
🛡️ Smarter Detections: Creating SIGMA Exclusion Rules in CoPilot for Velociraptor Alerts

Apr 30, 2025

In our last post, we set up SIGMA rule analysis using Velociraptor and successfully piped those alerts into CoPilot, giving us a powerful detection pipeline across our endpoints. But as many defenders have noticed, Velociraptor’s implementation of SIGMA rules lacks support for field-level exclusions — a crucial feature when it comes to reducing false positives and alert fatigue.

Today, we’re going to close that gap.

The Problem: SIGMA Limitations in Velociraptor

Velociraptor executes SIGMA rules effectively, but it lacks the ability to filter out alerts based on specific field values. This can lead to a flood of alerts triggered by trusted agents — think antivirus tools, RMM software, or even Wazuh itself — that you don’t want to fully suppress, but also don’t want cluttering your alert queue.

The Solution: Exclusions in CoPilot

CoPilot, our case management and alert orchestration system, now supports field-based exclusion rules for SIGMA alerts. Instead of disabling entire rules, you can now create intelligent filters that suppress alerts only under certain conditions, such as specific parent processes, command-line arguments, or file paths.

Let’s walk through how to do that.

Example: Exclude Wazuh Agent from a SIGMA Alert

Say you're getting alerts from a rule like Process Access (Sysmon), but the source process is always wazuh-agent.exe, a process you trust.

Here’s how to exclude it in CoPilot:

  1. Open CoPilot, go to Incident Management > Sources, and click on the Exclusion Rules tab.
  2. Click “Create Exclusion Rule”.
  3. Set:
  • Name: Anything you like (e.g., “Exclude Wazuh Agent”).
  • Channel: The SIGMA data source, e.g., Sysmon.
  • Title: Match the exact SIGMA rule title.
  • Field Match: the field to inspect and the value that should be suppressed:
  • Field Name: SourceImage
  • Value: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
  • (Optional) Customer: Scope this exclusion to a specific customer.
  • Enable the rule and submit.

Now, when Velociraptor sends this alert again, CoPilot checks the exclusion list and suppresses the alert only when both the rule title and the field value match. Keep in mind that the match is made against the path Sysmon reports: any process whose SourceImage equals that path is suppressed, so use the most specific value the field allows and avoid excluding on a bare file name that any binary could carry.

Wildcard Matching with Regex for Flexible Exclusions

Sometimes, the exact path may vary — for example:

C:\Program Files (x86)\ossec-agent\shared\sysmon_config.xml

or

C:\Program Files (x86)\please-subscribe\shared\sysmon_config.xml

We can cover both by putting a wildcard in place of the directory name. Because a value prefixed with regex: is read as a regular expression, the Windows path has to be escaped: each backslash becomes \\, the parentheses become \( and \), and the dot before the extension becomes \. (left unescaped, \P is not a valid escape, \.* matches only a run of dots, \s means whitespace, and (x86) is a capture group rather than the literal text, so the pattern would never match a real path):

regex:C:\\Program Files \(x86\)\\.*\\shared\\sysmon_config\.xml

This pattern matches sysmon_config.xml inside a shared folder below C:\Program Files (x86), regardless of the directory name in between (and, since .* also crosses backslashes, regardless of how many directories sit in between). Keep patterns as narrow as your real paths allow, and match the full path rather than just the file name, so a copy of the file dropped elsewhere still raises an alert.
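To make the matching behaviour concrete, here is a small Python model of the exclusion logic described in this post and in the Wazuh agent walkthrough above: a rule suppresses an alert only when channel, exact SIGMA title, optional customer and the named field all match, with a literal value compared whole and a regex: value matched against the whole field. This is an added example written for this page, not CoPilot's code or API; the alert layout, the second rule title, the customer names, the case-insensitive comparison, and the sample alerts are all assumptions constructed for illustration. The regex rule tightens the post's .* wildcard to a single directory name ([^\\]+), and the final check shows that the unescaped form of the pattern does not even compile.

```python
import re
from dataclasses import dataclass
from typing import Optional

REGEX_PREFIX = "regex:"


@dataclass
class ExclusionRule:
    """One exclusion: SIGMA rule title plus a single field/value condition."""
    name: str
    channel: str                    # SIGMA data source, e.g. "Sysmon"
    title: str                      # must equal the SIGMA rule title exactly
    field_name: str                 # alert field to inspect, e.g. "SourceImage"
    value: str                      # literal value, or "regex:<pattern>"
    customer: Optional[str] = None  # optional scoping (attribute name assumed)
    enabled: bool = True


def pattern_compiles(value: str) -> bool:
    """Report whether a 'regex:' value is a syntactically valid pattern."""
    if not value.startswith(REGEX_PREFIX):
        return True
    try:
        re.compile(value[len(REGEX_PREFIX):])
        return True
    except re.error:
        return False


def value_matches(expected: str, actual: str) -> bool:
    """Literal values must equal the whole field; 'regex:' values must match the
    whole field. Windows paths are case-insensitive, so the comparison is too
    (an assumption of this example, not documented CoPilot behaviour)."""
    if expected.startswith(REGEX_PREFIX):
        pattern = expected[len(REGEX_PREFIX):]
        return re.fullmatch(pattern, actual, re.IGNORECASE) is not None
    return expected.casefold() == actual.casefold()


def rule_matches(rule: ExclusionRule, alert: dict) -> bool:
    """Apply only when channel, title, optional customer and the named field all
    line up; an alert that lacks the field is never suppressed."""
    if not rule.enabled:
        return False
    if rule.channel != alert["channel"] or rule.title != alert["title"]:
        return False
    if rule.customer is not None and rule.customer != alert.get("customer"):
        return False
    actual = alert["fields"].get(rule.field_name)
    return actual is not None and value_matches(rule.value, actual)


def excluding_rule(alert: dict, rules: list) -> Optional[str]:
    """Name of the first enabled exclusion that suppresses the alert, else None."""
    for rule in rules:
        if rule_matches(rule, alert):
            return rule.name
    return None


def triage(alerts: list, rules: list) -> dict:
    """Map alert id -> excluding rule name (None means: raise the alert)."""
    return {a["id"]: excluding_rule(a, rules) for a in alerts}


# Constructed sample rules (not from any real deployment). The second rule
# title is hypothetical; the post names only "Process Access".
RULES = [
    ExclusionRule("Exclude Wazuh Agent", "Sysmon", "Process Access", "SourceImage",
                  r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe", customer="acme"),
    ExclusionRule("Exclude shipped Sysmon config", "Sysmon", "Sysmon Config Dropped",
                  "TargetFilename",
                  # Backslashes, parentheses and the extension dot are escaped;
                  # [^\\]+ allows exactly one directory name where the post's
                  # example uses .* (which would also span nested folders).
                  r"regex:C:\\Program Files \(x86\)\\[^\\]+\\shared\\sysmon_config\.xml"),
]

# Constructed sample alerts. The layout (channel/title/customer/fields) is an
# assumption for this example, not CoPilot's alert schema.
ALERTS = [
    {"id": 1, "channel": "Sysmon", "title": "Process Access", "customer": "acme",
     "fields": {"SourceImage": r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"}},
    {"id": 2, "channel": "Sysmon", "title": "Process Access", "customer": "acme",
     "fields": {"SourceImage": r"C:\Users\Public\wazuh-agent.exe"}},  # same name, wrong path
    {"id": 3, "channel": "Sysmon", "title": "Process Access", "customer": "beta",
     "fields": {"SourceImage": r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"}},
    {"id": 4, "channel": "Sysmon", "title": "Sysmon Config Dropped", "customer": "acme",
     "fields": {"TargetFilename": r"C:\Program Files (x86)\please-subscribe\shared\sysmon_config.xml"}},
    {"id": 5, "channel": "Sysmon", "title": "Sysmon Config Dropped", "customer": "acme",
     "fields": {"TargetFilename": r"C:\Program Files (x86)\a\b\shared\sysmon_config.xml"}},
]

# The post's pattern with unescaped backslashes: '\P' is not a valid escape and
# '\s' means whitespace, so it cannot match a Windows path.
BROKEN_PATTERN = r"regex:C:\Program Files (x86)\.*\shared\sysmon_config.xml"

if __name__ == "__main__":
    print(triage(ALERTS, RULES))
    print("broken pattern compiles:", pattern_compiles(BROKEN_PATTERN))
```

Alerts 2, 3 and 5 are the ones worth looking at: a binary merely named wazuh-agent.exe in a different directory is still raised, the customer scope keeps an exclusion from leaking across tenants, and a config file two directories deep is not swallowed by a wildcard meant for one. If you do want .* as in the post, keep everything else escaped exactly as shown, and run your pattern through a quick compile check before enabling the rule.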

Results: Fewer False Positives, Smarter Detections

By pushing exclusion logic to CoPilot, you avoid modifying upstream SIGMA rules while keeping detection coverage intact. Key benefits include:

  • No need to fork or alter community SIGMA rules
  • Alert fidelity remains high
  • Reduce operational noise from “known good” software
  • Maintain consistent detection pipelines via Velociraptor

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
