Disable rule


Thaynara Soares

Dec 18, 2024, 3:52:49 PM
to Wazuh | Mailing List
I would like to deactivate a rule from its operation because in a rule.id there are several operations and I want to deactivate some that are not so important to receive alerts, for example:


data.office365.Subscription | data.office365.Operation | rule.groups    | rule.id
----------------------------|--------------------------|----------------|--------
Audit.General               | ViewForm                 | MicrosoftForms | 91594
                            | ViewRuntimeForm          |                |
                            | CreateResponse           |                |
                            | ViewResponses            |                |
                            | ViewResponse             |                |
                            | ListForms                |                |
                            | ExportForm               |                |
                            | PreviewForm              |                |
                            | UpdateFormSetting        |                |
                            | DeleteResponse           |                |
                            | EditForm                 |                |

I want to disable only the words that are in red.




malena...@wazuh.com

Dec 18, 2024, 7:17:14 PM
to Wazuh | Mailing List

Hi Thaynara,

Thank you for reaching out!

To disable specific operations within a rule without affecting the entire rule, you can create a custom rule in the /var/ossec/etc/rules/local_rules.xml file. Unfortunately, Wazuh doesn't allow the direct deactivation of individual operations within a rule; however, you can adjust the rule to ignore the events that correspond to the operations of lesser importance.

Here's a general approach you can take:

  1. Copy the original rule: Identify the original rule (e.g., rule ID 91594) in the ruleset located at /var/ossec/ruleset/rules/ and copy its definition to your local_rules.xml.

  2. Modify the Match Conditions: Edit the copy to exclude the specific operations you want to disable (in this case, the ones you've highlighted in red). You can achieve this by adjusting the <match> tag or using <not_match> conditions if available.

  3. Add the overwrite="yes" tag: Remember to include the overwrite="yes" attribute to ensure that your changes take precedence over the original rule.

  4. Restart the Wazuh manager: After making these changes, restart the Wazuh manager to apply them.

If you need help drafting the rule, I will need the events that generate the alerts.


Thaynara Soares

Dec 19, 2024, 12:56:23 PM
to Wazuh | Mailing List
For example, like this?

  <rule id="91594" level="3">
      <if_sid>91532 overwrite="yes"</if_sid>
      <not_match>PreviewForm</not_match>
      <field name="office365.RecordType" type="osregex">^66$</field>
      <description>Office 365: Microsoft Forms events.</description>
      <options>no_full_log</options>
      <group>MicrosoftForms,hipaa_164.312.b,pci_dss_10.6.2</group>
  </rule>

malena...@wazuh.com

Dec 20, 2024, 8:56:30 PM
to Wazuh | Mailing List

I was testing, and adding this rule worked for me:

<rule id="915940" level="0">
    <if_sid>91594</if_sid>
    <field name="office365.Operation" type="pcre2">^(ViewForm|ViewRuntimeForm|CreateResponse|PreviewForm)$</field>
    <description>Office 365: Microsoft operations without alerts.</description>
    <options>no_full_log</options>
    <group>MicrosoftForms,hipaa_164.312.b,pci_dss_10.6.2</group>
</rule>

This is based on the original alert-generating rule, 91594. I set the level to 0 to ensure that these will never be included in your configuration regarding the base level from which you decide to receive alerts.

In the field name, I included a regular expression that matches each of the options for which you want to stop receiving alerts.

You can add this rule in your own XML file that you create within /var/ossec/etc/rules/

With that, you should be able to resolve your issue. Best regards!

Thaynara Soares

Jan 7, 2025, 1:31:21 PM
to Wazuh | Mailing List
Sorry for the delay in responding. I tried to put in what you said, but the syntax is giving an error. Could you help?

malena...@wazuh.com

Jan 8, 2025, 8:25:38 AM
to Wazuh | Mailing List

Could you share with me a screenshot of the error?

And a screenshot of your rules file in which you set this rule I provided you?

Thank you!

Thaynara Soares

Jan 8, 2025, 12:28:48 PM
to Wazuh | Mailing List
Screenshot_22.png

malena...@wazuh.com

Jan 8, 2025, 4:44:31 PM
to Wazuh | Mailing List
Sorry, I didn't copy the complete structure.

<group name="office365,">

    <rule id="915940" level="0">
        <if_sid>91594</if_sid>
        <field name="office365.Operation" type="pcre2">^(ViewForm|ViewRuntimeForm|CreateResponse|PreviewForm)$</field>
        <description>Office 365: Microsoft operations without alerts.</description>
        <options>no_full_log</options>
        <group>MicrosoftForms,hipaa_164.312.b,pci_dss_10.6.2</group>
    </rule>
</group>

The syntax error is because it doesn't have a <group> tag at the beginning and at the end.

Let me know if that works for you.
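As an added pre-deployment check (not code from this thread or from Wazuh), the script below lints a local rules snippet for the two mistakes that came up here (rules outside a <group> wrapper, a stray quote inside the pcre2 pattern), confirms the rule is level 0 and the pattern is anchored, and reports which Forms operations from the first post's table the rule would silence. It evaluates the pcre2 alternation with Python's re, which is an assumption that holds for these simple patterns; it does not emulate the Wazuh engine, so wazuh-logtest remains the authoritative test.

```python
import re
import xml.etree.ElementTree as ET
# Constructed copy of the thread's level-0 suppression rule, wrapped in the
# <group> element the manager requires.
LOCAL_RULES = """<group name="office365,">
    <rule id="915940" level="0">
        <if_sid>91594</if_sid>
        <field name="office365.Operation" type="pcre2">^(ViewForm|ViewRuntimeForm|CreateResponse|PreviewForm)$</field>
        <description>Office 365: Microsoft operations without alerts.</description>
        <options>no_full_log</options>
        <group>MicrosoftForms,hipaa_164.312.b,pci_dss_10.6.2</group>
    </rule>
</group>"""
# Microsoft Forms operations from the first post's table for rule 91594.
FORMS_OPERATIONS = ["ViewForm", "ViewRuntimeForm", "CreateResponse", "ViewResponses",
                    "ViewResponse", "ListForms", "ExportForm", "PreviewForm",
                    "UpdateFormSetting", "DeleteResponse", "EditForm"]

def audit_suppression(xml_text, operations):
    """Lint a local rules snippet and report which operations it would silence.
    Assumption: Python's re matches like pcre2 for these simple alternations;
    this is a pre-deployment check, not an emulation of the Wazuh engine."""
    report = {"problems": [], "suppressed": [], "alerting": list(operations)}
    root = ET.fromstring(xml_text)  # raises ET.ParseError if not well-formed
    if root.tag != "group":  # the error in this thread: rules outside <group>
        report["problems"].append("rules must be wrapped in a <group> element")
        return report
    for rule in root.findall("rule"):
        rid = rule.get("id")
        field = rule.find("field[@name='office365.Operation']")
        if field is None or field.get("type") != "pcre2" or not field.text:
            continue
        pattern = field.text.strip()
        if rule.get("level") != "0":
            report["problems"].append(f"rule {rid}: level must be 0 to silence alerts")
        if '"' in pattern:  # the stray quote that broke the Exchange rule later on
            report["problems"].append(f"rule {rid}: stray quote inside the pattern")
        if not (pattern.startswith("^") and pattern.endswith("$")):
            # unanchored: "ViewResponse" would also silence "ViewResponses"
            report["problems"].append(f"rule {rid}: pattern not anchored with ^...$")
        try:
            regex = re.compile(pattern)
        except re.error as exc:
            report["problems"].append(f"rule {rid}: invalid regex: {exc}")
            continue
        for op in operations:
            if regex.search(op) and op in report["alerting"]:
                report["alerting"].remove(op)
                report["suppressed"].append(op)
    return report
```

Run `audit_suppression(LOCAL_RULES, FORMS_OPERATIONS)` and check that "suppressed" lists exactly the operations you meant to silence and "problems" is empty before restarting the manager.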

Thaynara Soares

Jan 9, 2025, 12:17:37 PM
to Wazuh | Mailing List
I tested it and it worked. I'm not receiving any more of the logs mentioned, thank you very much for your help.

Thaynara Soares

Jan 10, 2025, 2:46:46 PM
to Wazuh | Mailing List
One question, if I want to not receive alerts from those in yellow, would it be like this?

Screenshot_28.png

<group name="office365,">
    <rule id="915330" level="0">
        <if_sid>91533</if_sid>
        <field name="office365.Operation" type="pcre2">^("Set-MailboxCalendarConfiguration|Set-MailboxAutoReplyConfiguration|Remove-InboxRule|New-InboxRule|Set-Mailbox|New-UnifiedGroup|Set-MailboxPlan|Set-RecipientEnforcementProvisioningPolicy|Set-ExchangeAssistanceConfig|Set-TenantObjectVersion|Set-OwaMailboxPolicy|Install-DefaultSharingPolicy|Enable-AddressListPaging|Install-DataClassificationConfig|Install-ResourceConfig|New-ExchangeAssistanceConfig|Set-UnifiedGroup|New-Mailbox|Set-InboxRule|Remove-UnifiedGroup|Remove-MobileDevice|Set-CASMailbox)$</field>
        <description>Office 365: Events from the Exchange admin audit log.</description>

        <options>no_full_log</options>
        <group>MicrosoftForms,hipaa_164.312.b,pci_dss_10.6.2</group>
    </rule>
</group>

malena...@wazuh.com

Jan 13, 2025, 9:05:59 AM
to Wazuh | Mailing List
It looks good. 

If you want to continue working with different customizations of rules, you can test them with these tools:
  • You can test your regular expressions in https://regex101.com/
  • To test the result, you can use the wazuh-logtest tool as shown in the screenshot. Simply run /var/ossec/bin/wazuh-logtest and then paste the log you want to process. You will see the result of decoding and evaluating this log.
Best regards!
Captura desde 2025-01-13 10-55-57.png

Thaynara Soares

Jan 13, 2025, 12:23:40 PM
to Wazuh | Mailing List
Screenshot_30.png
Is the formatting really like this?

malena...@wazuh.com

Jan 13, 2025, 2:02:30 PM
to Wazuh | Mailing List
There is an extra “ in the content of the <field> block before Set.

The <field> block has to be like this:
<field name="office365.Operation" type="pcre2">^(Set-MailboxCalendarConfiguration|Set-MailboxAutoReplyConfiguration|Remove-InboxRule|New-InboxRule|Set-Mailbox|New-UnifiedGroup|Set-MailboxPlan|Set-RecipientEnforcementProvisioningPolicy|Set-ExchangeAssistanceConfig|Set-TenantObjectVersion|Set-OwaMailboxPolicy|Install-DefaultSharingPolicy|Enable-AddressListPaging|Install-DataClassificationConfig|Install-ResourceConfig|New-ExchangeAssistanceConfig|Set-UnifiedGroup|New-Mailbox|Set-InboxRule|Remove-UnifiedGroup|Remove-MobileDevice|Set-CASMailbox)$</field>

Thaynara Soares

Jan 13, 2025, 2:22:18 PM
to Wazuh | Mailing List
Screenshot_31.png
I fixed it, thanks for the help

malena...@wazuh.com

Jan 13, 2025, 2:26:47 PM
to Wazuh | Mailing List
You are welcome! Good luck!