Alert Aggregation and Deduplication


Gael Miguez Mendez

Jul 18, 2024, 4:31:37 AM
to Wazuh | Mailing List
Hi! I have an enterprise implementation of wazuh, where suricata is triggering a lot of alerts due to the mail server and other normal use cases. I have been reading about deduplication. Is there a way to implement something like this?

"Implement logic to aggregate and deduplicate alerts based on certain criteria such as the type of alert, the source IP address, or the time window. For example, if the same alert is generated multiple times within a short period, it can be counted once but with a counter indicating the frequency."

Thanks in advance. Best regards!

Benjamin Nworah

Jul 18, 2024, 7:58:45 AM
to Wazuh | Mailing List
Dear Gael,

Unfortunately, Wazuh does not support deduplication. However, Wazuh has a feature where alerts can be suppressed over a period of time (in seconds) after the rule triggers an alert.

For example, the rule below will trigger an alert when an event matches its set conditions. It will not trigger any other alerts (despite having an event matching the set conditions) until 10 seconds elapse.

<rule id="100032" level="10" ignore="10">
    <if_sid>61614</if_sid>
    <description>No alert generated after the first trigger until 10 seconds elapses.</description>
</rule>

The documentation explains how the ignore option can be used to suppress alerts over a time period after the rule triggers an alert.

Regards,
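To make the difference between the two approaches concrete, here is an added Python model (not Wazuh code and not part of the thread) that replays constructed Suricata-style events through the `ignore="10"` suppression described in the reply and through the counter-based aggregation the question quotes. It assumes the ignore window is counted from the alert that fired and is not extended by suppressed events, and that `ignore` does not distinguish source IPs.

```python
IGNORE_SECONDS = 10  # mirrors ignore="10" on the rule in the reply

# Constructed sample events: (epoch seconds, rule id, source IP).
# Invented for this example, not taken from a real Suricata feed.
EVENTS = [
    (100, 61614, "10.0.0.5"),
    (103, 61614, "10.0.0.5"),
    (107, 61614, "10.0.0.9"),
    (110, 61614, "10.0.0.5"),
    (125, 61614, "10.0.0.5"),
    (126, 61614, "10.0.0.9"),
]

def suppress_with_ignore(events, ignore_seconds=IGNORE_SECONDS):
    """Model of the rule-level ignore option described in the reply.

    Assumption: once the rule fires, every matching event is dropped until
    ignore_seconds have elapsed since that alert; suppressed events do not
    extend the window and the source IP is not considered.
    Returns the timestamps at which an alert would still be raised.
    """
    fired = []
    last_alert = None
    for ts, _rule, _src in events:
        if last_alert is not None and ts - last_alert < ignore_seconds:
            continue  # inside the ignore window: event is silently dropped
        fired.append(ts)
        last_alert = ts
    return fired

def aggregate_with_counter(events, window_seconds=IGNORE_SECONDS):
    """The deduplication the question asks about (and the reply says Wazuh
    lacks): group matching events by (rule, source IP) per fixed window and
    emit one record with a counter instead of dropping the repeats.
    """
    buckets = {}
    for ts, rule, src in events:
        key = (rule, src, ts // window_seconds)  # fixed window bucket
        if key not in buckets:
            buckets[key] = {"rule": rule, "srcip": src, "first_seen": ts, "count": 0}
        buckets[key]["count"] += 1
    return list(buckets.values())

if __name__ == "__main__":
    print("ignore fires at:", suppress_with_ignore(EVENTS))
    for rec in aggregate_with_counter(EVENTS):
        print(rec)
```

Note that the ignore model never alerts on the 10.0.0.9 event at t=107 at all, whereas the aggregation keeps every source with its count.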