How to Suppress Alerts in Wazuh
Wazuh is an open-source security platform for threat detection and response. Some of its alerts will not be relevant in your environment (an approved administrative tool, a known benign process on one host), and leaving them in place trains analysts to ignore the queue. This guide walks through the steps to suppress a rule in Wazuh, and how to do it without creating blind spots.
Step-by-Step Guide to Suppress a Rule in Wazuh
1. Log in to Wazuh
Open your web browser and navigate to your Wazuh dashboard. Log in with your credentials to access the management interface.
2. Navigate to “Threat Hunting”
Once logged in, go to the Threat Hunting section. This is where all detected security events and alerts are displayed.
3. Find the Alert You Want to Suppress
Browse through the alerts or use the search filters to locate the specific alert you want to suppress.
4. Click on the Rule ID
Each alert is generated based on a predefined rule. Click on the Rule ID of the alert you want to suppress.
5. Copy the Rule ID
After clicking the Rule ID, you will see details about the rule. Copy the Rule ID for reference.
6. Open the Rule File
Click on the rule file associated with the Rule ID. This file contains the logic used to trigger the alert.
7. Search for the Rule in the File
Press Ctrl + F and paste the Rule ID to quickly find the rule definition in the file.
Example of an Original Rule Before Suppression
Sometimes, you may need to refer back to the original rule before making modifications. Here is an example of the original rule before it was customized:
<rule id="100201" level="8">
  <if_group>sysmon_event1</if_group>
  <field name="win.eventdata.originalFileName" type="pcre2">(?i)sdbinst\.EXE</field>
  <description>Application Compatibility Database launched</description>
  <mitre>
    <id>T1546.011</id>
  </mitre>
</rule>
8. Copy the Entire Rule
Once you find the rule, copy the whole rule definition. This will be used to create a custom suppression rule.
9. Go Back to “Rules” and Click on “Custom Rule”
Return to the Rules section in Wazuh and select Custom Rule to create a modified version of the rule.
10. Create a New Rule File for Suppressed Rules
It’s a good practice to keep all suppressed rules in a separate file. Click “Add New Rule File” and give it an appropriate name (e.g., suppress_rules.xml). The dashboard stores custom rule files under /var/ossec/etc/rules/ on the manager, which is loaded after the default ruleset, so an override placed there takes effect over the original definition.
11. Add the Rule with the overwrite Flag
Paste the copied rule and add overwrite="yes" to the <rule> element, keeping the same id so that your definition replaces the original instead of colliding with it (a second rule with the same id and no overwrite flag makes the ruleset fail to load). For example:
<group name="custom_sysmon_rules">
  <rule id="100201" level="0" overwrite="yes">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)sdbinst\.EXE</field>
    <options>no_full_log</options>
    <description>Application Compatibility Database launched</description>
    <mitre>
      <id>T1546.011</id>
    </mitre>
  </rule>
</group>
12. Adjust the Rule Level
Modify the level attribute to suit your needs. Setting it to 0 suppresses the alert completely: the event is no longer written to alerts.log or alerts.json, though it still reaches archives.log if logall is enabled in ossec.conf. If you want a low-priority alert rather than full suppression, keep a non-zero level, but check the manager's log_alert_level (under <alerts> in ossec.conf): alerts below that level are not written either.
13. Save the Rule and Restart Wazuh Manager
Click Save to apply the changes, then restart the Wazuh manager so the ruleset is reloaded:
sudo systemctl restart wazuh-manager
After the restart, confirm the change by feeding a sample event to /var/ossec/bin/wazuh-logtest; the output should show the overriding rule matching at level 0 and no alert being generated.
Tips for When and How to Suppress Alerts in Wazuh
- Only suppress alerts when necessary - every suppressed rule is a potential blind spot, so record why it was suppressed and who approved it.
- Use level="0" carefully - a level-0 rule drops the alert entirely, which is not always the best approach. Where a lower-priority alert is enough, keep a non-zero level at or above the manager's log_alert_level.
- Review suppressed rules periodically - some alerts may become relevant over time, so review and adjust suppression rules as needed.
- Use separate rule files for suppression - this keeps custom modifications organized and easy to manage.
- Test before deploying to production - apply rule changes in a test environment (or against sample events with wazuh-logtest) before using them in a live system.
- Suppress based on context - instead of overwriting the rule so that it never fires anywhere, add a child rule that references the original with <if_sid> and adds <field>, <hostname> or <user> conditions, so only the known-benign combination of host, user or process is dropped and the rule keeps alerting everywhere else.
- Ensure compliance with security policies - some regulations require specific alerts or logs to be retained, so check compliance before suppressing.
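The context-scoped approach from the last tips, written out as an added example (this is not code from the original post or from the Wazuh ruleset). It assumes that the parent rule 100201 shown earlier is already loaded from its own file, that id 100202 is free in your ruleset, and it uses a constructed host name BUILD-SRV01 and service account CORP\svc_pkg as the approved combination:

```xml
<!-- Added example, not part of the original guide: context-scoped suppression
     that lives in suppress_rules.xml. Rule 100201 itself is NOT redefined here;
     the child below only references it. BUILD-SRV01, CORP\svc_pkg and id 100202
     are assumed placeholders: replace them and verify 100202 is unused. -->
<group name="custom_sysmon_rules">

  <!-- Child of 100201: fires only when the parent already matched AND both
       extra conditions hold. Level 0 drops the alert for that combination;
       every other host/account still alerts at the parent's level 8. -->
  <rule id="100202" level="0">
    <if_sid>100201</if_sid>
    <!-- win.system.computer is the machine name in the Windows eventchannel JSON -->
    <field name="win.system.computer" type="pcre2">^BUILD-SRV01$</field>
    <!-- Sysmon Event 1 "User" field; the double backslash is a pcre2 escape -->
    <field name="win.eventdata.user" type="pcre2">(?i)^CORP\\svc_pkg$</field>
    <options>no_full_log</options>
    <description>sdbinst.exe launched by the approved packaging account on BUILD-SRV01 (suppressed)</description>
  </rule>

</group>
```

Because the child uses <if_sid>100201</if_sid> instead of overwrite="yes", the original detection is untouched and keeps firing on any other host or user; only events that also match both <field> conditions end at level 0. The parent must already be loaded when the child is read, so keep the child in a file that loads after the parent's file, and do not paste a second copy of rule 100201 into this file without the overwrite flag, since duplicate ids make the ruleset fail to load. After restarting the manager, run one sample Sysmon event from BUILD-SRV01 and one from another host through /var/ossec/bin/wazuh-logtest to confirm that only the first is suppressed.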
By following these steps and best practices, you can suppress unnecessary alerts in Wazuh while keeping a structured, reviewable rule set, so that your security monitoring stays relevant to your environment without silently losing coverage.