Extract MD5 hash from win.eventdata.hashes field into a separate field

Breathald

4:36 AM (9 hours ago)
to Wazuh | Mailing List
Hello,

I'm trying to extract the MD5 hash from the win.eventdata.hashes field (Sysmon Event ID 1) into a separate field like win.eventdata.hashes.md5 to display only the MD5 in my custom rule description.

Environment:

  • Wazuh Manager version: 4.14.2
  • OS: Ubuntu 24
  • Agents: Windows Server 2022 with Sysmon

Current situation:

I have a working custom rule that detects execution of test_virus.exe:
<group name="sysmon_hunting,">
  <rule id="100103" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)test_virus\.exe</field>
    <description>VICTORY: Virus detected - $(win.eventdata.hashes)</description>
    <mitre><id>T1204</id></mitre>
  </rule>
</group>

This rule works correctly and displays all hashes in the description:
VICTOIRE : Virus detecté - MD5=F13E161C2B44E5232FA92228F29EDF95,SHA256=7D453801B059E4DAB59B1B159CCD713E1D3593FAA537C6AC5BBC2CE6C1E78A4D,IMPHASH=01C58048892B7C8200168186256493A9

Goal:

I want to extract only the MD5 hash into a separate field so I can use `$(win.eventdata.hashes.md5)` in my rule description to display:
VICTORY: Virus detected - MD5: F13E161C2B44E5232FA92228F29EDF95

What I've tried:  

Attempt 1: Custom decoder with parent json

<decoder name="sysmon_hashes_extract">
  <parent>json</parent>
  <prematch type="pcre2">MD5=</prematch>
  <regex type="pcre2">MD5=([A-Fa-f0-9]{32})</regex>
  <order>win.eventdata.hashes.md5</order>
</decoder>

Result: Works in wazuh-logtest with simple JSON input, but breaks Phase 3 (rules matching) because the decoder interferes with the normal JSON decoding. Other fields like win.eventdata.image are no longer extracted.  

Attempt 2: Custom decoder with parent windows_eventchannel

<decoder name="sysmon_hashes_md5">
  <parent>windows_eventchannel</parent>
  <prematch type="pcre2">MD5=</prematch>
  <regex type="pcre2">MD5=([A-Fa-f0-9]{32})</regex>
  <order>win.eventdata.hashes.md5</order>
</decoder>

Result: Wazuh Manager fails to start with error:
ERROR: (2101): Parent decoder name invalid: 'windows_eventchannel'. ERROR: (2106): Error adding decoder plugin. CRITICAL: (1202): Configuration error at 'etc/decoders/local_decoder.xml'.

Attempt 3: Custom decoder without parent

<decoder name="extract_md5_from_hashes">
  <prematch type="pcre2">MD5=[A-Fa-f0-9]{32}</prematch>
  <regex type="pcre2">MD5=([A-Fa-f0-9]{32})</regex>
  <order>md5_hash</order>
</decoder>

Result: Wazuh Manager starts, but the field md5_hash is not populated. The description shows MD5: without any value.

Observations:

  • Real Windows events use decoder windows_eventchannel (visible in alerts: "decoder":{"name":"windows_eventchannel"})
  • The windows_eventchannel decoder doesn't exist in /var/ossec/ruleset/decoders/ - it seems to be built into Wazuh
  • Custom decoders with parent json work in wazuh-logtest but don't apply to real Windows events

Sample event from archives:
{
  "timestamp": "2026-02-02T09:46:12.374+0100",
  "agent": {"id": "002", "name": "SRV2022-02", "ip": "10.0.0.11"},
  "decoder": {"name": "windows_eventchannel"},
  "data": {
    "win": {
      "system": {
        "eventID": "1",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "severityValue": "INFORMATION"
      },
      "eventdata": {
        "image": "C:\\Users\\administrator\\Desktop\\test_virus.exe",
        "hashes": "MD5=F13E161C2B44E5232FA92228F29EDF95,SHA256=7D453801B059E4DAB59B1B159CCD713E1D3593FAA537C6AC5BBC2CE6C1E78A4D,IMPHASH=01C58048892B7C8200168186256493A9"
      }
    }
  }
}

Questions:

  • Is it possible to create a custom decoder that extracts a substring from a field decoded by windows_eventchannel?
  • Is there another approach to extract the MD5 into a separate field at the Wazuh level?
  • Should I use an Elasticsearch ingest pipeline instead?

Thank you for your help!
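For the substring extraction itself, here is an added example (not from the original post and not Wazuh code) that parses the Sysmon hashes value out of an archived alert like the one above into one field per algorithm, with digest-length checks, so the same logic can be reused in an integration script or an ingest step; it goes beyond the MD5-only case and handles every algorithm Sysmon lists. The sample alert is an abridged copy of the event quoted in the post, and the function and field names are my own.

```python
import re

# Expected hex-digest lengths for the algorithms Sysmon can list in "hashes".
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMPHASH": 32}
_ENTRY = re.compile(r"^(?P<alg>[A-Z0-9]+)=(?P<hex>[A-Fa-f0-9]+)$")


def parse_sysmon_hashes(hashes: str) -> dict:
    """Split 'MD5=...,SHA256=...,IMPHASH=...' into {'md5': ..., 'sha256': ..., ...}.

    Entries that are malformed, unknown, or have the wrong digest length are
    skipped rather than passed through, so a garbled value never lands in a field.
    """
    out = {}
    for entry in hashes.split(","):
        m = _ENTRY.match(entry.strip())
        if not m:
            continue
        alg, digest = m.group("alg"), m.group("hex")
        if DIGEST_LENGTHS.get(alg) != len(digest):
            continue
        out[alg.lower()] = digest
    return out


def extract_hashes(alert: dict) -> dict:
    """Read data.win.eventdata.hashes from a Wazuh archive record; {} if absent."""
    hashes = alert.get("data", {}).get("win", {}).get("eventdata", {}).get("hashes")
    if not isinstance(hashes, str):
        return {}
    return parse_sysmon_hashes(hashes)


# Constructed sample: an abridged copy of the archived event quoted in the post.
SAMPLE_ALERT = {
    "decoder": {"name": "windows_eventchannel"},
    "data": {"win": {
        "system": {"eventID": "1", "channel": "Microsoft-Windows-Sysmon/Operational"},
        "eventdata": {
            "image": "C:\\Users\\administrator\\Desktop\\test_virus.exe",
            "hashes": "MD5=F13E161C2B44E5232FA92228F29EDF95,"
                      "SHA256=7D453801B059E4DAB59B1B159CCD713E1D3593FAA537C6AC5BBC2CE6C1E78A4D,"
                      "IMPHASH=01C58048892B7C8200168186256493A9",
        },
    }},
}

if __name__ == "__main__":
    fields = extract_hashes(SAMPLE_ALERT)
    print("VICTORY: Virus detected - MD5: " + fields.get("md5", ""))
```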

Breathald

10:40 AM (3 hours ago)
to Wazuh | Mailing List

In principle, custom decoders cannot be applied after the windows_eventchannel decoder because it is integrated into the Wazuh source code.

Can anyone confirm this?
