, 8:05:52 AM
to Wazuh | Mailing List
Dear team,
I am Rammohan. I don't have the knowledge regarding writing rules and decoders. I have a log with me; could you please give me the decoder and rule for this log so that the alerts are visualized in the Wazuh dashboard? This use case is unauthorised configuration change.
sudo cat /var/ossec/logs/archives/archives.log | grep '"eventID":"13"'
2025 Jul 10 11:50:51 (windows-agent) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"13","version":"2","level":"4","task":"13","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-07-10T11:50:50.3100414Z","eventRecordID":"833471","processID":"2916","threadID":"4600","channel":"Microsoft-Windows-Sysmon/Operational","computer":"windows-agent","severityValue":"INFORMATION","message":"\"Registry value set:\r\nRuleName: -\r\nEventType: SetValue\r\nUtcTime: 2025-07-10 11:50:50.309\r\nProcessGuid: {28e75253-fde8-686e-4900-000000002100}\r\nProcessId: 1944\r\nImage: C:\\Windows\\system32\\svchost.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Config\\LastKnownGoodTime\r\nDetails: QWORD (0x01dbf190-0xe1c79063)\r\nUser: NT AUTHORITY\\LOCAL SERVICE\""},"eventdata":{"eventType":"SetValue","utcTime":"2025-07-10 11:50:50.309","processGuid":"{28e75253-fde8-686e-4900-000000002100}","processId":"1944","image":"C:\\\\Windows\\\\system32\\\\svchost.exe","targetObject":"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\Config\\\\LastKnownGoodTime","details":"QWORD (0x01dbf190-0xe1c79063)","user":"NT AUTHORITY\\\\LOCAL SERVICE"}}}


Is it possible to write rules and a decoder using this log? If it is possible, please give me the decoder and rule for this log, because sudo cat /var/ossec/logs/alerts/alerts.json | grep '"eventID":"13"' doesn't give any response.
sudo cat /var/ossec/logs/archives/archives.json | grep '"eventID":"13"'
{"timestamp":"2025-07-10T11:58:19.346+0000","agent":{"id":"003","name":"windows-agent","ip":"10.0.0.4"},"manager":{"name":"wazuh"},"id":"1752148699.4938705","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"13\",\"version\":\"2\",\"level\":\"4\",\"task\":\"13\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2025-07-10T11:58:18.3141731Z\",\"eventRecordID\":\"833615\",\"processID\":\"2916\",\"threadID\":\"4600\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"windows-agent\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry value set:\\r\\nRuleName: -\\r\\nEventType: SetValue\\r\\nUtcTime: 2025-07-10 11:58:18.314\\r\\nProcessGuid: {28e75253-fde8-686e-4900-000000002100}\\r\\nProcessId: 1944\\r\\nImage: C:\\\\Windows\\\\system32\\\\svchost.exe\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\Config\\\\Status\\\\LastGoodSampleInfo\\r\\nDetails: 133966222983140079;VM IC Time Synchronization Provider\\r\\nUser: NT AUTHORITY\\\\LOCAL SERVICE\\\"\"},\"eventdata\":{\"eventType\":\"SetValue\",\"utcTime\":\"2025-07-10 11:58:18.314\",\"processGuid\":\"{28e75253-fde8-686e-4900-000000002100}\",\"processId\":\"1944\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\",\"targetObject\":\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\Config\\\\\\\\Status\\\\\\\\LastGoodSampleInfo\",\"details\":\"133966222983140079;VM IC Time Synchronization Provider\",\"user\":\"NT AUTHORITY\\\\\\\\LOCAL SERVICE\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"13","version":"2","level":"4","task":"13","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-07-10T11:58:18.3141731Z","eventRecordID":"833615","processID":"2916","threadID":"4600","channel":"Microsoft-Windows-Sysmon/Operational","computer":"windows-agent","severityValue":"INFORMATION","message":"\"Registry value set:\r\nRuleName: -\r\nEventType: SetValue\r\nUtcTime: 2025-07-10 11:58:18.314\r\nProcessGuid: {28e75253-fde8-686e-4900-000000002100}\r\nProcessId: 1944\r\nImage: C:\\Windows\\system32\\svchost.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Config\\Status\\LastGoodSampleInfo\r\nDetails: 133966222983140079;VM IC Time Synchronization Provider\r\nUser: NT AUTHORITY\\LOCAL SERVICE\""},"eventdata":{"eventType":"SetValue","utcTime":"2025-07-10 11:58:18.314","processGuid":"{28e75253-fde8-686e-4900-000000002100}","processId":"1944","image":"C:\\\\Windows\\\\system32\\\\svchost.exe","targetObject":"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\Config\\\\Status\\\\LastGoodSampleInfo","details":"133966222983140079;VM IC Time Synchronization Provider","user":"NT AUTHORITY\\\\LOCAL SERVICE"}}},"location":"EventChannel"}


Could you please give me the decoder and rule for this and explain how we can write rules and decoders? I have already requested this, but I am not able to understand how to write decoders and rules. If you explain this use case, it will be very helpful for me for further use cases, which I can then handle myself. Thank you, Team.

Regards,
Rammohan  

Olamilekan Abdullateef Ajani

Jul 10, 2025, 3:48:01 PM
to Wazuh | Mailing List
Hello Rammohan,

I trust you are doing great. The logs you shared are Windows event channel logs, which already have pre-defined decoders and rules to match them when they are ingested into Wazuh. You can check the screenshot for more information on this.

You can try querying the alerts.json file with another parameter, like: cat /var/ossec/logs/alerts/alerts.json | grep 13 or cat /var/ossec/logs/alerts/alerts.json | grep 1944

Please let me know what you find.
log-log2.png
log-log.png
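The following is an added example of what a custom rule set for this use case looks like; it is not code from either participant in the thread and not part of Wazuh's own ruleset. It relies on two things the posted archives.json line already shows: the event is decoded by the built-in windows_eventchannel decoder (so no custom decoder is needed), and the decoded eventdata fields keep two literal backslashes per path separator ("image":"C:\\\\Windows..."). Assumptions to verify on the manager: the built-in Sysmon rule for Event 13 is id 61615 and has level 0 (only rules at or above log_alert_level, 3 by default, are written to alerts.json, which is why the grep on alerts.json returns nothing); the rule ids 100100 to 100102 are arbitrary picks from the 100000+ range reserved for custom rules; and the MITRE ids are illustrative. The rules go in /var/ossec/etc/rules/local_rules.xml.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml : added example, not Wazuh's own ruleset -->
<group name="local,sysmon,registry,">

  <!-- Assumption (verify): the built-in rule for Sysmon Event 13 is id 61615, level 0.
       Check with:
         grep -n 'Event 13' /var/ossec/ruleset/rules/0595-win-sysmon_rules.xml
       If the id differs, change the if_sid values below; otherwise these rules never fire.

       Escaping: decoded eventdata values contain two literal backslashes per separator,
       so the PCRE2 pattern \\\\ (four characters in the XML) matches one separator. -->

  <!-- 1. Any registry value set under a Windows service key becomes a level-5 alert. -->
  <rule id="100100" level="5">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)^HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\</field>
    <description>Registry value set under a service key: $(win.eventdata.targetObject) by $(win.eventdata.image) as $(win.eventdata.user)</description>
    <mitre>
      <id>T1112</id>
    </mitre>
  </rule>

  <!-- 2. Suppress the expected W32Time bookkeeping seen in the posted logs:
       svchost.exe running as LOCAL SERVICE updating W32Time\Config\... .
       Level 0 means the event is matched but no alert is written. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)^C:\\\\Windows\\\\system32\\\\svchost\.exe$</field>
    <field name="win.eventdata.user" type="pcre2">(?i)^NT AUTHORITY\\\\LOCAL SERVICE$</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)^HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\Config\\\\</field>
    <description>Expected W32Time registry update by svchost.exe (suppressed)</description>
  </rule>

  <!-- 3. Escalate when the writing process is not one of the service-control binaries.
       This condition and the suppression above are mutually exclusive (one requires
       svchost.exe, the other excludes it), so the outcome does not depend on the
       order in which Wazuh evaluates sibling rules. -->
  <rule id="100102" level="10">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.image" type="pcre2" negate="yes">(?i)^C:\\\\Windows\\\\system32\\\\(svchost|services)\.exe$</field>
    <description>Service key modified by unexpected process $(win.eventdata.image): $(win.eventdata.targetObject)</description>
    <mitre>
      <id>T1112</id>
      <id>T1543.003</id>
    </mitre>
  </rule>

</group>
```

After saving the file, restart the manager (systemctl restart wazuh-manager) and test without waiting for a real event: run /var/ossec/bin/wazuh-logtest and paste the {"win":...} object from the archives.log line. The posted svchost.exe event should end at rule 100101 with level 0; the same event with a different image, say reg.exe, should end at rule 100102. Once live, check sudo grep '"id":"10010[02]"' /var/ossec/logs/alerts/alerts.json rather than a bare grep for 13 or 1944, which also match unrelated fields. Two caveats: Sysmon only emits Event 13 for keys its own configuration includes, so the W32Time key being reported does not mean every service key is; and the suppression keys on the image path and user name as reported by Sysmon, which is enough to drop the expected noise but should not be read as proof that the writer is the genuine svchost.exe.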