Help with a rule
268 views
Skip to first unread message
Facu Basgall
Dec 10, 2025, 8:09:39 AM12/10/25
to Wazuh | Mailing List
I want to make a filtering rule on the rule 60204 (Multiple Logon Failure Windows) for when it is a list of User and PC to lower the level.
I have a FileServer "FS-001" where the users log in, so for example:
If it is Juan in the Workstation 001 lower the level because it is correct
If it is Marta in the Workstation 002 lower the level because it is correct
But if it is Marta in the Workstation 001 keep the level.
I have the list of users with their allowed workstations.
Luis Enrique Chico Capistrano
Dec 10, 2025, 9:07:50 AM12/10/25
to Wazuh | Mailing List
Hi Facu Basgall,
Based on your requirements, the best approach is to use CDB lists. You will find some examples in that document.
Also, here is some reference that could be useful:
If you need some help with this, I will need some examples of logs that you have received, including the login information for the different users.
Facu Basgall
Dec 12, 2025, 7:14:57 AM12/12/25
to Wazuh | Mailing List
Can you please give me an example rule?
I have tried with CDB List but it didn't work as expected
Each user has only one authorised workstation, if it happens from that user on that workstation it is not an alert but if the user or the workstation is different it is.
Luis Enrique Chico Capistrano
Dec 12, 2025, 7:29:37 PM12/12/25
to Wazuh | Mailing List
Hi Facu,
As I mentioned before, it would be great to have a Windows event so I could test it locally. The idea should be something like this:
1. Create the CDB List File
As I mentioned before, it would be great to have a Windows event so I could test it locally. The idea should be something like this:
1. Create the CDB List File
cat /var/ossec/etc/lists/authorized_workstations
Juan:001
Marta:002
Marta:002
2. Register the CDB List in ossec.conf
Location: /var/ossec/etc/ossec.conf
Add this block at the end of the file (before the final </ossec_config>):
<ossec_config>
<ruleset>
<list>etc/lists/authorized_workstations</list>
</ruleset>
</ossec_config>
Location: /var/ossec/etc/ossec.conf
Add this block at the end of the file (before the final </ossec_config>):
<ossec_config>
<ruleset>
<list>etc/lists/authorized_workstations</list>
</ruleset>
</ossec_config>
3. Create the Custom Rule
Location: /var/ossec/etc/rules/local_rules.xml
Add this rule inside the file:
<group name="local,windows,authentication,">
<!-- Rule to lower level when user logs in from their authorized workstation -->
<rule id="100100" level="3">
<if_sid>60204</if_sid>
<field name="win.system.computer">^FS-001$</field>
<list field="win.eventdata.targetUserName" lookup="match_key_value" check_value="win.eventdata.workstationName">etc/lists/authorized_workstations</list>
<description>Multiple Windows Logon Failures on FS-001 - User on authorized workstation (level lowered)</description>
<options>no_full_log</options>
<group>authentication_failures,authorized_workstation,</group>
</rule>
</group>
Location: /var/ossec/etc/rules/local_rules.xml
Add this rule inside the file:
<group name="local,windows,authentication,">
<!-- Rule to lower level when user logs in from their authorized workstation -->
<rule id="100100" level="3">
<if_sid>60204</if_sid>
<field name="win.system.computer">^FS-001$</field>
<list field="win.eventdata.targetUserName" lookup="match_key_value" check_value="win.eventdata.workstationName">etc/lists/authorized_workstations</list>
<description>Multiple Windows Logon Failures on FS-001 - User on authorized workstation (level lowered)</description>
<options>no_full_log</options>
<group>authentication_failures,authorized_workstation,</group>
</rule>
</group>
4. Restart Wazuh Manager
Message has been deleted
Facu Basgall
Dec 23, 2025, 9:48:18 AM12/23/25
to Wazuh | Mailing List
Hi, the ruler is not working as expected.
It is still capturing the event of the rule 60204 even if the conditions of the new created rule are fulfilled.
I attach images about the case
El miércoles, 17 de diciembre de 2025 a las 8:43:57 UTC-3, Facu Basgall escribió:
Thank you very much, that's what I was expecting ❤️
Luis Enrique Chico Capistrano
Jan 2, 2026, 9:30:39 AMJan 2
to Wazuh | Mailing List
Hi Facu,
Sorry for the delay. I want to reproduce your test, but to do so, I need you to share the event exactly as the manager received it.
Could you enable the archive.log (see documentation) by setting <logall> to yes in the ossec.conf file?
Afterward, please find the raw event in /var/ossec/logs/archives/archives.log and share it with me. I need that specific event so I can test it locally.
Facu Basgall
Jan 15, 2026, 10:19:39 AMJan 15
to Wazuh | Mailing List
Hi! You won't be able to test it locally as they are events coming from EventChannel and Wazuh (as far as I understand) doesn't allow testing of these events
Please help me with the rule.
