Exclusion rule


gustavo rodriguez

Oct 5, 2023, 2:48:25 PM10/5/23
to Wazuh | Mailing List
Query when creating an exclusion rule

Is it valid to create it like this? to exclude several fields in a single rule?

<group name="windows, sysmon, sysmon_event1">
  <rule id="100070" level="1">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalfilename">^Teams.exe$|^Acrobat.exe$</field>
    <description>False positive teams</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.5,gdpr_IV_32.2,</group>
  </rule>
</group>

In this case I am excluding Teams.exe and Acrobat.exe, or do I have to make a rule for each one?

Raul Del Pozo Moreno

Oct 5, 2023, 3:41:12 PM10/5/23
to gustavo rodriguez, Wazuh | Mailing List
Hello

That rule will do the following:

It will generate a level 1 alert when the win.eventdata.originalfilename field starts and ends with the value Teams.exe or Acrobat.exe.

Could you specify a little more what you want to achieve?

  • Do not generate the alert completely if those fields are matched?
  • Exclude those fields from the generated alert?

Remember that if the field matches those values and you do not want to generate the alert, you can specify it in the header as follows:

<rule id="01" level="0" noalert="1">

  • noalert
    • Definition: Do not trigger an alert if the rule matches.
    • Allowed values:
      • 0 (alerts, value by default)
      • 1 (no alerts). If noalert is set to 1, the event continues analyzing other rules despite the rule matches.


Wazuh
Raúl Del Pozo Moreno
QA + Automation engineer


To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4e95ea1c-9a0e-461e-bb95-00bdf8a0a427n%40googlegroups.com.

gustavo rodriguez

Oct 6, 2023, 8:16:30 AM10/6/23
to Wazuh | Mailing List
Hi Raul, thanks for your reply.


"Do not generate the alert completely if those fields are matched?"

Sure, what I want is to eliminate false positives.

Is it the best practice when you don't want to receive events from some field to use "no alert"?

So as not to fill up with unnecessary events.

Raul Del Pozo Moreno

Oct 6, 2023, 10:15:03 AM10/6/23
to gustavo rodriguez, Wazuh | Mailing List
If you want to prevent an alert from being generated, you should use what I indicated in the previous comment.


<rule id="01" level="0" noalert="1">

About


Is it the best practice when you don't want to receive events from some field to use "no alert"?

You must consider whether you want to cancel the alert completely or mark it with the minimum alert level (1), so you must be very careful if you decide not to generate the alert since you may not see legitimate alerts.

Canceling the generation of an alert could create a security hole, with all that that entails. I would recommend that an alert always be generated, with a level appropriate to the importance given, and that you only resort to not generating alerts in certain very specific cases and after an analysis of the impact it may have.

Wazuh
Raúl Del Pozo Moreno
QA + Automation engineer
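The two options discussed in this thread, written out as a complete custom rules file. This is an added example, not code from the thread or from Wazuh's own ruleset. It assumes Wazuh 4.x, a custom rules file at /var/ossec/etc/rules/local_rules.xml (custom rule IDs in the 100000-120000 range), the parent rule 61603 and the field name win.eventdata.originalfilename exactly as used in the thread, and the default log_alert_level of 3. The two rules are alternatives for the same events: keep only one of them in the file.

```xml
<!-- Added example: two ways to handle known-good Sysmon event 1 processes.
     Assumes Wazuh 4.x and the parent rule / field name from the thread.
     Load only ONE of the two rules below; both match the same events. -->
<group name="windows,sysmon,sysmon_event1,local,">

  <!-- Option A: do not alert at all (the narrow, "very specific case" use).
       noalert="1" suppresses the alert; the event still continues through
       the other rules. Two binaries are handled by one rule through regex
       alternation; type="pcre2" makes the dot literal and the anchors strict. -->
  <rule id="100070" level="0" noalert="1">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalfilename" type="pcre2">^(?:Teams|Acrobat)\.exe$</field>
    <description>Sysmon event 1: known-good process $(win.eventdata.originalfilename), suppressed</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.5,gdpr_IV_32.2,</group>
  </rule>

  <!-- Option B (recommended in the thread): keep an audit trail instead of
       dropping the event. Level 1 is below the default alert threshold of 3,
       so the event is still recorded but does not raise a visible alert,
       and it remains available if the baseline ever needs to be reviewed. -->
  <rule id="100071" level="1">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalfilename" type="pcre2">^(?:Teams|Acrobat)\.exe$</field>
    <description>Sysmon event 1: known-good process $(win.eventdata.originalfilename), low priority</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.5,gdpr_IV_32.2,</group>
  </rule>

</group>
```

After editing the file, feed a sample Sysmon event 1 log line through /var/ossec/bin/wazuh-logtest before restarting the manager: the output shows which rule id fired and at what level, which is the quickest way to confirm the field name and the regex actually match the decoded event, and that an unrelated process still reaches rule 61603 normally.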
