Custom Suppression Rules Configured

From Notes_Wiki
Revision as of 11:23, 7 November 2025 by Sunilvarma


Wazuh Custom Suppression Rules

Reference

For detailed steps on how to create custom rules in Wazuh, refer to the article Wazuh Custom Rule Creation (http://rekallcm1/notes_wiki/index.php?title=Wazuh_Custom_Rule_Creation).

Overview

Custom rules in Wazuh allow administrators to tailor alerting behavior based on their environment. These rules can:

  • Suppress known false positives
  • Correlate multiple alerts into a single event
  • Adjust alert levels
  • Match or exclude specific fields
  • Improve detection accuracy and reduce noise in the SIEM

Typically, custom rules are added to the `/var/ossec/etc/rules/local_rules.xml` file. Each rule is enclosed in a `<group>` tag and defined with a `<rule>` element whose attributes (`id`, `level`) and child elements include:

  • `id` — Unique identifier for the rule (must be above 100000 for custom rules)
  • `level` — Alert severity (0 to disable alerting)
  • `if_sid` — The parent rule ID: this rule is evaluated only after the rule with that ID has matched, so it modifies or depends on that base rule
  • `field` / `match` — Match event field values
  • `description` — Human-readable explanation of what the rule does
  • `options` — Additional behaviors (e.g., `no_full_log` to suppress full logging)

Custom Suppression Rules

Below are some suppression rules used for known benign alerts.

<!-- Event ID suppression -->
<group name="windows,">
  <rule id="100050" level="0">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">5038</field>
    <match>ScriptControl64_19809.dll</match>
    <description>Suppress known false positive for ScriptControl64_19809.dll in Event ID 5038</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100051" level="0">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">4957</field>
    <field name="win.eventdata.ruleAttr">Remote Addresses</field>
    <description>Suppress Windows Firewall event 4957 related to empty remote address resolution</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100053" level="0">
    <if_sid>60104</if_sid>
    <!-- Rules see the decoded eventchannel fields as win.*; the data. prefix exists only in alerts.json -->
    <field name="win.system.eventID">4674</field>
    <!-- pcre2 so the backslashes in the path are matched literally; case-insensitive for Windows paths -->
    <field name="win.eventdata.processName" type="pcre2">(?i)^C:\\Windows\\System32\\winlogon\.exe$</field>
    <description>Suppress Event ID 4674 triggered by LOCAL SERVICE for SeSecurityPrivilege</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="Suppressing_Event_data,">
  <rule id="100054" level="0">
    <if_sid>60107</if_sid>
    <field name="win.eventdata.privilegeList">SeProfileSingleProcessPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege</field>
    <description>Failed attempt to perform a privileged operation suppressed</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>

<group name="local,syscheck">
  <rule id="100055" level="0">
    <if_sid>594</if_sid>
    <decoded_as>syscheck_registry_key_modified</decoded_as>
    <!-- <match> takes no field attribute; a per-field test needs <field name=...>. The decoded
         field name changed_attributes is assumed here; confirm it in the wazuh-logtest output.
         Anchored so that only an attribute list consisting solely of mtime is suppressed. -->
    <field name="changed_attributes">^mtime$</field>
    <description>Suppress mtime-only changes</description>
  </rule>
</group>

<group name="local,syscheck">
  <rule id="100056" level="0">
    <if_sid>594</if_sid>
    <decoded_as>syscheck_registry_key_modified</decoded_as>
    <!-- Same assumption on the field name as rule 100055 -->
    <field name="changed_attributes">^permission$</field>
    <description>Suppress permission-only changes</description>
  </rule>
</group>

<!-- Custom suppression rules -->
<group name="windows,">
  <rule id="100060" level="0">
    <if_sid>60106</if_sid>
    <description>Suppressed rule.id:60106</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100061" level="0">
    <if_sid>60642</if_sid>
    <field name="data.win.system.eventID">16384</field>
    <description>Suppressed Event ID 16384</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,">
  <rule id="100062" level="0">
    <if_sid>61104</if_sid>
    <!-- Without a field match this rule would silence every event under 61104, not only the
         message named in the description; the message text below is assumed and matched
         case-insensitively -->
    <field name="win.system.message" type="pcre2">(?i)software protection service</field>
    <description>Suppressed "Software protection service scheduled successfully"</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="registry,virustotal,">
  <rule id="100063" level="0">
    <if_sid>87103,750,598,752</if_sid>
    <description>Suppressing multiple rule IDs 87103, 750, 598, 752</description>
  </rule>
</group>

Notes

  • Always use a unique rule ID above `100000` for custom rules to prevent conflicts with default rules.
  • Ensure your XML structure is valid — a missing tag may cause Wazuh Manager to fail rule loading.
  • After editing `local_rules.xml`, restart the Wazuh Manager service:
     systemctl restart wazuh-manager
  • Use `wazuh-logtest` to verify custom rule logic before applying it in production.
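As an added example (not part of the original page or of Wazuh itself), a small Python linter that checks a `local_rules.xml` fragment for the pitfalls the notes describe before it reaches the manager: well-formed XML, unique IDs inside the 100000 to 120000 range Wazuh documents for user-defined rules, a `<description>` on every rule, `win.*` rather than `data.win.*` field names, and no `field` attribute on `<match>`. The sample fragment is constructed, and `lint_rules` and `SAMPLE_RULES` are names chosen here.

```python
"""Lint a Wazuh local_rules.xml fragment for the pitfalls this page's notes describe (added example)."""
import xml.etree.ElementTree as ET

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000  # range Wazuh documents for user-defined rules

# Constructed sample modelled on the rules above: the first rule is sound, the second
# reuses the id, lacks <description> and uses the alerts.json field prefix.
SAMPLE_RULES = """<group name="windows,">
  <rule id="100050" level="0">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">5038</field>
    <description>Suppress known false positive in Event ID 5038</description>
  </rule>
</group>
<group name="windows,">
  <rule id="100050" level="0">
    <if_sid>60104</if_sid>
    <field name="data.win.system.eventID">4674</field>
  </rule>
</group>"""

def lint_rules(xml_text):
    """Return a list of problem strings; an empty list means the fragment passed."""
    # local_rules.xml holds several top-level <group> elements, so wrap the text in a
    # synthetic root to give the parser one well-formed document.
    try:
        root = ET.fromstring("<root>" + xml_text + "</root>")
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    problems, seen = [], set()
    for rule in root.iter("rule"):
        rid = rule.get("id", "")
        if not rid.isdigit():
            problems.append("rule without a numeric id attribute")
            continue
        num = int(rid)
        if not CUSTOM_ID_MIN <= num <= CUSTOM_ID_MAX:
            problems.append(f"rule {rid}: id outside custom range {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
        if num in seen:
            problems.append(f"rule {rid}: duplicate id")
        seen.add(num)
        if rule.find("description") is None:
            problems.append(f"rule {rid}: missing <description>")
        for field in rule.findall("field"):
            if field.get("name", "").startswith("data."):
                problems.append(f"rule {rid}: field '{field.get('name')}' uses the alerts.json prefix; rules see decoded fields as win.*")
        for match in rule.findall("match"):
            if "field" in match.attrib:
                problems.append(f"rule {rid}: <match> takes no 'field' attribute; use <field name=...>")
    return problems
```

Run it against the real file with `lint_rules(open("/var/ossec/etc/rules/local_rules.xml").read())`; it complements rather than replaces `wazuh-logtest`, which is still the only way to confirm that a rule actually matches a given event.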