https://github.com/socfortress/Wazuh-Rules

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!

The SOCFortress Team has committed to contributing to the Open Source community. We hope you find these rulesets helpful and robust as you work to keep your networks secure.

Table of Contents

1. About This Repo
   • Supported Rules and Integrations
2. Getting Started
   • Prerequisites
   • Installation
3. Contributing
4. Contact
5. Acknowledgments

The objective for this repo is to provide the Wazuh community with rulesets that are more accurate, descriptive, and enriched from various sources and integrations.

Here's why:

• Detection rules can be a tricky business and we believe everyone should have access to a strong and growing ruleset.
• Wazuh serves as a great EDR agent, however the default rulesets are rather laxed (in our opinion). We wanted to start building a strong repo of Wazuh rules for the community to implement themselves and expand upon as new threats arise.
• Cybersecurity is hard enough, let's work together 😄

(back to top)

Below are the current rules and integrations currently contained within this repo. Integrations, such as Office365, Trend Micro, etc. will have scripts provided within their respective folders for use. Feel free to build upon these scripts and contribute back 😄

• Sysmon for Windows
• Sysmon for Linux
• Office365
• Microsoft Defender
• Sophos
• MISP
• Osquery
• Yara
• Suricata
• Packetbeat
• Falco
• Modsecurity
• F-Secure
• Domain Stats
• Snyk
• Autoruns
• Sigcheck
• Powershell
• Crowdstrike
• Alienvault
• Tessian - WIP

Have an Integration already configured that you'd like to share? Or have an idea for an Integration that you would like help on? Feel free to add it to the Roadmap.

• Feel free to bring ideas 😄

(back to top)

Feel free to implement all of the rules that are contained within this repo, or pick and choose as you see fit. See our Installation section below for a bash script that can be ran on your Wazuh Manager to quickly put these rules to work!

Wazuh-Manager Version 4.x Required.

Wazuh Install Docs

Need Assitance? - Hire SOCFortress

You can either manually download the .xml rule files onto your Wazuh Manager or make use of our wazuh_socfortress_rules.sh script

⚠️ USE AT OWN RISK: If you already have custom rules built out, there is a good chance duplicate Rule IDs will exists. This will casue the Wazuh-Manager service to fail! Ensure there are no conflicting Rule IDs and your custom rules are backed up prior to running the wazuh_socfortress_rules.sh script!

1. Become Root User
2. Run the Script

   curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/wazuh_socfortress_rules.sh && bash ~/wazuh_socfortress_rules.sh

(back to top)

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

1. Fork the Project
2. Create your Feature Branch (git checkout -b ruleCategory/DetectionRule)
3. Commit your Changes (git commit -m 'Add some DetectionRules')
4. Push to the Branch (git push origin ruleCategory/DetectionRule)
5. Open a Pull Request

(back to top)

SOCFortress - - info@socfortress.co

(back to top)

Security is best when we work together! Huge thank you to those supporting and those future supporters!

• Wazuh Team
• Taylor Walton
• Juan Romero