Exclude multiple alerts with same field


Håkon Haakensen

Feb 14, 2025, 2:50:56 AM
to Wazuh | Mailing List
Hi Team!

I have a Wazuh rule that spams me with way too many identical alerts because the event can be recurring.
I want the Wazuh rule to alert me the first time it triggers per user.

This is the rule in question:
"
  <rule id="602010" level="12">
    <if_sid>602000</if_sid>
    <field name="location.countryOrRegion" negate="yes">NO</field>
    <description>Sign in from $(location.countryOrRegion).</description>
  </rule>
"
I have made an exclusion rule like this:
"
  <rule id="602003" level="10" frequency="2" timeframe="28800">
    <if_matched_sid>602010</if_matched_sid>
    <same_field>userId</same_field>
    <description>Multiple sign ins from $(location.countryOrRegion).</description>
  </rule> 
"

But this ONLY triggers the SECOND time the rule is triggered.
How can I make sure the exclusion rule triggers the 2nd, 3rd, 4th, 5th etc. time the rule would be triggered?
Something like frequency="2+" or something..

I have looked through the documentation, but found nothing to suppress excessive alerts.

Please help :)

Bony V John

Feb 14, 2025, 6:00:15 AM
to Wazuh | Mailing List
Hi,

You can suppress rule ID 602003 after triggering it once using the ignore option available in Wazuh rules. When you add an ignore tag in rule 602003, it will trigger only once and then will not trigger again for the specified timeframe.

You can add the ignore tag as shown below, specifying the duration in seconds:

  <rule id="602003" level="10" frequency="2" timeframe="28800" ignore="28800">

You can try adding the ignore tag in your rule as shown above and check if it works. If you need further assistance in creating this rule, please share the full log. If you are using any custom decoder, please share that as well.

You can refer to the Wazuh rules syntax documentation for more details.

I have tested this use case using another sample log, and it worked fine for me. I have attached a screenshot of my testing for your reference.


Screenshot 2025-02-14 162504.png

Håkon Haakensen

Feb 14, 2025, 7:13:53 AM
to Wazuh | Mailing List
Hi,

This would ignore the entire rule? 
I only want to ignore for the same "userId" for said duration.

Bony V John

Feb 19, 2025, 11:27:27 PM
to Wazuh | Mailing List
Hi,

I apologize for the late response. If you use the <ignore> tag, it will ignore the entire rule for the specified time and can be used for static field values. In your case, if the "userId" is variable, you cannot use the <ignore> option in your rule, and there is currently no option to suppress an alert after it triggers the first time. At the moment, this type of alert suppression is not possible. However, Wazuh 5.0 will introduce a new ruleset engine, which will hopefully solve this issue. You can refer to the Wazuh rules syntax documentation for more details.
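
To make the behaviour discussed in this thread concrete, here is an added Python model of the rule options involved. It is not Wazuh's code and only assumes the semantics described above: a composite rule with frequency="2", timeframe="28800" and same_field fires when a second matching event for the same userId arrives within the window, and ignore silences the whole rule (every userId) for the given number of seconds after it fires. The sign-in events are constructed sample data.

```python
from collections import defaultdict


class CompositeRule:
    """Simplified model (assumption, not Wazuh's implementation) of
    frequency/timeframe/same_field plus the rule-wide ignore option."""

    def __init__(self, frequency, timeframe, ignore=0):
        self.frequency = frequency
        self.timeframe = timeframe
        self.ignore = ignore
        self.seen = defaultdict(list)  # same_field value -> event timestamps
        self.ignore_until = -1         # rule-wide, not per field value

    def feed(self, ts, key):
        """Return True if the rule fires for the event at time ts."""
        if ts < self.ignore_until:
            return False                # <ignore> silences every key
        window = [t for t in self.seen[key] if ts - t <= self.timeframe]
        window.append(ts)
        if len(window) >= self.frequency:
            self.seen[key] = []         # counter restarts after firing
            if self.ignore:
                self.ignore_until = ts + self.ignore
            return True
        self.seen[key] = window
        return False


def run(rule, events):
    """Feed (timestamp, userId) events in order; return those that fired."""
    return [(ts, user) for ts, user in events if rule.feed(ts, user)]


# Constructed sample: repeated sign-ins by two users inside one 8-hour window.
EVENTS = [(0, "alice"), (600, "alice"), (1200, "alice"),
          (1800, "bob"), (2000, "bob"), (2400, "alice")]

if __name__ == "__main__":
    # frequency="2" alone: fires on alice's 2nd and 4th event and bob's 2nd,
    # never on the 1st or 3rd, which is the behaviour the question describes.
    print(run(CompositeRule(2, 28800), EVENTS))
    # adding ignore="28800": alice's first firing silences the rule for
    # everyone, so bob's repeated sign-ins are suppressed too.
    print(run(CompositeRule(2, 28800, ignore=28800), EVENTS))
```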