Luis Enrique Chico Capistrano
Jan 19, 2026, 6:55:51 AMJan 19
to Facu Basgall, Wazuh | Mailing List
Hi Facu,
Yes, it's possible to test EventChannel, we need to change one rule so we can use wazuh-logtest correctly.
In /var/ossec/ruleset/rules/0575-win-base_rules.xml we must modify rule 60000 by deleting or commenting out <category> and changing <decoded_as> to json:
Note that this is only temporary; once you have finished testing Windows events in wazuh-logtest, you must change the rule back to its previous state.
For this reason, I am asking for the raw event received in
Yes, it's possible to test EventChannel, we need to change one rule so we can use wazuh-logtest correctly.
In /var/ossec/ruleset/rules/0575-win-base_rules.xml we must modify rule 60000 by deleting or commenting out <category> and changing <decoded_as> to json:
<rule id="60000" level="2">
<!-- category>ossec</category -->
<!-- decoded_as>windows_eventchannel</decoded_as -->
<decoded_as>json</decoded_as>
<field name="win.system.providerName">\.+</field>
<options>no_full_log</options>
<description>Group of windows rules.</description>
</rule>
Note that this is only temporary; once you have finished testing Windows events in wazuh-logtest, you must change the rule back to its previous state.
For this reason, I am asking for the raw event received in
archive.log. To do this, you need to enable the archiving feature (refer to the Wazuh documentation) by setting <logall> to "yes" in the ossec.conf file. Then, look for the entry in /var/ossec/logs/archives/archives.log to retrieve the raw event before the decoder processes it.Luis Enrique Chico Capistrano
Developer
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/ychgtU8VPWA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/85dd6277-3042-4613-bc33-88ebfd9a5a8en%40googlegroups.com.
Facu Basgall
Jan 19, 2026, 1:04:46 PMJan 19
to Wazuh | Mailing List
It is impossible to do the step you are asking me to do, by changing the rule 60000 Wazuh does not register any Windows event. I can't lose this data in a productive and critical environment.
Other colleagues of yours have previously informed me that the Windows decoders come aged in C inside Wazuh so it is not possible to test with them. Is this true?
Luis Enrique Chico Capistrano
Jan 20, 2026, 7:10:18 PMJan 20
to Wazuh | Mailing List
Hi Facu,
You're right; that change is only for testing and should not be used in production. I suggested it only to demonstrate that wazuh-logtest can process Windows events if formatted as JSON.
Could you send some sample events from the archives.log so I can help you? If you need to rewrite any sensitive data, please do so. However, I require the full log structure to test with wazuh-logtest.
Facu Basgall
Jan 21, 2026, 10:12:22 AMJan 21
to Wazuh | Mailing List
This is a screenshot of an event from archives.log:
I tried to make a rule with that user and workstation specifically to lower the level of the rule but it didn't work.
Here are the rules I have created for 60204.
The custom rule 101200 works perfectly, but 101203 does not work and that is the one I need help with. The ideal would be to make 101203 work with a CDB List, as I mentioned at the beginning of the ticket, but as it was not working I commented the lines
<rule id="60204" level="12" frequency="10" timeframe="60" overwrite="yes">
<if_matched_group>authentication_failed</if_matched_group>
<same_field>win.eventdata.ipAddress</same_field>
<description>Multiple Windows Logon Failures - Usuario: $(win.eventdata.targetUserName) - IP: $(win.eventdata.ipAddress)</description>
<options>no_full_log</options>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<rule id="101200" level="10">
<if_sid>60204</if_sid>
<field name="win.eventdata.targetUserName">^SRVXSQL1</field>
<field name="win.eventdata.ipAddress">172.16.1.116</field>
<description>Multiple Windows Logon Failures (baja prioridad) - Usuario: $(win.eventdata.targetUserName) - IP: $(win.eventdata.ipAddress)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<rule id="101203" level="10">
<if_sid>60204</if_sid>
<field name="win.system.computer">^srvxx.empresayy.com.ar$</field>
<!--<list field="win.eventdata.targetUserName" lookup="match_key_value" check_value="win.eventdata.workstationName">etc/lists/multiple-logon-failure</list>-->
<field name="win.eventdata.targetUserName">^jpepe$</field>
<field name="win.eventdata.ipAddress">^PC002$</field>
<description>Multiple Windows Logon Failures user jpepe on authorized workstation PC002</description>
<!--<description>Multiple Windows Logon Failures on srvxx - User on authorized workstation (level lowered)</description>-->
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
Luis Enrique Chico Capistrano
Jan 21, 2026, 9:20:21 PMJan 21
to Wazuh | Mailing List
Hi Facu,
In the meantime, the only workaround is to create many rules, one per desired combination.
After extensive debugging with wazuh-logtest, I identified the issues. I originally thought this was possible, but the key and value match only supports literal strings and does not support dynamic field references. This is a known limitation:
In the meantime, the only workaround is to create many rules, one per desired combination.
I apologize for the inconvenience. This will be resolved in Wazuh 5.0, but there is no release date for it yet.
Facu Basgall
Jan 22, 2026, 6:42:57 AMJan 22
to Wazuh | Mailing List
Thank you for your response.
