Basic Rule Set for Blocking Noise


Logan Simmons

Jan 26, 2022, 9:48:34 AM
to Wazuh mailing list
Hey all!

Was wondering if users or developers of Wazuh have any tips they can pass along regarding blocking out the noisy logs.

We have about 240-ish agents and we get a lot of useful logs but also a lot of unnecessary logs.

I'm looking to block everyday things that would be considered false positives.

Any tips, how to's, or config examples are welcome and much appreciated! 

This conversation is for sharing knowledge to everyone in the world of Wazuh. :)

antonio....@wazuh.com

Jan 26, 2022, 10:12:54 AM
to Wazuh mailing list
Hello, lsimmonspowva.

You can easily reduce the noisy alerts by creating a custom rule to detect the specific case and setting the rule level to 0. In the following link, you can find more information about the Wazuh ruleset, and here, the different levels that you can configure.

Finally, I would like to mention that Wazuh provides a tool to check custom rules and decoders. This tool is called wazuh-logtest. More info in this link.

Logan Simmons

Jan 28, 2022, 11:47:47 AM
to Wazuh mailing list
Thank you for the information!

I seem to be doing something incorrectly when creating a custom rule under the local.xml custom rule set. I have since deleted the old manager and am in the process of building a better Wazuh manager with higher specs than the last one.

What I want to accomplish:
I want to ignore successful logon and logoff logs (I'm not sure what log rule # that is at the moment) to a domain controller when a user system reaches out to them for authentication checks.

I would like to have it only log the report if there was 'x' amount of unsuccessful events on user machines (I have a group in Wazuh for this),
a successful logon outside of our org IP range,
OR a successful login after 'x' amount of failed attempts.

I'm fairly new to Wazuh and SIEM deployments overall, so I apologize for my ignorance. Is this something that is possible with Wazuh?

antonio....@wazuh.com

Feb 4, 2022, 3:49:32 AM
to Wazuh mailing list
Hello Isimmonspowva.

First of all, sorry for the late reply.

We already have rules that will detect brute force attacks. If you want to ignore this kind of alert, you will need to create a child rule of those rules. If you don't know the exact rule that you want to ignore, you can check its ID in the alert (you can find a text alert in the file `/var/ossec/logs/ossec.log` or in the WUI).
To silence the rule, you can use the `overwrite` parameter to discard the default rule and set the level of the new rule to 0. There is a tutorial on this page of the documentation.

If you have any doubts, don't hesitate to ask.

Kind regards.
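As an added illustration of the child-rule approach described in this thread (not code from the thread or from the Wazuh ruleset): a local_rules.xml fragment that silences routine Windows logon successes from inside an assumed org range with a level-0 child rule, still alerts on successes from outside that range, and thresholds repeated failures per account. The parent rule IDs 60106 and 60122, the 10.20.0.0/16 range and the win.eventdata field names are assumptions to confirm with wazuh-logtest on your own events before relying on them; "success after x failures" is not covered here.

```xml
<!-- Assumed location: /var/ossec/etc/rules/local_rules.xml (custom IDs 100000+) -->
<group name="local,windows,">

  <!-- Silence the routine case: Security event 4624 from the internal range.
       Parent 60106 ("Windows Logon Success") is an assumption; verify the ID
       with wazuh-logtest. A level-0 child rule is enough, no overwrite needed. -->
  <rule id="100100" level="0">
    <if_sid>60106</if_sid>
    <!-- Assumed org range 10.20.0.0/16. Loopback, IPv6 loopback and "-" (no
         network address, e.g. service or local logons) are treated as internal. -->
    <field name="win.eventdata.ipAddress">^10\.20\.|^127\.0\.0\.1|^::1|^-$</field>
    <description>Windows logon success from the internal range (suppressed)</description>
  </rule>

  <!-- Same parent, negated condition: a success from anywhere else still alerts.
       The two conditions are mutually exclusive, so rule order does not matter. -->
  <rule id="100101" level="8">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.ipAddress" negate="yes">^10\.20\.|^127\.0\.0\.1|^::1|^-$</field>
    <description>Windows logon success from outside the org IP range: $(win.eventdata.ipAddress)</description>
  </rule>

  <!-- Threshold on failures: 5 x event 4625 for the same account within 300 s.
       Parent 60122 ("Logon Failure - Unknown user or bad password") is an
       assumption; same_field needs a Wazuh 4.x manager (also an assumption). -->
  <rule id="100102" level="10" frequency="5" timeframe="300">
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Repeated Windows logon failures for $(win.eventdata.targetUserName)</description>
  </rule>

</group>
```

Feed a captured 4624 and 4625 event from one of your agents through wazuh-logtest and check that the rule IDs shown as matched are 100100/100101 and 60122 respectively before restarting the manager.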