wazuh and Kaspersky events


Ivan Sergeevich

Oct 21, 2025, 1:18:13 PM
to Wazuh | Mailing List
Hi everyone, I'm trying to teach Wazuh how to process Kaspersky events.
The events look like this:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="avp" />
    <EventID Qualifiers="49154">302</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2025-10-21T15:48:17.7936887Z" />
    <EventRecordID>82181</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Kaspersky Endpoint Security</Channel>
    <Computer>comp.my.domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Тип события: Обнаружен вредоносный объект Название: chrome.exe Путь к приложению: C:\Program Files\Google\Chrome\Application ID процесса: 11368 Пользователь: domain\user.name (Инициатор) Компонент: Защита от веб-угроз Описание результата: Обнаружено Тип: Вирус Название: EICAR-Test-File Степень угрозы: Точно Точность: Высокая Тип объекта: Файл Путь к объекту: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip// Название объекта: eicar.com Причина: Экспертный анализ Дата выпуска баз: 21.10.2025 14:07:00 SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F MD5: 44D88612FEA8A8F36DE82E1278ABB02F</Data>
  </EventData>
</Event>
They arrive at the Wazuh server in this format
cat /var/ossec/logs/archives/archives.log | grep "KES|"
(run on the Wazuh server)

2025 Oct 21 18:48:22 wzh->192.168.100.21 1 2025-10-21T15:48:17.000Z comp.my.domain KES|11.0.0.0 - GNRL_EV_VIRUS_FOUND [event@23668 p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" p5="EICAR-Test-File" p7="domain\\user.name" p8="60" p9="{\"engine\":3,\"method\":3,\"blacklist\":false,\"cloud_sb\":false,\"md5\":\"44D88612FEA8A8F36DE82E1278ABB02F\"}" et="GNRL_EV_VIRUS_FOUND" tdn="Защита от веб-угроз" etdn="Обнаружен вредоносный объект" hdn="comp" hip="191.128.210.159" gn="Laptops" engine="3" method="3" kscfqdn="kesl"] Описание результата: Обнаружено\r\nТип: Вирус\r\nНазвание: EICAR-Test-File\r\nПользователь: domain\user.name (Инициатор)\r\nОбъект: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip//eicar.com\r\nПричина: Экспертный анализ\r\nДата выпуска баз: 21.10.2025 14:07:00\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F
2025 Oct 21 18:48:22 wzh->192.168.100.21 1 2025-10-21T15:48:17.000Z comp.my.domain KES|11.0.0.0 - GNRL_EV_OBJECT_BLOCKED [event@23668 p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" p5="EICAR-Test-File" p7="domain\\user.name" p8="60" p9="{\"engine\":3,\"method\":0,\"blacklist\":false,\"cloud_sb\":false,\"md5\":\"44D88612FEA8A8F36DE82E1278ABB02F\"}" et="GNRL_EV_OBJECT_BLOCKED" tdn="Защита от веб-угроз" etdn="Загрузка объекта запрещена" hdn="comp" hip="191.128.210.159" gn="Laptops" kscfqdn="kesl"] Описание результата: Запрещено\r\nТип: Вирус\r\nНазвание: EICAR-Test-File\r\nПользователь: domain\user.name (Инициатор)\r\nОбъект: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip//eicar.com\r\nДата выпуска баз: 21.10.2025 14:07:00\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F

The decoders are like this

<decoder name="kes-syslog">
  <prematch>KES|</prematch>
</decoder>

<decoder name="kes-event-code">
  <parent>kes-syslog</parent>
  <regex>et="([^"]+)"</regex>
  <order>kes.event_code</order>
</decoder>

<decoder name="kes-hostname">
  <parent>kes-syslog</parent>
  <regex>hdn="([^"]+)"</regex>
  <order>kes.hostname</order>
</decoder>

<decoder name="kes-event-description">
  <parent>kes-syslog</parent>
  <regex>etdn="([^"]+)"</regex>
  <order>kes.event_description</order>
</decoder>

<decoder name="kes-malware-name">
  <parent>kes-syslog</parent>
  <regex>p5="([^"]+)"</regex>
  <order>kes.malware_name</order>
</decoder>

<decoder name="kes-object">
  <parent>kes-syslog</parent>
  <regex>p2="([^"]+)"</regex>
  <order>kes.object</order>
</decoder>

<decoder name="kes-user">
  <parent>kes-syslog</parent>
  <regex>p7="([^"]+)"</regex>
  <order>kes.user</order>
</decoder>

<decoder name="kes-sha256">
  <parent>kes-syslog</parent>
  <regex>p1="([^"]+)"</regex>
  <order>kes.sha256</order>
</decoder>

The rules are like this
<group name="kaspersky,kes">
  <rule id="100300" level="0">
    <decoded_as>kes-syslog</decoded_as>
    <description>Kaspersky: KES event received</description>
  </rule>

  <rule id="100398" level="3">
    <if_sid>100300</if_sid>
    <description>KES DEBUG: Code=$(kes.event_code) Host=$(kes.hostname) Desc=$(kes.event_description) Malware=$(kes.malware_name) Object=$(kes.object) User=$(kes.user) SHA256=$(kes.sha256)</description>
    <group>kaspersky_debug</group>
  </rule>

  <rule id="100324" level="12">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">GNRL_EV_VIRUS_FOUND</field>
    <description>KES Critical: Malware $(kes.malware_name) detected on $(kes.hostname) by $(kes.user). Object: $(kes.object) SHA256: $(kes.sha256)</description>
    <group>kaspersky_critical,virus_detected</group>
  </rule>

  <rule id="100325" level="7">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">GNRL_EV_OBJECT_BLOCKED</field>
    <description>KES Warning: Object blocked on $(kes.hostname) by $(kes.user) - $(kes.malware_name). Object: $(kes.object)</description>
    <group>kaspersky_warning,object_blocked</group>
  </rule>

  <rule id="100399" level="3">
    <if_sid>100300</if_sid>
    <description>KES: Event $(kes.event_description) on $(kes.hostname) [$(kes.event_code)]</description>
    <group>kaspersky_info</group>
  </rule>
</group>



But the decoders aren't working (they don't extract fields, and all my events are under 3)
Here's the test output.

**Phase 1: Completed pre-decoding.
        full event: 'KES|11.0.0.0 - GNRL_EV_VIRUS_FOUND [event@23668 p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" p5="EICAR-Test-File" p7="domain\\user.name" p8="60" p9="{\"engine\":3,\"method\":3,\"blacklist\":false,\"cloud_sb\":false,\"md5\":\"44D88612FEA8A8F36DE82E1278ABB02F\"}" et="GNRL_EV_VIRUS_FOUND" tdn="Защита от веб-угроз" etdn="Обнаружен вредоносный объект" hdn="comp" hip="191.128.210.159" gn="Laptops" engine="3" method="3" kscfqdn="kesl"] Описание результата: Обнаружено\r\nТип: Вирус\r\nНазвание: EICAR-Test-File\r\nПользователь: DOMAIN\user.name (Инициатор)\r\nОбъект: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip//eicar.com\r\nПричина: Экспертный анализ\r\nДата выпуска баз: 21.10.2025 14:07:00\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F'

**Phase 2: Completed decoding.
        name: 'kes-syslog'

**Phase 3: Completed filtering (rules).
        id: '100398'
        level: '3'
        description: 'KES DEBUG: Code= Host= Desc= Malware= Object= User= SHA256='
        groups: '['kaspersky', 'keskaspersky_debug']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

2025 Oct 21 18:48:22 wzh->192.168.100.21 1 2025-10-21T15:48:17.000Z comp.my.domain KES|11.0.0.0 - GNRL_EV_VIRUS_FOUND [event@23668 p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" p5="EICAR-Test-File" p7="domain\\user.name" p8="60" p9="{\"engine\":3,\"method\":3,\"blacklist\":false,\"cloud_sb\":false,\"md5\":\"44D88612FEA8A8F36DE82E1278ABB02F\"}" et="GNRL_EV_VIRUS_FOUND" tdn="Защита от веб-угроз" etdn="Обнаружен вредоносный объект" hdn="comp" hip="191.128.210.159" gn="Laptops" engine="3" method="3" kscfqdn="kesl"] Описание результата: Обнаружено\r\nТип: Вирус\r\nНазвание: EICAR-Test-File\r\nПользователь: DOMAIN\user.name (Инициатор)\r\nОбъект: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip//eicar.com\r\nПричина: Экспертный анализ\r\nДата выпуска баз: 21.10.2025 14:07:00\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F
2025 Oct 21 18:48:22 wzh->192.168.100.21 1 2025-10-21T15:48:17.000Z comp.my.domain KES|11.0.0.0 - GNRL_EV_OBJECT_BLOCKED [event@23668 p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" p5="EICAR-Test-File" p7="domain\\user.name" p8="60" p9="{\"engine\":3,\"method\":0,\"blacklist\":false,\"cloud_sb\":false,\"md5\":\"44D88612FEA8A8F36DE82E1278ABB02F\"}" et="GNRL_EV_OBJECT_BLOCKED" tdn="Защита от веб-угроз" etdn="Загрузка объекта запрещена" hdn="comp" hip="191.128.210.159" gn="Laptops" kscfqdn="kesl"] Описание результата: Запрещено\r\nТип: Вирус\r\nНазвание: EICAR-Test-File\r\nПользователь: DOMAIN\user.name (Инициатор)\r\nОбъект: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip//eicar.com\r\nДата выпуска баз: 21.10.2025 14:07:00\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F

**Phase 1: Completed pre-decoding.
        full event: '2025 Oct 21 18:48:22 wzh->192.168.100.21 1 2025-10-21T15:48:17.000Z comp.my.domain KES|11.0.0.0 - GNRL_EV_VIRUS_FOUND [event@23668 p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" p5="EICAR-Test-File" p7="domain\\user.name" p8="60" p9="{\"engine\":3,\"method\":3,\"blacklist\":false,\"cloud_sb\":false,\"md5\":\"44D88612FEA8A8F36DE82E1278ABB02F\"}" et="GNRL_EV_VIRUS_FOUND" tdn="Защита от веб-угроз" etdn="Обнаружен вредоносный объект" hdn="comp" hip="191.128.210.159" gn="Laptops" engine="3" method="3" kscfqdn="kesl"] Описание результата: Обнаружено\r\nТип: Вирус\r\nНазвание: EICAR-Test-File\r\nПользователь: DOMAIN\user.name (Инициатор)\r\nОбъект: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip//eicar.com\r\nПричина: Экспертный анализ\r\nДата выпуска баз: 21.10.2025 14:07:00\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F'
        timestamp: '2025 Oct 21 18:48:22'

**Phase 2: Completed decoding.
        name: 'kes-syslog'

**Phase 3: Completed filtering (rules).
        id: '100398'
        level: '3'
        description: 'KES DEBUG: Code= Host= Desc= Malware= Object= User= SHA256='
        groups: '['kaspersky', 'keskaspersky_debug']'
        firedtimes: '2'
        mail: 'False'
**Alert to be generated.


**Phase 1: Completed pre-decoding.
        full event: '2025 Oct 21 18:48:22 wzh->192.168.100.21 1 2025-10-21T15:48:17.000Z comp.my.domain KES|11.0.0.0 - GNRL_EV_OBJECT_BLOCKED [event@23668 p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" p5="EICAR-Test-File" p7="domain\\user.name" p8="60" p9="{\"engine\":3,\"method\":0,\"blacklist\":false,\"cloud_sb\":false,\"md5\":\"44D88612FEA8A8F36DE82E1278ABB02F\"}" et="GNRL_EV_OBJECT_BLOCKED" tdn="Защита от веб-угроз" etdn="Загрузка объекта запрещена" hdn="comp" hip="191.128.210.159" gn="Laptops" kscfqdn="kesl"] Описание результата: Запрещено\r\nТип: Вирус\r\nНазвание: EICAR-Test-File\r\nПользователь: DOMAIN\user.name (Инициатор)\r\nОбъект: https://secure.eicar.org/eicarcom2.zip//eicar_com.zip//eicar.com\r\nДата выпуска баз: 21.10.2025 14:07:00\r\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F'
        timestamp: '2025 Oct 21 18:48:22'

**Phase 2: Completed decoding.
        name: 'kes-syslog'

**Phase 3: Completed filtering (rules).
        id: '100398'
        level: '3'
        description: 'KES DEBUG: Code= Host= Desc= Malware= Object= User= SHA256='
        groups: '['kaspersky', 'keskaspersky_debug']'
        firedtimes: '3'
        mail: 'False'
**Alert to be generated.


Please help me understand the syntax.

Olamilekan Abdullateef Ajani

Oct 21, 2025, 2:59:03 PM
to Wazuh | Mailing List

Hello Ivan,

From what you shared, the issue seems to be that you are using pcre2 syntax without declaring it; please see the example below:

<decoder name="kes-event-code">
  <parent>kes-syslog</parent>
  <regex type="pcre2">et="([^"]+)"</regex>
  <order>kes.event_code</order>
</decoder>

It should look like the above. I took the liberty of extracting some fields from the log; you can also use this as a reference if you need to.

<decoder name="Kaspersky">
  <prematch>event@23668</prematch>
</decoder>

<decoder name="Kaspersky-field">
  <parent>Kaspersky</parent>
  <regex type="pcre2">\[event@(\d+)\s+p1="([^"]+)"\s+p2="([^"]+)"\s+p5="([^"]+)".* et="([^"]+)"\s+tdn="([^"]+)"\s+etdn="([^"]+)"</regex>
  <order>KES.event-code,kes.sha256,kes.object,kes.malware_name,kes.event_code,kes.event2,kes.event_description</order>
</decoder>

Please see the attached result.

Please refer to the documentation for syntax checks where necessary.


Please let me know if you need further clarification.
Attachment: kaspersky-log.png
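As an added illustration (not code from the thread, and not Wazuh's own decoder engine), the Python below emulates what the pcre2 decoders in the reply do: it applies the same regexes to the logtest "full event" from the first message, maps capture groups to the `<order>` field names, and then renders a rule description from its `$(field)` placeholders. With no decoded fields the rendered description comes out as `KES DEBUG: Code= Host= ...`, which is exactly the symptom in the first message: the default decoder dialect (OS_Regex) has no bracket classes such as `[^"]+`, so without `type="pcre2"` those child regexes never match. The constants `SAMPLE_EVENT`, `CHILD_DECODERS`, `DEBUG_TEMPLATE` and the helpers `decode_kes` / `render_description` are constructed for this example, and Python's `re` is assumed to be close enough to PCRE2 for these patterns.

```python
import re

# Constructed sample: the "full event" from the thread's wazuh-logtest output,
# shortened to the part the decoders look at. The two backslashes in p7 and the
# escaped quotes in p9 are literal characters in the log line.
SAMPLE_EVENT = (
    'KES|11.0.0.0 - GNRL_EV_VIRUS_FOUND [event@23668 '
    'p1="275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" '
    'p2="https://secure.eicar.org/eicarcom2.zip//eicar_com.zip///eicar.com" '
    'p5="EICAR-Test-File" p7="domain\\\\user.name" p8="60" '
    'p9="{\\"engine\\":3,\\"method\\":3,\\"blacklist\\":false,\\"cloud_sb\\":false,'
    '\\"md5\\":\\"44D88612FEA8A8F36DE82E1278ABB02F\\"}" '
    'et="GNRL_EV_VIRUS_FOUND" tdn="Защита от веб-угроз" '
    'etdn="Обнаружен вредоносный объект" hdn="comp" hip="191.128.210.159" '
    'gn="Laptops" engine="3" method="3" kscfqdn="kesl"] '
    'Описание результата: Обнаружено'
)

# Parent decoder "Kaspersky" only has a <prematch>.
PREMATCH = "event@23668"

# Child decoders from the thread as (pcre2 regex, <order> field list).
CHILD_DECODERS = {
    "Kaspersky-field": (
        r'\[event@(\d+)\s+p1="([^"]+)"\s+p2="([^"]+)"\s+p5="([^"]+)".* et="([^"]+)"'
        r'\s+tdn="([^"]+)"\s+etdn="([^"]+)"\s+hdn="([^"]+)"',
        ["kes.event_internal_id", "kes.sha256", "kes.object", "kes.malware_name",
         "kes.event_code", "kes.task_description", "kes.event_description",
         "kes.hostname"],
    ),
    "kes-user": (r'p7="([^"]+)"', ["kes.user"]),
    "kes-ip": (r'hip="([^"]+)"', ["kes.host_ip"]),
    "kes-timestamp": (r'gn="([^"]+)"', ["kes.group"]),
}


def decode_kes(event: str) -> dict:
    """Emulate the parent prematch plus every child decoder; return the kes.* fields."""
    fields = {}
    if PREMATCH not in event:           # parent decoder does not match: no children run
        return fields
    for _name, (pattern, order) in CHILD_DECODERS.items():
        match = re.search(pattern, event)
        if match is None:               # this child extracts nothing, others still may
            continue
        # <order> names the capture groups left to right, as Wazuh does
        for field, value in zip(order, match.groups()):
            fields[field] = value
    return fields


TEMPLATE_RE = re.compile(r"\$\(([\w.]+)\)")


def render_description(template: str, fields: dict) -> str:
    """Expand $(field) placeholders the way a rule <description> is rendered.
    A field that was never decoded expands to nothing, which is what produced
    'KES DEBUG: Code= Host= ...' in the first logtest run of the thread."""
    return TEMPLATE_RE.sub(lambda m: fields.get(m.group(1), ""), template)


DEBUG_TEMPLATE = ("KES DEBUG: Code=$(kes.event_code) Host=$(kes.hostname) "
                  "Malware=$(kes.malware_name) User=$(kes.user)")

if __name__ == "__main__":
    decoded = decode_kes(SAMPLE_EVENT)
    for key, value in sorted(decoded.items()):
        print(f"{key} = {value}")
    print(render_description(DEBUG_TEMPLATE, {}))       # nothing decoded
    print(render_description(DEBUG_TEMPLATE, decoded))  # fields decoded
```

Running the script prints every kes.* field followed by the two rendered descriptions; the first of them reproduces the empty `Code= Host=` output and the second shows the values a rule sees once the decoders carry `type="pcre2"`.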

Ivan Sergeevich

Oct 23, 2025, 4:06:47 AM
to Wazuh | Mailing List
Thanks, it all worked!
Just in case, I'll leave the working decoders and rules for Kaspersky Security Center here; maybe they'll be useful to someone.
<group name="kaspersky,kes,">
  <!-- trailing comma added: without it Wazuh glues "kes" onto each rule's own <group> value,
       which is why the logtest output in the first message shows "keskaspersky_debug" -->

  <!-- ========== BASE RULES ========== -->

  <rule id="100300" level="0">
    <decoded_as>Kaspersky</decoded_as>
    <description>Kaspersky: KES event received</description>
  </rule>

  <rule id="100398" level="3">
    <if_sid>100300</if_sid>
    <description>KES DEBUG: Code=$(kes.event_code) Host=$(kes.hostname) Desc=$(kes.event_description) Malware=$(kes.malware_name) Object=$(kes.object) User=$(kes.user) SHA256=$(kes.sha256)</description>
    <group>kaspersky_debug</group>
  </rule>


  <!-- ========== CRITICAL EVENTS ========== -->

  <!-- Malware detection -->

  <rule id="100324" level="12">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">GNRL_EV_VIRUS_FOUND</field>
    <description>KES Critical: Malware $(kes.malware_name) detected on $(kes.hostname) by $(kes.user). Object: $(kes.object) SHA256: $(kes.sha256)</description>
    <group>kaspersky_critical,virus_detected</group>
  </rule>

  <!-- KSC communication error -->
  <rule id="100326" level="6">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">000003fb</field>
    <description>KES Critical: KSC connection error on $(kes.hostname) by $(kes.user) - $(kes.event_description)</description>
    <group>kaspersky_critical,ksc_connection_error</group>
  </rule>

  <!-- Component update errors -->
  <rule id="100329" level="8">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">000003fd</field>
    <description>KES Critical: Update failed on $(kes.hostname) - $(kes.event_description)</description>
    <group>kaspersky_critical,update_failed</group>
  </rule>

  <!-- Critical security events -->
  <rule id="100330" level="12">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">000003fa</field>
    <description>KES Critical: Security event on $(kes.hostname) - $(kes.event_description)</description>
    <group>kaspersky_critical,security_event</group>
  </rule>

  <!-- Critical device status -->
  <rule id="100331" level="11">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">KLSRV_HOST_STATUS_CRITICAL</field>
    <description>KES Critical: Host status critical for $(kes.hostname)</description>
    <group>kaspersky_critical,host_status_critical</group>
  </rule>

  <!-- Unidentified critical events -->
  <rule id="100332" level="9">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">00000039</field>
    <description>KES Critical: Unknown critical event $(kes.event_code) on $(kes.hostname)</description>
    <group>kaspersky_critical,unknown_event</group>
  </rule>


  <!-- ========== WARNING EVENTS ========== -->

  <!-- Object blocked -->
  <rule id="100325" level="11">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">GNRL_EV_OBJECT_BLOCKED</field>
    <description>KES Warning: Object blocked on $(kes.hostname) by $(kes.user) - $(kes.malware_name). Object: $(kes.object)</description>
    <group>kaspersky_warning,object_blocked</group>
  </rule>

  <!-- Task stopped -->
  <rule id="100340" level="5">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">000000de</field>
    <description>KES Warning: Task stopped on $(kes.hostname) by $(kes.user) - $(kes.event_description)</description>
    <group>kaspersky_warning,task_stopped</group>
  </rule>

  <!-- Connection blocked (network control) -->
  <rule id="100341" level="6">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">00000abe</field>
    <description>KES Warning: Network connection blocked on $(kes.hostname) by $(kes.user) - $(kes.object)</description>
    <group>kaspersky_warning,network_blocked</group>
  </rule>

  <!-- Application self-defense disabled -->
  <rule id="100342" level="11">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">000000d3</field>
    <description>KES Warning: Self-protection disabled on $(kes.hostname) by $(kes.user)</description>
    <group>kaspersky_warning,self_protection_disabled</group>
  </rule>

  <!-- Databases outdated -->
  <rule id="100343" level="7">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">000000d0</field>
    <description>KES Warning: Outdated databases on $(kes.hostname) - $(kes.event_description)</description>
    <group>kaspersky_warning,outdated_databases</group>
  </rule>

  <!-- Device status warning -->
  <rule id="100344" level="5">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">KLSRV_HOST_STATUS_WARNING</field>
    <description>KES Warning: Host status warning for $(kes.hostname)</description>
    <group>kaspersky_warning,host_status_warning</group>
  </rule>

  <!-- Other warnings -->
  <rule id="100345" level="4">
    <if_sid>100300</if_sid>
    <field name="kes.event_code">000000e2</field>
    <description>KES Warning: Minor event on $(kes.hostname) - $(kes.event_description)</description>
    <group>kaspersky_warning,minor_event</group>
  </rule>




  <!-- ========== CORRELATION BY HOSTNAME: CRITICAL EVENTS ========== -->

  <!-- Multiple malware detections on one host -->
  <rule id="100391" level="14" frequency="3" timeframe="600">
    <if_matched_sid>100324</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Multiple malware detections (3+) on $(kes.hostname) in 10 minutes - OUTBREAK ALERT</description>
    <group>kaspersky_critical,correlation,malware_outbreak</group>
  </rule>

  <!-- Multiple KSC connection errors on one host -->
  <rule id="100380" level="12" frequency="10" timeframe="1800">
    <if_matched_sid>100326</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Multiple KSC connection errors (10+) on $(kes.hostname) in 30 minutes</description>
    <group>kaspersky_critical,correlation,ksc_connection_multiple</group>
  </rule>

  <!-- Multiple update errors on one host -->
  <rule id="100383" level="11" frequency="5" timeframe="3600">
    <if_matched_sid>100329</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Multiple update failures (5+) on $(kes.hostname) in 1 hour</description>
    <group>kaspersky_critical,correlation,update_failed_multiple</group>
  </rule>

  <!-- Critical events of different types on one host -->
  <rule id="100387" level="13" frequency="5" timeframe="900">
    <if_matched_group>kaspersky_critical</if_matched_group>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Multiple critical events (5+) on $(kes.hostname) in 15 minutes - HOST IN DANGER</description>
    <group>kaspersky_critical,correlation,multiple_critical_types</group>
  </rule>


  <!-- ========== CORRELATION BY HOSTNAME: WARNING EVENTS ========== -->

  <!-- Frequent object blocks on one host -->
  <rule id="100392" level="10" frequency="9" timeframe="900">
    <if_matched_sid>100325</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Frequent object blocks (9+) on $(kes.hostname) in 15 minutes</description>
    <group>kaspersky_warning,correlation,object_blocked_frequent</group>
  </rule>

  <!-- Frequent task stops on one host -->
  <rule id="100390" level="8" frequency="9" timeframe="600">
    <if_matched_sid>100340</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Frequent task stops (9+) on $(kes.hostname) in 10 minutes</description>
    <group>kaspersky_warning,correlation,task_stopped_frequent</group>
  </rule>

  <!-- Frequent network connection blocks on one host -->
  <rule id="100384" level="9" frequency="15" timeframe="600">
    <if_matched_sid>100341</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Frequent network blocks (10+) on $(kes.hostname) in 10 minutes</description>
    <group>kaspersky_warning,correlation,network_blocked_frequent</group>
  </rule>

  <!-- Repeated self-defense disabling on one host -->
  <rule id="100385" level="11" frequency="5" timeframe="3600">
    <if_matched_sid>100342</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Self-protection repeatedly disabled on $(kes.hostname) - SECURITY RISK</description>
    <group>kaspersky_warning,correlation,self_protection_disabled_multiple</group>
  </rule>

  <!-- Host status problems (warning/critical) -->
  <rule id="100389" level="10" frequency="3" timeframe="3600">
    <if_matched_sid>100331,100344</if_matched_sid>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Host status issues (warning/critical) on $(kes.hostname)</description>
    <group>kaspersky_warning,correlation,host_status_issues</group>
  </rule>

  <!-- Escalation: multiple warnings on one host -->
  <rule id="100388" level="12" frequency="10" timeframe="1800">
    <if_matched_group>kaspersky_warning</if_matched_group>
    <same_field>kes.hostname</same_field>
    <description>KES Correlation: Warning events escalation (10+) on $(kes.hostname) in 30 minutes - POTENTIAL CRITICAL SITUATION</description>
    <group>kaspersky_warning,correlation,escalation_potential</group>
  </rule>


  <!-- ========== FALLBACK RULE ========== -->


  <rule id="100399" level="3">
    <if_sid>100300</if_sid>
    <description>KES: Event $(kes.event_description) on $(kes.hostname) [$(kes.event_code)]</description>
    <group>kaspersky_info</group>
  </rule>

<!-- Chain: protection disabled -> threat detected -->
<rule id="100382" level="13" frequency="2" timeframe="1800">
  <if_matched_sid>100331</if_matched_sid>
  <if_matched_group>kaspersky_critical,virus_detected,rootkit_detected,ransomware_detected</if_matched_group>
  <same_field>kes.hostname</same_field>
  <description>KSC Correlation CRITICAL: Protection disabled before threat detection on $(kes.hostname) - possible targeted attack</description>
  <group>kaspersky_critical,correlation,protection_disabled_attack</group>
</rule>

<!-- Chain of EDR events on a host; rules 100338 and 100339 are referenced here but are not part of this set -->
<!-- id renumbered from 100383, which is already used above by the update-failure correlation rule
     (100386 is simply an unused id in this range); the two if_matched_sid tags are merged into one
     comma-separated list, the syntax Wazuh expects for several source rules -->
<rule id="100386" level="14" frequency="3" timeframe="1200">
  <if_matched_sid>100338,100339</if_matched_sid>
  <same_field>kes.hostname</same_field>
  <description>KSC Correlation CRITICAL: EDR attack chain on $(kes.hostname) - suspicious process followed by lateral movement</description>
  <group>kaspersky_critical,correlation,edr_attack_chain</group>
</rule>
</group>
Tuesday, October 21, 2025 at 21:59:03 UTC+3, Olamilekan Abdullateef Ajani:
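The correlation rules in the set above (for example 100391, which fires on three `GNRL_EV_VIRUS_FOUND` alerts from the same `kes.hostname` within 600 seconds) rely on `frequency`, `timeframe` and `same_field`. As an added illustration that is not part of Ivan's ruleset and not Wazuh's own analysisd logic, the Python below runs that kind of per-host sliding-window counting over a constructed stream of already-decoded alerts. The counting is a simplification (assumption): a composite rule fires as soon as `frequency` matching alerts for one host fall inside `timeframe` seconds, and the window is reset after firing; the `SAMPLE_ALERTS`, `COMPOSITE_RULES` and `correlate` names are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed stream of alerts already produced by the per-event rules:
# (epoch seconds, rule id that fired, decoded kes.hostname). Not real data.
SAMPLE_ALERTS = [
    (0,    "100324", "comp"),       # malware detected
    (120,  "100324", "comp"),
    (300,  "100325", "comp"),       # object blocked, counted by a different rule
    (400,  "100324", "laptop-07"),  # other host: its own window
    (450,  "100324", "comp"),       # third detection on "comp" within 600 s
    (1500, "100324", "comp"),       # earlier detections have aged out by now
    (1600, "100324", "comp"),
    (1700, "100324", "comp"),       # three again within 600 s: second outbreak alert
]

# Composite rules from the thread: id -> (source rule ids, frequency, timeframe seconds)
COMPOSITE_RULES = {
    "100391": ({"100324"}, 3, 600),   # multiple malware detections on one host
    "100392": ({"100325"}, 9, 900),   # frequent object blocks on one host
}


def correlate(alerts, rules=COMPOSITE_RULES):
    """Simplified emulation of frequency/timeframe/same_field on kes.hostname.

    Returns a list of (timestamp, composite rule id, hostname) for every
    composite alert that would be raised, in the order the input arrives."""
    windows = defaultdict(deque)   # (composite rule id, host) -> match timestamps
    fired = []
    for ts, rule_id, host in alerts:
        for cid, (sources, frequency, timeframe) in rules.items():
            if rule_id not in sources:
                continue
            window = windows[(cid, host)]
            window.append(ts)
            # drop matches older than the timeframe relative to this alert
            while window and ts - window[0] > timeframe:
                window.popleft()
            if len(window) >= frequency:
                fired.append((ts, cid, host))
                window.clear()         # one burst yields one composite alert
    return fired


if __name__ == "__main__":
    for ts, cid, host in correlate(SAMPLE_ALERTS):
        print(f"t={ts:>5}s  rule {cid} fired for host {host}")
```

With the sample stream this reports rule 100391 twice for host `comp` (at t=450 and t=1700) and nothing for `laptop-07`, since windows are kept per host, which is what `same_field` on `kes.hostname` provides.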

Ivan Sergeevich

Oct 23, 2025, 4:54:53 AM
to Wazuh | Mailing List
Decoders:
<!-- Decoder for extracting additional information -->
<decoder name="kes-additional-fields">
  <parent>Kaspersky</parent>
  <regex type="pcre2">tdn="([^"]+)"</regex>
  <order>kes.task_name</order>
</decoder>

<decoder name="kes-timestamp">
  <parent>Kaspersky</parent>
  <regex type="pcre2">gn="([^"]+)"</regex>
  <order>kes.group</order>
</decoder>

<decoder name="kes-ip">
  <parent>Kaspersky</parent>
  <regex type="pcre2">hip="([^"]+)"</regex>
  <order>kes.host_ip</order>
</decoder>


<decoder name="Kaspersky">
  <prematch>event@23668</prematch>
</decoder>

<decoder name="Kaspersky-field">
  <parent>Kaspersky</parent>
  <regex type="pcre2">\[event@(\d+)\s+p1="([^"]+)"\s+p2="([^"]+)"\s+p5="([^"]+)".* et="([^"]+)"\s+tdn="([^"]+)"\s+etdn="([^"]+)"\s+hdn="([^"]+)"</regex>
  <order>kes.event_internal_id,kes.sha256,kes.object,kes.malware_name,kes.event_code,kes.task_description,kes.event_description,kes.hostname</order>
</decoder>

<decoder name="kes-user">
  <parent>Kaspersky</parent>
  <regex type="pcre2">p7="([^"]+)"</regex>
  <order>kes.user</order>
</decoder>

Thursday, October 23, 2025 at 11:06:47 UTC+3, Ivan Sergeevich:

RSSI C

Nov 16, 2025, 5:20:09 AM
to Wazuh | Mailing List
Hello,

Kindly share the steps and decoders to integrate Kaspersky KSC with Wazuh.