hcornet
506716e703
Some checks failed
Deployment Verification / deploy-and-test (push) Failing after 29s
43 lines
1.2 KiB
XML
43 lines
1.2 KiB
XML
<!-- Local rules -->
|
|
|
|
<!-- Modify it at your will. -->
|
|
<!-- Copyright (C) 2015, Wazuh Inc. -->
|
|
|
|
<!-- Example -->
|
|
<group name="local,syslog,sshd,">
|
|
|
|
<!--
|
|
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
|
|
-->
|
|
<rule id="100001" level="5">
|
|
<if_sid>5716</if_sid>
|
|
<srcip>1.1.1.1</srcip>
|
|
<description>sshd: authentication failed from IP 1.1.1.1.</description>
|
|
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
|
|
</rule>
|
|
|
|
</group>
|
|
|
|
<group name="misp,">
|
|
<rule id="100620" level="10">
|
|
<field name="integration">misp</field>
|
|
<match>misp</match>
|
|
<description>MISP Events</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
<rule id="100621" level="5">
|
|
<if_sid>100620</if_sid>
|
|
<field name="misp.error">\.+</field>
|
|
<description>MISP - Error connecting to API</description>
|
|
<options>no_full_log</options>
|
|
<group>misp_error,</group>
|
|
</rule>
|
|
<rule id="100622" level="12">
|
|
<field name="misp.category">\.+</field>
|
|
<description>MISP - IoC found in Threat Intel - Category: $(misp.category), Attribute: $(misp.value)</description>
|
|
<options>no_full_log</options>
|
|
<group>misp_alert,</group>
|
|
</rule>
|
|
</group>
|
|
|