Custom Rule Guide


Muhammad Ali Khan

Feb 3, 2026, 2:19:25 AM (yesterday) Feb 3
to Wazuh | Mailing List

Hi, In my Wazuh environment, email alerts are configured to trigger for events with a severity level of 12. A specific event occurs daily at a fixed time and consistently generates a level-12 alert. Although the severity is high, the activity is known, expected, and not suspicious.

Because this event runs every day, it repeatedly triggers email notifications, creating unnecessary alert noise. The challenge is to handle this recurring event in a way that prevents unnecessary emails while ensuring the event is still logged and does not affect other genuine level-12 security alerts.
Kindly guide me on how I can handle this?

Stuti Gupta

Feb 3, 2026, 2:55:15 AM (yesterday) Feb 3
to Wazuh | Mailing List

Hi Muhammad Ali Khan,

You can handle this expected level-12 alert by creating a custom rule that targets only this specific event. This way, the event will still be logged, but it will no longer trigger an alert, and it won't affect any other genuine level-12 alerts.

You need to create the custom rule based on the rule that triggers at the fixed time (for example, let's assume it is 5748). Then create a new custom rule that matches this rule only when the known, expected condition occurs, and set its level to 0 so it does not trigger an alert.

Example (replace with your actual conditions):

<group name="ignore_known_events">
  <!-- Child rule: takes precedence over 5748 only when the extra condition below matches -->
  <rule id="100010" level="0">
    <if_sid>5748</if_sid>
    <!-- Placeholder condition: here the event's source IP; use whichever decoded field identifies your event -->
    <srcip>203.0.113.10</srcip>
    <description>Known scheduled event, safe to ignore for alerts</description>
  </rule>
</group>

You can match on any field that uniquely identifies your expected event (user, source IP, command, path, etc.).

Restart the Wazuh manager to apply the custom rule: systemctl restart wazuh-manager

To learn more about rules please refer to https://documentation.wazuh.com/current/user-manual/ruleset/rules/index.html

Let me know if you want help writing the rule based on your exact event details. For that, please share the log. 


Muhammad Ali Khan

Feb 3, 2026, 6:22:30 AM (22 hours ago) Feb 3
to Stuti Gupta, Wazuh | Mailing List

Thanks dear, understood, but the issue is that there is a specific time window during which a known scheduled event generates level-12 logs. Since this activity is expected and non-suspicious, I want to handle it based on that specific time and event signature, so it does not trigger alerts or email notifications, while all other genuine level-12 alerts continue to work as expected.

I want to apply a custom rule that targets this event only during its scheduled time.


--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/a5ab01ed-c954-4824-81ad-c3082555dbc3n%40googlegroups.com.

Stuti Gupta

Feb 3, 2026, 11:47:53 PM (5 hours ago) Feb 3
to Wazuh | Mailing List
In that case you can use the time syntax, like:

<!-- Rule 17101 already exists in the default Wazuh ruleset, so redefining it in
     local_rules.xml needs overwrite="yes"; alternatively give the rule a new id
     in the custom range 100000-119999 -->
<rule id="17101" level="0" overwrite="yes">
  <if_group>authentication_success</if_group>
  <!-- Time window, evaluated against the Wazuh manager's local clock; it wraps past midnight -->
  <time>6 pm - 8:30 am</time>
  <description>Successful login during non-business hours.</description>
  <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group>
</rule>

This rule won't trigger on successful logins occurring between 6 PM and 8 AM Wazuh server time, because of the 0 level.


To know more about this please refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
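Putting the two replies together, here is an added example (not from the thread, and not Wazuh's own ruleset) of a child rule for local_rules.xml that combines the if_sid approach from the first reply with the time syntax from the second. The parent rule id 5748, the source 203.0.113.10 and the window "1:55 am - 2:10 am" are placeholders to replace with the real event's values. One caveat worth knowing before copying the level-0 approach: in Wazuh, level 0 means the event is ignored entirely, so it never reaches alerts.log or alerts.json. If the original requirement is "still logged, just no email", a level at or above the manager's log_alert_level (3 by default) combined with the rule option no_email_alert keeps the record while suppressing mail, which is what the example does.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml; not part of the thread.
     Placeholders (assumptions): parent rule 5748, source 203.0.113.10,
     scheduled-job window 1:55 am - 2:10 am. Adjust all three to the real event. -->
<group name="local,known_scheduled_events,">

  <!-- Child of the noisy rule: fires instead of 5748 only when every condition
       below matches. Outside the window, or from any other source, 5748 still
       fires at level 12 and still sends email, so genuine alerts are untouched. -->
  <rule id="100010" level="3">
    <if_sid>5748</if_sid>
    <srcip>203.0.113.10</srcip>
    <!-- Evaluated against the manager's local clock; ranges that end before they
         start (e.g. "6 pm - 8:30 am") wrap past midnight. -->
    <time>1:55 am - 2:10 am</time>
    <!-- Level 3 keeps the event in alerts.log / alerts.json (default
         log_alert_level is 3) while staying below email_alert_level 12.
         no_email_alert blocks mail for this rule regardless of thresholds.
         Level 0 would discard the event altogether, not just the email. -->
    <options>no_email_alert</options>
    <description>Known scheduled job from 203.0.113.10: logged, no email.</description>
  </rule>

</group>
```

Before restarting the manager, a sample line of the real event can be fed to /var/ossec/bin/wazuh-logtest to confirm that rule 100010 matches inside the window and 5748 still matches outside it; then apply with systemctl restart wazuh-manager as in the first reply.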