Suppressing alerts based on rule id in Wazuh
From Notes_Wiki
Revision as of 13:48, 2 July 2025 by Bhargava (talk | contribs) (→Suppressing Wazuh Alert with Rule ID 60608)
Suppressing Wazuh Alert with Rule ID
Overview
This guide explains how to suppress a specific Wazuh alert, using rule ID 60608 as the example. This is useful when the alert is a known false positive or a low-severity event that does not require action.
Step-by-Step Instructions
1. Confirm the Rule ID
Check the rule.id field of the alert generated in the Wazuh Dashboard:
rule.id:60608
2. Edit the Local Rules File
Open the following file for editing on the Wazuh manager node:
/var/ossec/etc/rules/local_rules.xml
Append the suppression rule:
<group name="custom-suppression">
  <rule id="110608" level="0">
    <if_sid>60608</if_sid>
    <description>Suppressing alert with rule ID 60608 (known false positive)</description>
  </rule>
</group>
3. Restart Wazuh Manager
Apply the changes by restarting the manager:
sudo systemctl restart wazuh-manager
4. Validate Suppression
Verify that alerts with rule ID 60608 are no longer generated in the Wazuh dashboard or alert logs.
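A malformed or out-of-range rule in local_rules.xml stops wazuh-manager from starting after step 3, so it is worth checking the file before the restart. The following pre-flight check is an added example, not part of this wiki page or of Wazuh itself; the sample rule text is a constructed copy of the rule above, and the function name check_local_rules is hypothetical.

```python
# Added example: pre-flight check of a Wazuh local_rules.xml suppression rule.
# Not part of Wazuh; the sample input below is a constructed copy of the page's rule.
import sys
import xml.etree.ElementTree as ET

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000  # ID range Wazuh reserves for custom rules

# Constructed sample input (same rule as the page appends to local_rules.xml)
SAMPLE_LOCAL_RULES = """<group name="custom-suppression">
  <rule id="110608" level="0">
    <if_sid>60608</if_sid>
    <description>Suppressing alert with rule ID 60608 (known false positive)</description>
  </rule>
</group>
"""

def check_local_rules(xml_text, suppressed_sid):
    """Return a list of problems; an empty list means the suppression looks safe to load."""
    problems = []
    try:
        # local_rules.xml may contain several top-level <group> elements, so wrap them
        root = ET.fromstring("<root>" + xml_text + "</root>")
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]  # the manager would refuse to start
    seen, found = set(), False
    for rule in root.iter("rule"):
        rid_text, level = rule.get("id", ""), rule.get("level")
        if not rid_text.isdigit() or not CUSTOM_ID_MIN <= int(rid_text) <= CUSTOM_ID_MAX:
            problems.append(f"rule {rid_text!r}: id outside custom range {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
        if rid_text in seen:
            problems.append(f"rule {rid_text}: duplicate id")
        seen.add(rid_text)
        # <if_sid> may list several parent rule IDs separated by commas
        sids = {s.strip() for e in rule.findall("if_sid") if e.text for s in e.text.split(",")}
        if str(suppressed_sid) in sids:
            found = True
            if level != "0":
                problems.append(f"rule {rid_text}: matches {suppressed_sid} but level is {level}, not 0")
            if rule.find("description") is None:
                problems.append(f"rule {rid_text}: missing <description>")
    if not found:
        problems.append(f"no rule with <if_sid>{suppressed_sid}</if_sid> found")
    return problems

if __name__ == "__main__":
    # Pass a file path to check a real file; without one, the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCAL_RULES
    result = check_local_rules(text, 60608)
    for p in result:
        print("PROBLEM:", p)
    print("ok" if not result else "fix before restarting wazuh-manager")
```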
Notes
- `id="110608"` is the ID of the new custom rule; it must not collide with any other local rule ID.
- `level="0"` means a matching event produces no alert.
- Before suppressing, confirm that the rule does not also hide alerts that require action.