Similarly it does not work for me to make a single rule for each case, if you check the rule 101203 I sent you is a possible combination and does not work as it continues to enter the rule 60204
If the rule 101200 works correctly but is another use case.
Luis Enrique Chico Capistrano
Jan 22, 2026, 8:55:59 AMJan 22
to Wazuh | Mailing List
Hi Facu,
I successfully triggered rule 101203 using wazuh-logtest. Here's what I found:
Testing Requirements
To test rule 101203, you need to simulate the frequency condition from the parent rule 60204:
- Rule 60204 has frequency="8" and timeframe="60"
- This means it triggers after 8 authentication failures from the same IP within 60 seconds
- In wazuh-logtest, you need to pipe the same event at least 8 times so that rule 60122 fires 7 times (firedtimes: '7'), and on the 8th+ occurrence, rule 60204 will trigger
- Once 60204 triggers, rule 101203 (as a child rule) gets evaluated
# Run this 8 times to trigger the frequency rule
for i in {1..8}; do
cat test_event.json
done | /var/ossec/bin/wazuh-logtest
Where test_event.json contains your event:
tus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}
After the 7th event, rule 101203 triggers successfully:
**Phase 3: Completed filtering (rules). id: '60122'
level: '5'
description: 'Logon Failure - Unknown user or bad password'
groups: '['windows', 'windows_security', 'authentication_failed']'
firedtimes: '7'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1531']'
mitre.tactic: '['Impact']'
mitre.technique: '['Account Access Removal']'
nist_800_53: '['AU.14', 'AC.7']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDIT_FAILURE","message":"\"Error de una cuenta al iniciar sesión.\r\n\r\nSujeto:\r\n\tId. de seguridad:\t\tS-1-0-0\r\n\tNombre de cuenta:\t\t-\r\n\tDominio de cuenta:\t\t-\r\n\tId. de inicio de sesión:\t\t0x0\r\n\r\nTipo de inicio de sesión:\t\t\t3\r\n\r\nCuenta con error de inicio de sesión: \r\n\tId. de seguridad:\t\tS-1-0-0\r\n\tNombre de cuenta:\t\tjpepe\r\n\tDominio de cuenta:\t\tEMPRESA\r\n\r\nInformación de error:\r\n\tMotivo del error:\t\tNombre de usuario desconocido o contraseña incorrecta\r\n\tEstado:\t\t\t0xC000006D\r\n\tSubestado:\t\t0xC000006A\r\n\r\nInformación de proceso:\r\n\tId. de proceso del autor de la llamada:\t0x0\r\n\tNombre de proceso del autor de la llamada:\t-\r\n\r\nInformación de red:\r\n\tNombre de estación de trabajo:\tPC002\r\n\tDirección de red de origen:\t172.16.1.250\r\n\tPuerto de origen:\t\t50726\r\n\r\nInformación de autenticación detallada:\r\n\tProceso de inicio de sesión:\t\tNtLmSsp \r\n\tPaquete de autenticación:\tNTLM\r\n\tServicios transitados:\t-\r\n\tNombre de paquete (solo NTLM):\t-\r\n\tLongitud de clave:\t0\r\n\r\nEste evento se genera cuando se produce un error en una solicitud de inicio de sesión. Lo genera el equipo al que se intentó tener acceso.\r\n\r\nLos campos de sujeto indican la cuenta del sistema local que solicitó el inicio de sesión. Suele ser un servicio como el servicio de servidor o un proceso local como Winlogon.exe o Services.exe.\r\n\r\nEl campo Tipo de inicio de sesión indica la clase de inicio de sesión que se solicitó. Los tipos más comunes son 2 (interactivo) y 3 (red).\r\n\r\nLos campos Información de proceso indican la cuenta y el proceso en el sistema que solicitó el inicio de sesión.\r\n\r\nLos campos Información de red indican dónde se originó una solicitud de inicio de sesión remota. Nombre de estación de trabajo no está siempre disponible y se puede dejar en blanco en algunos casos.\r\n\r\nLos campos de información de autenticación proporcionan información detallada sobre esta solicitud de inicio de sesión específica.\r\n\t- Servicios transitados indica los servicios intermedios que participaron en esta solicitud de inicio de sesión.\r\n\t- Nombre de paquete indica el subprotocolo que se usó entre los protocolos NTLM.\r\n\t- Longitud de clave indica la longitud de la clave de sesión generada. Será 0 si no se solicitó una clave de sesión.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}'
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.authenticationPackageName: 'NTLM'
win.eventdata.failureReason: '%%2313'
win.eventdata.ipAddress: '172.16.1.250'
win.eventdata.ipPort: '50726'
win.eventdata.keyLength: '0'
win.eventdata.logonProcessName: 'NtLmSsp'
win.eventdata.logonType: '3'
win.eventdata.processId: '0x0'
win.eventdata.status: '0xc000006d'
win.eventdata.subStatus: '0xc000006a'
win.eventdata.subjectLogonId: '0x0'
win.eventdata.subjectUserSid: 'S-1-0-0'
win.eventdata.targetDomainName: 'EMPRESA'
win.eventdata.targetUserName: 'jpepe'
win.eventdata.targetUserSid: 'S-1-0-0'
win.eventdata.workstationName: 'PC002'
win.system.channel: 'Security'
win.system.computer: 'srvxx.empresayy.com.ar'
win.system.eventID: '4625'
win.system.eventRecordID: '119177303'
win.system.keywords: '0x8010000000000000'
win.system.level: '0'
win.system.message: '"Error de una cuenta al iniciar sesión.
