🛡️ Wazuh Advanced Rules Cheat Sheet &🔍 Threat Hunting with Wazuh Cheat Sheet
🛡️ Wazuh Advanced Rules Cheat Sheet
| Feature | Syntax / File / Command | Purpose |
|---|---|---|
| Custom rules file | `/var/ossec/etc/rules/local_rules.xml` | Where all user-defined rules go; the file is never overwritten by upgrades |
| Restart Wazuh manager | `sudo systemctl restart wazuh-manager` | Apply any rule or decoder change |
| Rule skeleton | `<rule id="100001" level="10">...</rule>` | Use IDs in the 100000-120000 range, which Wazuh reserves for custom rules, so you never collide with shipped rules |
| Rule: SSH brute force | `<rule id="100001" level="10" frequency="5" timeframe="60"><if_matched_sid>5716</if_matched_sid><same_source_ip /></rule>` | Fire when 5 sshd failures (rule 5716) from one source IP land within 60 s; Wazuh already ships rule 5712 for this, so write your own only if you need a different threshold |
| Test rule matching | `sudo /var/ossec/bin/wazuh-logtest` (`ossec-logtest` on older releases) | Paste a log line and see the decoded fields and the rule that fires, without restarting the manager |
| Suppress false positives | A level 0 child rule in `local_rules.xml`, e.g. `<rule id="100010" level="0"><if_sid>5716</if_sid><srcip>10.0.0.5</srcip></rule>` | Wazuh has no separate suppression file: a matching level 0 child replaces the parent's verdict and the event is not alerted. To change a shipped rule instead, redeclare its ID with `overwrite="yes"` |
| Rule grouping | `<group>authentication_failed,</group>` | Comma-separated group names; used for filtering (`rule.groups` in alerts) and for `<if_group>` / `<if_matched_group>` dependencies |
| Alert severity level | `level="0"` (ignored) to `level="15"` (severe attack) | Only rules at or above `<log_alert_level>` in ossec.conf (default 3) become alerts; `<email_alert_level>` defaults to 12 |
| Correlated rules | `<if_matched_sid>` or `<if_matched_group>` with `frequency` / `timeframe`, narrowed by `<same_source_ip />`, `<same_user />` | `<if_sid>` takes one comma-separated list and only chains to a parent on the same event; counting events over time needs the `if_matched_*` family |
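The rows above describe three mechanisms that are easy to confuse: a plain `<if_sid>` child, a level 0 child that suppresses, and an `<if_matched_sid>` rule with `frequency`/`timeframe` and `<same_source_ip />`. The following is an added example written for this page, not Wazuh code: a deliberately simplified model of how analysisd applies those options, driven by a constructed `local_rules.xml` fragment and constructed sshd log lines. Rule 5716 is repeated inside the fragment only so the model is self-contained (on a real manager it ships in the sshd ruleset and must not be redefined), the sample IPs are placeholders, and the real engine has more options and off-by-one subtleties in its counting, so confirm thresholds with `wazuh-logtest` before relying on them.

```python
"""Simplified model of how wazuh-analysisd applies <if_sid>, a level-0 child,
and <if_matched_sid> with frequency/timeframe.  Added example, not Wazuh code."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed rule set in local_rules.xml syntax.  Rule 5716 ships with Wazuh and
# must not be redefined on a real manager; it is repeated only to be self-contained.
LOCAL_RULES_XML = """
<group name="local,syslog,sshd,">
  <rule id="5716" level="5">
    <match>Failed password for</match>
    <description>sshd: authentication failed.</description>
  </rule>
  <rule id="100010" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>Suppress failures from the authorised vulnerability scanner.</description>
  </rule>
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force, 5 failures in 60s from one source.</description>
  </rule>
</group>
"""

# Minimal sshd decoder: extracts srcuser and srcip like the stock decoder does.
SSHD_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def load_rules(xml_text):
    """Parse only the rule options this model understands."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")), "level": int(r.get("level")),
            "frequency": int(r.get("frequency", "0")),
            "timeframe": int(r.get("timeframe", "0")),
            "match": r.findtext("match"), "srcip": r.findtext("srcip"),
            "if_sid": r.findtext("if_sid"),
            "if_matched_sid": r.findtext("if_matched_sid"),
            "same_source_ip": r.find("same_source_ip") is not None,
            "description": r.findtext("description"),
        })
    return rules


def decode(line):
    m = SSHD_RE.search(line)
    return {"srcuser": m.group(1), "srcip": m.group(2)} if m else {}


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        # rule id -> [(timestamp, srcip)] of events that were alerted (level > 0)
        self.matched = defaultdict(list)

    def evaluate(self, ts, line):
        """Return the rule that finally describes this event, or None."""
        fields = decode(line)
        fired = next((r for r in self.rules
                      if not r["if_sid"] and not r["if_matched_sid"]
                      and r["match"] and r["match"] in line), None)
        if fired is None:
            return None
        # <if_sid> children refine the parent's verdict; a level-0 child silences it.
        for child in self.rules:
            if child["if_sid"] == str(fired["id"]) and (
                    child["srcip"] is None or child["srcip"] == fields.get("srcip")):
                fired = child
        if fired["level"] == 0:
            return fired  # suppressed: neither alerted nor counted
        self.matched[fired["id"]].append((ts, fields.get("srcip")))
        # <if_matched_sid> + frequency/timeframe: count earlier alerts of that sid,
        # restricted to the same source when <same_source_ip/> is set.
        for freq in self.rules:
            if freq["if_matched_sid"] != str(fired["id"]):
                continue
            window = [ip for (t, ip) in self.matched[fired["id"]]
                      if ts - t <= freq["timeframe"]
                      and (not freq["same_source_ip"] or ip == fields.get("srcip"))]
            if len(window) >= freq["frequency"]:
                fired = freq
        return fired


def run(entries, rules_xml=LOCAL_RULES_XML):
    """entries: [(unix_ts, raw log line)] -> [(ts, rule id, level)] for alerted events."""
    engine = RuleEngine(load_rules(rules_xml))
    out = []
    for ts, line in entries:
        r = engine.evaluate(ts, line)
        if r and r["level"] > 0:
            out.append((ts, r["id"], r["level"]))
    return out


def fail(ts, user, ip):
    """Constructed sshd log line at a given unix timestamp."""
    return (ts, f"Jan 10 12:00:00 web1 sshd[2212]: Failed password for invalid user "
                f"{user} from {ip} port 40112 ssh2")

# Constructed input: a whitelisted scanner (suppressed), a slow attacker spread
# over 10 minutes (never reaches the threshold) and a real burst from one IP.
SAMPLE = ([fail(t, "root", "10.0.0.5") for t in range(0, 6)] +
          [fail(t, "admin", "198.51.100.9") for t in range(0, 600, 120)] +
          [fail(1000 + t, "root", "203.0.113.7") for t in range(0, 10, 2)])

if __name__ == "__main__":
    for ts, rid, level in run(SAMPLE):
        print(f"t={ts:<5} rule {rid} level {level}")
```

Running it shows the scanner producing nothing, the slow attacker producing five ordinary level 5 alerts from rule 5716, and the burst producing four level 5 alerts followed by one level 10 alert from rule 100001 on the fifth failure. In real Wazuh the frequency rule keeps firing on every further matching event inside the window; the `ignore="<seconds>"` rule attribute is what throttles it.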
🔍 Threat Hunting with Wazuh Cheat Sheet
| Feature | Command / Config / Use | Purpose |
|---|---|---|
| Agent installation | `curl -sO https://packages.wazuh.com/... && sudo bash install.sh` | Install agents on endpoints; the dashboard's "Deploy new agent" wizard generates the full package command with `WAZUH_MANAGER` pre-set |
| Enable audit logs | `<localfile><log_format>audit</log_format>...</localfile>` in the agent's ossec.conf, with `<location>` pointing at the auditd log | Ship process execution, file access and command events; auditd itself must be installed and have watch rules (`auditctl -w` / `-a`) on the endpoint |
| Hunting example (dashboard query) | `rule.id:5716 AND data.srcip:"192.168.1.100"` | Failed SSH logins from one IP; decoded fields live under `data.*` in the alerts index, so a bare `srcip` term matches nothing |
| Common threat indicators | Multiple failed logins; unexpected process starts; file changes under `/etc` (FIM alerts in the `syscheck` group) | Patterns worth pivoting on first |
| Hunting rule with threshold | `<rule id="100002" frequency="3" timeframe="120">...</rule>` | Detect 3 or more matching events in 2 minutes; `frequency` only counts when the rule also carries `<if_matched_sid>` or `<if_matched_group>` |
| Dashboards & filters | Filter by `rule.id`, `rule.groups`, `rule.level`, `agent.name` or `location` | Pinpoint suspicious behaviour fast |
| Wazuh RESTful API | `POST /security/user/authenticate` with HTTP basic auth returns a JWT; then call e.g. `GET /agents` or `GET /syscollector/{agent_id}/processes` with `Authorization: Bearer <token>` | Automate hunting from custom tools; the API listens on TCP 55000 |
| Response automation | Built-in Active Response (`<active-response>` in ossec.conf) or a SOAR integration keyed on alert triggers | Reduce manual incident handling |
| Alert investigation | Enrich with GeoIP, the built-in VirusTotal integration (`<integration><name>virustotal</name>...</integration>`) and AbuseIPDB | Identify malicious actors quickly |
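The API row above only names the login endpoint. The following is an added example written for this page, not Wazuh code or a Wazuh SDK: it performs the login, pulls the syscollector process list for one agent, and applies a simple hunting filter for binaries running out of scratch directories. `MANAGER`, `USER`, `PASSWORD` and agent ID `001` are placeholders, the HTTP transport is injectable so the flow can be exercised offline against constructed responses shaped like the Wazuh 4.x API (`data.token`, `data.affected_items`), and the suspicious-directory list is an assumption you should tune.

```python
"""Wazuh API hunting helper: JWT login, agent process list, scratch-dir filter.
Added example, not Wazuh code.  Constants below are placeholders."""
import base64
import json
import ssl
import urllib.request

MANAGER = "https://wazuh-manager.example:55000"   # assumption: replace (default port 55000)
USER, PASSWORD = "wazuh", "change-me"              # assumption: replace
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumption: tune for your fleet


def _http(method, url, headers=None, body=None, opener=None):
    """Send one JSON request.  `opener` is injectable so the flow runs offline."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    req.add_header("Content-Type", "application/json")
    if opener is None:
        # The manager ships a self-signed certificate: add its CA with
        # ctx.load_verify_locations(...) rather than disabling verification.
        ctx = ssl.create_default_context()
        opener = lambda r: urllib.request.urlopen(r, context=ctx)
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def get_token(base=MANAGER, user=USER, password=PASSWORD, opener=None):
    """POST /security/user/authenticate (basic auth) -> short-lived JWT."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = _http("POST", f"{base}/security/user/authenticate",
                 headers={"Authorization": f"Basic {creds}"}, opener=opener)
    return data["data"]["token"]


def agent_processes(agent_id, token, base=MANAGER, opener=None):
    """GET /syscollector/{agent_id}/processes -> list of process dicts."""
    data = _http("GET", f"{base}/syscollector/{agent_id}/processes?limit=500",
                 headers={"Authorization": f"Bearer {token}"}, opener=opener)
    return data["data"]["affected_items"]


def suspicious_processes(processes):
    """Hunting filter: executables launched from world-writable scratch dirs."""
    return [p for p in processes
            if any(str(p.get("cmd", "")).startswith(d) for d in SUSPICIOUS_DIRS)]


class _CannedResponse:
    """Constructed stand-in for an HTTP response so the flow can run offline."""
    def __init__(self, payload): self.payload = payload
    def read(self): return json.dumps(self.payload).encode()
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def canned_opener(req):
    """Constructed responses in the shape the Wazuh 4.x API returns."""
    if req.full_url.endswith("/security/user/authenticate"):
        assert req.get_method() == "POST"
        assert req.get_header("Authorization").startswith("Basic ")
        return _CannedResponse({"data": {"token": "eyJ.constructed.jwt"}, "error": 0})
    assert req.get_header("Authorization") == "Bearer eyJ.constructed.jwt"
    return _CannedResponse({"data": {"affected_items": [
        {"pid": "812", "name": "sshd", "cmd": "/usr/sbin/sshd", "euser": "root"},
        {"pid": "4410", "name": "kworker", "cmd": "/dev/shm/.x/kworker", "euser": "www-data"},
        {"pid": "4471", "name": "bash", "cmd": "/tmp/.cache/bash", "euser": "www-data"},
    ], "total_affected_items": 3}, "error": 0})


if __name__ == "__main__":
    # Offline run against the constructed responses; drop opener=... for a real manager.
    token = get_token(opener=canned_opener)
    for p in suspicious_processes(agent_processes("001", token, opener=canned_opener)):
        print(f"pid {p['pid']} {p['name']} as {p['euser']}: {p['cmd']}")
```

The JWT the API issues is short-lived (the default lifetime is configurable under the API's security settings), so long-running hunting jobs should re-authenticate on a 401 rather than cache the token. A process named like a kernel thread (`kworker`) but backed by a file under `/dev/shm` is the kind of mismatch this filter is meant to surface; extend it with `euser` checks or a `name` versus `cmd` basename comparison as needed.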