a lot of trash events from windows wazuh agent

[Mefisto Evil]

hello there is a bunch of events that i dont want to see from wazuh agent on windows

is there a way to simply see only events that make sense expect making exclusions for any of them

examples:

Registry Key '[x32] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4253111719-3249652016-3070459680-1110' modified
Registry Value '[x32] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-3093465106-2529487144-634884625-500\Microsoft.Windows.Search_cw5n1h2txyewy' modified
and more

[Octavio Valle López]

Hello,

I understand that you are being shown many modification events in Windows registers. My first question is if you are using FIM/syscheck. If you are not using it, you can downgrade it by changing this setting in the agent:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#disabled


If the case is that you are using it and want to add exclusions or modify what to monitor, I recommend setting it here:

Inclusion
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry

Exclusion:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#registry-ignore




For this particular case, the line that triggers these events is the following, which monitors changes in the installed Windows services.
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

[Mefisto Evil]

Octavio Valle López   Yes im using syscheck.  from what you said i should make exclusions for every registry branch 

in my experience this is not only "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services" branch

anyway thanks

понедельник, 17 апреля 2023 г. в 10:50:51 UTC+5, Octavio Valle López: