Hi team,
A user reported that AWS Config is flooding the alert.json file. I can check that a lot of events are repeated:
I think that we could set the `ignore` attribute in the rules to avoid firing alerts.
I made some tests after adding these rules in `local_rules.xml`, and it seems that it works:
```xml
<group name="aws_config">

  <rule id="80450" level="0" overwrite="yes" ignore="3600">
    <if_sid>80200</if_sid>
    <field name="aws.source">config</field>
    <description>AWS Config alert.</description>
    <group>aws_config,</group>
    <options>no_full_log</options>
  </rule>

  <!-- ConfigHistory vs ConfigSnapshot -->
  <rule id="80451" level="0" overwrite="yes" ignore="3600">
    <if_sid>80450</if_sid>
    <field name="aws.log_info.log_file">\.+ConfigHistory</field>
    <description>AWS Config - History</description>
    <group>aws_config,aws_config_history,</group>
    <options>no_full_log</options>
  </rule>

  <rule id="80452" level="0" overwrite="yes" ignore="3600">
    <if_sid>80450</if_sid>
    <field name="aws.log_info.log_file">\.+ConfigSnapshot</field>
    <description>AWS Config - Snapshot</description>
    <group>aws_config,aws_config_snapshot,</group>
    <options>no_full_log</options>
  </rule>

  <!-- Config history -->
  <rule id="80453" level="3" overwrite="yes" ignore="3600">
    <if_sid>80451</if_sid>
    <description>AWS Config - History [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
    <group>aws_config,aws_config_history,</group>
    <options>no_full_log</options>
  </rule>

  <rule id="80454" level="0" ignore="3600">
    <if_sid>80451</if_sid>
    <field name="aws.configurationItemStatus">OK</field>
    <description>AWS Config - History [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
    <group>aws_config,aws_config_history,</group>
    <options>no_full_log</options>
  </rule>

  <!-- Config Snapshot -->
  <rule id="80475" level="3" overwrite="yes" ignore="3600">
    <if_sid>80452</if_sid>
    <description>AWS Config - Snapshot [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
    <group>aws_config,aws_config_snapshot,</group>
    <options>no_full_log</options>
  </rule>

  <rule id="80476" level="6" overwrite="yes" ignore="3600">
    <if_sid>80475</if_sid>
    <field name="aws.configuration.complianceType">\.+</field>
    <description>AWS Config - Snapshot Compliance [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)] [$(aws.configuration.configRuleList.configRuleName)]: $(aws.resourceId) ($(aws.configurationItemStatus)) $(aws.configuration.complianceType)</description>
    <group>aws_config,aws_config_snapshot,aws_config_snapshot_compliance,</group>
    <options>no_full_log</options>
  </rule>

</group>
```
Anyway, we should study the AWS Config alerts to improve the rules.
Best regards,
Demetrio.
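To check the flooding described above and estimate what an `ignore="3600"` window would leave, here is an added script that is not part of the issue or of the Wazuh ruleset. It reads alerts in the line-per-JSON shape of `alerts.json`, counts repeated AWS Config events, and applies a simplified model of the `ignore` attribute (assumption: once a rule fires, further matches of the same rule id within the window are dropped). The alert lines are constructed samples, not real data.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample alerts (not from the issue); only the fields used below are included.
SAMPLE_ALERTS = """\
{"timestamp":"2019-04-01T10:00:00.000+0000","rule":{"id":"80453","level":3},"data":{"aws":{"source":"config","resourceId":"i-0abc","configurationItemStatus":"ResourceDiscovered"}}}
{"timestamp":"2019-04-01T10:05:00.000+0000","rule":{"id":"80453","level":3},"data":{"aws":{"source":"config","resourceId":"i-0abc","configurationItemStatus":"ResourceDiscovered"}}}
{"timestamp":"2019-04-01T10:40:00.000+0000","rule":{"id":"80453","level":3},"data":{"aws":{"source":"config","resourceId":"i-0abc","configurationItemStatus":"ResourceDiscovered"}}}
{"timestamp":"2019-04-01T10:50:00.000+0000","rule":{"id":"80476","level":6},"data":{"aws":{"source":"config","resourceId":"bucket-a","configurationItemStatus":"OK"}}}
{"timestamp":"2019-04-01T11:30:00.000+0000","rule":{"id":"80453","level":3},"data":{"aws":{"source":"config","resourceId":"i-0abc","configurationItemStatus":"ResourceDiscovered"}}}
{"timestamp":"2019-04-01T11:35:00.000+0000","rule":{"id":"80476","level":6},"data":{"aws":{"source":"config","resourceId":"bucket-a","configurationItemStatus":"OK"}}}
"""


def parse_alerts(text):
    """Return (timestamp, rule_id, resourceId, configurationItemStatus) for AWS Config alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        aws = alert.get("data", {}).get("aws", {})
        if aws.get("source") != "config":
            continue  # skip alerts that are not AWS Config
        ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append((ts, alert["rule"]["id"], aws.get("resourceId"), aws.get("configurationItemStatus")))
    return alerts


def repeated_events(alerts):
    """Count identical (rule id, resource, status) tuples: the flood symptom."""
    return Counter((rid, res, status) for _, rid, res, status in alerts)


def simulate_ignore(alerts, ignore_seconds=3600):
    """Simplified model (assumption) of the rule 'ignore' attribute: after a rule fires,
    further events matching the same rule id within ignore_seconds are dropped."""
    last_fired = {}
    kept = []
    for ts, rid, res, status in sorted(alerts, key=lambda a: a[0]):
        prev = last_fired.get(rid)
        if prev is not None and (ts - prev).total_seconds() < ignore_seconds:
            continue  # still inside the ignore window for this rule
        last_fired[rid] = ts
        kept.append((ts, rid, res, status))
    return kept


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, count in repeated_events(parsed).most_common():
        print(f"{count:4d} x rule {key[0]} resource={key[1]} status={key[2]}")
    print(f"{len(parsed)} alerts -> {len(simulate_ignore(parsed))} with ignore=3600")
```

Point the parser at the real `alerts.json` to see which rule ids and resources dominate before tuning the window.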
Closing this issue since we made a PR to solve this here: wazuh/wazuh-ruleset#775
Regards,
Miguel Casares