Skip to content

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!

Notifications You must be signed in to change notification settings

socfortress/Wazuh-Rules

Folders and files

NameName
Last commit message
Last commit date

Latest commit

12aa4a0 · Feb 25, 2025
Oct 30, 2023
Dec 11, 2024
Dec 7, 2022
Sep 20, 2022
Feb 22, 2024
Jan 3, 2023
Aug 4, 2023
Aug 29, 2022
Mar 16, 2023
Aug 20, 2023
Mar 7, 2023
Oct 24, 2023
Feb 25, 2025
Aug 19, 2022
Aug 19, 2022
Nov 1, 2023
Aug 20, 2022
Mar 23, 2023
Aug 21, 2023
Oct 24, 2023
Aug 20, 2022
Aug 20, 2022
Aug 3, 2023
Aug 23, 2023
Feb 4, 2023
Aug 20, 2022
Mar 18, 2023
Feb 11, 2025
Dec 30, 2022
Mar 30, 2023
Oct 25, 2023
Aug 15, 2023
May 26, 2023
Jul 12, 2024
Aug 20, 2022
Apr 9, 2023
Jan 6, 2023
Jul 3, 2023
Aug 15, 2023
Aug 20, 2022
Aug 22, 2024
Aug 20, 2022
Jul 10, 2023
Mar 7, 2023
Feb 5, 2024
Mar 7, 2023
Nov 7, 2022
Aug 9, 2022
Mar 7, 2023
Aug 22, 2024
Aug 20, 2022
Aug 19, 2022
Nov 26, 2022
Apr 25, 2023
Apr 25, 2023
Aug 21, 2023

Repository files navigation

Advanced Wazuh Detection Rules Awesome

The SOCFortress Team has committed to contributing to the Open Source community. We hope you find these rulesets helpful and robust as you work to keep your networks secure.

Forks Stargazers MIT License LinkedIn your-own-soc-free-for-life-tier


Logo Logo

Advanced Wazuh Detection Rules

Have Wazuh deployed and ingesting your logs but looking for some better detection rules? Look no further. The objective for this repo is to provide the Wazuh community with rulesets that are more accurate, descriptive, and enriched from various sources and integrations.
Worlds First Open Source Cloud SOC »

Wazuh Docs · FREE FOR LIFE TIER · Our Blog

Table of Contents
  1. About This Repo
  2. Getting Started
  3. Contributing
  4. Contact
  5. Acknowledgments

About This Repo

The objective for this repo is to provide the Wazuh community with rulesets that are more accurate, descriptive, and enriched from various sources and integrations.

Here's why:

  • Detection rules can be a tricky business and we believe everyone should have access to a strong and growing ruleset.
  • Wazuh serves as a great EDR agent, however the default rulesets are rather laxed (in our opinion). We wanted to start building a strong repo of Wazuh rules for the community to implement themselves and expand upon as new threats arise.
  • Cybersecurity is hard enough, let's work together 😄

(back to top)

Supported Rules and Integrations

Below are the current rules and integrations currently contained within this repo. Integrations, such as Office365, Trend Micro, etc. will have scripts provided within their respective folders for use. Feel free to build upon these scripts and contribute back 😄

Roadmap

Have an Integration already configured that you'd like to share? Or have an idea for an Integration that you would like help on? Feel free to add it to the Roadmap.

  • Feel free to bring ideas 😄

(back to top)

Getting Started

Feel free to implement all of the rules that are contained within this repo, or pick and choose as you see fit. See our Installation section below for a bash script that can be ran on your Wazuh Manager to quickly put these rules to work!

Prerequisites

Wazuh-Manager Version 4.x Required.

Wazuh Install Docs

Need Assitance? - Hire SOCFortress

Installation

You can either manually download the .xml rule files onto your Wazuh Manager or make use of our wazuh_socfortress_rules.sh script

⚠️ USE AT OWN RISK: If you already have custom rules built out, there is a good chance duplicate Rule IDs will exists. This will casue the Wazuh-Manager service to fail! Ensure there are no conflicting Rule IDs and your custom rules are backed up prior to running the wazuh_socfortress_rules.sh script!

  1. Become Root User
  2. Run the Script
    curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/wazuh_socfortress_rules.sh && bash ~/wazuh_socfortress_rules.sh

Alt Text

(back to top)

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b ruleCategory/DetectionRule)
  3. Commit your Changes (git commit -m 'Add some DetectionRules')
  4. Push to the Branch (git push origin ruleCategory/DetectionRule)
  5. Open a Pull Request

(back to top)

Contact

SOCFortress - LinkedIn - [email protected]

Let SOCFortress Take Your Open Source SIEM to the Next Level

Banner

(back to top)

Acknowledgments

Security is best when we work together! Huge thank you to those supporting and those future supporters!

About

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!

Resources

Stars

Watchers

Forks

Packages

No packages published