SIEM Detection and Alerting guided exercise

I am working on the SIEM Detection and Alerting guided exercise and have completed the steps to create the custom Wazuh rule.

My configuration is:

<rule id="100002" level="12">
  <if_sid>92653</if_sid>
  <field name="win.eventdata.targetUserName">Administrator</field>
  <description>Administrator RDP Login</description>
</rule>

I restarted the Wazuh manager after saving the rule.

The problem is that the Windows Wazuh agent never connects to the manager.

Troubleshooting completed:

  • Wazuh manager service is active and running.

  • Windows Wazuh Agent service is running.

  • agent_control -l always shows the Windows agent as Disconnected.

  • Windows agent log shows:

  • I restarted both the Wazuh manager and the Windows agent.

  • I restarted the Windows VM.

  • I restarted the entire lab.

  • I recreated the custom rule multiple times.

  • Windows Event Viewer generates Event ID 4624 (Logon Type 10), but Wazuh never receives the event, so Rule 92653 and Rule 100002 never trigger.

  • Running sudo ./lab-flag.sh never returns the flag because it reports the field name/username check is failing.
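To make the two conditions in the posted rule concrete, here is an added Python model (not from the original post, and not Wazuh's own code) of how a child rule like 100002 is evaluated: the `<if_sid>` check requires that the parent rule 92653 already matched the event, and only then is the `<field>` pattern tested against the decoded value. The event dict and the Python `re.search` approximation of Wazuh's OS_Regex engine are assumptions of this example; the rule values are taken from the post. It also shows why an agent that never delivers the event leaves the custom rule with nothing to match, and why an unanchored pattern such as `Administrator` also matches longer names.

```python
import re
from typing import Dict, Set

# Constructed model of the custom rule from the post. A real Wazuh rule sits
# inside a <group> in a rules XML file; this model keeps only what decides
# whether the rule fires: the parent rule (if_sid) and the field match.
CUSTOM_RULE = {
    "id": 100002,
    "level": 12,
    "if_sid": 92653,
    "field": ("win.eventdata.targetUserName", "Administrator"),
    "description": "Administrator RDP Login",
}

# Constructed, simplified stand-in for what the Wazuh JSON decoder produces
# from a Windows 4624 event (field names as used in Wazuh rules).
SAMPLE_EVENT = {
    "win": {
        "system": {"eventID": "4624"},
        "eventdata": {"targetUserName": "Administrator", "logonType": "10"},
    }
}


def flatten(event: Dict, prefix: str = "") -> Dict[str, str]:
    """Turn nested decoder output into dotted names such as
    win.eventdata.targetUserName, which is how <field name="..."> refers to it."""
    flat: Dict[str, str] = {}
    for key, value in event.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = str(value)
    return flat


def rule_fires(rule: Dict, event: Dict, matched_sids: Set[int]) -> bool:
    """Decide whether a child rule fires for one event.

    matched_sids is the set of rule ids the manager has already matched for
    this event. If the event never reached the manager (agent disconnected)
    that set is empty, so <if_sid> fails and the custom rule can never fire,
    however correct the field check is.
    """
    if rule["if_sid"] not in matched_sids:
        return False
    field_name, pattern = rule["field"]
    value = flatten(event).get(field_name)
    if value is None:
        return False
    # Wazuh evaluates <field> with its own OS_Regex engine; Python's re.search
    # stands in for it here (an approximation). Both search anywhere in the
    # value unless the pattern is anchored with ^ and $.
    return re.search(pattern, value) is not None


def with_user(user: str) -> Dict:
    """Return a copy of SAMPLE_EVENT with a different targetUserName."""
    event = {"win": {"system": dict(SAMPLE_EVENT["win"]["system"]),
                     "eventdata": dict(SAMPLE_EVENT["win"]["eventdata"])}}
    event["win"]["eventdata"]["targetUserName"] = user
    return event


if __name__ == "__main__":
    parent_ok = {92653}
    print(rule_fires(CUSTOM_RULE, SAMPLE_EVENT, parent_ok))          # True
    print(rule_fires(CUSTOM_RULE, SAMPLE_EVENT, set()))              # False: nothing reached the manager
    print(rule_fires(CUSTOM_RULE, with_user("Administrator2"), parent_ok))  # True: unanchored pattern
    anchored = dict(CUSTOM_RULE, field=("win.eventdata.targetUserName", "^Administrator$"))
    print(rule_fires(anchored, with_user("Administrator2"), parent_ok))     # False
```

The second call is the situation described in the post: with no event arriving from the agent, the parent rule never matches, so the `<if_sid>` gate closes before the username is ever compared. The last two calls show that anchoring the pattern (`^Administrator$`) is what restricts the match to exactly that account.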

The most likely issue is that you cannot successfully “ping wazuh” from the agent. This part is missing from your troubleshooting steps listed.

You get a check for this later in the lab as well…

If you are not seeing an active agent, then the custom rule will not work. In fact nothing will work.
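The answer's point is that agent connectivity has to be established before any rule matters. As an added example (not part of the original thread and not a Wazuh tool), the following Python script performs the two checks a lab user would want in one place: it parses `agent_control -l` style output to list agents that are not Active, and it reads the manager address and port from the agent's `<client><server>` block in ossec.conf and tests whether that name resolves on the host. The agent list, the ossec.conf excerpt and the agent names in it are constructed for this example; the hostname `wazuh` mirrors the one the answer says must be pingable.

```python
import re
import socket
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample of `agent_control -l` output. Real output lists one agent
# per line with ID, Name, IP and a status such as Active, Disconnected or
# Never connected; the names and addresses here are made up.
SAMPLE_AGENT_LIST = """\
Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: win-lab, IP: any, Disconnected
   ID: 002, Name: linux-lab, IP: 10.0.0.20, Active
"""

# Constructed excerpt of an agent-side ossec.conf. <client><server><address>
# is the manager name or IP the agent tries to reach.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <client>
    <server>
      <address>wazuh</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
"""

AGENT_LINE = re.compile(
    r"ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>.*?),\s*IP:\s*(?P<ip>[^,]+),\s*(?P<status>.+)$"
)


def parse_agent_list(text: str) -> List[Dict[str, str]]:
    """Parse agent_control -l style output into a list of agent records."""
    agents = []
    for line in text.splitlines():
        m = AGENT_LINE.search(line)
        if m:
            agents.append({k: v.strip() for k, v in m.groupdict().items()})
    return agents


def not_reporting(agents: List[Dict[str, str]]) -> List[str]:
    """IDs of agents whose status is anything other than Active. The manager
    itself shows as Active/Local and is therefore excluded."""
    return [a["id"] for a in agents if not a["status"].startswith("Active")]


def manager_endpoint(conf_xml: str) -> Tuple[str, int]:
    """Return (address, port) from the agent's <client><server> block."""
    root = ET.fromstring(conf_xml)
    server = root.find("./client/server")
    if server is None:
        raise ValueError("no <client><server> block in ossec.conf")
    address = server.findtext("address", default="").strip()
    port = int(server.findtext("port", default="1514"))
    return address, port


def resolves(address: str) -> bool:
    """True if the manager address resolves on this host. An agent that cannot
    resolve its manager name never connects, whatever rules the manager has."""
    try:
        socket.getaddrinfo(address, None)
        return True
    except socket.gaierror:
        return False


def triage(agent_list: str, conf_xml: str) -> Dict[str, object]:
    """Combine both checks into one report."""
    agents = parse_agent_list(agent_list)
    address, port = manager_endpoint(conf_xml)
    return {
        "agents_not_active": not_reporting(agents),
        "manager_address": address,
        "manager_port": port,
        "manager_resolves": resolves(address),
    }


if __name__ == "__main__":
    # On the agent VM, feed the real `agent_control -l` output (captured on the
    # manager) and the agent's own ossec.conf instead of the samples.
    for key, value in triage(SAMPLE_AGENT_LIST, SAMPLE_OSSEC_CONF).items():
        print(f"{key}: {value}")
```

If `manager_resolves` comes back False for the address the agent is configured with, that is the same failure the answer describes: the agent has no path to the manager, so it stays Disconnected and no event, parent rule or custom rule is ever evaluated. Fixing name resolution (or using the manager's IP in `<address>`) comes before any further work on the rule.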