How to make an exception for wazuh logs

1,610 views

JUAN FELIPE RODRIGUEZ ZAMUDIO

Aug 17, 2023, 12:55:57 PM
to Wazuh mailing list
Hi,

I am starting a new implementation of Wazuh in our enterprise environment, and I want to whitelist the false-positive alert associated with the opera.exe browser, because currently this path generates alerts in my security events, but it is not a real alert:

AppData\\Local\\Programs\\Opera\\opera.exe

How can I put it in a whitelist or an ignore list so that I don't receive these false alerts in my dashboard?


Thanks for your help

Diego Ariel Balbuena

Aug 17, 2023, 1:54:03 PM
to Wazuh mailing list
Hi Juan Felipe! Thank you for sharing with the community.

To whitelist or ignore false positive alerts associated with the opera.exe navigator in Wazuh, you can follow these steps:

  • Access the Wazuh manager dashboard.
  • Navigate to the 'Rules' section.
  • Search for the rule that generates the false positive alerts for opera.exe.
  • Edit the rule and add an exception or whitelist condition for the specific path 'AppData\Local\Programs\Opera\opera.exe'.
  • Save the changes and apply the updated rule.
By adding this exception, the Wazuh manager will no longer generate alerts for the specified path, effectively ignoring the false positive alerts in your dashboard.

If you need further assistance, please let us know.

Best regards,
Diego

JUAN FELIPE RODRIGUEZ ZAMUDIO

Aug 17, 2023, 3:15:02 PM
to Diego Ariel Balbuena, Wazuh mailing list, Jeferson Styben Gonzalez Ramirez
Hi, Diego

I tried this before: I made a new custom rule file to create the exception, because the default local rules don't give me access to edit them.

So I made a new one, but it doesn't work; Wazuh keeps generating the false-positive alerts.

I am adding an image here for more information.

Thanks for your help, and I await your comments.



--

Kind regards,

    Juan Felipe Rodriguez Zamudio
    Information Security Analyst

    3209807123
    Calle 134 A #45-96
    asegu...@grupoalciautos.com.co



Diego Ariel Balbuena

Aug 18, 2023, 3:20:25 PM
to Wazuh mailing list
Hi Juan Felipe!

Got it. Please let me share our documentation for Changing an existing rule -> https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

I think it can be helpful for your request. Feel free to reply if you have any doubts.

Regards,
Diego 
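A custom rule in the shape the linked documentation describes, added here as an example and not taken from the thread or from the Wazuh project: PARENT_RULE_ID is a placeholder for the id of the rule that fires on the Opera launch, 100100 is an arbitrary custom id, and the `win.eventdata.image` field name is an assumption that depends on which Windows event produced the alert.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager. Custom rules live here;
     ids 100000 and above are reserved for them. Restart the manager after editing. -->
<group name="local,windows,">

  <!-- Child of the rule that fires on the Opera launch. PARENT_RULE_ID is a placeholder:
       take the id from the "rule.id" field of the alert shown in the dashboard.
       When a child rule matches, it replaces its parent as the matched rule, so a
       level-0 child makes the event produce no alert while it is still decoded. -->
  <rule id="100100" level="0">
    <if_sid>PARENT_RULE_ID</if_sid>
    <!-- Assumed field name: Windows process-creation events expose the executable
         path as win.eventdata.image (Sysmon) or win.eventdata.newProcessName
         (Security event 4688). Check the alert's fields and use the one present. -->
    <field name="win.eventdata.image" type="pcre2">(?i)\\AppData\\Local\\Programs\\Opera\\opera\.exe$</field>
    <description>Opera browser launched from the user profile; known false positive, suppressed.</description>
  </rule>

</group>
```

Anchoring the exception to the parent rule id and the full path keeps it narrow; because the path sits in a user-writable profile directory, prefer this specific match over a broad one, and keep the suppressed events in the archives (global `logall`) if you want to review them later.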
