Wazuh Modify Rule
Locate the rule you need to update, using the rule ID shown in the alert:
Example:
Output:
Copy the entry from the rule:
<rule id="60176" level="12">
<if_sid>60144,60145</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-\S+-551$</field>
<description>Backup Operators Group Changed</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
Paste the rule into the local rules file:
Update the rule as needed. In this case we have lowered the level from 12 to 6. Also set overwrite="yes" on the rule, so this local copy replaces the built-in rule with the same ID.
<rule id="60176" level="6" overwrite="yes">
<if_sid>60144,60145</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-\S+-551$</field>
<description>Backup Operators Group Changed</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
Restart the manager:
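The steps above (locate the rule by ID, copy it, lower its level, add overwrite="yes") as a small script, added here as an example; it is not code from the page or from the Wazuh project. It assumes built-in rules sit inside a <group> element of a ruleset XML file (as under /var/ossec/ruleset/rules/), that the generated rule is pasted inside the <group> element of /var/ossec/etc/rules/local_rules.xml, and that rule levels are integers 0 to 16. The SAMPLE_RULESET fragment is constructed inline so the script runs offline; it also checks that the override differs from the original only in level and the overwrite attribute, so a mangled copy does not silently change what the rule matches.

```python
"""Build a Wazuh local-rule override from a built-in rule, and check it.

Added example; not code from the page or from the Wazuh project.
Assumptions: built-in rules live in a <group> element of a ruleset XML
file (as in /var/ossec/ruleset/rules/*.xml), the override is pasted inside
the <group> element of /var/ossec/etc/rules/local_rules.xml, and rule
levels are integers 0..16. The sample ruleset below is constructed inline
so the script runs offline.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Wazuh ruleset fragment; only the
# rule being overridden mirrors the one quoted on the page.
SAMPLE_RULESET = r"""<group name="windows,windows_security,">
  <rule id="60144" level="5">
    <description>placeholder parent rule (constructed)</description>
  </rule>
  <rule id="60176" level="12">
    <if_sid>60144,60145</if_sid>
    <field name="win.eventdata.targetSid">^S-1-5-\S+-551$</field>
    <description>Backup Operators Group Changed</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>
</group>
"""

MIN_LEVEL, MAX_LEVEL = 0, 16  # assumed valid Wazuh rule level range


def find_rule(ruleset_xml: str, rule_id: str) -> ET.Element:
    """Return the <rule> element with the given id (step 1: locate it)."""
    root = ET.fromstring(ruleset_xml)
    for rule in root.iter("rule"):
        if rule.get("id") == rule_id:
            return rule
    raise KeyError(f"rule id {rule_id} not found in ruleset")


def make_override(rule: ET.Element, new_level: int) -> ET.Element:
    """Copy the rule, change only its level and add overwrite="yes"."""
    if not MIN_LEVEL <= new_level <= MAX_LEVEL:
        raise ValueError(f"level must be {MIN_LEVEL}..{MAX_LEVEL}, got {new_level}")
    override = copy.deepcopy(rule)
    override.set("level", str(new_level))
    override.set("overwrite", "yes")
    override.tail = None  # drop trailing whitespace inherited from the file
    return override


def _canonical(el: ET.Element) -> str:
    """Serialize an element with insignificant whitespace removed."""
    el = copy.deepcopy(el)
    for node in el.iter():
        node.text = (node.text or "").strip() or None
        node.tail = None
    return ET.tostring(el, encoding="unicode")


def check_override(original: ET.Element, override: ET.Element) -> list:
    """List problems that make the override an unfaithful copy.

    An override that accidentally changes matching conditions (for example
    a mangled <field> regex) silently changes what the rule detects, so
    everything except level and overwrite must be identical.
    """
    problems = []
    if override.get("id") != original.get("id"):
        problems.append("rule id differs from the rule being overridden")
    if override.get("overwrite") != "yes":
        problems.append('overwrite="yes" is missing')
    skip = ("level", "overwrite")
    orig_attrs = {k: v for k, v in original.attrib.items() if k not in skip}
    over_attrs = {k: v for k, v in override.attrib.items() if k not in skip}
    if orig_attrs != over_attrs:
        problems.append("rule attributes other than level/overwrite differ")
    if [_canonical(c) for c in original] != [_canonical(c) for c in override]:
        problems.append("rule body (conditions, description, groups) differs")
    return problems


def render_override(override: ET.Element) -> str:
    """Text to paste inside the <group> element of local_rules.xml."""
    return ET.tostring(override, encoding="unicode")


if __name__ == "__main__":
    original = find_rule(SAMPLE_RULESET, "60176")
    override = make_override(original, 6)
    assert check_override(original, override) == []
    print(render_override(override))
    # Paste the printed rule into local_rules.xml, then restart the manager.
```

Running the script prints the rule with level="6" and overwrite="yes" and otherwise unchanged; paste it inside the <group> element of local_rules.xml and restart the manager so the ruleset is reloaded. Pointing check_override at the wrong rule, or at a copy whose <field> pattern was edited, returns a non-empty list instead of silently producing a rule that matches different events.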