Sujeto:
Id. de seguridad: S-1-0-0
Nombre de cuenta: -
Dominio de cuenta: -
Id. de inicio de sesión: 0x0
Tipo de inicio de sesión: 3
Cuenta con error de inicio de sesión:
Id. de seguridad: S-1-0-0
Nombre de cuenta: jpepe
Dominio de cuenta: EMPRESA
Información de error:
Motivo del error: Nombre de usuario desconocido o contraseña incorrecta
Estado: 0xC000006D
Subestado: 0xC000006A
Información de proceso:
Id. de proceso del autor de la llamada: 0x0
Nombre de proceso del autor de la llamada: -
Información de red:
Nombre de estación de trabajo: PC002
Dirección de red de origen: 172.16.1.250
Puerto de origen: 50726
Información de autenticación detallada:
Proceso de inicio de sesión: NtLmSsp
Paquete de autenticación: NTLM
Servicios transitados: -
Nombre de paquete (solo NTLM): -
Longitud de clave: 0
Este evento se genera cuando se produce un error en una solicitud de inicio de sesión. Lo genera el equipo al que se intentó tener acceso.
win.system.opcode: '0'
win.system.processID: '740'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_FAILURE'
win.system.systemTime: '2026-01-21T14:28:13.410845300Z'
win.system.task: '12544'
win.system.threadID: '4196'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
id: '101203'
level: '10'
description: 'Multiple Windows Logon Failures - User jpepe on authorized workstation PC002 (level lowered)'
groups: '['local', 'syslog', 'sshd', 'authentication', 'windowsauthentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d', 'IV_32.2']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1110']'
mitre.tactic: '['Credential Access']'
mitre.technique: '['Brute Force']'
nist_800_53: '['AU.14', 'AC.7', 'SI.4']'
pci_dss: '['10.2.4', '10.2.5', '11.4']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'C C7.3']'
**Alert to be generated.
Hope this helps! Let me know if you need any clarification.
I successfully triggered rule 101203 using wazuh-logtest. Here's what I found:
Testing Requirements
To test rule 101203, you need to simulate the frequency condition from the parent rule 60204:
- Rule 60204 has frequency="8" and timeframe="60"
- This means it triggers after 8 authentication failures from the same IP within 60 seconds
- In wazuh-logtest, you need to pipe the same event at least 8 times so that rule 60122 fires 7 times (firedtimes: '7'), and on the 8th+ occurrence, rule 60204 will trigger
- Once 60204 triggers, rule 101203 (as a child rule) gets evaluated
Using what I suggested before: https://groups.google.com/g/wazuh/c/ychgtU8VPWA/m/xVkM2d85AQAJ
# Run this 8 times to trigger the frequency rule
for i in {1..8}; do
cat test_event.json
done | /var/ossec/bin/wazuh-logtest
Where test_event.json contains your event:
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":
"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDI
"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDI
T_FAILURE"},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subSta
tus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}
After the 7th event, rule 101203 triggers successfully:
