Suppress/Throttle excessive rules getting triggered for same condition


Aditya Srivastava

Nov 18, 2021, 11:15:37 AM
to Wazuh mailing list
Hi Team,

We have FIM enabled on our wazuh setup and have a file "/etc/testfile.txt" being monitored (on the agent side). For any change in this file, rule 'id:510' gets triggered, and we have email configured which sends out an email to the respective stakeholder that their file has changed.
Now, under the current situation, say the file is changed 10 times in a day; 10 alerts are sent to the respective team.
Our requirement is that we want only one alert per day to be sent out to the team (via email), no matter how many times the file is changed.
This feature is similar to "throttle" option available in Splunk alerts.

Thanks,
Aditya

victor....@wazuh.com

Nov 18, 2021, 12:33:53 PM
to Wazuh mailing list

Hello Aditya,

Maybe the better option is to use the auto-ignore option (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#auto-ignore), but this is restricted to managers only for the moment, so we need to overwrite the integrity rule in order to avoid multiple triggers.

In this case, I am going to overwrite the rule 550, adding this to the /var/ossec/etc/rules/local_rules.xml file:

  <rule id="550" level="7" overwrite="yes" ignore="86400">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <mitre>
      <id>T1492</id>
    </mitre>
    <group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

Where the ignore value is the time (in seconds) to ignore this rule after firing it. So, the integrity checksum changed alerts will be triggered only once per day (for all the files monitored by the syscheck module).

For more information check this documentation page https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Remember to restart your wazuh-manager after changing your rules.

If you have any doubt do not hesitate to ask.
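An added example (not code from the thread or from Wazuh) that simulates the ignore semantics described above over a few constructed syscheck events, so the caveat is visible: the suppression window belongs to the rule, so a change to a second monitored file inside the window is dropped too. The PerPathThrottle class is an assumed alternative shown only for contrast, not a Wazuh feature.

```python
from dataclasses import dataclass, field


@dataclass
class RuleThrottle:
    """Models the rule-level ``ignore`` attribute: after the rule fires, every
    further match is dropped for ``ignore`` seconds, whatever file it concerns.
    """
    rule_id: int
    ignore: int                                     # seconds, as in ignore="86400"
    last_fired: dict = field(default_factory=dict)  # throttle key -> timestamp

    def key_for(self, event):
        # One key per rule: this is what makes the suppression global.
        return self.rule_id

    def fire(self, event):
        """Return True if an alert is emitted for this event, False if ignored."""
        key = self.key_for(event)
        last = self.last_fired.get(key)
        if last is not None and event["ts"] - last < self.ignore:
            return False                            # still inside the ignore window
        self.last_fired[key] = event["ts"]          # ignored matches do not extend it
        return True


class PerPathThrottle(RuleThrottle):
    """Hypothetical variant keyed by file path (assumption: NOT what ``ignore``
    does; included only to contrast with the global behaviour)."""
    def key_for(self, event):
        return (self.rule_id, event["path"])


# Constructed syscheck events: timestamps in seconds, two monitored files.
EVENTS = [
    {"ts": 0,     "path": "/etc/testfile.txt"},   # first change: alert
    {"ts": 3600,  "path": "/etc/testfile.txt"},   # same day: suppressed
    {"ts": 7200,  "path": "/etc/hosts"},          # other file, same day
    {"ts": 90000, "path": "/etc/testfile.txt"},   # next day: alert again
]


def alerts(throttle, events):
    """Apply the throttle to the event stream and return the events that alert."""
    return [e for e in events if throttle.fire(e)]


if __name__ == "__main__":
    print([e["ts"] for e in alerts(RuleThrottle(550, 86400), EVENTS)])
    print([e["ts"] for e in alerts(PerPathThrottle(550, 86400), EVENTS)])
```

With the global rule throttle the /etc/hosts change at 7200 s never alerts; only the first change and the one after the 86400 s window do.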
