Fix False Positive


Tengku Arya Saputra

Jan 16, 2026, 4:06:39 PM (2 days ago) Jan 16
to Wazuh | Mailing List
Hi Team

I'm getting false positives, which is really noisy on my dashboard.

data.win.eventdata.commandLine: C:\\Windows\\system32\\cmd.exe /c tasklist /nh /fi \"imagename eq telescope.exe\"

data.win.eventdata.currentDirectory: C:\\Program Files\\uniagent\\extension\\install\\telescope\\

and

data.win.eventdata.commandLine: \"C:\\Program Files\\Datadog\\Datadog Agent\\bin\\datadog-installer.exe\" get-states

data.win.eventdata.newProcessName: C:\\Program Files\\Datadog\\Datadog Agent\\bin\\datadog-installer.exe


Please exclude this; I don't want it on my dashboard, no alerts. Please help me fix this.

hasitha.u...@wazuh.com

Jan 17, 2026, 12:13:20 AM (yesterday) Jan 17
to Wazuh | Mailing List
Hi Tengku,

You can create a custom rule with level 0 that uses the above-mentioned paths, with reference to the triggered default rule, to avoid the false positives.
To create custom rules, you need to use this path: /var/ossec/etc/rules
For example:

  <group name="windows-custom">

    <rule id="100102" level="0">
      <if_sid>xxxx</if_sid>
      <field name="win.eventdata.commandLine" type="pcre2">^C:\\Windows\\system32\\cmd\.exe /c tasklist /nh /fi \"imagename eq telescope\.exe\"$</field>
      <field name="win.eventdata.currentDirectory" type="pcre2">^C:\\Program Files\\uniagent\\extension\\install\\telescope\\$</field>
      <description>Test silence alert</description>
    </rule>

    <rule id="100103" level="0">
      <if_sid>xxxx</if_sid>
      <field name="win.eventdata.commandLine" type="pcre2">^\"C:\\Program Files\\Datadog\\Datadog Agent\\bin\\datadog-installer\.exe\" get-states$</field>
      <field name="win.eventdata.newProcessName" type="pcre2">^C:\\Program Files\\Datadog\\Datadog Agent\\bin\\datadog-installer\.exe$</field>
      <description>Test silence alert</description>
    </rule>

  </group>

Replace the xxxx with the rule that is triggering as a false positive.

If you need further assistance on this, then you can share a sample log from the archives.json log, so we can replicate it on my end. To enable the archives.json log, set <logall_json>yes</logall_json> in the Wazuh manager ossec.conf file. Documentation: Wazuh Documentation | logall

  <ossec_config>
    <global>
      ...
      <logall_json>yes</logall_json>
      ...
    </global>
  </ossec_config>

Restart the Wazuh manager to apply changes.

  systemctl restart wazuh-manager

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.json file. You will then be able to observe the incoming logs generated by your endpoints. After setting this option, restart the manager and check the archives.json file.

NOTE
Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Look for any new logs inside the archive log which are relevant, using grep with a keyword related to the log:

  cat /var/ossec/logs/archives/archives.json | grep Keyword

Please share the sample log from archives.json so we can check your requirement further. To learn more about rules, you can refer to these guides:
Rules
Rules Syntax
Regular Expression Syntax
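An offline check, added here as an example and not part of the thread, that the two level-0 rules' <field> regexes match exactly the two reported command lines and nothing broader; it uses Python's re module as a stand-in for Wazuh's PCRE2 engine (equivalent for these patterns), leaves xxxx as the placeholder parent rule id, and does not evaluate <if_sid>.

```python
import re
import xml.etree.ElementTree as ET

# The level-0 rules from the reply (XML attribute syntax corrected). "xxxx" is
# still the placeholder for the parent rule id; <if_sid> is not evaluated here.
RULES_XML = r'''<group name="windows-custom">
  <rule id="100102" level="0">
    <if_sid>xxxx</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">^C:\\Windows\\system32\\cmd\.exe /c tasklist /nh /fi \"imagename eq telescope\.exe\"$</field>
    <field name="win.eventdata.currentDirectory" type="pcre2">^C:\\Program Files\\uniagent\\extension\\install\\telescope\\$</field>
    <description>Test silence alert</description>
  </rule>
  <rule id="100103" level="0">
    <if_sid>xxxx</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">^\"C:\\Program Files\\Datadog\\Datadog Agent\\bin\\datadog-installer\.exe\" get-states$</field>
    <field name="win.eventdata.newProcessName" type="pcre2">^C:\\Program Files\\Datadog\\Datadog Agent\\bin\\datadog-installer\.exe$</field>
    <description>Test silence alert</description>
  </rule>
</group>'''

# Constructed events holding the field values as the decoder sees them (the
# dashboard shows backslashes doubled only because the alert is JSON-escaped).
TELESCOPE_EVENT = {
    "win.eventdata.commandLine": r'C:\Windows\system32\cmd.exe /c tasklist /nh /fi "imagename eq telescope.exe"',
    "win.eventdata.currentDirectory": r"C:\Program Files\uniagent\extension\install\telescope" + "\\",
}
DATADOG_EVENT = {
    "win.eventdata.commandLine": r'"C:\Program Files\Datadog\Datadog Agent\bin\datadog-installer.exe" get-states',
    "win.eventdata.newProcessName": r"C:\Program Files\Datadog\Datadog Agent\bin\datadog-installer.exe",
}

def load_field_rules(xml_text):
    """Return {rule_id: [(field_name, compiled_regex), ...]} for each <rule> in the group."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        fields = [(f.get("name"), re.compile(f.text)) for f in rule.findall("field")]
        rules[rule.get("id")] = fields
    return rules

def silenced_by(event, rules):
    """Ids of rules whose <field> conditions all match the event (Wazuh ANDs them)."""
    return sorted(
        rule_id for rule_id, fields in rules.items()
        if all(name in event and rx.search(event[name]) for name, rx in fields)
    )

if __name__ == "__main__":
    print(silenced_by(TELESCOPE_EVENT, load_field_rules(RULES_XML)))  # ['100102']
```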