**Phase 3: Completed filtering (rules).
level: '5'
description: 'Logon Failure - Unknown user or bad password'
groups: '['windows', 'windows_security', 'authentication_failed']'
firedtimes: '7'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1531']'
mitre.tactic: '['Impact']'
mitre.technique: '['Account Access Removal']'
nist_800_53: '['AU.14', 'AC.7']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDIT_FAILURE","message":"\"Error de una cuenta al iniciar sesión.\r\n\r\nSujeto:\r\n\tId. de seguridad:\t\tS-1-0-0\r\n\tNombre de cuenta:\t\t-\r\n\tDominio de cuenta:\t\t-\r\n\tId. de inicio de sesión:\t\t0x0\r\n\r\nTipo de inicio de sesión:\t\t\t3\r\n\r\nCuenta con error de inicio de sesión: \r\n\tId. de seguridad:\t\tS-1-0-0\r\n\tNombre de cuenta:\t\tjpepe\r\n\tDominio de cuenta:\t\tEMPRESA\r\n\r\nInformación de error:\r\n\tMotivo del error:\t\tNombre de usuario desconocido o contraseña incorrecta\r\n\tEstado:\t\t\t0xC000006D\r\n\tSubestado:\t\t0xC000006A\r\n\r\nInformación de proceso:\r\n\tId. de proceso del autor de la llamada:\t0x0\r\n\tNombre de proceso del autor de la llamada:\t-\r\n\r\nInformación de red:\r\n\tNombre de estación de trabajo:\tPC002\r\n\tDirección de red de origen:\t172.16.1.250\r\n\tPuerto de origen:\t\t50726\r\n\r\nInformación de autenticación detallada:\r\n\tProceso de inicio de sesión:\t\tNtLmSsp \r\n\tPaquete de autenticación:\tNTLM\r\n\tServicios transitados:\t-\r\n\tNombre de paquete (solo NTLM):\t-\r\n\tLongitud de clave:\t0\r\n\r\nEste evento se genera cuando se produce un error en una solicitud de inicio de sesión. Lo genera el equipo al que se intentó tener acceso.\r\n\r\nLos campos de sujeto indican la cuenta del sistema local que solicitó el inicio de sesión. Suele ser un servicio como el servicio de servidor o un proceso local como Winlogon.exe o Services.exe.\r\n\r\nEl campo Tipo de inicio de sesión indica la clase de inicio de sesión que se solicitó. Los tipos más comunes son 2 (interactivo) y 3 (red).\r\n\r\nLos campos Información de proceso indican la cuenta y el proceso en el sistema que solicitó el inicio de sesión.\r\n\r\nLos campos Información de red indican dónde se originó una solicitud de inicio de sesión remota. Nombre de estación de trabajo no está siempre disponible y se puede dejar en blanco en algunos casos.\r\n\r\nLos campos de información de autenticación proporcionan información detallada sobre esta solicitud de inicio de sesión específica.\r\n\t- Servicios transitados indica los servicios intermedios que participaron en esta solicitud de inicio de sesión.\r\n\t- Nombre de paquete indica el subprotocolo que se usó entre los protocolos NTLM.\r\n\t- Longitud de clave indica la longitud de la clave de sesión generada. Será 0 si no se solicitó una clave de sesión.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}'
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.authenticationPackageName: 'NTLM'
win.eventdata.failureReason: '%%2313'
win.eventdata.ipAddress: '172.16.1.250'
win.eventdata.ipPort: '50726'
win.eventdata.keyLength: '0'
win.eventdata.logonProcessName: 'NtLmSsp'
win.eventdata.logonType: '3'
win.eventdata.processId: '0x0'
win.eventdata.status: '0xc000006d'
win.eventdata.subStatus: '0xc000006a'
win.eventdata.subjectLogonId: '0x0'
win.eventdata.subjectUserSid: 'S-1-0-0'
win.eventdata.targetDomainName: 'EMPRESA'
win.eventdata.targetUserName: 'jpepe'
win.eventdata.targetUserSid: 'S-1-0-0'
win.eventdata.workstationName: 'PC002'
win.system.channel: 'Security'
win.system.computer: 'srvxx.empresayy.com.ar'
win.system.eventID: '4625'
win.system.eventRecordID: '119177303'
win.system.keywords: '0x8010000000000000'
win.system.level: '0'
win.system.message: '"Error de una cuenta al iniciar sesión.
Sujeto:
Id. de seguridad: S-1-0-0
Nombre de cuenta: -
Dominio de cuenta: -
Id. de inicio de sesión: 0x0
Tipo de inicio de sesión: 3
Cuenta con error de inicio de sesión:
Nombre de cuenta: jpepe
Dominio de cuenta: EMPRESA
Información de error:
Motivo del error: Nombre de usuario desconocido o contraseña incorrecta
Estado: 0xC000006D
Subestado: 0xC000006A
Información de proceso:
Id. de proceso del autor de la llamada: 0x0
Nombre de proceso del autor de la llamada: -
Información de red:
Nombre de estación de trabajo: PC002
Dirección de red de origen: 172.16.1.250
Puerto de origen: 50726
Información de autenticación detallada:
Proceso de inicio de sesión: NtLmSsp
Paquete de autenticación: NTLM
Servicios transitados: -
Nombre de paquete (solo NTLM): -
Longitud de clave: 0
Este evento se genera cuando se produce un error en una solicitud de inicio de sesión. Lo genera el equipo al que se intentó tener acceso.
Los campos de sujeto indican la cuenta del sistema local que solicitó el inicio de sesión. Suele ser un servicio como el servicio de servidor o un proceso local como Winlogon.exe o Services.exe.
El campo Tipo de inicio de sesión indica la clase de inicio de sesión que se solicitó. Los tipos más comunes son 2 (interactivo) y 3 (red).
Los campos Información de proceso indican la cuenta y el proceso en el sistema que solicitó el inicio de sesión.
Los campos Información de red indican dónde se originó una solicitud de inicio de sesión remota. Nombre de estación de trabajo no está siempre disponible y se puede dejar en blanco en algunos casos.
Los campos de información de autenticación proporcionan información detallada sobre esta solicitud de inicio de sesión específica.
- Servicios transitados indica los servicios intermedios que participaron en esta solicitud de inicio de sesión.
- Nombre de paquete indica el subprotocolo que se usó entre los protocolos NTLM.
