Rule not working (Cyrillic issue?)


Mefisto Evil

Jan 7, 2026, 10:46:20 AM
to Wazuh | Mailing List


Hello, I have trash events about the BITS service restarting in Windows and I want to suppress them. This is Windows with the Cyrillic language. So I created a rule:

<rule id="100199" level="0">
  <if_sid>61104</if_sid>
  <field name="win.eventdata.param1">Фоновая интеллектуальная служба передачи (BITS)</field>
  <!-- <field name="win.eventdata.param4">BITS</field> -->
  <description>Suppress BITS startup type change to Manual</description>
</rule>


With

<field name="win.eventdata.param4">BITS</field>

it suppresses, but with

<field name="win.eventdata.param1">Фоновая интеллектуальная служба передачи (BITS)</field>

there is no suppression and I don't understand why. I want the second version, with the full description of the event, not just "BITS".

The original event JSON looks like this:


{
  "_index": "wazuh-alerts-4.x-2026.01.07",
  "_id": "1GAZmZsB97dn97S641oM",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": { "type": "log" },
    "agent": { "ip": "192.168.9.4", "name": "srv-test", "id": "015" },
    "manager": { "name": "srv-wazuh" },
    "data": {
      "win": {
        "eventdata": {
          "param3": "Вручную",
          "param4": "BITS",
          "param1": "Фоновая интеллектуальная служба передачи (BITS)",
          "param2": "Автоматически"
        },
        "system": {
          "eventID": "7040",
          "eventSourceName": "Service Control Manager",
          "keywords": "0x8080000000000000",
          "providerGuid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
          "level": "4",
          "channel": "System",
          "opcode": "0",
          "message": "\"Тип запуска службы \"Фоновая интеллектуальная служба передачи (BITS)\" был изменен с \"Автоматически\" на \"Вручную\".\"",
          "version": "0",
          "systemTime": "2026-01-07T15:37:27.822540300Z",
          "eventRecordID": "1494101",
          "threadID": "3040",
          "computer": "srv-test",
          "task": "0",
          "processID": "812",
          "severityValue": "INFORMATION",
          "providerName": "Service Control Manager"
        }
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 3,
      "pci_dss": [ "10.6" ],
      "hipaa": [ "164.312.b" ],
      "tsc": [ "CC6.1", "CC6.8", "CC7.2", "CC7.3" ],
      "description": "Service startup type was changed",
      "groups": [ "windows", "windows_system", "policy_changed" ],
      "id": "61104",
      "nist_800_53": [ "AU.6" ],
      "info": "This does not appear to be logged on Windows 2000",
      "gdpr": [ "IV_35.7.d" ]
    },
    "location": "EventChannel",
    "decoder": { "name": "windows_eventchannel" },
    "id": "1767800163.1691739",
    "timestamp": "2026-01-07T20:36:03.848+0500"
  },
  "fields": { "timestamp": [ "2026-01-07T15:36:03.848Z" ] },
  "highlight": {
    "manager.name": [ "@opensearch-dashboards-highlighted-field@srv-wazuh@/opensearch-dashboards-highlighted-field@" ],
    "agent.name": [ "@opensearch-dashboards-highlighted-field@srv-test@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1767800163848 ]
}

Olamilekan Abdullateef Ajani

Jan 7, 2026, 12:58:20 PM
to Wazuh | Mailing List
Hello Mefisto,

The issue you are experiencing is due to character encoding problems when matching the value of the field "param1." The characters require proper UTF-8 encoding.

That being said, what we can do is use PCRE2 regex syntax when matching that field. Please see a sample below, which I tested and which works. You can refer to the attached image for the result.

<group name="custom-test,">
  <rule id="198199" level="0">
    <if_sid>61104</if_sid>
    <field name="win.eventdata.param1" type="pcre2">(?i)Фоновая.*служба.*BITS</field>
    <!-- <field name="win.eventdata.param4">BITS</field> -->
    <description>Suppress BITS startup type change to Manual</description>
  </rule>
</group>

Please let me know if you require further assistance on this.
BITS.png
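To check the suggested pattern offline before deploying it, here is an added Python example (not from the thread or from Wazuh) that runs the answer's PCRE2 expression against param1 of the posted alert and contrasts it with the byte-for-byte comparison that breaks when the rule file and the agent disagree on encoding. It assumes Python's re handles this pattern the same way PCRE2 does, the alert is trimmed to the fields the rule inspects, and the cp1251 case is an illustration of the mismatch the answer describes rather than a confirmed diagnosis.

```python
import json
import re

# Alert from the thread, trimmed to the fields the rule inspects (constructed from the posted JSON).
ALERT_JSON = r'''{"data": {"win": {"eventdata": {
  "param1": "Фоновая интеллектуальная служба передачи (BITS)",
  "param2": "Автоматически", "param3": "Вручную", "param4": "BITS"},
  "system": {"eventID": "7040", "channel": "System"}}},
  "rule": {"id": "61104", "description": "Service startup type was changed"}}'''

# Pattern from the answer; Python's re accepts this subset of PCRE2 unchanged (assumption).
PCRE2_PATTERN = r"(?i)Фоновая.*служба.*BITS"

def load_alert(text: str = ALERT_JSON) -> dict:
    """Parse the alert as the indexer would hand it back."""
    return json.loads(text)

def field(alert: dict, dotted: str) -> str:
    """Resolve a Wazuh dotted field name such as win.eventdata.param1 under alert['data']."""
    node = alert["data"]
    for part in dotted.split("."):
        node = node[part]
    return node

def pcre2_field_matches(alert: dict, dotted: str, pattern: str) -> bool:
    """Emulate <field name=... type="pcre2">: a successful search anywhere in the value."""
    return re.search(pattern, field(alert, dotted)) is not None

def exact_bytes_match(rule_value: str, rule_encoding: str, event_value: str) -> bool:
    """Illustrate the encoding mismatch described in the answer: a rule file saved in a
    legacy code page produces different bytes than the UTF-8 the agent sends, so the
    same visible text fails a byte-for-byte comparison (assumed mechanism)."""
    return rule_value.encode(rule_encoding) == event_value.encode("utf-8")

def suppress_decision(alert: dict) -> bool:
    """True when the answer's rule (if_sid 61104 plus pcre2 on param1) would fire at level 0."""
    return (alert["rule"]["id"] == "61104"
            and pcre2_field_matches(alert, "win.eventdata.param1", PCRE2_PATTERN))

if __name__ == "__main__":
    alert = load_alert()
    p1 = field(alert, "win.eventdata.param1")
    print("utf-8 rule vs utf-8 event :", exact_bytes_match(p1, "utf-8", p1))   # True
    print("cp1251 rule vs utf-8 event:", exact_bytes_match(p1, "cp1251", p1))  # False
    print("pcre2 suppression fires   :", suppress_decision(alert))             # True
```

A second alert with a different service name in param1 (for example the Windows Time service) must return False from suppress_decision, which confirms the pattern is not over-broad.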