u/FigRevolutionary4365

r/Wazuh

Wazuh CDB list: Need ability to match key+value against two dynamic decoded fields (USB-to-user binding use case)

**Wazuh Version:** 4.14.1

**Deployment:** Cluster (1 Master + 2 Workers, Docker)

---

## Use Case

I want to bind a specific USB device to a specific authorized user.

USB-1 is assigned to "nimrah". If any other user plugs it in, an alert should trigger. This requires matching TWO decoded fields together against a CDB list.

---

## Environment Details

- Windows agent sending Security Event ID 6416 (new device recognized)
- Decoded via the windows_eventchannel decoder
- Relevant decoded fields:
  - `win.eventdata.deviceId` = `USBSTOR\\Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100\\CCYYMMDDHHmm0035&0`
  - `win.eventdata.subjectUserName` = `nimrah`

---

## CDB List (etc/lists/fdlist)

### Format tried for multi-field lookup:

```text
USBSTOR\\Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100\\CCYYMMDDHHmm0035&0,nimrah:allowed
```

### Format tried for match_key_value:

```text
USBSTOR\\Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100\\CCYYMMDDHHmm0035&0:nimrah
```

---

## Base Rule (working fine)

```xml
<rule id="100200" level="8">
  <if_sid>60227</if_sid>
  <field name="win.eventdata.className">^DiskDrive$</field>
  <field name="win.eventdata.deviceId">^USB|^USBSTOR|^SCSI</field>
  <options>no_full_log</options>
  <description>A USB device plugged-in.</description>
</rule>
```

---

## What I Tried

### Attempt 1: Multi-field CDB lookup (comma syntax)

```xml
<!-- fdlist: USBSTOR\\Disk&...&0,nimrah:allowed -->

<rule id="100201" level="5">
  <if_sid>100200</if_sid>
  <list field="win.eventdata.deviceId,win.eventdata.subjectUserName"
        lookup="match_key">etc/lists/fdlist</list>
  <options>no_full_log</options>
  <description>Authorized USB used by correct user $(win.eventdata.subjectUserName).</description>
</rule>

<rule id="100202" level="12">
  <if_sid>100200</if_sid>
  <list field="win.eventdata.deviceId,win.eventdata.subjectUserName"
        lookup="not_match_key">etc/lists/fdlist</list>
  <options>no_full_log</options>
  <description>USB used by WRONG user $(win.eventdata.subjectUserName)!</description>
</rule>
```

Result: Both rules silently fail. Only parent rule 100200 fires.

Confirmed: No built-in Wazuh rules use comma syntax — grep of the entire ruleset returns nothing for a comma in the field attribute.

---

### Attempt 2: match_key_value with dynamic check_value

```xml
<!-- fdlist: USBSTOR\\Disk&...&0:nimrah -->

<rule id="100201" level="5">
  <if_sid>100200</if_sid>
  <list field="win.eventdata.deviceId"
        lookup="match_key_value"
        check_value="$(win.eventdata.subjectUserName)">etc/lists/fdlist</list>
  <options>no_full_log</options>
  <description>Authorized USB used by correct user $(win.eventdata.subjectUserName).</description>
</rule>
```

Result: Rule never fires. Only parent rule 100200 fires.

Question: Does check_value support dynamic field references like $(field) or only static hardcoded strings?

---

### Attempt 3: not_match_key and not_match_key_value

```xml
<rule id="100202" level="12">
  <if_sid>100200</if_sid>
  <list field="win.eventdata.deviceId"
        lookup="not_match_key_value"
        check_value="nimrah">etc/lists/fdlist</list>
  <options>no_full_log</options>
  <description>USB used by WRONG user!</description>
</rule>
```

Result: analysisd CRITICAL error on startup:

```text
"List match lookup="not_match_key_value" is not valid"
"Error loading the rules"
```

Confirmed valid lookups via grep of the entire ruleset:

- match_key ✅
- match_key_value ✅
- not_match_key ❌ (causes startup error)
- not_match_key_value ❌ (causes startup error)

---

### Attempt 4: Decoder field concatenation

Tried creating a child decoder under windows_eventchannel to concatenate deviceId + subjectUserName into one new field win.eventdata.usbUserKey:

```xml
<decoder name="usb-user-key">
  <parent>windows_eventchannel</parent>
  <regex>"deviceId":"(\.+?)".+"subjectUserName":"(\.+?)"</regex>
  <order>win.eventdata.usbUserKey, win.eventdata.usbUser</order>
</decoder>
```

Result: Does not work. windows_eventchannel is a plugin decoder — child decoders cannot re-parse its already-decoded output via regex.

Question: Is there any supported way to create a combined/concatenated field from two already-decoded fields?

---

## Questions

1. Does check_value="$(win.eventdata.subjectUserName)" support dynamic field references or only static strings?
2. Is there a supported way to concatenate two decoded fields into one new field in a decoder, so a single match_key CDB lookup can be used?
3. Is there a supported way to do a CDB lookup matching on a combination of two decoded fields simultaneously?
4. Does not_match_key actually work? It causes a startup error in v4.14.1.
5. What is the recommended approach to implement USB-to-user binding alerts without creating a separate rule per user?

---

## Requested Feature

A check_field_value attribute that takes another decoded field as reference:

```xml
<list field="win.eventdata.deviceId"
      lookup="match_key_value"
      check_field_value="win.eventdata.subjectUserName">etc/lists/fdlist</list>
```

CDB list would be:

```text
USBSTOR\\Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100\\CCYYMMDDHHmm0035&0:nimrah
```

This was also previously requested in issue #18311.

u/FigRevolutionary4365 — 3 days ago
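Since the attempts above show check_value working only as a static string, one workable interim approach is to generate the per-user rule pairs and the CDB list from a binding table instead of writing them by hand. This is an added example, not code from the post or from the Wazuh project; the rule ids from 100210 upward, the alert levels and the "windows,usb" group name are assumptions, and it relies on the negate="yes" attribute of `<field>` from Wazuh's rule syntax to express "bound device, but a different user".

```python
import re
from xml.sax.saxutils import escape

# Constructed binding table: USB deviceId -> authorised user (device value mirrors the post).
BINDINGS = {
    r"USBSTOR\Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100\CCYYMMDDHHmm0035&0": "nimrah",
}
PARENT_SID = 100200  # the post's "A USB device plugged-in" rule
FIRST_ID = 100210    # assumption: a free id range for the generated rules
USER_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # keeps usernames literal inside ^...$ regexes

def cdb_lines(bindings):
    """One 'deviceId:user' line per binding, the match_key_value list format from the post."""
    lines = []
    for device, user in bindings.items():
        if ":" in device or not USER_RE.match(user):
            raise ValueError(f"unsupported CDB key/value: {device!r} -> {user!r}")
        lines.append(f"{device}:{user}")
    return lines

def rules_xml(bindings, list_path="etc/lists/fdlist"):
    """Two rules per distinct user: bound device + same user -> authorised (level 5),
    bound device + any other user -> wrong-user alert (level 12)."""
    out, rid = [], FIRST_ID
    for user in sorted(set(bindings.values())):
        if not USER_RE.match(user):
            raise ValueError(f"unsupported username: {user!r}")
        u = escape(user)
        for level, negate, desc in (
            (5, "", "Authorized USB used by correct user $(win.eventdata.subjectUserName)."),
            (12, ' negate="yes"', "USB bound to " + u + " used by WRONG user $(win.eventdata.subjectUserName)!"),
        ):
            out.append(f'''<rule id="{rid}" level="{level}">
  <if_sid>{PARENT_SID}</if_sid>
  <list field="win.eventdata.deviceId" lookup="match_key_value" check_value="{u}">{list_path}</list>
  <field name="win.eventdata.subjectUserName"{negate}>^{u}$</field>
  <options>no_full_log</options>
  <description>{desc}</description>
</rule>''')
            rid += 1
    return '<group name="windows,usb,">\n' + "\n".join(out) + "\n</group>\n"

def classify(event, bindings):
    """Mirror of what the generated rules decide for one decoded Event ID 6416."""
    bound = bindings.get(event["win.eventdata.deviceId"])
    if bound is None:
        return "unlisted_device"  # only the parent rule 100200 fires
    return "authorized" if event["win.eventdata.subjectUserName"] == bound else "wrong_user"
```

Write `cdb_lines()` to the list file (then rebuild the CDB as usual) and `rules_xml()` into a local rules file; the per-user rules are regenerated whenever the binding table changes.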