- Longitud de clave indica la longitud de la clave de sesión generada. Será 0 si no se solicitó una clave de sesión."'win.system.opcode: '0'
win.system.processID: '740'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_FAILURE'
win.system.systemTime: '2026-01-21T14:28:13.410845300Z'
win.system.task: '12544'
win.system.threadID: '4196'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
id: '101203'
level: '10'
description: 'Multiple Windows Logon Failures - User jpepe on authorized workstation PC002 (level lowered)'
groups: '['local', 'syslog', 'sshd', 'authentication', 'windowsauthentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d', 'IV_32.2']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1110']'
mitre.tactic: '['Credential Access']'
mitre.technique: '['Brute Force']'
nist_800_53: '['AU.14', 'AC.7', 'SI.4']'
pci_dss: '['10.2.4', '10.2.5', '11.4']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'C C7.3']'
**Alert to be generated.
Note: Take into account that you should't have two rules (101200, 101203) that depend on 60204, when I tested I didn't have the rule 101200.
Hope this helps! Let me know if you need any clarification.
Luis Enrique Chico Capistrano
Jan 22, 2026, 8:59:13 AMJan 22
to Wazuh | Mailing List
Sorry, the rule I used was:
<description>Multiple Windows Logon Failures - User $(win.eventdata.targetUserName) on authorized workstation $(win.eventdata.workstationName) (level lowered)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_C
C7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<rule id="101203" level="10">
<if_sid>60204</if_sid>
<field name="win.system.computer">^srvxx.empresayy.com.ar$</field>
<if_sid>60204</if_sid>
<field name="win.system.computer">^srvxx.empresayy.com.ar$</field>
<field name="win.eventdata.targetUserName">^jpepe$</field>
<field name="win.eventdata.workstationName">^PC002$</field><description>Multiple Windows Logon Failures - User $(win.eventdata.targetUserName) on authorized workstation $(win.eventdata.workstationName) (level lowered)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_C
C7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
Facu Basgall
Jan 23, 2026, 7:08:56 AMJan 23
to Wazuh | Mailing List
In the previous message you clarify "Note that you should not have two rules (101200, 101203) that depend on 60204, when I tested I did not have rule 101200"
How do I make multiple rules that depend on 60204? Or is this not possible? Because rule 60204 is generating a lot of false positives in my environment and I need to make specific rules for each case so I can lower the level of false positives.
Luis Enrique Chico Capistrano
Jan 23, 2026, 7:08:55 PMJan 23
to Wazuh | Mailing List
Hi Facu,
The previous warning about not having both rules (101200 and 101203) was likely because having multiple rules during troubleshooting can make it harder to identify which one is causing a conflict. Once you have confirmed the logic for one, you can safely add as many as you need to cover all your false positive scenarios.
However, it looks like the fields you are matching in rule 101200 are different from those in 101203. Make sure that if a log is supposed to trigger 101200, your custom child rule follows that specific logic. I hope that clears things up rather than causing more confusion!
Facu Basgall
Feb 2, 2026, 7:42:37 AMFeb 2
to Wazuh | Mailing List
The 101200 rule works perfectly but the 101203 rule does not work, it keeps entering the default rule 60204 and I need it to enter the 101203 rule as it generates false positives
Can you test in your environment with both rules?
Luis Enrique Chico Capistrano
Feb 2, 2026, 9:07:51 AMFeb 2
to Wazuh | Mailing List
Hi Facu,
We should probably review the event triggering rule 60204. Could you share the raw event so I can test it? Using the rules below, the configuration works as expected:
```
<rule id="101200" level="10">
<if_sid>60204</if_sid>
<field name="win.eventdata.targetUserName">^SRVXSQL1</field>
<field name="win.eventdata.ipAddress">172.16.1.116</field>
<description>Multiple Windows Logon Failures (baja prioridad) - Usuario: $(win.eventdata.targetUserName) - IP: $(win.eventdata.ipAddress)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<rule id="101203" level="10">
<if_sid>60204</if_sid>
<field name="win.system.computer">^srvxx.empresayy.com.ar$</field>
```
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.authenticationPackageName: 'NTLM'
win.eventdata.failureReason: '%%2313'
win.eventdata.ipAddress: '172.16.1.250'
win.eventdata.ipPort: '50726'
win.eventdata.keyLength: '0'
win.eventdata.logonProcessName: 'NtLmSsp'
win.eventdata.logonType: '3'
win.eventdata.processId: '0x0'
