Greetings Aaron:

Yes, just copy the rule elements to /var/ossec/rules/local_rules.xml
and use the overwrite="yes" feature to overwrite the rule.

Or if the rule would be a subset, then copy the main rule which
triggers alerts to local_rules.xml, set the level low enough or email
to ignore, and then create separate rules for what you need
notifications on.

The Windows login rules are in /var/ossec/rules/msauth_rules.xml

Based on the information you provided, rule 18107 was triggered.  That
is in the msauth_rules.xml file as

  <rule id="18107" level="3">
    <if_sid>18104</if_sid>
    <id>^528|^540|^672|^673</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
  </rule>

Daniel might be able to answer if you could do the equivalent of an if
then else (i.e. if <match>Logon Type: 3</match> then ignore, else
report), but the above may be a starting point for you.

Thank you.
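As an added example (not from the reply above), here is a local_rules.xml that applies the approach described: rule 18107 is overwritten so it no longer emails on its own, a child rule drops "Logon Type: 3" (network logons) to level 0, and a second child reports everything else that 18107 matched. The local ids 100107 and 100108 are assumed to be unused, and the example assumes OSSEC selects the first matching child rule, so the ignore rule is listed first.

```xml
<group name="local,windows,">

  <!-- Same rule as in msauth_rules.xml, but with overwrite="yes" so this
       copy replaces the stock one; no_email_alert keeps it from emailing -->
  <rule id="18107" level="3" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^528|^540|^672|^673</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
    <options>no_email_alert</options>
  </rule>

  <!-- "then" branch: network logons (Logon Type: 3) are dropped to level 0.
       Assumed local id; listed first so it is tried before the report rule -->
  <rule id="100107" level="0">
    <if_sid>18107</if_sid>
    <match>Logon Type: 3</match>
    <description>Windows network logon success (ignored).</description>
  </rule>

  <!-- "else" branch: any other successful logon that 18107 matched is
       raised to a level that will alert and email. Assumed local id -->
  <rule id="100108" level="7">
    <if_sid>18107</if_sid>
    <description>Windows logon success, non-network logon type.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

After editing, restart OSSEC and confirm the rule set loads without errors before relying on the change.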
