Lots of alerts


Rei Gjata

Jan 7, 2025, 6:33:27 AMJan 7
to Wazuh | Mailing List
Hello

I'm getting a lot of alerts from some Windows processes, as far as I understand.
They are Policy Scripts triggered by Windows and sdbinst.exe, which is a Windows process as far as I have read on the internet.

Is there any way to create specific rules so that these events are not triggered anymore?

Since they are coming in as a bunch of alerts, like 1000 or 2000 per day...

I'm attaching photos of these alerts.

Thank you in advance.


PolicyScripts Test.png
Sdbinst.png

Olamilekan Abdullateef Ajani

Jan 7, 2025, 7:49:56 AMJan 7
to Wazuh | Mailing List
Hello Rei,

Based on what you have shared, you can create a rule to silence the event when it is seen in Wazuh by using the custom rule I created below.

<group name="custom_rule,">
  <!-- Level 0 means the event is still processed but no alert is generated -->
  <rule id="110001" level="0">
    <if_group>windows</if_group>
    <!-- osregex: "\." matches any character, a bare "." is a literal dot -->
    <field name="win.eventdata.image" type="osregex">\.+sdbinst.exe|\.+sdbinst.exe\.+</field>
    <description>Silence sdbinst Windows process</description>
  </rule>
</group>

You can apply the above in the /var/ossec/etc/rules/local_rules.xml file to create a custom rule.

Better still, since this is coming from an event channel on Windows, if you identify the event ID, you can modify the <localfile> section of the ossec.conf file on the agent to ignore the event entirely.

You can read more about this in the reference below.

Ref:

Rei Gjata

Jan 7, 2025, 8:59:43 AMJan 7
to Wazuh | Mailing List
Hello

So basically I can shut down these events with the Event ID, even from the shared agent config, right?
That is literally awesome.

Thanks for the help

Olamilekan Abdullateef Ajani

Jan 8, 2025, 3:17:09 AMJan 8
to Wazuh | Mailing List
Hello Rei,

If you have agent groups in place, you could centrally push out a replacement <localfile> section for the eventchannel you want to suppress collection from, with a <query> line containing an expression that would always be false.
If you had an agent group called "windows_group" with Windows agents belonging to it which should not collect Security eventchannel events, you could add this to the agent.conf for that agent group, and they will log nothing from the Security eventchannel.

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- XPath comparison uses "=" (not "=="); this expression is never true, so nothing is collected -->
    <query>Event/System[EventID = 1 and EventID != 1]</query>
</localfile>

Place the event ID in the event ID section.

I hope this helps. Please let me know if you need further assistance.
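As an added example (not code from this thread or from Wazuh itself), the following Python script simulates, offline and on constructed events, the two suppression layers discussed above: the agent-side <localfile> <query> from this reply, which stops matching events from being collected at all, and the manager-side level-0 rule 110001 from the earlier reply, which silences the alert but still ingests the event. It assumes a small subset of OSSEC regex (osregex) syntax, case-insensitive matching, and queries that only compare EventID; the sample events, channel names and counts are constructed for the demonstration.

```python
# Added example, not code from the thread or from Wazuh: simulate the
# agent-side <query> filter and the manager-side level-0 rule on
# constructed Windows events.
import re

# --- Manager side: OSSEC regex (osregex) subset -> Python re -----------
# In osregex "\." means any character and a bare "." is a literal dot;
# "+", "*", "|", "^", "$" and the \w \d \s classes behave as in PCRE.
# Only that subset is translated (assumption: enough for rule 110001).
def osregex_to_python(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")              # osregex "\." = any character
            elif nxt in "wdsWDS":
                out.append("\\" + nxt)       # same classes in both syntaxes
            else:
                out.append(re.escape(nxt))   # e.g. "\\" -> literal backslash
            i += 2
        elif c == ".":
            out.append(r"\.")                # bare "." = literal dot in osregex
            i += 1
        elif c in "+*|^$()":
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def rule_matches(osregex: str, field_value) -> bool:
    # osregex searches anywhere in the value (unanchored); case-insensitive
    # matching is an assumption here. A missing field never matches.
    if field_value is None:
        return False
    return re.search(osregex_to_python(osregex), field_value, re.IGNORECASE) is not None

# --- Agent side: EventID-only subset of the eventchannel <query> -------
_CLAUSE = re.compile(r"EventID\s*(!=|==|=)\s*(\d+)")

def query_accepts(query: str, event_id: int) -> bool:
    """Evaluate queries such as 'Event/System[EventID != 4688 and EventID != 5156]'.
    Only '=' / '!=' on EventID (plus the '==' spelling seen in the thread),
    joined by 'and', are supported (assumption)."""
    m = re.fullmatch(r"Event/System\[(.*)\]", query.strip())
    if not m:
        raise ValueError(f"unsupported query: {query}")
    for clause in m.group(1).split(" and "):
        cm = _CLAUSE.fullmatch(clause.strip())
        if not cm:
            raise ValueError(f"unsupported clause: {clause}")
        op, value = cm.group(1), int(cm.group(2))
        ok = (event_id != value) if op == "!=" else (event_id == value)
        if not ok:
            return False
    return True

SILENCE_RULE = r"\.+sdbinst.exe|\.+sdbinst.exe\.+"   # field regex of rule 110001
RULE_FIELD = "win.eventdata.image"

# Constructed sample events, not real telemetry. Note that Security 4688
# carries the binary path in newProcessName, not in image.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "eventID": 1,
     "win.eventdata.image": r"C:\Windows\System32\sdbinst.exe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "eventID": 1,
     "win.eventdata.image": r"C:\Windows\System32\svchost.exe"},
    {"channel": "Security", "eventID": 4688,
     "win.eventdata.newProcessName": r"C:\Windows\System32\sdbinst.exe"},
    {"channel": "Security", "eventID": 4624},
    {"channel": "Security", "eventID": 4625},
]

def simulate(events, channel_queries, silence_regex=SILENCE_RULE, field=RULE_FIELD):
    """Count what happens to each event: dropped at the agent by the channel's
    <query>, silenced by the level-0 rule, or left to alert. channel_queries
    maps a channel name to its <query> text; channels without one collect all."""
    counts = {"dropped_by_agent": 0, "silenced_by_rule": 0, "alerted": 0}
    for ev in events:
        q = channel_queries.get(ev["channel"])
        if q is not None and not query_accepts(q, ev["eventID"]):
            counts["dropped_by_agent"] += 1
        elif rule_matches(silence_regex, ev.get(field)):
            counts["silenced_by_rule"] += 1
        else:
            counts["alerted"] += 1
    return counts

if __name__ == "__main__":
    # The always-false query from the thread drops the whole Security channel.
    print(simulate(SAMPLE_EVENTS, {"Security": "Event/System[EventID = 1 and EventID != 1]"}))
    # A targeted query keeps logons (4624/4625) and drops only 4688.
    print(simulate(SAMPLE_EVENTS, {"Security": "Event/System[EventID != 4688]"}))
```

Two things the simulation makes visible: the always-false query discards every Security event, logons included, so a targeted `EventID != ...` list is the safer choice when only one event type is noisy; and the level-0 rule keyed on win.eventdata.image never fires for a Security 4688 event, whose path lives in newProcessName, so the rule's field must match the decoder output of the event actually being suppressed. An agent-side query also saves the manager the work entirely, whereas a level-0 match still passes through decoding and, with logall enabled, still lands in the archives.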

Rei Gjata

Jan 8, 2025, 5:07:17 AMJan 8
to Wazuh | Mailing List
One last question


Can I find the EventID directly in the Wazuh logs?
Or do I need to find it in Event Viewer on Windows?

Thank You

Olamilekan Abdullateef Ajani

Jan 8, 2025, 6:14:46 AMJan 8
to Wazuh | Mailing List
Hello Rei,

You can capture the EventID directly from Windows Event Viewer and exclude it in the localfile configuration.

Best regards

Rei Gjata

Jan 8, 2025, 6:19:45 AMJan 8
to Wazuh | Mailing List
Thank you

Best Regards to you