We found a variety of duplications in the current ruleset provided with Wazuh 4.12.
rules/0545-osquery_rules.xml
The rules with the id 24123 and 24124 are exactly the same and so one of them could be removed:
<rule id="24123" level="4">
<if_sid>24100</if_sid>
<field name="osquery.name">keychain_items</field>
<description>osquery: $(osquery.pack) $(osquery.subquery): Keychain $(osquery.columns.label) path is $(osquery.columns.path)</description>
<group>it_compliance,</group>
<options>no_full_log</options>
</rule>
<rule id="24124" level="4">
<if_sid>24100</if_sid>
<field name="osquery.name">keychain_items</field>
<description>osquery: $(osquery.pack) $(osquery.subquery): Keychain $(osquery.columns.label) path is $(osquery.columns.path)</description>
<group>it_compliance,</group>
<options>no_full_log</options>
</rule>
rules/0392-fortimail_rules.xml
Here the rule pairs [44682, 44681] and [44715, 44711] are referring to the same event:
<rule id="44681" level="3">
<if_sid>44641</if_sid>
<field name="msg">Permission of mail</field>
<description>FortiMail: An administrator set or deleted permission of mail using the CLI or web-based manager.</description>
</rule>
<rule id="44682" level="3">
<if_sid>44641</if_sid>
<field name="msg">Permission of mail</field>
<description>FortiMail: An administrator set or deleted permission of mail using the CLI or web-based manager.</description>
</rule>
--
<rule id="44711" level="3">
<if_sid>44709</if_sid>
<field name="msg">Successfully loaded virus db</field>
<description>FortiMail: The antivirus database is successfully loaded.</description>
</rule>
<rule id="44715" level="3">
<if_sid>44709</if_sid>
<field name="msg">Successfully loaded virus db</field>
<description>FortiMail: The user successfully uploaded the antivirus database.</description>
</rule>
rules/0585-win-application_rules.xml
The rule pairs [60702, 60676], [60732, 60745] and [60843, 60845] are referring to the same event:
<rule id="60676" level="3">
<if_sid>60675</if_sid>
<field name="win.system.eventID">^8224$</field>
<options>no_full_log</options>
<description>The VSS service is shutting down due to idle timeout.</description>
</rule>
<rule id="60702" level="5">
<if_sid>60675</if_sid>
<field name="win.system.eventID">^8224$</field>
<options>no_full_log</options>
<description>The VSS service is shutting down due to idle timeout.</description>
</rule>
--
<rule id="60732" level="5">
<if_sid>60726</if_sid>
<field name="win.system.eventID">^5612$</field>
<options>no_full_log</options>
<description>A quota reached a warning value, WMI stopped WMIPRVSE.EXE.</description>
<mitre>
<id>T1047</id>
</mitre>
</rule>
<rule id="60745" level="5">
<if_sid>60726</if_sid>
<field name="win.system.eventID">^5612$</field>
<options>no_full_log</options>
<description>WMI stopped WMIPRVSE.EXE because a quota reached a warning value.</description>
<mitre>
<id>T1047</id>
</mitre>
</rule>
--
<rule id="60843" level="5">
<if_sid>60838</if_sid>
<field name="win.system.eventID">^4102$</field>
<options>no_full_log</options>
<description>MS DTC transaction manager could not be initialized.</description>
</rule>
<rule id="60845" level="5">
<if_sid>60838</if_sid>
<field name="win.system.eventID">^4102$</field>
<options>no_full_log</options>
<description>MS DTC transaction manager could not be initialized.</description>
</rule>
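The pairs listed above were evidently found by comparing the matching conditions of each rule while ignoring its description. The script below automates that check over a Wazuh rules file. It is an added example for this report, not code from the reporter or from the Wazuh project. It treats two rules as candidates for deduplication when their <if_sid>, <if_group>, <if_matched_sid>, <match>, <regex> and <field> elements are identical; description, level and <mitre> are deliberately ignored, since the report shows pairs that differ only in wording. The sample rules embedded in the script are constructed from the pairs quoted in this report plus one distinct rule (id 24125) added to show a non-match.

```python
"""Find Wazuh rules whose matching conditions are identical.

Added example, not part of the original issue report or the Wazuh project.
Usage: python find_duplicate_rules.py /var/ossec/ruleset/rules/*.xml
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Elements that decide whether a rule fires. Everything else in a <rule>
# (description, group, options, mitre) is metadata and does not affect matching.
CONDITION_TAGS = ("if_sid", "if_group", "if_matched_sid", "match", "regex",
                  "hostname", "srcip", "dstip", "program_name", "decoded_as")


def rule_signature(rule):
    """Return a hashable summary of a <rule>'s matching conditions."""
    parts = []
    for child in rule:
        if child.tag in CONDITION_TAGS:
            parts.append((child.tag, (child.text or "").strip()))
        elif child.tag == "field":
            # A <field> match depends on the field name, the negate attribute
            # and the regex body, so all three go into the signature.
            parts.append(("field", child.get("name", ""),
                          child.get("negate", "no"), (child.text or "").strip()))
    return tuple(sorted(parts))


def find_duplicate_rules(xml_text):
    """Group rule ids sharing a signature; returns a sorted list of id lists."""
    # Wazuh rule files are XML fragments with several top-level <group>
    # elements and no single root, so wrap them before parsing.
    root = ET.fromstring("<root>%s</root>" % xml_text)
    by_signature = defaultdict(list)
    for rule in root.iter("rule"):
        by_signature[rule_signature(rule)].append(rule.get("id"))
    return sorted(ids for ids in by_signature.values() if len(ids) > 1)


# Constructed sample: the 24123/24124 and 60732/60745 pairs from the report,
# plus a made-up rule 24125 that shares the parent but matches a different query.
SAMPLE_RULES = """
<group name="osquery,">
  <rule id="24123" level="4">
    <if_sid>24100</if_sid>
    <field name="osquery.name">keychain_items</field>
    <description>osquery: Keychain $(osquery.columns.label) path is $(osquery.columns.path)</description>
    <group>it_compliance,</group>
  </rule>
  <rule id="24124" level="4">
    <if_sid>24100</if_sid>
    <field name="osquery.name">keychain_items</field>
    <description>osquery: Keychain $(osquery.columns.label) path is $(osquery.columns.path)</description>
    <group>it_compliance,</group>
  </rule>
  <rule id="24125" level="4">
    <if_sid>24100</if_sid>
    <field name="osquery.name">some_other_query</field>
    <description>osquery: constructed non-duplicate rule</description>
  </rule>
</group>
<group name="windows,">
  <rule id="60732" level="5">
    <if_sid>60726</if_sid>
    <field name="win.system.eventID">^5612$</field>
    <description>A quota reached a warning value, WMI stopped WMIPRVSE.EXE.</description>
    <mitre><id>T1047</id></mitre>
  </rule>
  <rule id="60745" level="5">
    <if_sid>60726</if_sid>
    <field name="win.system.eventID">^5612$</field>
    <description>WMI stopped WMIPRVSE.EXE because a quota reached a warning value.</description>
    <mitre><id>T1047</id></mitre>
  </rule>
</group>
"""


if __name__ == "__main__":
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    if not sources:
        sources = [("<constructed sample>", SAMPLE_RULES)]
    for name, text in sources:
        for ids in find_duplicate_rules(text):
            print("%s: rules %s have identical matching conditions" % (name, ", ".join(ids)))
```

The script reports candidates, not verdicts. The FortiMail pair 44711/44715 above is a case in point: the conditions are identical, but the descriptions claim different things ("successfully loaded" versus "user successfully uploaded"), so someone has to decide which description is right before dropping the other rule. Level is also ignored on purpose, which is why a pair such as 60676 (level 3) and 60702 (level 5) is still flagged; which level to keep is again a reviewer's call.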