The SOCFortress Team has commited to contributing to the Open Source community. We hope you find these rulesets helpful and robust as you work to keep your networks secure 😅
Have Wazuh deployed and ingesting your logs but looking for some better detection rules? Look no further. The objective for this repo is to provide the Wazuh community with rulesets that are more accurate, descriptive, and enriched from various sources and integrations.
Worlds First Open Source Cloud SOC »
Wazuh Docs
·
FREE FOR LIFE TIER
·
Our Blog
Table of Contents
The objective for this repo is to provide the Wazuh community with rulesets that are more accurate, descriptive, and enriched from various sources and integrations.
Here's why:
- Detection rules can be a tricky business and we believe everyone should have access to a strong and growing ruleset.
- Wazuh serves as a great EDR agent, however the default rulesets are rather laxed (in our opinion). We wanted to start building a strong repo of Wazuh rules for the community to implement themselves and expand upon as new threats arise.
- Cybersecurity is hard enough, let's work together 😄
Below are the current rules and integrations currently contained within this repo. Integrations, such as Office365, Sophos, etc. will have scripts provided within their respective folders for use. Feel free to build upon these scripts and contribute back 😄
- Sysmon for Windows
- Sysmon for Linux
- Office365
- Microsoft Defender
- Sophos
- MISP - Work In Progress
- Osquery
- Yara
- Suricata
- Packetbeat
- Falco
- Modsecurity
- F-Secure
- Domain Stats
- Snyk
- Autoruns
- Sigcheck
- Powershell
- Crowdstrike - WIP
- Tessian - WIP
Feel free to implement all of the rules that are contained within this repo, or pick and choose as you see fit. See our Installation section below for a bash script that can be ran on your Wazuh Manager to quickly put these rules to work!
Wazuh-Manager Version 4.x Required.
Need Assitance? - Hire SOCFortress
You can either manually download the .xml rule files onto your Wazuh Manager or make use of our wazuh_socfortress_rules.sh script
⚠️ USE AT OWN RISK: If you already have custom rules built out, there is a good chance duplicate Rule IDs will exists. This will casue the Wazuh-Manager service to fail! Ensure there are no conflicting Rule IDs and your custom rules are backed up prior to running the wazuh_socfortress_rules.sh script!
- Become Root User
- Run the Script
curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/wazuh_socfortress_rules.sh && bash ~/wazuh_socfortress_rules.sh
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b ruleCategory/DetectionRule
) - Commit your Changes (
git commit -m 'Add some DetectionRules'
) - Push to the Branch (
git push origin ruleCategory/DetectionRule
) - Open a Pull Request
SOCFortress - - [email protected]
Security is best when we work together! Huge thank you to those supporting and those future supporters!