Total number of alerts with <no_log> option enabled


randa sabbagh

Jul 26, 2022, 5:24:16 AM
to Wazuh mailing list
Hello All,

I was wondering if I can write a rule in Wazuh that shows the number of specific alerts generated during a period of time while the <no_log> option is configured.

For example:

I'm getting too many firewall logs, so I used the <no_log> option to stop receiving these alerts:
<rule id="100005" level="5">
    <decoded_as>windows-date-format</decoded_as>
    <field name="AttackType">\.+</field>
    <description>IGW Firewal $(AttackType)</description>
    <options>no_log</options>
    <group>firewall_block,pci_dss_1.4,nist_800_53_SC.7</group>
</rule>

But at the end of the day I want to know the total number of IGW attacks in the last 24 hours.

Is there any way to achieve this?
Wazuh version: 4.2.1

Thank you in advance.

Jeremias Ignacio Posse

Jul 26, 2022, 8:43:31 AM
to Wazuh mailing list
Hi! Hope you are well, thanks for using Wazuh!
I think that what you ask cannot be done, because no record of the triggered alerts is kept when the no_log option is enabled. Maybe you can improve the rule so that it is not triggered by events that are unimportant to you, and use the Dashboard to see the alerts in certain time ranges or day by day, as I show in the attached image. Please feel free to ask any other questions.

rulefiltering.png
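To make the point in the answer concrete, here is an added example (not from the poster or from Wazuh) that counts alerts from rule 100005 in the last 24 hours by reading alerts.json lines. The input lines and the "now" timestamp are constructed; a rule carrying <options>no_log</options> never writes a line to alerts.json, so this count only works once that option is removed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed alerts.json lines (one JSON object per line, as the manager writes them).
# Only alerts that actually reach alerts.json appear here; a no_log rule writes nothing.
SAMPLE_ALERTS = """\
{"timestamp":"2022-07-26T03:10:00.000+0000","rule":{"level":5,"id":"100005","description":"IGW Firewal PortScan","groups":["firewall_block"]}}
{"timestamp":"2022-07-26T04:20:00.000+0000","rule":{"level":5,"id":"100005","description":"IGW Firewal SynFlood","groups":["firewall_block"]}}
{"timestamp":"2022-07-25T02:00:00.000+0000","rule":{"level":5,"id":"100005","description":"IGW Firewal PortScan","groups":["firewall_block"]}}
{"timestamp":"2022-07-26T04:30:00.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened.","groups":["pam"]}}
"""


def parse_ts(ts: str) -> datetime:
    """Parse the alerts.json timestamp format, e.g. 2022-07-26T03:10:00.000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def count_rule_alerts(lines, rule_id, now, window=timedelta(hours=24)):
    """Return (total, per-description counts) for rule_id alerts within [now - window, now]."""
    start = now - window
    total = 0
    per_type = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        if alert["rule"]["id"] != rule_id:
            continue
        ts = parse_ts(alert["timestamp"])
        if start <= ts <= now:
            total += 1
            desc = alert["rule"]["description"]  # "IGW Firewal <AttackType>" from the rule
            per_type[desc] = per_type.get(desc, 0) + 1
    return total, per_type


def demo_count():
    """Run the count over the constructed sample with a fixed 'now' (assumed, not real time)."""
    now = datetime(2022, 7, 26, 5, 24, tzinfo=timezone.utc)
    return count_rule_alerts(SAMPLE_ALERTS.splitlines(), "100005", now)


if __name__ == "__main__":
    total, per_type = demo_count()
    print(f"IGW alerts in last 24h: {total}")
    for desc, n in per_type.items():
        print(f"  {desc}: {n}")
```

On a real manager, replace SAMPLE_ALERTS with the lines of /var/ossec/logs/alerts/alerts.json and use the current time as "now".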

randa sabbagh

Jul 27, 2022, 2:46:13 AM
to Wazuh mailing list
Thank you very much, that was helpful.