Exclusion rule
64 views
Skip to first unread message
gustavo rodriguez
Oct 5, 2023, 2:48:25 PM10/5/23
to Wazuh | Mailing List
Query when creating an exclusion rule
Is it valid to create it like this? to exclude several fields in a single rule?
<group name="windows, sysmon, sysmon_event1">
<rule id="100070" level="1">
<if_sid>61603</if_sid>
<field name="win.eventdata.originalfilename">^Teams.exe$|^Acrobat.exe$</fi$
<description>False positive teams</description>
<options>no_full_log</options>
<group>pci_dss_10.2.5,</group>,gdpr_IV_32.2,</group>
</rule>
</group>
In this case I am exluding Teams.exe and Acrobat.exe , or do I have to make a rule for each one?
Is it valid to create it like this? to exclude several fields in a single rule?
<group name="windows, sysmon, sysmon_event1">
<rule id="100070" level="1">
<if_sid>61603</if_sid>
<field name="win.eventdata.originalfilename">^Teams.exe$|^Acrobat.exe$</fi$
<description>False positive teams</description>
<options>no_full_log</options>
<group>pci_dss_10.2.5,</group>,gdpr_IV_32.2,</group>
</rule>
</group>
In this case I am exluding Teams.exe and Acrobat.exe , or do I have to make a rule for each one?
Raul Del Pozo Moreno
Oct 5, 2023, 3:41:12 PM10/5/23
to gustavo rodriguez, Wazuh | Mailing List
Hello
That rule will do the following:
It will generate a level 1 alert when the win.eventdata.originalfilename field contains, start, and end with the values Teams.exe or Acrobat.exe
Could you specify a little more what you want to achieve?
Remember that if the field matches those values and you do not want to generate the alert, you can specify it in the header as follows:
It will generate a level 1 alert when the win.eventdata.originalfilename field contains, start, and end with the values Teams.exe or Acrobat.exe
Could you specify a little more what you want to achieve?
- Do not generate the alert completely if those fields are matched?
- Exclude those fields from the generated alert?
Remember that if the field matches those values and you do not want to generate the alert, you can specify it in the header as follows:
<rule id="01" level="0" noalert="1">
- noalert
- Definition: Not trigger an alert if the rule matches.
- Allowed values:
- 0 (alerts, value by default)
- 1 (no alerts). If noalert is set to 1, the event continues analyzing other rules despite the rule matches.
 | Raúl Del Pozo Moreno QA + Automation engineer |
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4e95ea1c-9a0e-461e-bb95-00bdf8a0a427n%40googlegroups.com.
gustavo rodriguez
Oct 6, 2023, 8:16:30 AM10/6/23
to Wazuh | Mailing List
Hi Raul, thanks for your reply.
"Do not generate the alert completely if those fields are matched?"
Sure, what I want is to eliminate false positives.
Is it the best practice when you don't want to receive events from some field to use "no alert"?
So as not to fill up with unnecessary events.
"Do not generate the alert completely if those fields are matched?"
Is it the best practice when you don't want to receive events from some field to use "no alert"?
So as not to fill up with unnecessary events.
Raul Del Pozo Moreno
Oct 6, 2023, 10:15:03 AM10/6/23
to gustavo rodriguez, Wazuh | Mailing List
If you want to prevent an alert from being generated, you should use what I indicated in the previous comment.
<rule id="01" level="0" noalert="1">
About
Is it the best practice when you don't want to receive events from some field to use "no alert"?
You must consider whether you want to cancel the alert completely or mark it with the minimum alert level (1), so you must be very careful if you decide not to generate the alert since you may not see legitimate alerts.
Canceling the generation of an alert could generate a security hole with all that that entails, I would recommend that an alert always be generated, with a level appropriate to the importance given, and only resort to not generating alerts in certain very specific cases and after an analysis of the impact it may have
Canceling the generation of an alert could generate a security hole with all that that entails, I would recommend that an alert always be generated, with a level appropriate to the importance given, and only resort to not generating alerts in certain very specific cases and after an analysis of the impact it may have
| Raúl Del Pozo Moreno QA + Automation engineer |
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2ffd9a78-3380-455f-823b-25610ecb7f22n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages