MSSQL event ID 208 for SQL Job

[Ian Cabana]

Hi,

I'm trying to built a rules to catch event ID 208 for SQL Jobs. Warnings and Information. 

So first I built for warnings events to test. So here the XML from the event viewer and the json from archive.json 

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

  <Provider Name="SQLSERVERAGENT" />

  <EventID Qualifiers="16384">208</EventID>

  <Version>0</Version>

  <Level>3</Level>

  <Task>3</Task>

  <Opcode>0</Opcode>

  <Keywords>0x80000000000000</Keywords>

  <TimeCreated SystemTime="2025-04-29T18:51:39.3083169Z" />

  <EventRecordID>119996</EventRecordID>

  <Correlation />

  <Execution ProcessID="0" ThreadID="0" />

  <Channel>Application</Channel>

  <Computer>BMATDSQL02.bitumar.com</Computer>

  <Security />

  </System>

- <EventData>

  <Data>Job Failed Simulation</Data>

  <Data>0xE52892D2FE65EA478A3872966068993E</Data>

  <Data>Failed</Data>

  <Data>2025-04-29 14:51:39</Data>

  <Data>The job failed. The Job was invoked by User BITUMAR\paica. The last step to run was step 1 (Job Execution).</Data>

  </EventData>

  </Event>

{"timestamp":"2025-04-29T17:49:24.101+0000","agent":{"id":"023","name":"BMATDSQL02","ip":"10.8.128.124"},"manager":{"name":"wazuh-server"},"id":"1745948964.6760559261","full_log":"{\"win\":{\"system\":{\"providerName\":\"SQLSERVERAGENT\",\"eventID\":\"208\",\"version\":\"0\",\"level\":\"3\",\"task\":\"3\",\"opcode\":\"0\",\"keywords\":\"0x80000000000000\",\"systemTime\":\"2025-04-29T17:49:24.0714547Z\",\"eventRecordID\":\"119979\",\"processID\":\"0\",\"threadID\":\"0\",\"channel\":\"Application\",\"computer\":\"BMATDSQL02.bitumar.com\",\"severityValue\":\"WARNING\",\"message\":\"\\\"SQL Server Scheduled Job 'Job Failed Simulation' (0xE52892D2FE65EA478A3872966068993E) - Status: Failed - Invoked on: 2025-04-29 13:49:24 - Message: The job failed.  The Job was invoked by User BITUMAR\\\\paica.  The last step to run was step 1 (Job Execution).\\\"\"},\"eventdata\":{\"data\":\"Job Failed Simulation, 0xE52892D2FE65EA478A3872966068993E, Failed, 2025-04-29 13:49:24, The job failed.  The Job was invoked by User BITUMAR\\\\\\\\paica.  The last step to run was step 1 (Job Execution).

and here is the rules I tried... 

<group name="windows,sql_server,sqlserveragent,">
  <rule id="100301" level="0">
    <if_sid>60601</if_sid>
    <field name="win.system.providerName">^SQLSERVERAGENT$</field>
    <options>no_full_log</options>
    <description>Test - SQL Server Agent.</description>
    <group>sql_server,job_failed,job_step_failed,</group>
  </rule>
   
  <rule id="100302" level="3">
    <if_sid>60640</if_sid>
    <field name="win.system.eventID">^208$</field>
    <options>no_full_log</options>
    <description>Test - SQL JOB.</description>
    <group>sql_server,job_failed,job_step_failed,</group>
  </rule>
  </group>

Sorry Im still new in rule and decoders..

[Ian Cabana]

Still not working I had some copy/paste error in the rule

<group name="windows,sql_server,sqlserveragent,">
  <rule id="100301" level="0">
    <if_sid>60601</if_sid>
    <field name="win.system.providerName">^SQLSERVERAGENT$</field>
    <options>no_full_log</options>
    <description>Test - SQL Server Agent.</description>
    <group>sql_server,job_failed,job_step_failed,</group>
  </rule>
   
  <rule id="100302" level="3">

      <if_sid>100301</if_sid>

    <field name="win.system.eventID">^208$</field>
    <options>no_full_log</options>
    <description>Test - SQL JOB.</description>
    <group>sql_server,job_failed,job_step_failed,</group>
  </rule>
  </group>

[Ian Cabana]

Anyone Have an Idea of What im doing wrong... I dont want a rules already made by someone else.. but some indocation of what Im doing wrong or can do better Im pretty... and Yes I read the Documentation of custom rules !! :) 

Big thanks to any take time to take a look :)