Wazuh Custom Rule Creation
Custom Rule Creation in Wazuh
In Wazuh, custom rules added on the Wazuh Manager node trigger alerts when specific conditions are met; each rule carries its own fields such as a custom rule ID and an alert level.
The custom rule file path is:
/var/ossec/etc/rules/local_rules.xml
Custom rule IDs should be above 100000.
Basic Structure for a Custom Rule
<group name="custom_name,">
  <rule id="100010" level="5">
    <if_sid>...</if_sid>
    <match>...</match>
    <description>...</description>
  </rule>
</group>
Testing Events with wazuh-logtest
First, check if the event generated by the endpoint agent can trigger an alert.
Use the existing wazuh-logtest binary on the Wazuh Manager node:
/var/ossec/bin/wazuh-logtest
Paste the event log into the tool after running it. Example log:
Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2
Creating a Custom Rule
Step 1: Edit the Custom Rule File
Open the local rules file on the Wazuh Manager node using:
sudo nano /var/ossec/etc/rules/local_rules.xml
Step 2: Add the Custom Rule
Below is an example custom rule for SSHD authentication failures:
<group name="custom_rule,">
  <rule id="100001" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>custom rule for sshd authentication failed.</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
Note: You can add or remove fields as required.
Step 3: Validate the Rule
After saving the file, run the wazuh-logtest tool again with the same event and verify that the new rule (ID 100001) is the one that fires.
Step 4: Restart Wazuh Manager
Apply the changes by restarting the Wazuh Manager service:
sudo systemctl restart wazuh-manager
Once restarted, the custom rule will be in effect.
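As an added example that is not part of this page or of the Wazuh project, the following Python script is a pre-flight check you can run before restarting the manager: it parses the rule file, flags rule IDs that are not above 100000 or are duplicated, and does a simplified dry run of the `<match>` field against the sample sshd log line. The match emulation is an assumption of this example (literal substrings separated by `|`, no anchors); wazuh-logtest remains the authoritative test.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's sshd rule as it would appear in local_rules.xml.
# Wazuh rule files are a sequence of <group> elements with no single root, so a
# dummy root is wrapped around the text before parsing.
LOCAL_RULES = """
<group name="custom_rule,">
  <rule id="100001" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>custom rule for sshd authentication failed.</description>
  </rule>
</group>
"""

# Constructed sample log line, identical to the one used with wazuh-logtest above.
SAMPLE_LOG = ("Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle "
              "from 10.9.8.16 port 57868 ssh2")

CUSTOM_MIN_ID = 100000  # custom rule IDs must be above this value


def load_rules(xml_text):
    """Parse rule file text into a list of dicts (id, level, if_sid, match)."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [{
        "id": int(rule.get("id")),
        "level": int(rule.get("level")),
        "if_sid": (rule.findtext("if_sid") or "").strip(),
        "match": rule.findtext("match") or "",
    } for rule in root.iter("rule")]


def lint_rules(rules):
    """Return a list of problems: IDs not above CUSTOM_MIN_ID, or duplicated IDs."""
    problems, seen = [], set()
    for r in rules:
        if r["id"] <= CUSTOM_MIN_ID:
            problems.append(f"rule {r['id']}: id must be above {CUSTOM_MIN_ID}")
        if r["id"] in seen:
            problems.append(f"rule {r['id']}: duplicate id")
        seen.add(r["id"])
    return problems


def match_hits(match_expr, log_line):
    """Simplified <match> emulation (assumption): '|'-separated literal substrings."""
    return [alt for alt in match_expr.split("|") if alt in log_line]


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    print("problems:", lint_rules(rules) or "none")
    for r in rules:
        print(f"rule {r['id']} (parent {r['if_sid']}) hits:", match_hits(r["match"], SAMPLE_LOG))
```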