FIM Registry alert flood when Windows boots up

Slate Cap
Oct 23, 2023, 10:23:55 AM10/23/23
to Wazuh | Mailing List
Hello!

I'm currently battling an issue of getting flooded with some FIM Registry alerts every morning when a Windows device is started up. I've tried adding custom rules to the local_rules.xml file on the manager server but I must not have them configured correctly.

I don't want to completely suppress these rules, so I was trying to tune by frequency within a 20-30 second window. For example, for Rule 751 - Registry Value Entry Deleted I have the following custom rule:

  <rule id="100005" level="0" frequency="5" timeframe="20" noalert="1">
    <if_sid>751</if_sid>
    <description>Suppressing frequent 'Registry Value Entry Deleted' alerts when they occur rapidly</description>
    <same_field>agent.name</same_field>
    <if_matched_sid>751</if_matched_sid>
  </rule>

I added the noalert="1" as a redundancy to level="0" but I'm still getting the alerts coming through.

Diego Ariel Balbuena
Oct 23, 2023, 5:33:37 PM10/23/23
to Wazuh | Mailing List
Hi Slate! Thank you for sharing with the community

It can be useful for following the best practices.

According to your custom rule, let me share the reference for the relevant options you are applying:

I think you should remove the first <if_sid> option since you expect this new rule to be triggered once rule 751 happens 5 times in 20 seconds. Only <if_matched_sid> is required.

I hope it helps!
Looking forward to your update

Regards,
Diego

Slate Cap
Oct 24, 2023, 12:03:19 AM10/24/23
to Wazuh | Mailing List
Thanks for the suggestion Diego! I removed the <if_sid> option and moved the <if_matched_sid> up in its place. So far I'm not seeing the same alert flooding, so hopefully that did the trick!

Thanks again,
Slate
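The rule as corrected per Diego's suggestion, written out in full so it can be dropped into local_rules.xml on the manager. This is an added example, not code from the original post or from the Wazuh project; it keeps the rule id, threshold, window and <same_field> exactly as posted, and the group name and file path are assumptions.

```xml
<!-- Added example: /var/ossec/etc/rules/local_rules.xml on the Wazuh manager.
     The group name "local,syscheck," is an assumption; any valid group works. -->
<group name="local,syscheck,">

  <!-- Composite rule: fires once rule 751 has matched `frequency` times within
       `timeframe` seconds, with agent.name identical across those matches.
       Only <if_matched_sid> is used; the <if_sid>751</if_sid> line from the
       originally posted rule is removed, as suggested in the thread.
       level="0" already prevents an alert; noalert="1" is kept as the OP had it. -->
  <rule id="100005" level="0" frequency="5" timeframe="20" noalert="1">
    <if_matched_sid>751</if_matched_sid>
    <same_field>agent.name</same_field>
    <description>Suppressing frequent 'Registry Value Entry Deleted' alerts when they occur rapidly</description>
  </rule>

</group>
```

After saving, restart the manager (`systemctl restart wazuh-manager`) and watch the next boot: the first few 751 alerts still come through, and only the burst beyond the threshold is swallowed by rule 100005, which is the partial tuning the OP wanted rather than full suppression. Two things to check when setting the threshold: the Wazuh ruleset syntax documentation notes for `frequency` that the number of matches that actually triggers the rule is two more than the configured value, so confirm the behaviour on the manager (for example with `/var/ossec/bin/wazuh-logtest` and a few replayed FIM events) rather than assuming exactly five; and since the window resets every `timeframe` seconds, a boot that produces registry churn for longer than 20 seconds will let the first events of each new window alert again.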