Difference between revisions of "Custom Suppression Rules Configured"
From Notes_Wiki
Latest revision as of 11:23, 7 November 2025
Wazuh Custom Suppression Rules
Reference
For detailed steps on how to create custom rules in Wazuh, refer to the following article: [Wazuh Custom Rule Creation](http://rekallcm1/notes_wiki/index.php?title=Wazuh_Custom_Rule_Creation)
Overview
Custom rules in Wazuh allow administrators to tailor alerting behavior based on their environment. These rules can:
- Suppress known false positives
- Correlate multiple alerts into a single event
- Adjust alert levels
- Match or exclude specific fields
- Improve detection accuracy and reduce noise in the SIEM
Typically, custom rules are added to the `/var/ossec/etc/rules/local_rules.xml` file. Each rule is enclosed in a `<group>` tag and defined using a `<rule>` element whose attributes (`id`, `level`) and child elements include:
- `id` — Unique identifier for the rule (must be above 100000 for custom rules)
- `level` — Alert severity (0 to disable alerting)
- `if_sid` — Specifies which base rule this rule modifies or depends on
- `field` / `match` — Match a decoded field value by name (`<field name="...">`) or the full log text (`<match>`)
- `description` — Human-readable explanation of what the rule does
- `options` — Additional behaviors (e.g., `no_full_log` to suppress full logging)
Custom Suppression Rules
Below are the suppression rules currently configured for known benign alerts. Each one sets `level="0"` so the matched event is dropped from alerting.
```xml
<!-- Event ID suppression -->
<group name="windows,">
  <rule id="100050" level="0">
    <if_sid>60104</if_sid>
    <!-- field values are regexes: anchor the event ID so 5038 does not also match 15038 -->
    <field name="win.system.eventID">^5038$</field>
    <match>ScriptControl64_19809.dll</match>
    <description>Suppress known false positive for ScriptControl64_19809.dll in Event ID 5038</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100051" level="0">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^4957$</field>
    <field name="win.eventdata.ruleAttr">Remote Addresses</field>
    <description>Suppress Windows Firewall event 4957 related to empty remote address resolution</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100053" level="0">
    <if_sid>60104</if_sid>
    <!-- rules see the decoded field name; the "data." prefix exists only in the alert JSON -->
    <field name="win.system.eventID">^4674$</field>
    <!-- PCRE2 syntax so the backslashes in the path are matched literally -->
    <field name="win.eventdata.processName" type="pcre2">^C:\\Windows\\System32\\winlogon\.exe$</field>
    <description>Suppress Event ID 4674 triggered by LOCAL SERVICE for SeSecurityPrivilege</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="Supressing_Event_data,">
  <rule id="100054" level="0">
    <if_sid>60107</if_sid>
    <field name="win.eventdata.privilegeList">SeProfileSingleProcessPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege</field>
    <description>Failed attempt to perform a privileged operation suppressed</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>

<group name="local,syscheck">
  <rule id="100055" level="0">
    <if_sid>594</if_sid>
    <decoded_as>syscheck_registry_key_modified</decoded_as>
    <!-- <match> has no field attribute, so the decoded field is matched instead. This assumes the
         FIM decoder exposes the changed-attribute list under the key "changed_attributes" (confirm
         with wazuh-logtest); ^mtime$ makes the rule mtime-only, as the description states -->
    <field name="changed_attributes">^mtime$</field>
    <description>Suppress mtime-only changes</description>
  </rule>
</group>

<group name="local,syscheck">
  <rule id="100056" level="0">
    <if_sid>594</if_sid>
    <decoded_as>syscheck_registry_key_modified</decoded_as>
    <!-- same field key assumption as rule 100055; anchored so it is permission-only -->
    <field name="changed_attributes">^permission$</field>
    <description>Suppress permission-only changes</description>
  </rule>
</group>

<!-- Custom suppression rules -->
<group name="windows,">
  <rule id="100060" level="0">
    <if_sid>60106</if_sid>
    <description>Suppressed rule.id:60106</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100061" level="0">
    <if_sid>60642</if_sid>
    <!-- decoded field name, not the alert-JSON path "data.win.system.eventID" -->
    <field name="win.system.eventID">^16384$</field>
    <description>Suppressed Event ID 16384</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100062" level="0">
    <if_sid>61104</if_sid>
    <description>Suppressed "Software protection service scheduled successfully"</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="registry,virustotal,">
  <rule id="100063" level="0">
    <!-- a comma-separated if_sid list lets one rule suppress several parent rules -->
    <if_sid>87103,750,598,752</if_sid>
    <description>Suppressing multiple rule IDs 87103, 750, 598, 752</description>
  </rule>
</group>
```
Notes
- Always use a **unique rule ID** above `100000` for custom rules to prevent conflicts with default rules.
- Ensure your XML structure is valid — a missing tag may cause Wazuh Manager to fail rule loading.
- After editing `local_rules.xml`, restart the Wazuh Manager service with `systemctl restart wazuh-manager`.
- Use `wazuh-logtest` to verify custom rule logic before applying it in production.
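The checklist above can be run mechanically before restarting the manager. The following linter is an added example, not Wazuh tooling: it parses a `local_rules.xml`, reports malformed XML, duplicate or out-of-range ids, field names carrying the alert-only `data.` prefix and unanchored event ID patterns. `SAMPLE` is constructed input.

```python
"""Pre-deployment checks for a Wazuh local_rules.xml (added example, not Wazuh
tooling). It covers the notes' checklist: well-formed XML, unique ids in the
custom range, alert-only "data." field prefixes, unanchored eventID patterns."""
import xml.etree.ElementTree as ET

CUSTOM_MIN, CUSTOM_MAX = 100000, 120000  # id range Wazuh documents for custom rules


def lint_rules(xml_text: str) -> list[str]:
    """Return one finding per problem; an empty list means every check passed."""
    # A rules file holds several top-level <group> elements, so wrap them in one
    # root before parsing; a missing or mismatched tag surfaces as a ParseError.
    try:
        root = ET.fromstring(f"<root>{xml_text}</root>")
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings, seen_ids = [], set()
    for rule in root.iter("rule"):
        raw_id = rule.get("id", "")
        if not raw_id.isdigit():
            findings.append(f"rule with non-numeric id {raw_id!r}")
            continue
        rid = int(raw_id)
        if not CUSTOM_MIN <= rid <= CUSTOM_MAX:
            findings.append(f"rule {rid}: id outside custom range {CUSTOM_MIN}-{CUSTOM_MAX}")
        if rid in seen_ids:
            findings.append(f"rule {rid}: duplicate id")
        seen_ids.add(rid)
        for field in rule.findall("field"):
            name, pattern = field.get("name", ""), (field.text or "").strip()
            if name.startswith("data."):
                # "data." exists only in alert JSON; rules see the decoded field name.
                findings.append(f"rule {rid}: field {name!r} should be {name[5:]!r}")
            if name.endswith("eventID") and not (pattern.startswith("^") and pattern.endswith("$")):
                # Field patterns are regexes, so a bare "5038" would also match "15038".
                findings.append(f"rule {rid}: eventID pattern {pattern!r} is not anchored (^...$)")
    return findings


# Constructed sample: the first rule is clean, the second has three problems.
SAMPLE = """<group name="windows,">
  <rule id="100050" level="0">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^5038$</field>
  </rule>
  <rule id="100050" level="0">
    <if_sid>60642</if_sid>
    <field name="data.win.system.eventID">16384</field>
  </rule>
</group>"""
```

Run `lint_rules(open("/var/ossec/etc/rules/local_rules.xml").read())` on the real file; an empty list means it is ready for `wazuh-logtest`.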