Wazuh shows excluded rule in dashboard

[volnodumcev]

Hello to all.

There is a out-of-the-box rule in wazuh /var/ossec/ruleset/rules/0955-WEF-baseline_rules.xml
Well, I need to change a severity level of the rule id="67027" from 3 to 1. I've red in wazuh docs that the most right way is copy this rule to the custom rules folder, change the severity level from 3 to 1 and exclude the rule file in ossec.config "ruleset" section. I did it and restarted the wazuh manager. During a restart process I've noticed a message the rule file was excluded completely and new file was added from the custom folder. But even after that I still receive alerts of rule 67027 with severity level 3.

[jftuduri]

Hi @volnodumcev , sorry for the delay in getting back to you.

To change the alert level of a rule, you can overwrite the rule definition with the desired level. Here's how to do it:

• Copy the entire rule definition into a local rules file. We recommend using /var/ossec/etc/rules/local_rules.xml.
• Set the overwrite attribute of the rule to yes.
• Adjust the level attribute to your desired value.

For example, if you want to change the alert level of rule 67027 to 1, your configuration would look like this:

<group name="windows, WEF">
  <rule id="67027" level="1" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.providerName">Microsoft-Windows-Security-Auditing</field>
    <field name="win.system.eventID">4688</field>
    <description>A process was created.</description>
    <options>no_full_log</options>
  </rule>
</group>

Once you’ve made the changes, restart the Wazuh manager for them to take effect:

systemctl restart wazuh-manager

You can check out this guide for more info: https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#changing-existing-rules

If you encounter any issues or have further questions, feel free to reach out.

Regards!

[Damian-Mangold]

I closed it because it had been inactive for more than 7 days. Please reopen it if necessary.