Wazuh ignoring rule by word


Grzegorz Ryszka

Nov 14, 2022, 4:41:43 AM11/14/22
to Wazuh mailing list
Hi, I am currently implementing Wazuh in my company and I have a question. How do I create a rule that will not create an alert if there is a specific word in the log? For example, it will not generate an alert if it finds the word "FileCoAuth.exe" in the log. I am attaching a snippet of the log below.
"\AppData\Local\Microsoft\OneDrive\19.152.0927.0012\FileCoAuth.exe -Embedding 2147943660 {94269C4E-071A-4116-90E6-52E557067E4E}"
It was System Error(10000) from WinEvtLog fired by rule 18103.
I want to keep everything from this rule, just without this one event which matches "FileCoAuth.exe".

Adebayo Kalejaiye

Nov 14, 2022, 6:58:10 AM11/14/22
to Wazuh mailing list
Hi kaddenik,

Thank you for posting in the community. This can be done by suppressing the rule in /var/ossec/etc/rules/local_rules.xml when the log contains FileCoAuth.exe, as shown below.

<rule id="100401" level="0">
    <if_sid>18103</if_sid>
    <match>FileCoAuth.exe</match>
    <description>Ignoring error event.</description>
    <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
</rule>

Please see further documentation below:


I hope this helps.

Best Regards

Grzegorz Ryszka

Nov 14, 2022, 8:09:25 AM11/14/22
to Wazuh mailing list
Hi, I did the same but without <group> and it did not work before.
Is it necessary to use this? "<group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>", asking for future rules :D
Best Regards.

Adebayo Kalejaiye

Jan 16, 2023, 6:46:29 AM1/16/23
to Wazuh mailing list
Hi kadd,

It is necessary to include the <group> since you are suppressing and referencing an existing rule which is contained in a group.

I hope this helps.

Best Regards,
Adebayo Kalejaiye

Adebayo Kalejaiye

Jan 17, 2023, 3:49:51 AM1/17/23
to Wazuh mailing list
Hi kadd,

Apologies for the late response. Let me clarify: <group> information can help route the events to other pre-existing rules with <if_group>, but in this particular case it wouldn't change the behavior.

Also, the <group> tags provide regulatory compliance mapping as well as further context on the type of alert.

I hope this helps.

Best Regards,
Adebayo Kalejaiye
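As an added example (not code from this thread or from Wazuh itself), the following Python models how the level-0 child rule above is evaluated: the parent rule must match first, the child's <match> is a substring test on the log, and a winning level below log_alert_level produces no alert, with or without a <group> tag on the child. The parent's trigger text ("System Error") and the sample log lines are constructed assumptions, not the real rule 18103 or real captures.

```python
import xml.etree.ElementTree as ET

# The suppression rule from the thread, as it would sit in local_rules.xml.
LOCAL_RULES = """<group name="local,">
<rule id="100401" level="0">
    <if_sid>18103</if_sid>
    <match>FileCoAuth.exe</match>
    <description>Ignoring error event.</description>
    <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
</rule>
</group>"""

# Stand-in for built-in rule 18103; its real trigger lives in the Wazuh ruleset,
# so matching on "System Error" here is an assumption for this model only.
PARENT_RULE = {"id": 18103, "level": 5, "match": "System Error"}

# Constructed sample events (not real log captures).
SAMPLE_LOGS = {
    "onedrive": r'WinEvtLog: System: ERROR(10000): System Error(10000) "\AppData\Local\Microsoft\OneDrive\19.152.0927.0012\FileCoAuth.exe -Embedding"',
    "other": r'WinEvtLog: System: ERROR(10000): System Error(10000) "C:\Example\other.exe -Embedding"',
    "unrelated": "WinEvtLog: Security: AUDIT_SUCCESS(4624): An account was successfully logged on.",
}

def load_child_rules(xml_text):
    """Read id, level, if_sid and match from each <rule> in a local_rules.xml snippet."""
    return [{"id": int(r.get("id")), "level": int(r.get("level")),
             "if_sid": int(r.findtext("if_sid")), "match": r.findtext("match")}
            for r in ET.fromstring(xml_text).iter("rule")]

def os_match(pattern, text):
    """Simplified Wazuh <match>: plain substring; '|' separates alternatives; '^' anchors at start."""
    for alt in pattern.split("|"):
        if alt.startswith("^") and text.startswith(alt[1:]):
            return True
        if not alt.startswith("^") and alt in text:
            return True
    return False

def evaluate(log, children):
    """Return (rule_id, level) that wins for this log, or None if nothing matches.
    Once the parent matches, the first child whose if_sid points at it and whose
    <match> hits replaces the parent; otherwise the parent itself stands."""
    if not os_match(PARENT_RULE["match"], log):
        return None
    for child in children:
        if child["if_sid"] == PARENT_RULE["id"] and os_match(child["match"], log):
            return (child["id"], child["level"])
    return (PARENT_RULE["id"], PARENT_RULE["level"])

def alerts(log, children, log_alert_level=3):
    """Wazuh writes an alert only when the winning level reaches log_alert_level (default 3)."""
    hit = evaluate(log, children)
    return hit is not None and hit[1] >= log_alert_level
```

To check the real rule against a real event, feed the log line to /var/ossec/bin/wazuh-logtest on the manager and confirm the output shows rule 100401 at level 0.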
