Windows Event alerts via email - How can I include event detail in email body?

[Joseph Keegan]

Hello,

I'm creating alerts with Wazuh and have successfully been getting email alerts on basic things so far (ie eventid-4720 new user added).  I created this with the GUI.  

However, all I get in the alert is that the alert trigger happened.  No details other than the alert time , severity, and monitor name that triggered the alert.

What I WANT is:  the entire details of the Windows event, which is data that is in the event in Wazuh.  These are being pulled by the Windows Wazuh agent.

Help is appreciated, I'm pretty new to Wazuh but so far so good ... I'm just not getting anywhere with the details here.  

If there is a json template that someone could point me to for Windows events where I could just paste and enter the event-id I'm looking for, that would help a LOT.

I also have only read that there is a json rule list somewhere, I have not found where it is yet, so I can only create alerts / monitors / triggers in the webGUI ... so a link to the how-to would also help.  

Thanks everyone!  

[Marcos Darío Buslaiman]

Hi Joseph,

Thanks for using Wazuh!

I am going to review this and investigate what possibilities we have and I will notify you as soon as possible for any news.

Regards

Marcos

[Marcos Darío Buslaiman]

Hi  Joseph,
Sorry for the delay, 
Regarding your questions about the email alert that does not contain the details, could you share the RulesIDs of that rules? 

On the other hand regarding the list of rules, you can see them, both built-in and custom, using the GUI you can go to the Wazuh Menu --> Management --> Administration --> Rules
Here you can find more information about rules Custom rules and decoders.

Please, check the attached images.
   

Regards
Marcos