win.eventdata.status: '0xc000006d'
win.eventdata.subStatus: '0xc000006a'
win.eventdata.subjectLogonId: '0x0'
win.eventdata.subjectUserSid: 'S-1-0-0'
win.eventdata.targetDomainName: 'EMPRESA'
win.eventdata.targetUserName: 'jpepe'
win.eventdata.targetUserSid: 'S-1-0-0'
win.eventdata.workstationName: 'PC002'
win.system.channel: 'Security'
win.system.computer: 'srvxx.empresayy.com.ar'
win.system.eventID: '4625'
win.system.eventRecordID: '119177303'
win.system.keywords: '0x8010000000000000'
win.system.level: '0'
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.authenticationPackageName: 'NTLM'
win.eventdata.failureReason: '%%2313'
win.eventdata.ipAddress: '172.16.1.250'
win.eventdata.ipPort: '50726'
win.eventdata.keyLength: '0'
win.eventdata.logonProcessName: 'NtLmSsp'
win.eventdata.logonType: '3'
win.eventdata.processId: '0x0'
win.eventdata.status: '0xc000006d'
win.eventdata.subStatus: '0xc000006a'
win.eventdata.subjectLogonId: '0x0'
win.eventdata.subjectUserSid: 'S-1-0-0'
win.eventdata.targetDomainName: 'EMPRESA'
win.eventdata.targetUserName: 'jpepe'
win.eventdata.targetUserSid: 'S-1-0-0'
win.eventdata.workstationName: 'PC002'
win.system.channel: 'Security'
win.system.computer: 'srvxx.empresayy.com.ar'
win.system.eventID: '4625'
win.system.eventRecordID: '119177303'
win.system.keywords: '0x8010000000000000'
win.system.level: '0'
We should probably review the event triggering rule 60204. Could you share the raw event so I can test it? Using the rules below, the configuration works as expected:
```
# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->
<group name="local,syslog,sshd,authentication,windows">
<!-- Local rules -->
<group name="local,syslog,sshd,authentication,windows">
<rule id="101200" level="10">
<if_sid>60204</if_sid>
<field name="win.eventdata.targetUserName">^SRVXSQL1</field>
<field name="win.eventdata.ipAddress">172.16.1.116</field>
<description>Multiple Windows Logon Failures (baja prioridad) - Usuario: $(win.eventdata.targetUserName) - IP: $(win.eventdata.ipAddress)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<rule id="101203" level="10">
<if_sid>60204</if_sid>
<field name="win.system.computer">^srvxx.empresayy.com.ar$</field>
<field name="win.eventdata.targetUserName">^jpepe$</field>
<field name="win.eventdata.workstationName">^PC002$</field>
<description>Multiple Windows Logon Failures - User $(win.eventdata.targetUserName) on authorized workstation $(win.eventdata.workstationName) (level lowered)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_C
C7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<field name="win.eventdata.workstationName">^PC002$</field>
<description>Multiple Windows Logon Failures - User $(win.eventdata.targetUserName) on authorized workstation $(win.eventdata.workstationName) (level lowered)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_C
C7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
</group>
```
Using the following event:
```
Using the following event:
```
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDIT_FAILURE"},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}
```
I was able to trigger rule 101203, as shown below:
```
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDIT_FAILURE"},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}
**Phase 1: Completed pre-decoding.
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.authenticationPackageName: 'NTLM'
win.eventdata.failureReason: '%%2313'
win.eventdata.ipAddress: '172.16.1.250'
win.eventdata.ipPort: '50726'
win.eventdata.keyLength: '0'
win.eventdata.logonProcessName: 'NtLmSsp'
win.eventdata.logonType: '3'
win.eventdata.processId: '0x0'
win.eventdata.status: '0xc000006d'
win.eventdata.subStatus: '0xc000006a'
win.eventdata.subjectLogonId: '0x0'
win.eventdata.subjectUserSid: 'S-1-0-0'
win.eventdata.targetDomainName: 'EMPRESA'
win.eventdata.targetUserName: 'jpepe'
win.eventdata.targetUserSid: 'S-1-0-0'
win.eventdata.workstationName: 'PC002'
win.system.channel: 'Security'
win.system.computer: 'srvxx.empresayy.com.ar'
win.system.eventID: '4625'
win.system.eventRecordID: '119177303'
win.system.keywords: '0x8010000000000000'
win.system.level: '0'
win.system.opcode: '0'
win.system.processID: '740'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_FAILURE'
win.system.systemTime: '2026-01-21T14:28:13.410845300Z'
win.system.task: '12544'
win.system.threadID: '4196'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
win.system.processID: '740'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_FAILURE'
win.system.systemTime: '2026-01-21T14:28:13.410845300Z'
win.system.task: '12544'
win.system.threadID: '4196'
win.system.version: '0'
