Syscheck Tuning Windows Agent

[Will]

I am currently in the process of tuning syscheck alerts for my windows environment, roughly 160 servers and am having some issues regarding HKEY change alerts. 

I would like to filter out alerts from the system making HKEY changes however I noticed that the username associated with each HKEY change alert isn't listed in the Wazuh alert itself. 

As such, my custom rule to ignore file changes from the system user isn't kicking in for any of the HKEY changes. I have enabled the auto_ignore option to limit the number of alerts that are triggered but I am still receiving way too many system HKEY change alerts. Is there a way for me to remove the system user HKEY change alerts without completely excluding the HKEY syscheck entries in the .conf file entirely?

Thank you, 

Will

[Jesus Linares]

Hi Will,

there are 2 ways to ignore alerts in syscheck: ossec.conf and rules. Check out the documentation:

• https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configure-to-ignore-files
  
• https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#ignoring-files-via-rules
  

They are examples for files, not registry but I think it should work.

Could you share an example of the syscheck alert that you want to ignore?.

Thanks.

Regards.

[Jesus Linares]

Hi Will,

so you want to monitor all HKEY changes, but ignore the changes made by the system user. I think that is not possible. The field syscheck.uname_after doesn't exist for registry events. Also, the field syscheck.uid_after doesn't apply on Windows (we will remove it in next releases). Also, these fields (*uname and *uid) are related with the owner of the file, not with who made the changes.

You should handle the false positives. We are working on include the who-data information for syscheck alerts and your filter will be possible, but there is no an estimated date that I can give you.

I hope it helps.

Regards.