Created
September 10, 2021 13:03
Wazuh Rules
# Wazuh ruleset tests for the "apiuser" decoder and rules 990001-990099.
# Each section feeds one syslog line through the engine and checks the
# rule id, alert level and decoder name it reports back.
# NOTE(review): every sample host and user is an exact allowlist entry;
# a near-miss case (a user or host whose name merely contains an entry,
# e.g. user10 on hostname10) would show whether the rules' host/user
# patterns are matched exactly or as substrings. Confirm before relying
# on the level-0 suppression in rule 990020.
[test1]
# Audited user on an approved host: expected to hit rule 990010 at level 3.
log 1 pass = Sep 6 16:19:35 hostname1 APP: user1;API: User logged in using API
rule = 990010
alert = 3
decoder = apiuser
[test2]
# Known service account on an approved host: rule 990020, level 0 (no alert).
log 1 pass = Sep 6 16:19:35 hostname1 APP: apiuser1;API: User logged in using API
rule = 990020
alert = 0
decoder = apiuser
[test3]
# Neither host nor user is listed anywhere: catch-all rule 990099 at level 10.
log 1 pass = Sep 6 16:19:35 hostname999 APP: eviluser;API: User logged in using API
rule = 990099
alert = 10
decoder = apiuser
<!-- Parent decoder: selects syslog lines whose program name is "APP". -->
<decoder name="app">
  <program_name>APP</program_name>
</decoder>

<!-- Child decoder for the "APP" lines of the form "<user>;API: ...".
     prematch and regex use the same pattern, anchored right after the
     program name (offset="after_parent"); the single capture is exported
     as the "user" field, which the 9900xx rules filter on.
     NOTE(review): the character class [A-Za-z0-9-] excludes "_", "." and
     "@", so a login by such a user is never decoded and therefore never
     reaches the catch-all rule. Confirm the application's username
     charset before relying on this for alerting. -->
<decoder name="apiuser">
  <use_own_name>true</use_own_name>
  <parent>app</parent>
  <prematch type="pcre2" offset="after_parent">^[A-Za-z0-9-]+;API</prematch>
  <regex type="pcre2" offset="after_parent">^([A-Za-z0-9-]+);API</regex>
  <order>user</order>
</decoder>
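<group name="syslog,APP,">
  <!--
    Rules for the "APP" API login events produced by the "apiuser" decoder.
    990001 is a silent parent; 990010, 990020 and 990099 refine it by host
    and user.

    <hostname> and <user> take sregex patterns, which match anywhere in the
    field unless anchored. Every allowlist entry below is therefore written
    as ^name$: an unanchored "apiuser1" would also accept "apiuser10" or
    "myapiuser1" and, through the level-0 rule 990020, silently suppress the
    alert for an account that was never approved.
  -->
  <rule id="990001" level="0" noalert="1">
    <decoded_as>apiuser</decoded_as>
    <!-- Matches both "logged in" and "logged out"; the child rules below
         inherit that, so their descriptions apply to logouts as well. -->
    <match type="pcre2">User logged (in|out)</match>
    <description>User login</description>
    <group>access_control,authentication_success</group>
  </rule>

  <!-- Audited accounts on their approved hosts: visible, low-severity alert. -->
  <rule id="990010" level="3">
    <if_sid>990001</if_sid>
    <hostname>^hostname1$|^hostname2$</hostname>
    <user>^user1$|^user2$</user>
    <description>Audit User login</description>
    <group>access_control,authentication_success</group>
  </rule>

  <!-- Known service accounts on their approved hosts: no alert at all. -->
  <rule id="990020" level="0">
    <if_sid>990001</if_sid>
    <hostname>^hostname1$|^hostname3$</hostname>
    <user>^apiuser1$|^apiuser2$</user>
    <description>Known User login</description>
    <group>access_control,authentication_success</group>
  </rule>

  <!-- Catch-all for every other decoded login: high-severity alert.
       NOTE(review): this rule has no condition of its own, so it only works
       as a fallback if the engine tries the more specific siblings above
       first; confirm that with the ruleset tests (test3 expects 990099,
       test1/test2 expect 990010/990020). -->
  <rule id="990099" level="10">
    <if_sid>990001</if_sid>
    <description>Unauthorized User login</description>
    <group>access_control,authentication_success</group>
  </rule>
</group>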