Hello Aditya,
Maybe the better option is to use the auto-ignore option (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#auto-ignore), but this is restricted to managers only for the moment, so we need to overwrite the integrity rule in order to avoid multiple triggers.
In this case, I am going to overwrite rule 550, adding this to the /var/ossec/etc/rules/local_rules.xml file:
<!-- ignore="86400": once this rule fires, further matches are ignored for 24 hours -->
<rule id="550" level="7" overwrite="yes" ignore="86400">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <description>Integrity checksum changed.</description>
  <mitre>
    <id>T1492</id>
  </mitre>
  <group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
Here the ignore value is the time (in seconds) to ignore this rule after firing it. So the "Integrity checksum changed" alerts will be triggered only once per day (for all the files monitored by the syscheck module).
For more information check this documentation page https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
Remember to restart your wazuh-manager after changing your rules.
If you have any doubts, do not hesitate to ask.
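Added illustration (not part of the reply above and not Wazuh's own code): it reads the ignore window off a copy of the overwritten rule and then simulates, as the reply describes it, a rule-wide ignore window over a constructed stream of syscheck events, so you can see which changes would still alert. The rule text is assumed to sit inside a `<group>` element, as the default local_rules.xml provides; the event timestamps and paths are constructed sample data.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed copy of the overwrite rule, wrapped in the <group> that
# local_rules.xml already provides (hypothetical group name).
LOCAL_RULES = """<group name="local">
  <rule id="550" level="7" overwrite="yes" ignore="86400">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
  </rule>
</group>"""

# Constructed syscheck events as (seconds since first event, changed path).
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (0, "/etc/passwd"),      # first change: fires
    (3600, "/etc/shadow"),   # different file, 1h later: suppressed by the window
    (90000, "/etc/passwd"),  # 25h after the first firing: window expired, fires
]


def ignore_seconds(rules_xml: str, rule_id: str) -> int:
    """Return the ignore window declared on rule `rule_id` (0 if absent)."""
    root = ET.fromstring(rules_xml)
    for rule in root.iter("rule"):
        if rule.get("id") == rule_id:
            return int(rule.get("ignore", "0"))
    raise KeyError(f"rule {rule_id} not found")


def apply_ignore(events: List[Tuple[int, str]], window: int) -> List[Tuple[int, str]]:
    """Simulate the per-rule ignore window as the reply describes it: after the
    rule fires, every further match is dropped until `window` seconds have
    elapsed, no matter which monitored file changed.  Returns the events that
    would still produce an alert."""
    fired: List[Tuple[int, str]] = []
    next_allowed = 0
    for ts, path in sorted(events):
        if ts >= next_allowed:
            fired.append((ts, path))
            next_allowed = ts + window
    return fired


if __name__ == "__main__":
    window = ignore_seconds(LOCAL_RULES, "550")
    for ts, path in apply_ignore(SAMPLE_EVENTS, window):
        print(f"t={ts:>6}s  alert: rule 550 fired for {path}")
```

Note that the /etc/shadow change is silently dropped: the window is per rule, not per file, so any other integrity change inside the 24 hours produces no alert.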