Wazuh Advanced Rules & Threat Hunting with Wazuh

1️⃣ Wazuh Advanced Rules 


Why Customize Wazuh Rules?

Wazuh’s default rules catch many threats, but customizing rules helps:

  • Detect threats unique to your environment

  • Reduce false positives

  • Prioritize critical alerts

  • Create alert correlations


Step 1: Understand Wazuh Rules Structure

  • Custom Wazuh rules are XML files in /var/ossec/etc/rules/; the shipped ruleset lives under /var/ossec/ruleset/rules/ and is replaced on every upgrade

  • The main custom file is local_rules.xml; put your rules there so updates don't overwrite them

  • Rules define conditions (matching logs), an alert level (severity), and alert grouping


Step 2: Identify What to Monitor

Example use case: Detect multiple failed SSH login attempts over a short time.


Step 3: Write a Custom Rule

Open /var/ossec/etc/rules/local_rules.xml with your editor:

sudo nano /var/ossec/etc/rules/local_rules.xml

Add this rule inside a <group name="..."> block in local_rules.xml (the file ships with one; Wazuh requires every rule to sit inside a <group> element):

<group name="local,sshd,">
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid> <!-- sshd: authentication failed (default ruleset) -->
    <same_source_ip />
    <description>Multiple failed SSH login attempts detected</description>
    <group>authentication_failures,ssh,</group>
  </rule>
</group>

Explanation:

  • id="100001" is your custom unique ID (use 100000 to 120000, the range Wazuh reserves for custom rules, to avoid conflicts)

  • level="10" sets alert severity

  • frequency="5" + timeframe="60" means 5 times in 60 seconds triggers alert

  • <if_matched_sid>5716</if_matched_sid> counts earlier matches of the default Wazuh rule for SSH failed login; a frequency/timeframe rule needs if_matched_sid (or if_matched_group), not if_sid, for the counter to apply

  • <same_source_ip /> counts only failures coming from the same address, so scattered failures from many hosts do not add up to one alert

  • group helps filter alerts in the dashboard (comma-separated, with a trailing comma as in the shipped rules)
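Before restarting the manager it pays to check the file for the mistakes that bite most often: ids outside the custom range, duplicate ids, attributes Wazuh does not define, nested <rule> elements, and frequency/timeframe rules that lack an if_matched_* condition. The script below is an added example, not code from Wazuh or from this guide; it uses only the Python standard library, and the sample XML it lints is constructed for the demonstration (one correct rule and one deliberately broken one).

```python
"""Lint a Wazuh local_rules.xml before restarting the manager.

Added example, not code from Wazuh or this guide. Uses only the standard library.
Findings: rule ids outside the custom range (100000-120000), duplicate ids,
attributes Wazuh does not define on <rule>, nested <rule> elements, rules placed
outside a <group> wrapper, frequency/timeframe rules without an if_matched_*
condition, and rules without a <description>. The sample XML is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# The attributes Wazuh defines for <rule>; anything else is a typo or invalid.
RULE_ATTRS = {"id", "level", "maxsize", "frequency", "timeframe", "ignore", "overwrite", "noalert"}
# Custom rules must stay in this id range so they cannot collide with the shipped ruleset.
CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000
# A composite (frequency/timeframe) rule needs one of these to count earlier matches.
MATCHED_TAGS = ("if_matched_sid", "if_matched_group", "if_matched_regex")


def lint_rules(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file passed every check."""
    findings: list[str] = []
    seen_ids: set[int] = set()
    # A rules file may hold several <group> blocks, so parse it under a throwaway root.
    root = ET.fromstring(f"<root>{xml_text}</root>")

    stray = root.findall("./rule")  # rules not wrapped in <group name="...">
    if stray:
        findings.append(f"{len(stray)} rule(s) are outside a <group name=\"...\"> wrapper")

    for rule in root.findall("./group/rule") + stray:
        rid = rule.get("id", "")
        label = f"rule {rid or '<no id>'}"

        if not rid.isdigit():
            findings.append(f"{label}: missing or non-numeric id")
        else:
            num = int(rid)
            if not CUSTOM_ID_MIN <= num <= CUSTOM_ID_MAX:
                findings.append(f"{label}: id outside the custom range {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
            if num in seen_ids:
                findings.append(f"{label}: duplicate id")
            seen_ids.add(num)

        unknown = sorted(set(rule.attrib) - RULE_ATTRS)
        if unknown:
            findings.append(f"{label}: unknown attribute(s) {unknown}")

        if rule.find("rule") is not None:
            findings.append(f"{label}: nested <rule> is not allowed; chain rules with if_sid/if_matched_sid")

        composite = "frequency" in rule.attrib or "timeframe" in rule.attrib
        if composite and not any(rule.find(tag) is not None for tag in MATCHED_TAGS):
            findings.append(f"{label}: frequency/timeframe needs if_matched_sid, if_matched_group or if_matched_regex")

        if rule.find("description") is None:
            findings.append(f"{label}: missing <description>")

    return findings


# Constructed sample: the rule from this guide, plus one deliberately broken rule.
SAMPLE_LOCAL_RULES = """
<group name="local,sshd,">
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed SSH login attempts detected</description>
    <group>authentication_failures,ssh,</group>
  </rule>
  <rule id="5716" level="10" frequency="5" repeat="5">
    <if_sid>5716</if_sid>
    <rule><if_sid>100001</if_sid></rule>
  </rule>
</group>
"""

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_LOCAL_RULES) or ["no findings"]:
        print(finding)
```

Point it at the real file with `lint_rules(open("/var/ossec/etc/rules/local_rules.xml").read())`; the broken sample rule above produces five findings, the correct one none.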


Step 4: Test Your Rule

  1. Use the ossec-logtest tool to simulate logs (on Wazuh 4.2 and later the tool is /var/ossec/bin/wazuh-logtest):

sudo /var/ossec/bin/ossec-logtest

  2. Paste a sample SSH failed login log line (you can find real examples in /var/log/auth.log):

Aug  4 12:34:56 server sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 12345 ssh2

  3. If a rule matches, the tool shows the decoded fields and the alert details. A single line matches the default rule 5716; rule 100001 only fires after five such lines inside its 60-second timeframe, so paste the line repeatedly, or confirm the rule against live traffic, before relying on it.


Step 5: Reload Wazuh Manager

After saving the rules, restart the manager to apply them:

sudo systemctl restart wazuh-manager

Step 6: Monitor & Tune

  • View alerts in the dashboard

  • Adjust level, frequency, or timeframe for tuning

  • Suppress false positives with a suppression rule: in Wazuh that is a child rule at level 0 that matches the benign event


Step 7: Create Correlation Rules (Optional)

Wazuh rules do not nest; instead you chain them, so that a rule fires only after another rule has matched. Use <if_sid> to build on the rule that just fired and <if_matched_sid> to count earlier matches within a timeframe. For example, the rule below fires only when rule 100001 (five matches of 5716 within 60 seconds) has just fired and the source is a specific address:

<rule id="100002" level="12">
  <if_sid>100001</if_sid> <!-- your previous custom rule, built on SSH failed login (5716) -->
  <srcip>192.168.1.100</srcip>
  <description>Potential brute force attack from single IP</description>
  <group>bruteforce,ssh,</group>
</rule>

2️⃣ Threat Hunting with Wazuh 


What Is Threat Hunting?

Threat hunting is proactively searching your logs for signs of hidden compromise that automated alerts might miss.


Step 1: Set Up Wazuh Agents with Rich Logging

  • Deploy agents on all critical systems

  • Enable modules like Auditd, Sysmon (Windows), and File Integrity Monitoring

Example: collect the auditd log in the agent's ossec.conf (auditd itself must be installed and running on the host):

<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>

Step 2: Use Wazuh Dashboard’s Search & Query Features

  • Use Kibana or Wazuh dashboard to query logs with filters

  • Example: find failed SSH login attempts from one IP (the decoded source address is indexed as data.srcip):

rule.id:5716 AND data.srcip:"192.168.1.100"

  • Save common hunting queries as dashboard filters for reuse.


Step 3: Hunt for Indicators of Compromise (IOC)

Examples of IOCs:

  • Multiple failed logins in short time (brute force)

  • Creation of new user accounts

  • Addition of SSH keys to authorized_keys

  • Unexpected new system services or processes

  • File changes in /etc/ or /usr/bin

  • Outbound connections to suspicious IPs or domains


Step 4: Write Hunting Queries & Alerts

Example: detect new SSH keys added. This needs the agent's File Integrity Monitoring to cover the .ssh directories; FIM alerts carry the file under syscheck.path and the change type under syscheck.event:

syscheck.path:*authorized_keys AND syscheck.event:added

Wazuh's FIM rules already alert on an added file; set a custom rule on top of them if you want this path to alert at a higher level.
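The two dashboard queries from Step 2 and Step 4 can be rehearsed offline, because the manager writes every alert as one JSON object per line to /var/ossec/logs/alerts/alerts.json with the same field layout the dashboard indexes (rule.id, data.srcip, syscheck.path, syscheck.event). The script below is an added example, not code from Wazuh or from this guide; the alert records it searches are constructed to mirror that layout, and the `hunt()` helper generalizes the two queries to any dotted field path with `*` wildcards.

```python
"""Run hunting queries over Wazuh alerts.json records offline.

Added example, not code from Wazuh or this guide. Each alerts.json line is one
JSON alert; the dashboard queries map onto dotted paths into that object:
  rule.id:5716 AND data.srcip:"192.168.1.100"
  syscheck.path:*authorized_keys AND syscheck.event:added
The records below are constructed for the demo and hold only the fields needed.
"""
from __future__ import annotations

import json
from fnmatch import fnmatchcase

SAMPLE_ALERTS = [  # constructed records in the shape of alerts.json
    {"timestamp": "2024-08-04T12:34:56.000+0000",
     "rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed.",
              "groups": ["syslog", "sshd", "authentication_failed"]},
     "agent": {"id": "001", "name": "server"},
     "data": {"srcip": "192.168.1.100", "srcuser": "admin"}},
    {"timestamp": "2024-08-04T12:36:00.000+0000",
     "rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed.",
              "groups": ["syslog", "sshd", "authentication_failed"]},
     "agent": {"id": "001", "name": "server"},
     "data": {"srcip": "10.0.0.7", "srcuser": "alice"}},
    {"timestamp": "2024-08-04T12:35:30.000+0000",
     "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success.",
              "groups": ["syslog", "sshd", "authentication_success"]},
     "agent": {"id": "001", "name": "server"},
     "data": {"srcip": "192.168.1.100", "dstuser": "deploy"}},
    {"timestamp": "2024-08-04T12:40:10.000+0000",
     "rule": {"id": "554", "level": 5, "description": "File added to the system.",
              "groups": ["ossec", "syscheck"]},
     "agent": {"id": "001", "name": "server"},
     "syscheck": {"path": "/home/deploy/.ssh/authorized_keys", "event": "added"}},
    {"timestamp": "2024-08-04T12:41:00.000+0000",
     "rule": {"id": "554", "level": 5, "description": "File added to the system.",
              "groups": ["ossec", "syscheck"]},
     "agent": {"id": "001", "name": "server"},
     "syscheck": {"path": "/tmp/build.log", "event": "added"}},
    {"timestamp": "2024-08-04T12:42:00.000+0000",
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
              "groups": ["ossec", "syscheck"]},
     "agent": {"id": "001", "name": "server"},
     "syscheck": {"path": "/etc/passwd", "event": "modified"}},
]
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(alert) for alert in SAMPLE_ALERTS)


def get_path(doc: dict, path: str):
    """Follow a dotted path such as 'data.srcip' into a nested alert; None if absent."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(doc: dict, criteria: dict[str, str]) -> bool:
    """Every criterion must match; '*' and '?' in a value are wildcards, as in the query bar."""
    for path, want in criteria.items():
        got = get_path(doc, path)
        if got is None or not fnmatchcase(str(got), want):
            return False
    return True


def hunt(alerts_json: str, criteria: dict[str, str]) -> list[dict]:
    """Return the alert records (one JSON object per line) that satisfy all criteria."""
    hits = []
    for line in alerts_json.splitlines():
        if line.strip():
            doc = json.loads(line)
            if matches(doc, criteria):
                hits.append(doc)
    return hits


def failed_logins_from(alerts_json: str, ip: str) -> list[dict]:
    """rule.id:5716 AND data.srcip:"<ip>" (the Step 2 query)."""
    return hunt(alerts_json, {"rule.id": "5716", "data.srcip": ip})


def new_authorized_keys(alerts_json: str) -> list[dict]:
    """syscheck.path:*authorized_keys AND syscheck.event:added (the Step 4 query)."""
    return hunt(alerts_json, {"syscheck.path": "*authorized_keys", "syscheck.event": "added"})


if __name__ == "__main__":
    for hit in failed_logins_from(SAMPLE_ALERTS_JSON, "192.168.1.100") + new_authorized_keys(SAMPLE_ALERTS_JSON):
        print(hit["timestamp"], hit["rule"]["id"], hit["rule"]["description"])
```

Against a real file, read it with `open("/var/ossec/logs/alerts/alerts.json").read()` and pass the text to the same functions; the dotted paths are the same names you would type into the dashboard.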


Step 5: Automate Hunting with Custom Rules

Create a rule that fires when a successful SSH login follows repeated failures from the same IP. The current event is matched with <if_sid> (rule 5715, sshd: authentication success) and the earlier failures are counted with <if_matched_sid> (rule 5716); groups go in the <group> element, not in a rule attribute:

<rule id="100010" level="12" frequency="3" timeframe="120">
  <if_sid>5715</if_sid> <!-- sshd: authentication success (the event that fires the rule) -->
  <if_matched_sid>5716</if_matched_sid> <!-- preceded by failed logins within the timeframe -->
  <same_source_ip />
  <description>Suspicious login pattern detected</description>
  <group>threat_hunting,authentication_success,</group>
</rule>
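To see which log line would fire rule 100001 from Step 3 of the first part (N failures from one IP inside a window) and rule 100010 above (a success preceded by failures from the same IP), the following added example re-implements that counting in plain Python over constructed sshd log lines. It is not code from Wazuh or from this guide, and it assumes the simplest reading of frequency/timeframe (the Nth failure inside the window fires the rule) rather than reproducing the manager's exact counter; the log lines use the syslog format shown in Step 4, which carries no year, so timing is relative.

```python
"""Simulate Wazuh frequency/timeframe correlation over sshd log lines.

Added example, not code from Wazuh or this guide. It re-implements the counting
behind rule 100001 (N failures from one IP within T seconds) and rule 100010
(a successful login preceded by failures from the same IP). Assumption: the Nth
failure inside the window fires the rule; the manager's own counter is not
reproduced. The log lines are constructed in the syslog format sshd emits.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Matches "Mon D HH:MM:SS host sshd[pid]: Failed password for [invalid user] NAME from IP ..."
# and the "Accepted password|publickey for NAME from IP ..." success form.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class Event:
    time: datetime
    ip: str
    failed: bool


@dataclass
class Alert:
    rule_id: str
    time: datetime
    srcip: str


def parse_sshd(lines: list[str]) -> list[Event]:
    """Decode the lines the regex understands (others are skipped) and sort them by time."""
    events = []
    for line in lines:
        match = SSHD_RE.match(" ".join(line.split()))  # syslog pads single-digit days with two spaces
        if match:
            when = datetime.strptime(match["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
            events.append(Event(when, match["ip"], match["outcome"].startswith("Failed")))
    return sorted(events, key=lambda e: e.time)


def correlate(lines: list[str], fail_threshold: int = 5, fail_window: int = 60,
              success_failures: int = 3, success_window: int = 120) -> list[Alert]:
    """Replay the log and return the alerts rule 100001 and rule 100010 would raise."""
    alerts: list[Alert] = []
    failures: dict[str, deque] = defaultdict(deque)  # ip -> timestamps of recent failures
    keep = max(fail_window, success_window)
    for ev in parse_sshd(lines):
        recent = failures[ev.ip]
        while recent and (ev.time - recent[0]).total_seconds() > keep:
            recent.popleft()  # forget failures older than both windows (timeframe expiry)
        if ev.failed:
            recent.append(ev.time)
            in_window = sum(1 for t in recent if (ev.time - t).total_seconds() <= fail_window)
            if in_window == fail_threshold:  # rule 100001: frequency reached inside timeframe, same_source_ip
                alerts.append(Alert("100001", ev.time, ev.ip))
        else:
            in_window = sum(1 for t in recent if (ev.time - t).total_seconds() <= success_window)
            if in_window >= success_failures:  # rule 100010: success after failures from the same IP
                alerts.append(Alert("100010", ev.time, ev.ip))
    return alerts


SAMPLE_AUTH_LOG = [  # constructed lines; 192.168.1.100 is the address used throughout this guide
    "Aug  4 12:34:56 server sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 12345 ssh2",
    "Aug  4 12:35:01 server sshd[12346]: Failed password for invalid user admin from 192.168.1.100 port 12346 ssh2",
    "Aug  4 12:35:07 server sshd[12347]: Failed password for root from 192.168.1.100 port 12347 ssh2",
    "Aug  4 12:35:12 server sshd[12348]: Failed password for root from 192.168.1.100 port 12348 ssh2",
    "Aug  4 12:35:20 server sshd[12349]: Failed password for deploy from 192.168.1.100 port 12349 ssh2",
    "Aug  4 12:35:30 server sshd[12350]: Accepted password for deploy from 192.168.1.100 port 12350 ssh2",
    "Aug  4 12:36:00 server sshd[12351]: Failed password for alice from 10.0.0.7 port 40000 ssh2",
    "Aug  4 12:36:10 server sshd[12352]: Accepted publickey for alice from 10.0.0.7 port 40001 ssh2: RSA SHA256:constructed",
    "Aug  4 12:45:00 server sshd[12353]: Failed password for root from 192.168.1.100 port 12353 ssh2",
    "Aug  4 12:45:05 server sshd[12354]: pam_unix(sshd:auth): authentication failure; logname= uid=0",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUTH_LOG):
        print(alert.time.strftime("%H:%M:%S"), "rule", alert.rule_id, "srcip", alert.srcip)
```

On the sample, the fifth failure at 12:35:20 fires 100001 and the success ten seconds later fires 100010, while the single failure from 10.0.0.7 and the lone failure at 12:45:00 (outside both windows) fire nothing; raising `fail_threshold` to 6 silences 100001 but leaves 100010, which is the kind of tuning Step 6 of the first part asks for.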

Step 6: Investigate Alerts & Take Action

  • Use alert data to pivot to other logs and systems

  • Combine with threat intelligence to enrich investigations

  • Use response automation (scripts or SOAR tools)


Step 7: Continuous Hunting Cycle

  • Regularly update hunting queries based on latest TTPs (tactics, techniques, procedures)

  • Share findings with your SOC team

  • Refine rules and dashboards


Bonus Tips

  • Integrate Wazuh with external threat intel (MISP, OpenCTI)

  • Use Wazuh API to build custom hunting dashboards

  • Train SOC analysts to read logs and use query language effectively


