There isn't an official Wazuh-recommended list of registry paths to ignore, this entirely depends on your environment, use case, and the level of visibility you need.
registry_ignore supports both exact registry paths and sregex matching as described in the documentation, and it can be useful when excluding groups of dynamically changing keys instead of individual entries.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#reference-ossec-syscheck-registry-ignorehttps://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/windows-registry-monitoring.htmlIn general, I would recommend you:
Start with minimal exclusions and observe which registry keys generate repetitive, low-value events.
Exclude only those keys that are confirmed to change frequently during normal OS or application activity.
Use targeted sregex patterns where appropriate instead of broad exclusions.
A common example is hardware enumeration keys (such as \Enum), which can generate frequent benign changes depending on the environment.
At the same time, I would avoid ignoring security-sensitive locations such as:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services
Winlogon
Windows Defender and Firewall configuration
Audit Policy settings
These locations are commonly used for persistence or security configuration changes and generally provide valuable visibility.
If your goal is to reduce alert volume, another option is to leave the monitoring in place and tune the corresponding FIM rules instead of ignoring the registry paths entirely. That way, you retain visibility while reducing noise.
Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html