Disable some rules for specific agent profile


Kazim Koybasi

Apr 10, 2018, 6:41:12 AM
to Wazuh mailing list
Hi all,

We have Windows servers in a domain and we have taken preventive measures against multiple auth-failure attacks. They have the Wazuh agent installed, and there are lots of AUDIT_FAILURE (5157) alerts in our Wazuh ELK. Is it possible to disable Windows auditing for only this agent profile?

Best,

Miguelangel Freitas

Apr 12, 2018, 5:07:34 PM
to Kazim Koybasi, Wazuh mailing list
Hi Kazim,

You can suppress those events via the logcollector or a Manager rule:
  • Disable the Windows EventID log collection on the agent side:
<localfile>
   <location>Security</location>
   <log_format>eventchannel</log_format>
   <!-- XPath filter: collect every Security event except EventID 5157 -->
   <query>Event/System[EventID!=5157]</query>
</localfile>

This can help to reduce the number of EPS coming to the manager.
  • Or add a suppression rule using the <hostname> tag, for example:
  <rule id="150000" level="0">
    <if_sid>18105</if_sid>
    <id>^5157$</id>
    <!-- agent_name1 and agent_name2 are placeholders for the affected agents -->
    <hostname>agent_name1|agent_name2</hostname>
    <description>Suppress audit failures on selected hosts.</description>
    <group>suppression,</group>
  </rule>

I hope it helps.

Miguelangel Freitas
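As an added illustration (not part of this thread or of Wazuh's own code), the Python below emulates the three checks the level-0 rule above performs on constructed sample events and shows why the <hostname> pattern should be anchored. It assumes Wazuh's OS_Match semantics for <hostname>: a substring match unless the pattern is anchored with ^ and $, with '|' separating alternatives.

```python
import re

# Constructed sample events, shaped like the fields the level-0 rule inspects:
# agent hostname, Windows Event ID, and the parent rule (18105, "Windows audit
# failure event") that matched first. Not real alerts.
SAMPLE_EVENTS = [
    {"hostname": "agent_name1", "id": "5157", "parent_rule": 18105},
    {"hostname": "agent_name2", "id": "5157", "parent_rule": 18105},
    {"hostname": "agent_name10", "id": "5157", "parent_rule": 18105},  # a third host
    {"hostname": "agent_name1", "id": "4625", "parent_rule": 18105},   # different event
    {"hostname": "dc01", "id": "5157", "parent_rule": 18105},
]


def rule_matches(event, hostname_pattern, id_pattern="^5157$", parent_rule=18105):
    """Emulate the <if_sid>, <id> and <hostname> checks of the suppression rule.

    Assumption: as with Wazuh's OS_Match, <hostname> is a substring match
    unless the pattern is anchored with ^ and $; '|' separates alternatives.
    """
    if event["parent_rule"] != parent_rule:
        return False
    if not re.search(id_pattern, event["id"]):
        return False
    return any(re.search(alt, event["hostname"]) for alt in hostname_pattern.split("|"))


def suppressed_hosts(events, hostname_pattern):
    """Return the hostnames whose events the level-0 rule would silence."""
    return [e["hostname"] for e in events if rule_matches(e, hostname_pattern)]


if __name__ == "__main__":
    # Unanchored: agent_name10 is also silenced because it contains agent_name1.
    print(suppressed_hosts(SAMPLE_EVENTS, "agent_name1|agent_name2"))
    # Anchored: only the two intended agents are silenced.
    print(suppressed_hosts(SAMPLE_EVENTS, "^agent_name1$|^agent_name2$"))
```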



Kazim Koybasi

Apr 19, 2018, 9:15:12 AM
to Wazuh mailing list
Hello Miguelangel,

It worked. Thanks for your answer. I was on vacation so I could not write an email.

Regards,