Help with Segregating Machine Accounts vs Real User Accounts in Wazuh

ARUN S

Dec 2, 2025, 1:54:42 PM
to wa...@googlegroups.com, DIWAHAR RAHAWID

Hello Wazuh Team,

I am currently working on creating rules to segregate desktop logon events for real users and machine accounts in Wazuh.

Here is the scenario:

  • I have a base rule (ID: 100810) that successfully triggers on all 4624 desktop logon events.

  • From the events triggered by 100810, I receive two types of usernames:

    1. Machine accounts – usernames ending with $ (e.g., SERVER01$)

    2. Real user accounts – standard usernames (e.g., John.Doe or DOMAIN\Jane)

My goal is to create separate rules to identify:

  • Machine account logons

  • Real user logons

Base rule:
   <rule id="100810" level="16">
       <if_sid>92651</if_sid>
       <field name="win.system.eventID">^4624$</field>
       <description>successful desktop logon by $(win.eventdata.targetUserName) on $(win.eventdata.ipAddress) from domain $(win.eventdata.targetDomainName)</description>
   </rule> 

I have attempted the following rules:

<!-- REAL USER logon -->
<rule id="100813" level="16">
  <if_sid>100810</if_sid>
  <field name="win.eventdata.targetUserName">^(?!.*\$).+$</field>
  <description>Successful desktop logon by user $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
</rule>

<!-- MACHINE ACCOUNT logon -->
<rule id="100814" level="10">
  <if_sid>100810</if_sid>
  <field name="win.eventdata.targetUserName">.+\$$</field>
  <description>Machine account logon by $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
</rule>

However, these rules are not triggering separately, and I am unable to properly segregate machine accounts from real user accounts.

Could someone guide me on how to correctly implement rules to separate usernames ending with $ from regular usernames in Wazuh?

Thank you for your help!

Olamilekan Abdullateef Ajani

Dec 2, 2025, 2:24:20 PM
to Wazuh | Mailing List
Hello,

I think one of the main issues experienced in your rule is the fact that you used PCRE2 syntax as regex but did not declare it, for example, <field type="pcre2"> something like that.

I also looked at the use case and rewrote the rule for you below. You could simply negate the machine account detection, which means everything else is captured, and the other rule strictly captures machine account logons.

<rule id="100813" level="15">
  <if_sid>100810</if_sid>
  <field name="win.eventdata.targetUserName" type="pcre2" negate="yes">\$$</field>
  <description>Successful desktop logon by real user $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
</rule>

<rule id="100814" level="10">
  <if_sid>100810</if_sid>
  <field name="win.eventdata.targetUserName" type="pcre2">\$$</field>
  <description>Machine account logon by $(win.eventdata.targetUserName) on $(win.eventdata.ipAddress)</description>
</rule>

You can find more references regarding rulesets below:


If you require further clarification on this, please let me know.
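To sanity-check the two patterns from the reply above before loading them into the ruleset, here is an added Python script (not part of this thread and not Wazuh's own code) that applies `\$$` with and without `negate="yes"` to constructed targetUserName values; Python's `re` stands in for PCRE2 for this simple pattern, and the event dicts only mimic the decoded field names used in the rules.

```python
import re

# The pattern used by both rules in the reply: a literal '$' anchored at the
# end of the field (PCRE2 syntax, so the rule needs type="pcre2").
MACHINE_ACCOUNT_RE = re.compile(r"\$$")


def rule_100814_matches(target_user_name: str) -> bool:
    """Machine account logon: field matches \\$$ (name ends with a literal '$')."""
    return MACHINE_ACCOUNT_RE.search(target_user_name) is not None


def rule_100813_matches(target_user_name: str) -> bool:
    """Real-user logon: the same pattern with negate="yes", i.e. NOT ending in '$'."""
    return not rule_100814_matches(target_user_name)


def classify_4624(event: dict) -> list:
    """Return the child rule ids that would fire for an event already matched
    by base rule 100810 (eventID 4624). `event` is a constructed dict keyed by
    the decoded field names from the rules, not real agent output; behaviour
    for a missing targetUserName field is not modelled here."""
    if event.get("win.system.eventID") != "4624":
        return []  # base rule 100810 does not fire, so neither child can
    user = event["win.eventdata.targetUserName"]
    fired = []
    if rule_100813_matches(user):
        fired.append(100813)
    if rule_100814_matches(user):
        fired.append(100814)
    return fired  # exactly one of the two ids for any 4624 event


if __name__ == "__main__":
    # Constructed sample values covering the cases from the question plus a
    # name where '$' is not the last character (matches the real-user rule).
    for name in ("SERVER01$", "John.Doe", "DOMAIN\\Jane", "$pecial"):
        ev = {"win.system.eventID": "4624",
              "win.eventdata.targetUserName": name}
        print(f"{name!r:16} -> rules {classify_4624(ev)}")
```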