This repository contains a collection of custom Wazuh rulesets and decoders for various technologies to help security professionals enhance their monitoring capabilities. These rulesets are designed to work with Wazuh, an open source security monitoring solution.
This repository includes rulesets and decoders for the following technologies:
| Technology | Description | Documentation |
|---|---|---|
| WithSecure | Advanced endpoint protection solutions | WithSecure README |
| Microsoft Defender | Microsoft's built-in antivirus and security solution | Defender README |
| Darktrace | Enterprise Immune System for network detection and response | Darktrace README |
| Kaspersky | Endpoint security and antivirus solutions | Kaspersky README |
| Synology | Network-attached storage devices | Synology README |
| SMTP/Email | Email server monitoring with Outlook integration | SMTP README |
| Installation Scripts | Deployment scripts for Wazuh agents | Scripts README |
```
wazuh-stuff/
├── withsecure/          # WithSecure integration
│   ├── decoders/        # Decoders for WithSecure logs
│   ├── rules/           # Alert rules for WithSecure events
│   ├── scripts/         # Integration scripts for WithSecure
│   └── docs/            # Documentation for WithSecure integration
├── defender/            # Microsoft Defender integration
│   ├── decoders/        # Decoders for Defender logs
│   ├── rules/           # Alert rules for Defender events
│   └── docs/            # Documentation for Defender integration
├── darktrace/           # Darktrace integration
├── kaspersky/           # Kaspersky integration
├── synology/            # Synology integration
├── smtp/                # SMTP monitoring integration
└── scripts/             # General installation and configuration scripts
```
- Clone this repository:

  ```bash
  git clone https://github.com/fredycibersec/wazuh-stuff.git
  ```

- Change into the repository directory:

  ```bash
  cd wazuh-stuff
  ```

- Choose the technology you want to implement and follow the instructions in its README.
To install the WithSecure integration:

```bash
# Copy decoders
sudo cp withsecure/decoders/withsecure_decoders.xml /var/ossec/etc/decoders/
# Copy rules
sudo cp withsecure/rules/withsecure_rules.xml /var/ossec/etc/rules/
# Restart Wazuh Manager
sudo systemctl restart wazuh-manager
```

A malformed rule or decoder file keeps wazuh-manager from starting, so after the restart confirm the service is up (`sudo systemctl status wazuh-manager`; the load error, if any, is written to `/var/ossec/logs/ossec.log`) and run a sample event through `/var/ossec/bin/wazuh-logtest` to verify that the new decoder and rules actually match it.

Contributions to improve existing rulesets or add new technologies are welcome! Please follow these steps:
- Fork the repository
- Create a new branch for your changes:

  ```bash
  git checkout -b feature/new-technology-integration
  ```

- Make your changes following the same directory structure and style as the existing integrations
- Test your changes thoroughly: load them on a test manager and confirm with `wazuh-logtest` that sample events decode and alert as intended
- Submit a pull request with a clear description of your changes
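Both the install step (restart the manager after copying files) and the contribution step (test before submitting) benefit from a quick lint of the XML before it ever reaches `/var/ossec/etc/`. The script below is an added example, not code from this repository or from Wazuh: it parses a rules file and a decoders file and reports the mistakes that most often stop the manager from loading them. It assumes Wazuh's conventions that user-defined rule IDs live in 100000-119999, alert levels run 0-16, every `<decoded_as>` must name a shipped decoder, and an `<if_sid>` in the custom range must name a shipped rule. The embedded decoder and rule XML for a hypothetical "sample-av" product is constructed for illustration and is not the repository's real WithSecure content.

```python
"""Pre-flight lint for custom Wazuh decoder and rule files (added example,
not part of wazuh-stuff). Flags the errors that typically stop wazuh-manager
from starting after custom files are copied into /var/ossec/etc/."""
import re
import sys
import xml.etree.ElementTree as ET

# Wazuh reserves this ID range for user-defined rules; alert levels run 0-16.
CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 119999
MAX_LEVEL = 16


def parse_fragments(text):
    # A Wazuh rules/decoders file may hold several top-level elements
    # (<group>, <decoder>, ...), so wrap it in a synthetic root to parse it.
    return ET.fromstring("<root>" + text + "</root>")


def lint_ruleset(rules_xml, decoders_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    decoders = parse_fragments(decoders_xml)
    rules = parse_fragments(rules_xml)

    decoder_names = {d.get("name") for d in decoders.iter("decoder") if d.get("name")}
    for dec in decoders.iter("decoder"):
        if not dec.get("name"):
            findings.append("decoder without a name attribute")
        parent = (dec.findtext("parent") or "").strip()
        if parent and parent not in decoder_names:  # child decoders chain to a parent
            findings.append(f"decoder {dec.get('name')!r}: unknown parent decoder {parent!r}")

    rule_elems = list(rules.iter("rule"))
    seen_ids = set()
    for rule in rule_elems:
        rid, level = rule.get("id"), rule.get("level")
        if rid is None or not rid.isdigit():
            findings.append(f"rule with missing or non-numeric id: {rid!r}")
            continue
        if not CUSTOM_ID_MIN <= int(rid) <= CUSTOM_ID_MAX:
            findings.append(f"rule {rid}: id outside custom range {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
        if int(rid) in seen_ids:
            findings.append(f"rule {rid}: duplicate id")
        seen_ids.add(int(rid))
        if level is None or not level.isdigit() or int(level) > MAX_LEVEL:
            findings.append(f"rule {rid}: level must be 0-{MAX_LEVEL}, got {level!r}")
        if rule.find("description") is None:
            findings.append(f"rule {rid}: missing <description>")

    # Cross-references. <if_sid> values below the custom range are assumed to
    # be Wazuh's own built-in rules and are not checked here.
    for rule in rule_elems:
        rid = rule.get("id")
        for tag in rule.findall("decoded_as"):
            name = (tag.text or "").strip()
            if name not in decoder_names:
                findings.append(f"rule {rid}: decoded_as {name!r} is not defined in the decoders file")
        for tag in rule.findall("if_sid"):
            for ref in re.split(r"[,\s]+", (tag.text or "").strip()):
                if ref.isdigit() and int(ref) >= CUSTOM_ID_MIN and int(ref) not in seen_ids:
                    findings.append(f"rule {rid}: if_sid {ref} refers to an undefined custom rule")
    return findings


# Constructed sample content for a hypothetical "sample-av" product; this is
# NOT the repository's real WithSecure decoder or rule set.
DECODERS_OK = r"""
<decoder name="sample-av">
  <prematch>^SampleAV: </prematch>
</decoder>
<decoder name="sample-av-fields">
  <parent>sample-av</parent>
  <regex offset="after_parent">action=(\S+) host=(\S+)</regex>
  <order>action, host</order>
</decoder>
"""
RULES_OK = """
<group name="sample-av,">
  <rule id="100100" level="3">
    <decoded_as>sample-av</decoded_as>
    <description>SampleAV event received</description>
  </rule>
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="action">^blocked$</field>
    <description>SampleAV blocked a threat</description>
  </rule>
</group>
"""
RULES_BAD = """
<group name="sample-av,">
  <rule id="100100" level="3"><decoded_as>sample-av</decoded_as><description>fine</description></rule>
  <rule id="100100" level="20"><decoded_as>no-such-decoder</decoded_as><description>dup id, bad level</description></rule>
  <rule id="5000" level="5"><if_sid>100999</if_sid><description>bad range, dangling if_sid</description></rule>
</group>
"""

if __name__ == "__main__":
    # Usage: python3 lint_ruleset.py <rules.xml> <decoders.xml>; no args runs the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as r, open(sys.argv[2], encoding="utf-8") as d:
            problems = lint_ruleset(r.read(), d.read())
    else:
        problems = lint_ruleset(RULES_BAD, DECODERS_OK)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it against `withsecure/rules/withsecure_rules.xml` and `withsecure/decoders/withsecure_decoders.xml` before the `cp` and restart; a non-zero exit means the manager would most likely refuse the files. It deliberately checks only structure and cross-references, so a clean result still needs a `wazuh-logtest` pass to prove the regexes match real events.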
This project is licensed under the MIT License - see the LICENSE file for details.
- Wazuh Team for creating an amazing open source security monitoring solution
- All contributors who have helped improve and expand this collection
Made with ❤️ by SaruMan
