
Feature request: Exclude vulnerability analysis and FIM events from "Security events" module #5864

Open
zbalkan opened this issue Sep 8, 2023 · 3 comments
Assignees
Labels
level/task (Task issue), reporter/community (Issue reported by the community), request/operational (Operational requests), type/troubleshooting

Comments

@zbalkan

zbalkan commented Sep 8, 2023

Description

The Integrity module and vulnerability modules have their own dashboards for further analysis. But many times we find that the security events and alerts are bombarded by FIM events and vulnerability checks. The first thing we do in the "Security events" module is to exclude these events to have a clear and concise view.

For the sake of clarity and ease of use, please filter these out of the Security Events module by default, so that we don't need to do it every single time.

Tasks

The steps that have to be completed in order to close the issue.

  • Exclude Vulnerability analysis and Integrity events on Security Events module by default

Additional information

[image attached to the issue]

@zbalkan zbalkan changed the title Feature request: Exclude vulnerability analysis and FIM events from security events tab Feature request: Exclude vulnerability analysis and FIM events from "Security events" module Sep 8, 2023
@AlexRuiz7 AlexRuiz7 added the reporter/community Issue reported by the community label Sep 12, 2023
@gdiazlo gdiazlo self-assigned this Sep 15, 2023
@gdiazlo
Member

gdiazlo commented Sep 15, 2023

I understand your situation. Every Wazuh installation can have more events of one module than others. And those can mean noise in certain circumstances, like the one you describe. I think it is not possible to balance out all the possibilities a deployment can have for all users.

A possible solution would be to be able to save those filters, so a user can customize the dashboard just once, changing the default applied filters. But AFAIK, OpenSearch does not support this globally. We will need further research to reach a viable solution.

In the meantime, you can either add the filters, or create a custom dashboard for the indexed data.
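The manual workaround gdiazlo describes (adding the filters yourself) can be expressed as a single OpenSearch query. The block below is an added example, not code from the Wazuh project or from either participant: it builds the `must_not` exclusion as query DSL, gives the equivalent filter-bar text, and applies the same rule locally to a few constructed alert documents so the effect is visible offline. It assumes that FIM alerts carry `syscheck` and vulnerability-detector alerts carry `vulnerability-detector` in `rule.groups`, which is how Wazuh tags them; the sample rule ids and groups are constructed for illustration.

```python
"""Added example (not Wazuh project code): hide FIM and vulnerability alerts
from a security-events view with a bool/must_not query, and evaluate the
same rule locally on constructed alert documents.

Assumption: Wazuh puts "syscheck" on FIM alerts and "vulnerability-detector"
on vulnerability alerts in the rule.groups array.
"""

from typing import Any

# rule.groups values already covered by the Integrity and Vulnerabilities
# module dashboards (assumed Wazuh group names, see module docstring).
NOISY_GROUPS = ("syscheck", "vulnerability-detector")

# Equivalent text a user can paste into the dashboard query/filter bar.
FILTER_BAR_QUERY = "NOT rule.groups:(syscheck OR vulnerability-detector)"


def exclusion_query(groups=NOISY_GROUPS, since: str = "now-24h") -> dict[str, Any]:
    """Build the OpenSearch query DSL that drops alerts in the given groups.

    `terms` on an array field matches when any element equals one of the
    listed values, so placing it under `must_not` removes every alert that
    belongs to at least one noisy group.
    """
    return {
        "query": {
            "bool": {
                "filter": [{"range": {"timestamp": {"gte": since}}}],
                "must_not": [{"terms": {"rule.groups": list(groups)}}],
            }
        }
    }


def keep_alert(alert: dict[str, Any], groups=NOISY_GROUPS) -> bool:
    """Local evaluation of the same must_not/terms rule for one alert document."""
    alert_groups = alert.get("rule", {}).get("groups", [])
    return not any(g in groups for g in alert_groups)


def filter_alerts(alerts: list[dict[str, Any]], groups=NOISY_GROUPS) -> list[dict[str, Any]]:
    """Return only the alerts that would survive exclusion_query()."""
    return [a for a in alerts if keep_alert(a, groups)]


# Constructed sample alerts shaped like Wazuh alert documents; rule ids and
# non-noisy groups are made up for illustration.
SAMPLE_ALERTS = [
    {"rule": {"id": "550", "groups": ["ossec", "syscheck"]},
     "syscheck": {"path": "/etc/passwd"}},
    {"rule": {"id": "23505", "groups": ["vulnerability-detector"]}},
    {"rule": {"id": "5710", "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"rule": {"id": "100002", "groups": ["local", "custom"]}},
]

if __name__ == "__main__":
    remaining = filter_alerts(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts, {len(remaining)} left after exclusion:")
    for a in remaining:
        print("  rule", a["rule"]["id"], a["rule"]["groups"])
    print("filter bar:", FILTER_BAR_QUERY)
```

Run against a real index the DSL from `exclusion_query()` would be sent as the body of a `_search` on the `wazuh-alerts-*` pattern; the local `filter_alerts()` exists only so the exclusion logic can be checked without a cluster. Because the filter is a negative match on a group name, any FIM or vulnerability rule that lacks the expected group tag would still show up, which is worth checking when custom rules are in play.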

@zbalkan
Author

zbalkan commented Sep 15, 2023

Hi @gdiazlo,

Since the Integrity Module and Vulnerabilities have their own dashboards, the suggested segregation might be reasonable. A FIM event is yet another log, but it does not add value to the security events. When it comes to detailed investigation, we use the Discovery module already. Tailoring by default or being able to tailor globally are our options to minimize the inconveniences. It's not a bug but a papercut in this case.

@gdiazlo gdiazlo added the request/operational Operational requests label Sep 18, 2023
@gdiazlo
Member

gdiazlo commented Sep 21, 2023

We're working on new dashboards, due hopefully in Wazuh 4.8.0; we will consider this.
