Rules in WAZUH


Lucas Veríssimo

Nov 29, 2025, 2:36:19 AM
to Wazuh | Mailing List
Hi everyone, I'm using Wazuh 4.14.1
How do I create a rule so that only my specific server with ID 007 doesn't receive alerts about "System user successfully logged to the system," a level 12 rule with ID 40101? I did it this way, but it's not working. I have other rules in my custom rules; could that be causing the problem? Or, since this type of alert is level 12, I could leave it only for ID 007 so that this alert is of a lower level and doesn't alert me.

hasitha.u...@wazuh.com

Nov 29, 2025, 8:31:31 AM
to Wazuh | Mailing List
Hi Lucas,

You can create a custom rule that uses rule 40101 as its parent. To ignore alerts for a specific server you can use the <hostname> tag with the agent name.
For example:

<group name="test">
    <!-- Child of 40101: only evaluated after the parent rule has matched -->
    <rule id="100301" level="0">
        <if_sid>40101</if_sid>
        <!-- Matches the agent name carried in the event's hostname field -->
        <hostname>agent_name</hostname>
        <!-- Level 0 means the event is matched but never alerted -->
        <description>Ignore test alert.</description>
    </rule>
</group>
Replace agent_name with the name of agent 007. You can find it by navigating to Agent management -> Summary and checking the agent name of 007.

In this case, you won’t face any issues because whenever the agent name is not 007, the ‘System user successfully logged to the system’ alert will be triggered. If the event contains the agent name 007, the alert will be suppressed.

If that is not the case, please share more details regarding your custom rule and the sample logs you tested. Then I can replicate this scenario.

Let me know if you need further assistance on this.

Ref:
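As an added illustration (not part of the reply above or of Wazuh's shipped rules), here is the same override written out for both options Lucas raised: suppressing the alert for that one agent, or merely lowering its level. The agent name srv007 and the group name are assumptions; use whatever Agent management -> Summary shows for agent 007.

```xml
<!-- Added example, not from the reply above. Assumes agent 007 is named
     "srv007"; keep only ONE of the two child rules for the same agent,
     otherwise both match the same event and the winner depends on evaluation order. -->
<group name="local,auth_overrides,">

  <!-- Variant A: suppress the alert entirely for srv007.
       This child fires only after parent rule 40101 has matched; level 0
       means the event is matched but never written as an alert. -->
  <rule id="100301" level="0">
    <if_sid>40101</if_sid>
    <!-- ^ and $ anchor the sregex so "srv0071" or "srv007-old" do not also match -->
    <hostname>^srv007$</hostname>
    <description>Successful system user login on srv007 (expected, suppressed)</description>
  </rule>

  <!-- Variant B: keep a record, but stop the level-12 alert.
       Level 5 is still written to alerts (default log_alert_level is 3) but is
       below the default email_alert_level of 12, so no notification is sent. -->
  <rule id="100302" level="5">
    <if_sid>40101</if_sid>
    <hostname>^srv007$</hostname>
    <description>Successful system user login on srv007 (downgraded from level 12)</description>
  </rule>

</group>
```

Put the group in /var/ossec/etc/rules/local_rules.xml and restart wazuh-manager; every other agent keeps the original level-12 alert from rule 40101 because the child rules never match their hostname.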