Juan C. Tello
Alternatively, an implicit decoder (like the one for `json`) could be created for the `CEF` and `LEEF` formats, given that all fields have a given name. This has been requested...
This also affects Wazuh's native [Azure integration](https://documentation.wazuh.com/current/azure), which can produce alerts such as:

```json
{
  "timestamp": "2022-05-18T14:36:53.672+0000",
  "rule": {"level": 3, "description": "Azure: AD ", "id": "87802", "firedtimes": 1, "mail": false, "groups": ["azure"]},
  "agent": {"id": "000", "name": "wazuhmanager"},
  "manager": {"name": "wazuhmanager"},
  "id": "1652884613.107394",
  "decoder": {"name": "json"},
  "data": {
    "id": "Directory_11111111-1111-1111-1111-111111111111_Y9GLM_86734990",
    "category": "UserManagement",
    "correlationId": "11111111-1111-1111-1111-111111111111",
    "result": "success",
    "activityDisplayName": "Delete user",
    "activityDateTime": "2022-05-18T14:35:30.5989483Z",
    "loggedByService": "Core Directory",
    "operationType": "Delete",
    "initiatedBy": {
      "app": "null",
      "user": {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "null",
        "userPrincipalName": "[email protected]",
        "ipAddress": "111.111.111.111",
        "userType": "null",
        "homeTenantId": "null",
        "homeTenantName": "null"
      }
    },
    "targetResources": [
      {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": null,
        "type": "User",
        "userPrincipalName": "11111111111111111111111111111111anotheruser_company.com#EXT#@company.onmicrosoft.com",
        "groupType": null,
        "modifiedProperties": [
          {"displayName": "Is Hard Deleted", "oldValue": null, "newValue": "\"False\""}
        ]
      }
    ],
    "additionalDetails": [],
    "azure_tag": "azure-ad-graph",
    "azure_aad_tag": "azure-active_directory"
  },
  "location": "Azure"
}
```

and

```json
{
  "timestamp": "2022-05-18T07:20:57.015+0000",
  "rule": {"level": 3, "description": "Azure: AD ", "id": "87802", "firedtimes": 1, "mail": false, "groups": ["azure"]},
  "agent": {"id": "000", "name": "wazuhmanager"},
  "manager": {"name": "wazuhmanager"},
  "id": "1652858457.5919",
  "decoder": {"name": "json"},
  "data": {
    "id": "Sync_11111111-1111-1111-1111-111111111111_AAAAA_111111111",
    "category": "ProvisioningManagement",
    "correlationId": "11111111-1111-1111-1111-111111111111",
    "result": "success",
    "resultReason": "This app role assignment...
```
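The alerts quoted above are decoded by the generic `json` decoder, so the only field names a rule can reference are the dotted paths the decoder derives from the nested `data` object. The following added example (not Wazuh code, not the commenter's) flattens such an alert into those dotted names and separates the fields that carry a real JSON `null` from the ones that carry the string `"null"`, a mix visible in the sample: the two look alike in a dashboard but behave differently in a rule that tests for a field's presence or value. The sample alert is a trimmed copy of the first one above with the same placeholder values; the index-in-key convention for lists (`targetResources.0.type`) is an assumption of this example, not a description of Wazuh's decoder.

```python
"""Flatten a Wazuh JSON alert's nested ``data`` object into dotted field names
and report which fields hold JSON null versus the string "null".

Added example, not Wazuh code. The sample alert is constructed from the Azure
AD alert quoted above, trimmed and with the same placeholder values.
"""
import json

# Constructed sample, reduced from the first alert quoted above.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2022-05-18T14:36:53.672+0000",
    "rule": {"level": 3, "description": "Azure: AD ", "id": "87802", "groups": ["azure"]},
    "decoder": {"name": "json"},
    "data": {
        "category": "UserManagement",
        "result": "success",
        "activityDisplayName": "Delete user",
        "operationType": "Delete",
        "initiatedBy": {
            "app": "null",                      # the string "null", not JSON null
            "user": {
                "id": "11111111-1111-1111-1111-111111111111",
                "displayName": "null",
                "ipAddress": "111.111.111.111",
                "userType": "null",
            },
        },
        "targetResources": [
            {
                "id": "11111111-1111-1111-1111-111111111111",
                "displayName": None,            # a real JSON null
                "type": "User",
                "modifiedProperties": [
                    {"displayName": "Is Hard Deleted", "oldValue": None, "newValue": "\"False\""}
                ],
            }
        ],
        "additionalDetails": [],                # empty list: yields no field at all
        "azure_tag": "azure-ad-graph",
    },
})


def flatten(obj, prefix=""):
    """Recursively flatten dicts and lists into a {dotted.key: leaf} map.
    List elements get their index in the key (targetResources.0.type); that
    convention is an assumption of this example, not Wazuh's. Empty dicts
    and lists produce no key, so "presence" checks on them never fire."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def alert_fields(alert_json):
    """Return the flattened ``data`` fields of one alert, keyed as ``data.x.y``."""
    alert = json.loads(alert_json)
    return flatten(alert["data"], "data.")


def classify_nulls(fields):
    """Split fields into real JSON nulls and the literal string "null".
    A rule matching on a field's value sees "null" as an ordinary string,
    while a real null is a field whose value is absent."""
    real_null = sorted(k for k, v in fields.items() if v is None)
    string_null = sorted(k for k, v in fields.items() if v == "null")
    return real_null, string_null


if __name__ == "__main__":
    fields = alert_fields(SAMPLE_ALERT)
    for key, value in fields.items():
        print(f"{key} = {value!r}")
    real_null, string_null = classify_nulls(fields)
    print("JSON null:", real_null)
    print('string "null":', string_null)
```

Running the block lists every dotted field with its value, then the two groups: `data.targetResources.0.displayName` and `...oldValue` are real nulls, while `data.initiatedBy.app`, `data.initiatedBy.user.displayName` and `data.initiatedBy.user.userType` are strings that merely read "null".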
Hi @aderumier, you may collect multiline Crowdstrike logs with the following configuration:

```xml
<localfile>
  <log_format>multi-line-regex</log_format>
  <location>/var/log/crowdstrike/falconhoseclient/output</location>
  <multiline_regex>^{</multiline_regex>
</localfile>
```

Variable multiline log collection was added in Wazuh 4.2.0, and in this configuration...
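The configuration above relies on one mechanic: a line matching the start pattern (`^{`, the opening brace of a pretty-printed JSON event) opens a new record, and every following line that does not match is appended to the record in progress, so the record is only known to be complete when the next start line arrives. The added example below (not Wazuh's logcollector, not the commenter's code) implements that record assembly over a constructed sample of pretty-printed events in the shape the Falcon SIEM connector writes (event contents are made up), then parses each record as JSON so that a truncated trailing event, which is exactly what a collector sees while the connector is still writing, is set aside instead of breaking the rest.

```python
"""Reassemble multi-line log records using a start-of-record regex, the way
a multi-line-regex collector does, then parse each record as JSON.

Added example; not Wazuh's logcollector. It mirrors the configuration above
(start pattern ^{) on a constructed sample of pretty-printed JSON events.
"""
import json
import re

# Constructed sample: two complete pretty-printed events followed by one
# unfinished event, as a connector leaves the file while still writing it.
SAMPLE_OUTPUT = """\
{
  "metadata": {"eventType": "DetectionSummaryEvent", "offset": 1},
  "event": {"ComputerName": "host-a", "Severity": 4}
}
{
  "metadata": {"eventType": "UserActivityAuditEvent", "offset": 2},
  "event": {"UserId": "analyst@example.test", "OperationName": "userLogin"}
}
{
  "metadata": {"eventType": "DetectionSummaryEvent", "offset": 3},
  "event": {"ComputerName": "host-b",
"""


def collect_multiline(text, start_regex=r"^\{"):
    """Group lines into records. A line matching start_regex opens a record;
    non-matching lines are appended to the open record. Returns
    (complete_records, pending): the last record stays pending because
    nothing marks it finished until the next start line arrives.
    ``^\\{`` is the Python spelling of the ``^{`` used in the configuration."""
    start = re.compile(start_regex)
    records, current = [], None
    for line in text.splitlines():
        if start.search(line):
            if current is not None:
                records.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
        # Lines seen before any start line belong to no record and are dropped.
    pending = "\n".join(current) if current is not None else None
    return records, pending


def parse_records(records):
    """Parse each reassembled record as JSON. Records that do not parse
    (truncated or corrupted events) are returned separately so one bad
    record does not stop the others from being processed."""
    parsed, bad = [], []
    for record in records:
        try:
            parsed.append(json.loads(record))
        except json.JSONDecodeError:
            bad.append(record)
    return parsed, bad


if __name__ == "__main__":
    records, pending = collect_multiline(SAMPLE_OUTPUT)
    events, bad = parse_records(records)
    for event in events:
        print(event["metadata"]["eventType"], event["metadata"]["offset"])
    print("complete records:", len(records), "| pending record:", pending is not None)
```

The pending record is the practical point of the start-pattern approach: a collector cannot close the third event until a fourth `{` line appears, so the last event in a quiet period is only emitted after the next one is written.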
The issue is meant to address the lack of visibility as to why some alerts are not getting diff. Adding this information to the alert generated would be a very...
This still happens as of Wazuh v4.2.5. This behavior is inherited by the Wazuh API and, in consequence, by the Wazuh Dashboard plugin, as can be observed in this video:...
> we should decide if we include it in v5.0.0 or it is discarded.

OK, I advise against considering discarding this, as it is a bug that leads to unexpected...