Errors when Overwriting Default Rules


Mithun Haridas

Nov 10, 2025, 6:12:13 AM
to Wazuh | Mailing List
Hi team,

I need assistance with overwriting the default Sysmon rules. I’ve attempted to lower the rule level for some default rules, but I’m encountering an error.

Default Rules

  <rule id="92900" level="12">
    <if_group>sysmon_event_10</if_group>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)lsass\.exe</field>
    <field name="win.eventdata.grantedAccess" type="pcre2">(?i)(0x1010|0x40)</field>
    <field name="win.eventdata.sourceImage" type="pcre2" negate="yes">(?i)(C:\\\\Program Files|wmiprvse\.exe)</field>
    <options>no_full_log</options>
    <description>Lsass process was accessed by $(win.eventdata.sourceImage) with read permissions, possible credential dump</description>
    <mitre>
      <id>T1003.001</id>
    </mitre>
  </rule>

  <rule id="92910" level="12">
    <if_group>sysmon_event_10</if_group>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)explorer\.exe</field>
    <options>no_full_log</options>
    <description>Explorer process was accessed by $(win.eventdata.sourceImage), possible process injection</description>
    <mitre>
      <id>T1055</id>
    </mitre>
  </rule>

  <rule id="92920" level="14">
    <if_group>sysmon_event_10</if_group>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)mstsc\.exe</field>
    <options>no_full_log</options>
    <description>Windows Remote Dektop utility process was accessed by $(win.eventdata.sourceImage), possible process injection</description>
    <mitre>
      <id>T1055</id>
    </mitre>
  </rule>


Custom Overwritten Rules

  <rule id="92900" level="8" overwrite="yes">
    <if_group>sysmon_event_10</if_group>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)lsass\.exe</field>
    <field name="win.eventdata.grantedAccess" type="pcre2">(?i)(0x1010|0x40)</field>
    <field name="win.eventdata.sourceImage" type="pcre2" negate="yes">(?i)(C:\\\\Program Files|wmiprvse\.exe)</field>
    <options>no_full_log</options>
    <description>Lsass process was accessed by $(win.eventdata.sourceImage) with read permissions, possible credential dump</description>
    <mitre>
      <id>T1003.001</id>
    </mitre>
  </rule>

  <rule id="92910" level="8" overwrite="yes">
    <if_group>sysmon_event_10</if_group>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)explorer\.exe</field>
    <options>no_full_log</options>
    <description>Explorer process was accessed by $(win.eventdata.sourceImage), possible process injection</description>
    <mitre>
      <id>T1055</id>
    </mitre>
  </rule>

  <rule id="92920" level="8" overwrite="yes">
    <if_group>sysmon_event_10</if_group>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)mstsc\.exe</field>
    <options>no_full_log</options>
    <description>Windows Remote Dektop utility process was accessed by $(win.eventdata.sourceImage), possible process injection</description>
    <mitre>
      <id>T1055</id>
    </mitre>
  </rule>
I changed the default rule level from 12/14 to 8 to lower their severity. However, the system is returning warnings indicating that the if_group value cannot be overwritten.

Error:

WARNING: (7605): It is not possible to overwrite 'if_group' value in rule '92900'. The original value is retained.  

WARNING: (7605): It is not possible to overwrite 'if_group' value in rule '92910'. The original value is retained.  

WARNING: (7605): It is not possible to overwrite 'if_group' value in rule '92920'. The original value is retained.  

INFO: (7202): Session initialized with token 'bfd975ea'

Could you please help me understand why this occurs and how to properly resolve it?


Regards,

Bony V John

Nov 10, 2025, 6:40:29 AM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Nov 10, 2025, 8:38:23 AM
to Wazuh | Mailing List
Hi,

I have tested this on my end and found that it is a common issue. As a workaround, you can follow the steps below to change the rule level.
We will copy the same rule into a custom rule file and exclude the default rule file. This allows you to modify the rule level without using the overwrite tag.

Execute the commands on Wazuh Manager command line:

Copy the default rule file to a custom rule file:

cp /var/ossec/ruleset/rules/0945-sysmon_id_10.xml /var/ossec/etc/rules/local-sysmon_id_10.xml

Edit the copied custom rule file:
vi /var/ossec/etc/rules/local-sysmon_id_10.xml
Update only the rule level as needed; do not add the overwrite option to the tag. Save and exit the file once done.

Exclude the default rule file in the Wazuh Manager configuration:
Open the main configuration file:
vi /var/ossec/etc/ossec.conf

Inside the <ruleset> tag, add the following line:

<rule_exclude>ruleset/rules/0945-sysmon_id_10.xml</rule_exclude>

Restart the Wazuh Manager service to apply the changes:

systemctl restart wazuh-manager

After the restart, Wazuh will use your modified custom rule file with the updated rule level.

For more details you can refer to this Wazuh documentation.
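The workaround above as a single script, added here as an example and not part of the reply or of Wazuh itself. It assumes the paths given in the reply under WAZUH_HOME (default /var/ossec) and GNU sed; the functions only touch files, so they can be exercised against a scratch directory before running the script with "apply" on a manager.

```shell
#!/bin/sh
# Added example: copy the default Sysmon event 10 rule file to a custom file,
# lower the level of the listed rules there, exclude the default file in
# ossec.conf, then restart. No overwrite="yes" is added anywhere.
set -eu

WAZUH_HOME="${WAZUH_HOME:-/var/ossec}"           # override for testing
DEFAULT_RULE="ruleset/rules/0945-sysmon_id_10.xml" # path from the reply
CUSTOM_RULE="etc/rules/local-sysmon_id_10.xml"     # path from the reply

# $1 = new level, remaining args = rule ids. Copies the default file and
# rewrites only the level attribute of the <rule id="..." level="..."> tags.
lower_rule_levels() {
    level="$1"; shift
    cp "$WAZUH_HOME/$DEFAULT_RULE" "$WAZUH_HOME/$CUSTOM_RULE"
    for id in "$@"; do
        sed -i "s/<rule id=\"$id\" level=\"[0-9]*\"/<rule id=\"$id\" level=\"$level\"/" \
            "$WAZUH_HOME/$CUSTOM_RULE"
    done
}

# Adds <rule_exclude> inside <ruleset> exactly once (safe to rerun).
exclude_default_rule_file() {
    conf="$WAZUH_HOME/etc/ossec.conf"
    grep -q "<rule_exclude>$DEFAULT_RULE</rule_exclude>" "$conf" && return 0
    sed -i "s|<ruleset>|<ruleset>\n    <rule_exclude>$DEFAULT_RULE</rule_exclude>|" "$conf"
}

# Returns 0 only if every listed id carries the given level in the custom
# file and the default file is excluded in ossec.conf.
verify_workaround() {
    level="$1"; shift
    for id in "$@"; do
        grep -q "<rule id=\"$id\" level=\"$level\"" "$WAZUH_HOME/$CUSTOM_RULE" || return 1
    done
    grep -q "<rule_exclude>$DEFAULT_RULE</rule_exclude>" "$WAZUH_HOME/etc/ossec.conf"
}

# Apply the whole procedure only when invoked as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    lower_rule_levels 8 92900 92910 92920
    exclude_default_rule_file
    verify_workaround 8 92900 92910 92920
    systemctl restart wazuh-manager
fi
```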