**Phase 3: Completed filtering (rules).
id: '60122'
level: '5'
description: 'Logon Failure - Unknown user or bad password'
groups: '['windows', 'windows_security', 'authentication_failed']'
firedtimes: '7'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1531']'
mitre.tactic: '['Impact']'
mitre.technique: '['Account Access Removal']'
nist_800_53: '['AU.14', 'AC.7']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
level: '5'
description: 'Logon Failure - Unknown user or bad password'
groups: '['windows', 'windows_security', 'authentication_failed']'
firedtimes: '7'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1531']'
mitre.tactic: '['Impact']'
mitre.technique: '['Account Access Removal']'
nist_800_53: '['AU.14', 'AC.7']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDIT_FAILURE"},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}
**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDIT_FAILURE"},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}'
**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2026-01-21T14:28:13.410845300Z","eventRecordID":"119177303","processID":"740","threadID":"4196","channel":"Security","computer":"srvxx.empresayy.com.ar","severityValue":"AUDIT_FAILURE"},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"jpepe","targetDomainName":"EMPRESA","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PC002","keyLength":"0","processId":"0x0","ipAddress":"172.16.1.250","ipPort":"50726"}}}'
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.authenticationPackageName: 'NTLM'
win.eventdata.failureReason: '%%2313'
win.eventdata.ipAddress: '172.16.1.250'
win.eventdata.ipPort: '50726'
win.eventdata.keyLength: '0'
win.eventdata.logonProcessName: 'NtLmSsp'
win.eventdata.logonType: '3'
win.eventdata.processId: '0x0'
win.eventdata.status: '0xc000006d'
win.eventdata.subStatus: '0xc000006a'
win.eventdata.subjectLogonId: '0x0'
win.eventdata.subjectUserSid: 'S-1-0-0'
win.eventdata.targetDomainName: 'EMPRESA'
win.eventdata.targetUserName: 'jpepe'
win.eventdata.targetUserSid: 'S-1-0-0'
win.eventdata.workstationName: 'PC002'
win.system.channel: 'Security'
win.system.computer: 'srvxx.empresayy.com.ar'
win.system.eventID: '4625'
win.system.eventRecordID: '119177303'
win.system.keywords: '0x8010000000000000'
win.system.level: '0'
```
Luis Enrique Chico Capistrano
Feb 4, 2026, 10:02:16 AMFeb 4
to Wazuh | Mailing List
Hi Facu,
I haven't been able to test the event using just the alert details. To look into this further, I'll need the raw event as it appears in your archive.log. Would you be able to share that with me?
Luis Enrique Chico Capistrano
Feb 6, 2026, 7:17:10 AMFeb 6
to Wazuh | Mailing List
Hi Facu,
cat /var/ossec/etc/rules/local_rules.xml
----
```
Based on the archives.log files that you shared, I couldn't trigger any events for rule 60204. I only see the child rule 101203 that we generated previously.
bash-5.2# cat result_logtest.log |grep -E "\sid:"
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '101203'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
Just in case, could you review your custom rules? Here are mine:
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
id: '101203'
id: '60122'
id: '60122'
id: '60122'
id: '60122'
Just in case, could you review your custom rules? Here are mine:
cat /var/ossec/etc/rules/local_rules.xml
----
<group name="local,syslog,sshd,authentication,windows">
<rule id="101200" level="10">
<if_sid>60204</if_sid>
<field name="win.eventdata.targetUserName">^SRVXSQL1</field>
<field name="win.eventdata.ipAddress">172.16.1.116</field>
<description>Multiple Windows Logon Failures (baja prioridad) - Usuario: $(win.eventdata.targetUserName) - IP: $(win.eventdata.ipAddress)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<rule id="101203" level="10">
<if_sid>60204</if_sid>
<field name="win.system.computer">^srvxx.empresayy.com.ar$</field>
<field name="win.eventdata.targetUserName">^jpepe$</field>
<field name="win.eventdata.workstationName">^PC002$</field>
<description>Multiple Windows Logon Failures - User $(win.eventdata.targetUserName) on authorized workstation $(win.eventdata.workstationName) (level lowered)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_C
C7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
</group>
<rule id="101200" level="10">
<if_sid>60204</if_sid>
<field name="win.eventdata.targetUserName">^SRVXSQL1</field>
<field name="win.eventdata.ipAddress">172.16.1.116</field>
<description>Multiple Windows Logon Failures (baja prioridad) - Usuario: $(win.eventdata.targetUserName) - IP: $(win.eventdata.ipAddress)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<rule id="101203" level="10">
<if_sid>60204</if_sid>
<field name="win.system.computer">^srvxx.empresayy.com.ar$</field>
<field name="win.eventdata.targetUserName">^jpepe$</field>
<field name="win.eventdata.workstationName">^PC002$</field>
<description>Multiple Windows Logon Failures - User $(win.eventdata.targetUserName) on authorized workstation $(win.eventdata.workstationName) (level lowered)</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_C
C7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
</group>
----
I extracted the JSON events from your file /tmp/events_community.json to use as input for wazuh-logtest. As I mentioned before, in my testing environment I changed the following:
```
In /var/ossec/ruleset/rules/0575-win-base_rules.xml we must modify rule 60000 by deleting or commenting out <category> and changing <decoded_as> to json:
<rule id="60000" level="2">
<!-- category>ossec</category -->
<!-- decoded_as>windows_eventchannel</decoded_as -->
<decoded_as>json</decoded_as>
<field name="win.system.providerName">\.+</field>
<options>no_full_log</options>
<description>Group of windows rules.</description>
</rule>
```
cat /tmp/events_community.json |var/ossec/bin/wazuh-logtest &>result_logtest.log
I have attached the files for your review. Please let me know if you have other events that might require a different rule. However, for the event you shared, the rule we created should be enough.
Reply all
Reply to author
Forward
0 new messages