Exception


Luis Oscar Piña

Apr 14, 2021, 2:38:19 PM
to Wazuh mailing list
Good afternoon, thank you for your support.

I have to do a weekly report and the same CVE shows up every week, so I need to make an exception or something because I consider it a false positive. Is there something I can do about it?

Thanks.


Matias Pereyra

Apr 14, 2021, 3:04:38 PM
to Wazuh mailing list
Hello!

All alerts can be silenced if we create a new rule with level 0 that matches those specific events.

The Custom rules and decoders documentation section has some examples: we can override an existing rule with a new behavior, or add a new child rule that depends on the Vulnerability Detector rules.

Considering the second approach, here I have written a custom rule in etc/rules/local_rules.xml that silences a specific CVE ID:

     <group name="local,vulnerability-detector,">
       <!-- Child of the Vulnerability Detector rule 23501; level 0 means no alert is written -->
       <rule id="10002" level="0">
         <if_sid>23501</if_sid>
         <options>no_full_log</options>
         <!-- Field values are regular expressions: anchor with ^ and $ so that
              CVE-2021-1234 does not also match CVE-2021-12345 -->
         <field name="vulnerability.cve">^CVE-2021-1234$</field>
         <description>$(vulnerability.cve) has been manually silenced</description>
       </rule>
     </group>

This rule will silence the selected CVE for all agents. You could also change it and filter by source IP, severity, package name, etc.

Thanks for using Wazuh.
Regards.

Luis Oscar Piña

Apr 14, 2021, 6:17:25 PM
to Wazuh mailing list
Thank you very much, but would this also work at the Kibana dashboard level? My problem is not the alert, it is when I make a graphic.

Matias Pereyra

Apr 15, 2021, 3:19:52 PM
to Wazuh mailing list
That new rule will completely prevent the event from being generated, in the alerts.json file and also in the dashboard.

If you don't need to suppress it but only remove it temporarily from the visualization to create a report, then add a new filter:

[screenshot: cve_filter.png]

In the example above, I'm selecting the data.vulnerability.cve field and an "is not" condition.
Then, just write the desired CVE to be ignored and create the report.

Regards.

Luis Oscar Piña

Apr 15, 2021, 4:23:20 PM
to Wazuh mailing list
Thanks, but it is not only one CVE, there are too many. In one agent I have about 500 KBs installed. I'm trying to suppress the CVEs that already have a KB, and I have to do it every week.

Matias Pereyra

Apr 16, 2021, 3:08:50 PM
to Wazuh mailing list
Hello again!

The filters are really flexible; take a look, for example, at Wildcard Query.
We can create an expression that matches any condition.
If I understood correctly, you want to exclude those Windows vulnerability alerts that are related to the KB security patches:
  • Create a new filter, but press Edit as Query DSL.
  • Use the query from the example to select all the alerts with a condition starting with KB*.
    [screenshot: filter_query.png]
  • Save it, and select Exclude results to negate and remove these results from the report.
    [screenshot: exclude.png]

On the other hand, if your system has many false positives, there might be something else going on. Have you got the latest Wazuh version installed? Is the MSU feed enabled? Is the agent scanning the hotfixes correctly? You could provide us the logs and configuration files if you need us to check this more in depth.

Regards.
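The two dashboard filters described in this post and the previous one (the "is not" filter on data.vulnerability.cve and the wildcard query on the condition text with Exclude results) as an added example that is not part of the thread and not Wazuh's own code. It builds the equivalent Query DSL bodies and then does a local dry run of the same exclusions over constructed alerts.json lines, so the effect of a filter can be checked before a report is built. The field name data.vulnerability.condition, the condition wording, and all sample alerts are assumptions based on the thread's description ("condition starting with KB*"), not values verified against a specific Wazuh version.

```python
"""Local dry run of the two dashboard exclusions discussed in the thread."""
import fnmatch
import json
from collections import Counter

CVE_FIELD = "data.vulnerability.cve"
CONDITION_FIELD = "data.vulnerability.condition"  # assumed field name

# Constructed sample alerts.json lines (not real Wazuh output). The nested
# layout mirrors Vulnerability Detector alerts; condition text is an assumption.
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(a) for a in [
    {"rule": {"id": "23504", "level": 13}, "agent": {"name": "win-srv-01"},
     "data": {"vulnerability": {"cve": "CVE-2021-0001", "severity": "Critical",
                                "condition": "KB5001330 patch is not installed"}}},
    {"rule": {"id": "23503", "level": 10}, "agent": {"name": "win-srv-01"},
     "data": {"vulnerability": {"cve": "CVE-2021-0002", "severity": "High",
                                "condition": "KB5000802 patch is not installed"}}},
    {"rule": {"id": "23502", "level": 7}, "agent": {"name": "lnx-db-01"},
     "data": {"vulnerability": {"cve": "CVE-2021-0003", "severity": "Medium",
                                "condition": "Package less than 1.2.3-4"}}},
    {"rule": {"id": "23503", "level": 10}, "agent": {"name": "lnx-db-01"},
     "data": {"vulnerability": {"cve": "CVE-2021-1234", "severity": "High",
                                "condition": "Package less than 2.0.0"}}},
    # A non-vulnerability alert: the filters must leave it untouched.
    {"rule": {"id": "5501", "level": 3}, "agent": {"name": "lnx-db-01"},
     "data": {"dstuser": "root"}},
])


def kibana_is_not_filter(cve):
    """Raw Elasticsearch equivalent of the dashboard filter
    'data.vulnerability.cve is not <cve>' (Kibana stores the negation in the
    filter's meta; here it is expressed as bool.must_not)."""
    return {"query": {"bool": {"must_not": [{"match_phrase": {CVE_FIELD: cve}}]}}}


def kibana_wildcard_query(pattern="KB*", field=CONDITION_FIELD):
    """Body to paste into 'Edit as Query DSL'. Turn on 'Exclude results' on
    the saved filter to negate it. Wildcard matching is case-sensitive on
    keyword fields, so the pattern must match the stored text exactly."""
    return {"query": {"wildcard": {field: {"value": pattern}}}}


def get_path(alert, dotted):
    """Walk a dotted field name through nested dicts; None if any part is missing."""
    node = alert
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_excluded(alert, excluded_cves, condition_patterns):
    """Local mirror of the two filters: exact CVE match or wildcard on condition."""
    if get_path(alert, CVE_FIELD) in excluded_cves:
        return True
    condition = get_path(alert, CONDITION_FIELD)
    if condition is None:
        return False
    return any(fnmatch.fnmatchcase(condition, p) for p in condition_patterns)


def filter_alerts(alerts_json, excluded_cves=(), condition_patterns=()):
    """Parse newline-delimited alerts and drop the ones the filters would hide."""
    kept = []
    for line in alerts_json.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        if not is_excluded(alert, set(excluded_cves), tuple(condition_patterns)):
            kept.append(alert)
    return kept


def weekly_summary(alerts):
    """Count the remaining vulnerability alerts per severity for the report."""
    return Counter(get_path(a, "data.vulnerability.severity")
                   for a in alerts if get_path(a, CVE_FIELD) is not None)


if __name__ == "__main__":
    remaining = filter_alerts(SAMPLE_ALERTS_JSON,
                              excluded_cves={"CVE-2021-1234"},
                              condition_patterns=("KB*",))
    print(json.dumps(kibana_wildcard_query(), indent=2))
    print(json.dumps(kibana_is_not_filter("CVE-2021-1234"), indent=2))
    print(dict(weekly_summary(remaining)))
```

Running the script against a real file (replace SAMPLE_ALERTS_JSON with the contents of alerts.json) gives the same set of alerts the dashboard will show once the filters are saved, which makes it easy to confirm that a wildcard pattern is not broader than intended before it is applied to the weekly report.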

Luis Oscar Piña

Apr 16, 2021, 4:49:47 PM
to Wazuh mailing list
Thanks a lot. Your information is going to be very helpful in my learning.

Regards

Matias Pereyra

Apr 19, 2021, 9:07:22 AM
to Wazuh mailing list
Glad to help!
Thanks for using Wazuh!

Have a nice day.