Greetings matthias: Copy the rule to /var/ossec/rules/local_rules.xml and change the level to 3 and use the overwrite="yes" option. Then restart ossec.
Example:
<rule id="18120" level="3" overwrite="yes">
<if_sid>18105</if_sid>
<id>^680</id>
<description>Windows login attempt (ignored). Duplicated.</
description>
</rule>
Thank you.
