Ignore security event module alerts


Carlos Arturo Erazo Narváez

Nov 25, 2024, 12:16:01 AM11/25/24
to Wazuh | Mailing List
Hello team

I currently have a problem with Wazuh. I manage the FIM module and I am always monitoring it. However, a few days ago I had some problems with the Wazuh server, since I was getting too many alerts from the “Security Events” module.
My question is whether there is a way to ignore these events.
I have seen in some forums that this is done by editing the severity of the alerts, but in my case that approach is not viable.
Maybe there is another way to ignore these unwanted events?


Stuti Gupta

Nov 25, 2024, 2:30:59 AM11/25/24
to Wazuh | Mailing List
Hi Carlos Arturo Erazo Narváez,

Modify the configuration settings to limit the types of events that trigger alerts. You can specify which directories or files to monitor more selectively. This can be done by editing the ossec.conf file on your Wazuh agent. You can use the ignore option to ignore a path. It allows one entry of either a file or a directory per line. However, you can use multiple lines to add exclusions for multiple paths.
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/basic-settings.html#adding-exclusions

Wazuh allows for customization of alert rules. You can create or modify existing rules to suppress alerts based on specific criteria such as event type, source, or severity. This involves editing the rules files located in /var/ossec/etc/rules/. You can also modify or create a custom rule using ignore or overwrite; for that, you can refer to
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

If you want to exclude log collection, go to the ossec.conf of the Wazuh agent on your endpoint.
You can remove these lines related to event channel log or log file collection:
 <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

Additionally, on Windows, for specific event IDs you can use expressions like != or <> (the left-hand expression is not equal to the right-hand expression), for example:
 <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>

In this case, the Wazuh agent will send system-related events, excluding the specified event IDs.
Refer to https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/configuration.html#windows
You can do this by following these steps:
Run PowerShell as administrator.
Open the configuration file with:
notepad.exe 'C:\Program Files (x86)\ossec-agent\ossec.conf'
Then remove the configuration and save the file.
After that, restart the agent:
Restart-Service -Name wazuh

On Linux you can use the ignore and exclude options.
For example, to ignore events related to configuration changes in the audit log:
<localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
    <ignore type="PCRE2">type=.+_CHANGE</ignore>
    <ignore type="osregex">type=CONFIG_\.+</ignore>
</localfile>

For example, we may want to read all the files from a directory but exclude those files whose name starts with an e:
<localfile>
    <log_format>syslog</log_format>
    <location>/var/logs/*</location>
    <exclude>/var/logs/e*</exclude>
</localfile>

Then restart the Wazuh agent using the command systemctl restart wazuh-agent
Refer to https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html

Hope this helps
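As an added example (not code from the Wazuh project or from the answer above), the following Python script checks an eventchannel `<query>` exclusion list offline: it builds the query string from a list of event IDs, recovers the IDs back from a query already written in ossec.conf, serialises the `<localfile>` block so that a `<>` operator is XML-escaped correctly, and replays constructed Windows event records through the exclusion to show which ones the agent would still forward. It models only the `EventID != N` clauses used above; the event XML is constructed for the example. Note that this filter applies only to records read from the named channel: alerts produced by the agent's own FIM module are not read from an event channel and are not affected by it.

```python
"""Offline check of a Wazuh eventchannel <query> exclusion list.

Added example for this thread, not code from the Wazuh project. It models only
the "EventID != N" clauses used in the answer above; the Windows event XML
below is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# The event IDs excluded in the <query> shown above.
EXCLUDED_IDS = [5145, 5156, 5447, 4656, 4658, 4663, 4660,
                4670, 4690, 4703, 4907, 5152, 5157]

# Namespace used by Windows event XML (the agent reads the same records).
WIN_EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def build_query(excluded_ids):
    """Build the XPath-style string that goes inside <query> for a channel."""
    clauses = " and ".join(f"EventID != {eid}" for eid in excluded_ids)
    return f"Event/System[{clauses}]"


def parse_excluded_ids(query):
    """Recover the excluded IDs from a query already present in ossec.conf.

    Accepts both spellings of 'not equal' (!= and <>).
    """
    return {int(m) for m in re.findall(r"EventID\s*(?:!=|<>)\s*(\d+)", query)}


def localfile_xml(channel, query):
    """Serialise a <localfile> block. ElementTree escapes '<' and '>' inside
    <query>, which is required if the <> operator is used in the XML file."""
    localfile = ET.Element("localfile")
    ET.SubElement(localfile, "location").text = channel
    ET.SubElement(localfile, "log_format").text = "eventchannel"
    ET.SubElement(localfile, "query").text = query
    return ET.tostring(localfile, encoding="unicode")


def event_id(event_xml):
    """Return the EventID of one Windows event record (namespace-agnostic)."""
    for elem in ET.fromstring(event_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "EventID":
            return int(elem.text)
    return None


def forwarded_event_ids(events_xml, query):
    """IDs of the records the agent would still forward under `query`."""
    excluded = parse_excluded_ids(query)
    return [eid for eid in map(event_id, events_xml)
            if eid is not None and eid not in excluded]


def sample_event(eid, channel="Security"):
    """Constructed minimal Security-channel event record."""
    return (f'<Event xmlns="{WIN_EVENT_NS}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{eid}</EventID><Channel>{channel}</Channel>'
            f'</System></Event>')


# Constructed sample: two noisy object-access events (4663, 5145) and two
# events worth keeping (4624 logon, 4688 process creation).
SAMPLE_EVENTS = [sample_event(4663), sample_event(4624),
                 sample_event(5145), sample_event(4688)]

if __name__ == "__main__":
    query = build_query(EXCLUDED_IDS)
    print(localfile_xml("Security", query))
    print("forwarded:", forwarded_event_ids(SAMPLE_EVENTS, query))
```

Running it prints the `<localfile>` block and `forwarded: [4624, 4688]`. Use parse_excluded_ids against the query in a deployed ossec.conf to confirm that the IDs you meant to drop are actually all present, which is easy to get wrong in a long hand-written `and` chain.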

Carlos Arturo Erazo Narváez

Nov 27, 2024, 11:19:52 PM11/27/24
to Wazuh | Mailing List
Hi Stuti,

Thank you very much for replying to my message. Sorry for my late reply; I modified my agent.conf file to propagate the configuration to the agents. However, I encountered a new problem on Windows agents, since there are events inside the “Security Events” module that do not have the “EventID” parameter.
Could you please recommend a configuration to ignore this kind of event?
I am sharing the content of the alert in JSON format:

{
  "_index": "wazuh-alerts-4.x-2024.11.28",
  "_id": "dN3ncJMBNHjPSbFbT2ds",
  "_version": 1,
  "_score": null,
  "_source": {
    "syscheck": {
      "mode": "scheduled",
      "path": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\webthreatdefusersvc_3e01bf6\\Security",
      "uname_after": "SYSTEM",
      "gname_after": "SYSTEM",
      "mtime_after": "2024-11-27T08:57:19",
      "uid_after": "S-1-5-18",
      "gid_after": "S-1-5-18",
      "arch": "[x32]",
      "win_perm_after": [
        { "allowed": [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE" ], "name": "SYSTEM" },
        { "allowed": [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE" ], "name": "Administradores" }
      ],
      "event": "deleted"
    },
    "input": { "type": "log" },
    "agent": { "ip": "192.168.0.63", "name": "Win11", "id": "012" },
    "manager": { "name": "localhost.localdomain" },
    "rule": {
      "mail": false,
      "level": 5,
      "pci_dss": [ "11.5" ],
      "hipaa": [ "164.312.c.1", "164.312.c.2" ],
      "tsc": [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ],
      "description": "Registry Key Entry Deleted.",
      "groups": [ "ossec", "syscheck", "syscheck_entry_deleted", "syscheck_registry" ],
      "nist_800_53": [ "SI.7" ],
      "gdpr": [ "II_5.1.f" ],
      "firedtimes": 63,
      "mitre": {
        "technique": [ "File Deletion", "Data Destruction", "Modify Registry" ],
        "id": [ "T1070.004", "T1485", "T1112" ],
        "tactic": [ "Defense Evasion", "Impact" ]
      },
      "id": "597",
      "gpg13": [ "4.13" ]
    },
    "location": "syscheck",
    "decoder": { "name": "syscheck_registry_key_deleted" },
    "id": "1732766024.7657019",
    "full_log": "Registry Key '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\webthreatdefusersvc_3e01bf6\\Security' deleted\nMode: scheduled\n",
    "timestamp": "2024-11-27T22:53:44.998-0500"
  },
  "fields": {
    "syscheck.mtime_after": [ "2024-11-27T08:57:19.000Z" ],
    "timestamp": [ "2024-11-28T03:53:44.998Z" ]
  },
  "highlight": {
    "manager.name": [ "@opensearch-dashboar...@localhost.localdomain@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1732766024998 ]
}

Stuti Gupta

Nov 29, 2024, 1:56:27 AM11/29/24
to Wazuh | Mailing List
Hi Carlos,

You can configure the FIM module to ignore certain Windows Registry keys with the registry_ignore option. You can specify multiple lines to declare multiple registry entries.

Follow these steps to configure the FIM module to ignore the HKEY_LOCAL_MACHINE\Security\Policy and any Windows Registry entry that matches the simple regex pattern \Enum$ from FIM results.

Add this configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file of the Wazuh agent:
<syscheck>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>

Restart the Wazuh agent to apply the configuration:
Restart-Service -Name wazuh

Refer to https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/windows-registry-monitoring.html

Hope this helps
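As an added example (not Wazuh project code and not part of the answer above), the Python script below models how `<registry_ignore>` entries decide which FIM registry alerts disappear, so an exclusion list can be checked against real alert paths before it is pushed to agents. Three assumptions that the page does not state: matching is case-insensitive (registry paths are); an ignored key also drops its subkeys, because the scan does not descend into it; and `type="sregex"` is modelled with only the `^` and `$` anchors and `|` alternation, every other character taken literally. The third ignore entry and the sample alerts are constructed for the example; the entry is hypothetical and only illustrates how the per-user service key from the alert posted in this thread could be covered (it assumes the hex suffix of such keys is not stable, so a fixed path would not hold).

```python
"""Model of how <registry_ignore> entries suppress FIM registry alerts.

Added example for this thread, not Wazuh project code. Assumptions that the
page does not state: matching is case-insensitive (registry paths are);
ignoring a key also drops its subkeys, because the scan does not descend into
an ignored key; and type="sregex" is modelled with only the ^ and $ anchors
and | alternation, every other character taken literally.
"""


def _sregex_match(pattern, text):
    """Simplified Wazuh sregex: '|' alternation, '^' and '$' anchors only."""
    text = text.lower()
    for alt in pattern.lower().split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        body = alt[1 if anchored_start else 0:
                   len(alt) - 1 if anchored_end else len(alt)]
        if anchored_start and anchored_end:
            hit = text == body
        elif anchored_start:
            hit = text.startswith(body)
        elif anchored_end:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


def _plain_match(entry, key):
    """Plain entry: the key itself or any subkey beneath it (assumption)."""
    entry, key = entry.lower().rstrip("\\"), key.lower()
    return key == entry or key.startswith(entry + "\\")


def registry_key_ignored(key, entries):
    """entries: (value, type) pairs as written in <registry_ignore>;
    type is None for a plain path or "sregex"."""
    return any(_sregex_match(value, key) if kind == "sregex"
               else _plain_match(value, key)
               for value, kind in entries)


def filter_registry_alerts(alerts, entries):
    """Drop syscheck registry alerts whose key an agent with `entries` skips."""
    return [a for a in alerts
            if not registry_key_ignored(a["syscheck"]["path"], entries)]


# The two entries from the answer above, plus a hypothetical substring entry
# (no anchors) that covers every instance of the per-user service key from
# the alert in this thread; the hex suffix is assumed not to be stable.
IGNORE_ENTRIES = [
    (r"HKEY_LOCAL_MACHINE\Security\Policy\Secrets", None),
    (r"\Enum$", "sregex"),
    (r"\Services\webthreatdefusersvc_", "sregex"),
]

# Constructed alerts, reduced to the fields this check needs.
SAMPLE_ALERTS = [
    {"syscheck": {"event": "deleted", "path":
        r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\webthreatdefusersvc_3e01bf6\Security"}},
    {"syscheck": {"event": "modified", "path":
        r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Enum"}},
    {"syscheck": {"event": "modified", "path":
        r"HKEY_LOCAL_MACHINE\Security\Policy\Secrets\NL$KM"}},
    {"syscheck": {"event": "modified", "path":
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"}},
]

if __name__ == "__main__":
    for alert in filter_registry_alerts(SAMPLE_ALERTS, IGNORE_ENTRIES):
        print("still alerting:", alert["syscheck"]["path"])
```

With the three entries only the Run key alert survives. The unanchored third entry is deliberately broad; check a candidate entry against a sample of real alert paths this way before deploying it, because an ignore that is too wide silently removes exactly the registry changes FIM is there to catch.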