FIM ignore best practice

Farid Alakbarli

Jul 1, 2026, 11:10:21 AM
to Wazuh | Mailing List

Hello everyone,

I have a question regarding File Integrity Monitoring (FIM) and the registry_ignore option in Wazuh.

What are the recommended best practices for configuring registry_ignore in a production environment?

Specifically, I'm interested in understanding:

  • Which registry paths are commonly excluded to reduce noise without impacting security visibility?
  • Are there any official recommendations or real-world examples for configuring registry_ignore?
  • How do you balance reducing false positives while ensuring important registry modifications are still monitored?

I would appreciate it if you could share your experience or point me to any official guidance.

Thank you!

Olamilekan Abdullateef Ajani

Jul 1, 2026, 12:00:15 PM
to Wazuh | Mailing List
Hello,

There isn't an official Wazuh-recommended list of registry paths to ignore; this entirely depends on your environment, use case, and the level of visibility you need.

registry_ignore supports both exact registry paths and sregex matching as described in the documentation, and it can be useful when excluding groups of dynamically changing keys instead of individual entries.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#reference-ossec-syscheck-registry-ignore
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/windows-registry-monitoring.html

In general, I would recommend you:

Start with minimal exclusions and observe which registry keys generate repetitive, low-value events.
Exclude only those keys that are confirmed to change frequently during normal OS or application activity.
Use targeted sregex patterns where appropriate instead of broad exclusions.

A common example is hardware enumeration keys (such as \Enum), which can generate frequent benign changes depending on the environment.

At the same time, I would avoid ignoring security-sensitive locations such as:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services
Winlogon
Windows Defender and Firewall configuration
Audit Policy settings

These locations are commonly used for persistence or security configuration changes and generally provide valuable visibility.

If your goal is to reduce alert volume, another option is to leave the monitoring in place and tune the corresponding FIM rules instead of ignoring the registry paths entirely. That way, you retain visibility while reducing noise.
Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
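The approach described in the reply above, as an added example that is not part of the original post or of Wazuh's shipped configuration: a syscheck fragment for the Windows agent's ossec.conf that keeps the persistence and security-configuration keys monitored, excludes the \Enum enumeration keys with the sregex form, and excludes one exact key. The specific keys listed under windows_registry and the exact-match ignore are illustrative choices assumed for this example; adapt them after observing which keys are actually noisy in your environment.

```xml
<!-- Added example (not Wazuh's default ossec.conf): syscheck section for a Windows agent.
     Keys listed here are assumptions chosen to illustrate the pattern from the reply. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>

    <!-- Keep the security-sensitive locations monitored on both 32- and 64-bit views. -->
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</windows_registry>

    <!-- Targeted exclusion with sregex: any key whose path ends in \Enum (the per-service
         device enumeration subkeys under Services\*\Enum churn constantly), rather than
         ignoring the whole Services tree and losing service-persistence visibility. -->
    <registry_ignore type="sregex">\Enum$</registry_ignore>

    <!-- Exact-match exclusion for a single key confirmed to be noisy in this environment
         (assumed example key). -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
  </syscheck>
</ossec_config>
```

The exact form matches the whole key path and nothing underneath it is treated specially, so an exact entry silences only that key; the sregex form is the one that removes a whole family of dynamically named keys, and anchoring it with `$` keeps it from matching a key that merely contains the string somewhere in the middle. Restart the agent after editing and compare alert volume before and after each added ignore so each exclusion is justified by observed noise.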

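The alternative the reply mentions, tuning rules instead of ignoring the keys, as an added example that is not part of the original post or of the Wazuh ruleset: a local_rules.xml fragment that keeps the registry events but lowers the level of changes under the device enumeration tree and raises the level of changes under the Run/RunOnce keys. The parent rule IDs 594, 597 and 598 are assumed to be the stock registry checksum-changed/added/deleted rules; confirm them against the ruleset installed on your manager before deploying. The local rule IDs 100200 and 100201 and the `registry_tuning` group name are arbitrary choices for this example.

```xml
<!-- Added example (not part of the Wazuh ruleset): local_rules.xml fragment.
     Parent IDs 594/597/598 are assumed to be the stock registry FIM rules; verify locally. -->
<group name="syscheck,registry_tuning,">

  <!-- Noisy but still logged: changes under the hardware enumeration tree are kept at
       level 3 so they reach the archive/alerts log without paging anyone.
       (?i) because registry paths are case-insensitive on Windows. -->
  <rule id="100200" level="3">
    <if_sid>594,597,598</if_sid>
    <field name="syscheck.path" type="pcre2">(?i)^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Enum\\</field>
    <description>Registry change under device enumeration tree (low value, retained for visibility)</description>
    <group>registry_noise,</group>
  </rule>

  <!-- High value: any change to the Run/RunOnce autostart keys is a persistence indicator. -->
  <rule id="100201" level="12">
    <if_sid>594,597,598</if_sid>
    <field name="syscheck.path" type="pcre2">(?i)\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?($|\\)</field>
    <description>Registry autostart key modified: $(syscheck.path)</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

</group>
```

A level-0 rule would drop the event entirely, which is equivalent to a registry_ignore from a visibility standpoint; keeping the downgraded rule at level 3 (the default alert threshold) is what preserves the audit trail while removing the noise from dashboards and notifications.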