When using the Sysmon rules from SwiftSecurity, following the guide from Useful Wazuh resources, you will get a large number of alerts in Wazuh when Microsoft Teams is in use.
To suppress these alerts, add a new local rule with the following content and restart Wazuh:
<group name="exclude-teams">
  <rule id="888001" level="0">
    <if_sid>255564</if_sid>
    <match>Teams.exe</match>
    <description>Exclude Teams from sysmon</description>
  </rule>
  <rule id="888002" level="0">
    <if_sid>255535</if_sid>
    <match>Teams.exe</match>
    <description>Exclude Teams from sysmon</description>
  </rule>
  <rule id="888003" level="0">
    <if_sid>255501</if_sid>
    <match>Teams.exe</match>
    <description>Exclude Teams from sysmon</description>
  </rule>
</group>
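The three rules above match the string Teams.exe anywhere in the event, so they also silence events in which Teams.exe is only the parent of some other process or appears in an unexpected location. The following is an added example, not from the original post: a narrower local rule that suppresses only events whose image is the Teams binary at the classic per-user install path. The parent rule IDs are taken from the post; the field name, the path regex and the rule ID 100100 are assumptions.

```xml
<!-- Added example (not the original post's rule). Parent rule IDs 255564,
     255535 and 255501 are the Sysmon rules referenced above; rule ID 100100
     sits in the 100000-120000 range Wazuh reserves for custom rules. -->
<group name="exclude-teams">
  <rule id="100100" level="0">
    <!-- One rule covering all three parent rules (comma-separated if_sid). -->
    <if_sid>255564,255535,255501</if_sid>
    <!-- Only the Teams binary itself, at its classic per-user install path,
         is silenced (assumed path; new Teams installs elsewhere and would
         need its own pattern). Events that merely mention Teams.exe, such as
         Teams.exe as the parent of cmd.exe, still raise the parent rule. -->
    <field name="win.eventdata.image" type="pcre2">(?i)^C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe$</field>
    <description>Sysmon noise from the Microsoft Teams binary suppressed</description>
  </rule>
</group>
```

After adding the rule, /var/ossec/bin/wazuh-logtest can be used to confirm that a Teams process event hits rule 100100 while an event with Teams.exe only as the parent image still reaches the original rule.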