🛡️ Wazuh Advanced Rules Cheat Sheet & 🔍 Threat Hunting with Wazuh Cheat Sheet

🛡️ Wazuh Advanced Rules Cheat Sheet

| Feature | Syntax / File / Command | Purpose |
|---|---|---|
| Custom rules file | /var/ossec/etc/rules/local_rules.xml | Where all user-defined rules go; files under /var/ossec/etc/ survive upgrades, whereas /var/ossec/ruleset/rules/ is overwritten |
| Restart Wazuh manager | sudo systemctl restart wazuh-manager | Apply any rule change (a malformed local_rules.xml stops wazuh-analysisd from starting, so test first) |
| Rule skeleton | <rule id="100001" level="10">...</rule> | Use IDs in the 100000-120000 range reserved for custom rules so they never collide with built-in rule IDs |
| Rule: SSH brute force | <rule id="100001" level="10" frequency="5" timeframe="60"> <if_matched_sid>5716</if_matched_sid> <same_source_ip /> ... | Detect 5 failed SSH logins (rule 5716, "sshd: authentication failed") from one source IP in 60 s; threshold rules use if_matched_sid, not if_sid, and need a level attribute |
| Test rule matching | sudo /var/ossec/bin/wazuh-logtest (ossec-logtest in releases before Wazuh 4.2) | Paste log lines interactively to see which decoder and rule match, before restarting the manager |
| Suppress false positives | A child rule in local_rules.xml with <if_sid> pointing at the noisy rule, a narrowing condition (srcip, user, hostname) and level="0" | Level 0 rules generate no alert; there is no suppressions.conf in Wazuh, exceptions are ordinary rules |
| Rule grouping | <group>authentication_failures,</group> | Tags the alert (rule.groups) so dashboards, child rules and if_matched_group can filter on it; groups are comma-separated with a trailing comma |
| Alert severity level | level="0" (never alerted) to level="15" (critical) | Controls priority of alerts; alerts are written from level 3 upward by default (<log_alert_level> in ossec.conf) |
| Correlated rules | A comma-separated list in one <if_sid>, e.g. <if_sid>5716,5710</if_sid>, or <if_matched_group> combined with frequency and timeframe | Combine several parent events, or a sequence of events over time, into one higher-level detection |
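The three rule patterns in the table (a level 0 suppression, a frequency/timeframe threshold on rule 5716, and a correlation over the authentication_failed group) as one complete local_rules.xml, followed by a small model of how the manager applies them to a stream of events. This is an added example, not code from the cheat sheet or from the Wazuh project: rule IDs 5716 and 5710 are real Wazuh rules, but the custom IDs 100001-100003, the scanner address 10.0.0.5, the sample events and the RuleEngine class are assumptions made here so the rules can be sanity-checked offline, without a manager.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Complete local_rules.xml for the suppression, threshold and correlation
# entries of the table. 5716 (sshd: authentication failed) and 5710 (sshd:
# non-existent user) are real Wazuh rule IDs; 100001-100003 are the custom
# IDs assumed here and 10.0.0.5 is an assumed internal vulnerability scanner.
LOCAL_RULES_XML = """\
<group name="local,syslog,sshd,">
  <!-- Suppression: a level 0 child rule of 5716 produces no alert. -->
  <rule id="100001" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>sshd: expected failures from the internal scanner</description>
  </rule>
  <!-- Threshold: five 5716 events from one source IP within 60 s.
       frequency/timeframe rules use if_matched_sid, not if_sid. -->
  <rule id="100002" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force, 5 failed passwords from $(srcip)</description>
    <group>authentication_failures,</group>
  </rule>
  <!-- Correlation: three events of any authentication_failed rule
       (5716, 5710, ...) from one source IP within 120 s. -->
  <rule id="100003" level="8" frequency="3" timeframe="120">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>sshd: mixed authentication failures from $(srcip)</description>
    <group>authentication_failures,</group>
  </rule>
</group>
"""

# Level and a subset of the groups of the two real base rules.
BASE_RULES = {5716: (5, {"authentication_failed"}),
              5710: (5, {"authentication_failed", "invalid_login"})}

# Constructed stream of already-decoded events: (seconds, base rule id, srcip).
SAMPLE_EVENTS = [
    (0, 5716, "10.0.0.5"),        # scanner: suppressed by 100001
    (1, 5716, "10.0.0.5"),
    (10, 5716, "203.0.113.9"),    # attacker: 5 failures within 60 s
    (20, 5716, "203.0.113.9"),
    (30, 5710, "203.0.113.9"),    # non-existent user: counts for 100003 only
    (40, 5716, "203.0.113.9"),
    (50, 5716, "203.0.113.9"),
    (55, 5716, "203.0.113.9"),
    (300, 5716, "198.51.100.7"),  # single failure: base alert only
]


class RuleEngine:
    """Simplified model of how analysisd applies these rules (not Wazuh code)."""

    def __init__(self, xml_text):
        self.suppress, self.threshold = [], []
        for node in ET.fromstring(xml_text).iter("rule"):
            rule = {"id": int(node.get("id")), "level": int(node.get("level")),
                    "frequency": int(node.get("frequency", 0)),
                    "timeframe": int(node.get("timeframe", 0))}
            rule.update((c.tag, (c.text or "").strip()) for c in node)
            (self.threshold if rule["frequency"] else self.suppress).append(rule)
        self.history = defaultdict(list)  # (rule id, srcip) -> timestamps

    def process(self, t, sid, srcip):
        """Return [(rule id, level), ...] alerted for one event."""
        level, groups = BASE_RULES[sid]
        # Level 0 child rules drop the event before any counting (assumed
        # ordering for this model).
        for r in self.suppress:
            if r.get("if_sid") == str(sid) and r.get("srcip") in (None, srcip):
                return []
        alerts = [(sid, level)]
        for r in self.threshold:
            want_sid, want_grp = r.get("if_matched_sid"), r.get("if_matched_group")
            if (want_sid and want_sid != str(sid)) or (want_grp and want_grp not in groups):
                continue
            key = (r["id"], srcip if "same_source_ip" in r else None)
            seen = [x for x in self.history[key] if t - x < r["timeframe"]] + [t]
            if len(seen) >= r["frequency"]:
                alerts.append((r["id"], r["level"]))
                seen = []  # the counter restarts once the rule has fired
            self.history[key] = seen
        return alerts


def alerts_for(events=SAMPLE_EVENTS):
    """Run the sample events through the rules: [(t, srcip, alerts), ...]."""
    engine = RuleEngine(LOCAL_RULES_XML)
    return [(t, ip, engine.process(t, sid, ip)) for t, sid, ip in events]


if __name__ == "__main__":
    for t, ip, fired in alerts_for():
        print(f"t={t:4d} {ip:15} -> {fired or 'suppressed'}")
```

The scanner's failures never count toward 100002 or 100003 because the level 0 rule removes them first; the attacker trips the correlation rule at the third failure (one of them a non-existent user) and the brute-force rule at the fifth. Before relying on the real rules, paste the same sshd lines into wazuh-logtest and confirm 5716/5710 are what the decoder assigns on your version.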

πŸ” Threat Hunting with Wazuh Cheat Sheet

| Feature | Command / Config / Use | Purpose |
|---|---|---|
| Agent installation | curl -sO https://packages.wazuh.com/... && sudo bash install.sh | Install agents on endpoints; set WAZUH_MANAGER="<manager-ip>" in the environment when installing the official package so the agent enrolls without editing ossec.conf |
| Enable audit logs | <localfile><log_format>audit</log_format>...</localfile> in the agent's ossec.conf | Ship auditd events (process execution, file access, commands) from /var/log/audit/audit.log to the manager |
| Hunting example (dashboard query) | rule.id:5716 and data.srcip:"192.168.1.100" | Find failed SSH logins from a specific IP; decoded fields live under data.* (Lucene syntax: rule.id:5716 AND data.srcip:"192.168.1.100") |
| Common threat indicators | Multiple failed logins (rule.groups: authentication_failed); unexpected process starts (auditd execve events); file changes in /etc (syscheck, rules 550/553/554) | Real-world threat patterns to pivot on |
| Hunting rule with threshold | <rule id="100002" frequency="3" timeframe="120">...</rule> | Detect 3 or more matching events in 2 minutes; pair with if_matched_sid or if_matched_group and, usually, <same_source_ip /> |
| Dashboards & filters | Filter on rule.id, location, rule.groups, rule.level or agent.name | Pinpoint suspicious behaviour fast |
| Wazuh RESTful API | POST /security/user/authenticate with basic auth returns a JWT (older 4.x releases used GET); then e.g. GET /agents or GET /syscollector/{agent_id}/processes with Authorization: Bearer <token> on port 55000 | Automate hunting from custom tools |
| Response automation | Active response (<active-response> in ossec.conf, e.g. firewall-drop) or a script/SOAR hook triggered through <integration> on matching rule IDs, groups or levels | Reduce manual incident handling |
| Alert investigation | Enrich with GeoIP (the GeoLocation field added by the indexer pipeline), the built-in VirusTotal integration (<integration><name>virustotal</name>...) and AbuseIPDB via a custom integration script | Identify malicious actors quickly |
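The hunts in this table (the rule.id and data.srcip query, the three indicators, and the rule.groups / agent.name pivots) run over the JSON alerts the manager writes to /var/ossec/logs/alerts/alerts.json. This is an added example, not code from the cheat sheet or the Wazuh project: the alert documents are constructed here in the shape of that file, rule IDs 5716, 550 and 554 are real, but rule 100010, the agent names, addresses and the data.audit.* field names are assumptions, and matches() implements only a tiny subset of the dashboard query syntax.

```python
import json
from collections import Counter

# Constructed alerts in the one-document-per-line shape of alerts.json.
# 5716 (sshd authentication failed), 550 (syscheck: checksum changed) and
# 554 (syscheck: file added) are real rule IDs; 100010 is an assumed custom
# auditd rule, and hosts, IPs and the audit field names are assumptions.
ALERTS_JSON = r"""
{"timestamp":"2024-05-01T10:00:01.000+0000","rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01"},"location":"/var/log/auth.log","data":{"srcip":"192.168.1.100","srcuser":"root"}}
{"timestamp":"2024-05-01T10:00:03.000+0000","rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01"},"location":"/var/log/auth.log","data":{"srcip":"192.168.1.100","srcuser":"admin"}}
{"timestamp":"2024-05-01T10:00:09.000+0000","rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db01"},"location":"/var/log/auth.log","data":{"srcip":"10.0.0.8","srcuser":"backup"}}
{"timestamp":"2024-05-01T10:01:00.000+0000","rule":{"id":"550","level":7,"groups":["ossec","syscheck"]},"agent":{"id":"001","name":"web01"},"location":"syscheck","syscheck":{"path":"/etc/passwd","event":"modified"}}
{"timestamp":"2024-05-01T10:01:30.000+0000","rule":{"id":"554","level":5,"groups":["ossec","syscheck"]},"agent":{"id":"002","name":"db01"},"location":"syscheck","syscheck":{"path":"/tmp/x","event":"added"}}
{"timestamp":"2024-05-01T10:02:00.000+0000","rule":{"id":"100010","level":6,"groups":["audit","local"]},"agent":{"id":"001","name":"web01"},"location":"/var/log/audit/audit.log","data":{"audit":{"exe":"/tmp/.x/nc","command":"nc","auid":"1000"}}}
"""


def load_alerts(text=ALERTS_JSON):
    """Parse alerts.json content: one JSON document per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_field(doc, dotted):
    """Resolve a dashboard field name such as data.srcip or rule.groups."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def term_matches(actual, value):
    """One value against a query term; a trailing * means prefix match."""
    actual = str(actual)
    return actual.startswith(value[:-1]) if value.endswith("*") else actual == value


def matches(doc, query):
    """Tiny KQL-like subset (an assumed simplification of the dashboard
    syntax): field:value terms joined by ' and ', optional double quotes,
    and list fields such as rule.groups match when any element matches."""
    for term in query.split(" and "):
        field, _, value = term.partition(":")
        value = value.strip().strip('"')
        actual = get_field(doc, field.strip())
        candidates = actual if isinstance(actual, list) else [actual]
        if actual is None or not any(term_matches(v, value) for v in candidates):
            return False
    return True


HUNTS = {  # the table's example query plus its three indicators
    "failed ssh logins from 192.168.1.100": 'rule.id:5716 and data.srcip:"192.168.1.100"',
    "authentication failures": "rule.groups:authentication_failed",
    "processes started from /tmp": "rule.groups:audit and data.audit.exe:/tmp/*",
    "file changes under /etc": "rule.groups:syscheck and syscheck.path:/etc/*",
}


def run_hunts(alerts, hunts=HUNTS):
    """Return {hunt name: [matching alert documents]}."""
    return {name: [a for a in alerts if matches(a, q)] for name, q in hunts.items()}


def pivot(alerts, field):
    """Dashboard-style count of alerts per value of a field (agent.name, data.srcip, ...)."""
    return Counter(str(get_field(a, field)) for a in alerts)


if __name__ == "__main__":
    alerts = load_alerts()
    results = run_hunts(alerts)
    for name, hits in results.items():
        print(f"{name}: {len(hits)} alert(s) on", sorted({a["agent"]["name"] for a in hits}))
    print("failed logins per source:", dict(pivot(results["authentication failures"], "data.srcip")))
    print("alerts per agent:", dict(pivot(alerts, "agent.name")))
```

The pivot on data.srcip is what turns "authentication failures" into the "multiple failed logins" indicator: a source with a count of one is noise, a source with many is a hunt lead worth enriching with GeoIP or AbuseIPDB. The same queries, with `and` written as `AND`, work in the Lucene mode of the dashboard.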
