/Wazuh-Rules

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!

Primary LanguagePython

Advanced Wazuh Detection Rules Awesome

The SOCFortress Team has committed to contributing to the Open Source community. We hope you find these rulesets helpful and robust as you work to keep your networks secure.

Forks Stargazers MIT License LinkedIn your-own-soc-free-for-life-tier


Logo Logo

Advanced Wazuh Detection Rules

Have Wazuh deployed and ingesting your logs but looking for some better detection rules? Look no further. The objective for this repo is to provide the Wazuh community with rulesets that are more accurate, descriptive, and enriched from various sources and integrations.
Worlds First Open Source Cloud SOC »

Wazuh Docs · FREE FOR LIFE TIER · Our Blog

Table of Contents
  1. About This Repo
  2. Getting Started
  3. Contributing
  4. Contact
  5. Acknowledgments

About This Repo

The objective for this repo is to provide the Wazuh community with rulesets that are more accurate, descriptive, and enriched from various sources and integrations.

Here's why:

  • Detection rules can be a tricky business and we believe everyone should have access to a strong and growing ruleset.
  • Wazuh serves as a great EDR agent, however the default rulesets are rather laxed (in our opinion). We wanted to start building a strong repo of Wazuh rules for the community to implement themselves and expand upon as new threats arise.
  • Cybersecurity is hard enough, let's work together 😄

(back to top)

Supported Rules and Integrations

Below are the current rules and integrations currently contained within this repo. Integrations, such as Office365, Trend Micro, etc. will have scripts provided within their respective folders for use. Feel free to build upon these scripts and contribute back 😄

Roadmap

Have an Integration already configured that you'd like to share? Or have an idea for an Integration that you would like help on? Feel free to add it to the Roadmap.

  • Feel free to bring ideas 😄

(back to top)

Getting Started

Feel free to implement all of the rules that are contained within this repo, or pick and choose as you see fit. See our Installation section below for a bash script that can be ran on your Wazuh Manager to quickly put these rules to work!

Prerequisites

Wazuh-Manager Version 4.x Required.

Wazuh Install Docs

Need Assitance? - Hire SOCFortress

Installation

You can either manually download the .xml rule files onto your Wazuh Manager or make use of our wazuh_socfortress_rules.sh script

⚠️ USE AT OWN RISK: If you already have custom rules built out, there is a good chance duplicate Rule IDs will exists. This will casue the Wazuh-Manager service to fail! Ensure there are no conflicting Rule IDs and your custom rules are backed up prior to running the wazuh_socfortress_rules.sh script!

  1. Become Root User
  2. Run the Script
    curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/wazuh_socfortress_rules.sh && bash ~/wazuh_socfortress_rules.sh

Alt Text

(back to top)

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b ruleCategory/DetectionRule)
  3. Commit your Changes (git commit -m 'Add some DetectionRules')
  4. Push to the Branch (git push origin ruleCategory/DetectionRule)
  5. Open a Pull Request

(back to top)

Contact

SOCFortress - LinkedIn - info@socfortress.co

Let SOCFortress Take Your Open Source SIEM to the Next Level

Banner

(back to top)

Acknowledgments

Security is best when we work together! Huge thank you to those supporting and those future supporters!