don't send email alert if rule has specific keywords


Liudas Višniovas

Jun 2, 2023, 3:31:07 AM6/2/23
to Wazuh mailing list
Hi,

I'm currently looking into creating a custom rule to suppress email notifications when one of the rules has specific keywords in the logs.
I have one Win10 machine that I'm receiving email alerts from, and the computer sends me loads of Rule: 60154 fired (level 12) -> "Administrators group changed." It's always the same: the machine was added to the admin group and then removed from the admin group.
I want to receive notifications for this rule just in case some specific user is trying to compromise security groups, not when they are generic changes made by the computer.
So I would need to define that if the keywords below are in the event, no email notification is sent.

win.eventdata.targetUserName: Administrators
win.eventdata.targetDomainName: Builtin
win.eventdata.subjectUserName: $Machinename
win.eventdata.subjectDomainName: $companydomain

Could you please assist on this?
Much appreciated 

Julia Magán Rodríguez

Jun 2, 2023, 8:02:50 AM6/2/23
to Wazuh mailing list

Hello,

How to prevent alerts from being sent by mail according to specific fields depends on how you have configured the alerts, but you can create a rule that checks these fields and prevents them from being sent by mail. For example, if you have configured alerts to be sent according to the rule ID, creating a rule with a different ID that checks the fields you mention is enough. If you tell me how you have configured the alerts, I will be able to help you more. For now, here is an example rule for the case mentioned above:

<!-- Rules in local_rules.xml must sit inside a <group> element; the wrapper is added here for that reason. -->
<group name="local,windows,">
  <rule id="100002" level="12">
    <!-- Child of the stock rule 60154: it takes over the alert only when every <field> below matches. -->
    <if_sid>60154</if_sid>
    <field name="win.eventdata.targetUserName">Administrators</field>
    <field name="win.eventdata.targetDomainName">Builtin</field>
    <!-- $Machinename and $companydomain are the placeholders from the question; "\$" escapes the dollar
         sign, which otherwise anchors the end of the string in Wazuh's regex syntax. -->
    <field name="win.eventdata.subjectUserName">\$Machinename</field>
    <field name="win.eventdata.subjectDomainName">\$companydomain</field>
    <options>no_full_log</options>
    <description>Administrators group changed.</description>
    <mitre>
      <id>T1484</id>
    </mitre>
    <group>gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,group_changed,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,win_group_changed,</group>
  </rule>
</group>
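Added example, not code from this thread or from Wazuh: a small Python model of the rule chain in the reply above (stock rule 60154 as parent, rule 100002 as child), run over constructed Windows events. It shows why a separate child rule ID is enough when e-mail is filtered by rule ID, and why it is not enough on its own when e-mail is filtered by level, since the child keeps level 12; that is the configuration dependency the reply points at. Assumptions: the computer account appears as "WIN10-PC$" and the company domain as "CORP"; Wazuh's own field matcher is OS_Regex, where a trailing "$" anchors the end of the string and has to be written "\$", so the patterns are translated to Python's re module with re.escape.

```python
import re

# Added example, not code from the mailing-list thread or from Wazuh.
# Models the chain "rule 60154 -> child rule 100002" on constructed events.

MACHINE_ACCOUNT = "WIN10-PC$"   # assumed: Windows computer accounts end in "$"
COMPANY_DOMAIN = "CORP"         # assumed stand-in for "$companydomain"

# Stock Wazuh rule 60154 ("Administrators group changed.", level 12) is the parent.
PARENT = {"id": 60154, "level": 12}

# Child rule from the reply: fires only when every <field> matches. Wazuh matches
# fields with OS_Regex, where "$" anchors the end of a string and must be escaped
# as "\$"; here the same patterns are expressed for Python's re via re.escape.
CHILD = {
    "id": 100002,
    "level": 12,
    "fields": {
        "win.eventdata.targetUserName": "Administrators",
        "win.eventdata.targetDomainName": "Builtin",
        "win.eventdata.subjectUserName": re.escape(MACHINE_ACCOUNT),
        "win.eventdata.subjectDomainName": re.escape(COMPANY_DOMAIN),
    },
}


def get_field(event, dotted_name):
    """Resolve a dotted field name such as win.eventdata.subjectUserName."""
    node = event
    for part in dotted_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate(event):
    """Given an event that rule 60154 already matched, return (rule_id, level)
    of the most specific rule that fires. A missing or non-matching field
    leaves the alert on the parent rule."""
    for name, pattern in CHILD["fields"].items():
        value = get_field(event, name)
        if value is None or re.search(pattern, value) is None:
            return PARENT["id"], PARENT["level"]
    return CHILD["id"], CHILD["level"]


def email_by_rule_id(result, rule_ids=frozenset({60154})):
    """ossec.conf <email_alerts> with <rule_id>60154</rule_id>: only that ID mails."""
    return result[0] in rule_ids


def email_by_level(result, email_alert_level=12):
    """ossec.conf <alerts><email_alert_level>12</email_alert_level>: any rule at
    or above the threshold mails, so a level-12 child still produces e-mail."""
    return result[1] >= email_alert_level


def make_event(subject_user, subject_domain=COMPANY_DOMAIN,
               target_user="Administrators", target_domain="Builtin"):
    """Build a constructed event shaped like Wazuh's decoded win.eventdata."""
    return {"win": {"eventdata": {
        "targetUserName": target_user,
        "targetDomainName": target_domain,
        "subjectUserName": subject_user,
        "subjectDomainName": subject_domain,
    }}}


# Constructed sample events (not captured logs).
SAMPLES = {
    "routine_machine_change": make_event(MACHINE_ACCOUNT),
    "human_user_change": make_event("jdoe"),
    "machine_from_other_domain": make_event(MACHINE_ACCOUNT, subject_domain="OTHER"),
}


def summarize():
    """Per sample: which rule fires and whether it mails under each configuration."""
    out = {}
    for name, event in SAMPLES.items():
        result = evaluate(event)
        out[name] = {
            "rule_id": result[0],
            "email_if_filtered_by_rule_id": email_by_rule_id(result),
            "email_if_filtered_by_level": email_by_level(result),
        }
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name:28s} {row}")
```

Under the rule-ID configuration the routine machine-account change lands on 100002 and is not mailed, while the change made by a human user stays on 60154 and is mailed. Under the level configuration the child mails just the same, so in that setup the child would also need its level lowered below the threshold or the Wazuh rule option no_email_alert added to its <options>, which is why the reply asks how the alerts are configured.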