Need Guidance on Customizing Wazuh Rules to Reduce False Positives

[louay Kaltoum]

Hello everyone,

I’m currently working on customizing some Wazuh rules and would appreciate your guidance.

My goal is to reduce false positives for certain alerts that I know are safe. These alerts usually reference binaries, executables, or PowerShell script paths that I personally create and fully trust.

I want to keep the original rules intact, but create child rules with regex filters that match only these known-safe files. When these child rules trigger, I want the alert level to be lowered (for example, reduced to level 7), and ideally prevent the parent rule from triggering at its original severity (e.g., level 15).

I attempted this approach, but I ran into an issue: Wazuh always triggers the most specific child rule. Since the SOC Fortress ruleset contains very specific child rules, my custom rules are not being prioritized the way I need. I want to find a solution that:

• Doesn’t require deleting or modifying existing rules

• Allows my custom child rules to remain valid

• Ensures that when my “safe file” rule matches, it correctly overrides or mutes the parent rule’s higher-severity alert

If anyone has experience with rule ordering, rule IDs, or techniques to ensure custom child rules take priority without modifying upstream rules, I would really appreciate your advice.

Thank you in advance for your help.

Best regards,

[Pedro Nicolás Gomez]

Hi, 
The first thing we need to do is identify which rule IDs we want to reduce the alert level for.

Once these have been identified, we can create a child rule with a lower level (for example, level=7) and use the <if_sid> option:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-sid

With <if_sid>, we can evaluate whether one of the original rules has already matched, and then add an additional condition to verify whether the binary, executable, or PowerShell script corresponds to one of your trusted files.  

This approach allows you to add custom rules without editing or overwriting any of the existing rules.  

  

Example

Let’s assume we create the following rule:

<rule id="100110" level="7">

   <if_sid>1234, 12345, 5555</if_sid>

   <match>^C:\\MyTrustedTool\\.*</match>

   <description>Trusted tool: custom overridden rule</description>

</rule>

Behavior:

• Rule 100110 will trigger a level 7 alert only if one of the rules 1234, 12345, or 5555 matched previously, and matches the regular expression ^C:\\MyTrustedTool\\.*.

• If  the regular expression  does not match, then the original rules (1234, 12345, 5555) will continue to trigger normally with their original severity levels.

Here I share information to create rules:

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.htm

[louay Kaltoum]

Hello,

Here is the parent rule I’m working with:

<rule id="92200" level="15"> <if_group>sysmon_event_11</if_group> <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\(Windows\\\\Temp|Users).+\.(bat|cmd|lnk|pif|vbs|vbe|js|wsh|ps1)</field> <options>no_full_log</options> <description>Scripting file created under Windows Temp or User folder</description> <mitre> <id>T1059</id> <id>T1105</id> </mitre> </rule>

And here is the custom child rule I created to lower the severity for a known safe file:

<rule id="100000" level="7" overwrite="yes"> <if_sid>92200</if_sid> <field name="win.eventdata.targetFilename" type="pcre2">(?i)trusted_tool.*\.ps1$</field> <description>Safe PowerShell script from internal trusted tool (lower severity)</description> <group>windows,syscheck,scripting,</group> </rule>

This child rule does work, but only if I remove one of the existing child rules under the same parent rule.
The issue is that one of the built-in child rules is more specific than mine, so Wazuh always selects that rule instead of my custom one.

My goal is to keep all existing rules (including the SOC Fortress children) untouched, while having my custom child rule take priority when the filename matches my known safe pattern.

Do you have recommendations on how to correctly prioritize custom child rules without removing or modifying the default ones?

Thank you!

[Pedro Nicolás Gomez]

First, I see that you added <rule id="100000" level="7" overwrite="yes">.
The overwrite="yes" attribute is not necessary because we don’t want to overwrite the rule with ID 100000; instead, we want to create a child rule.
If other, more specific rules are being evaluated before yours, you can add those rule IDs to the <if_sid> list, for example:

<if_sid>92200, 92201, 92xyz, ...</if_sid>

This way, your new rule will also become a child of 92201, 92xyz, etc.

If you can share details about which SOC Fortress ruleset is causing conflicts, the rule configuration you’re currently using, and an example log, I can provide more specific guidance.