Hi,
Thanks for using our community
What we can do is create a new custom rule for when the image file is miiserver.exe. Can you share the actual rule being triggered, and the JSON of the alert being triggered? With that we can create a new custom rule only when the affected file is the one mentioned before and lower the alert so that it does not trigger the active response. We can also silence the alert by setting a level lower than 3.
Below is some reference documentation on custom rules and decoders
The idea here is to create a new custom rule that calls the actual rule being triggered (with the <if_sid> tag as parent) and filters by the miiserver.exe image name. That is why I need the JSON of the alert being triggered now, to have the details on the alert fields.
You can obtain the JSON in the Discover tab by looking for the alert and going to the JSON tab, as shown in the following screenshots
I will be waiting for your input on this
Regards!
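
A sketch of the child rule described in the reply above, added here as an example and not part of the original post. The rule ID `100100`, the `PARENT_RULE_ID` placeholder and the field name `win.eventdata.image` are assumptions; the real parent ID and field name have to come from the alert JSON the reply asks for.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml on the Wazuh manager. -->
<!-- Assumptions: rule id 100100 is unused, the alert comes from a Windows event -->
<!-- whose process path is in win.eventdata.image, and PARENT_RULE_ID stands in -->
<!-- for the numeric ID of the rule that currently fires (not given on the page). -->
<group name="local,exceptions,">

  <!-- Level below 3, as suggested in the reply, so the match is silenced. -->
  <rule id="100100" level="2">

    <!-- Only evaluated after the parent rule has already matched. -->
    <if_sid>PARENT_RULE_ID</if_sid>

    <!-- Match the executable name at the end of the full path only, -->
    <!-- case-insensitively, so a longer name that merely contains -->
    <!-- "miiserver.exe" does not inherit the lowered level. -->
    <field name="win.eventdata.image" type="pcre2">(?i)\\miiserver\.exe$</field>

    <description>Parent rule matched on miiserver.exe: level lowered for a known process</description>
  </rule>

</group>
```

The filter matches on file name alone, so any binary named miiserver.exe in any directory gets the lowered level; once the alert JSON shows the expected install path, anchoring the pattern to that full path narrows the exception.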