diff --git a/roles/debian/wazuh/files/custom_wazuh_rules.xml b/roles/debian/wazuh/files/custom_wazuh_rules.xml
new file mode 100644
index 000000000..8b9728ada
--- /dev/null
+++ b/roles/debian/wazuh/files/custom_wazuh_rules.xml
@@ -0,0 +1,26 @@
+
+
+
+
+ HTTP 401 response code
+ web-accesslog
+ " 401
+
+
+
+
+ 100100
+
+ Multiple 401 errors from same source IP (possible brute force attempt)
+ no_full_log
+
+
+
+
+
+ 521
+ scantem
+ Whitelist alerts containing 'scantem' in the title.
+ no_full_log
+
+
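Review bot: The `scantem` match in the last rule looks like a bare substring, so any event under parent 521 that carries that string anywhere in the matched text would be dropped, including a file or process name chosen by whoever created it. In the stock Wazuh ruleset 521 appears to be the rootcheck kernel-level rootkit alert (confirm against the deployed ruleset), which would make a loose suppression costly. The XML markup is not visible in this rendering, so this is inferred from the values shown. If the match is unanchored, tighten it to the exact expected path or message, and add an XML comment above the rule recording what scantem is and why the exception is safe. The description says "in the title" without naming the matched field; stating the field would help the next reviewer.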
diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml
index 7224c1c1e..6195e7a06 100644
--- a/roles/debian/wazuh/tasks/main.yml
+++ b/roles/debian/wazuh/tasks/main.yml
@@ -133,6 +133,24 @@
state: restarted
when: filebeat_exists
+- name: Check if wazuh-manager service exists
+ ansible.builtin.command: systemctl list-unit-files --type=service --no-pager
+ register: wazuh_service
+ ignore_errors: true
+ changed_when: false
+
+- name: Deploy custom Wazuh local rules
+ ansible.builtin.copy:
+ src: custom_wazuh_rules.xml
+ dest: "{{ wazuh_dir | default('/var/ossec') }}/etc/rules/custom_wazuh_rules.xml"
+ owner: wazuh
+ group: wazuh
+ mode: '0640'
+ notify: restart wazuh-manager
+ tags:
+ - rules
+ when: "'wazuh-manager.service' in wazuh_service.stdout"
+
- name: Write the password to /var/ossec/etc/authd.pass
ansible.builtin.copy:
dest: /var/ossec/etc/authd.pass
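Review bot: `ignore_errors: true` on the service check lets the play continue when `systemctl` exits non-zero, and the deploy task's `when` then tests `wazuh_service.stdout` from a failed result, so the rules copy can be skipped with no visible failure and the manager keeps running without the custom detections. Using `ansible.builtin.service_facts` and `when: "'wazuh-manager.service' in ansible_facts.services"` avoids parsing command output; the two restart conditions in the next hunk read the same variable and would need the same change. Separately, `notify: restart wazuh-manager` needs a handler with exactly that name. None is visible in this diff (the handlers file is outside it), and by default an unknown handler name makes the task error.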
@@ -146,4 +164,10 @@
ansible.builtin.systemd:
name: wazuh-manager
state: restarted
- when: "'wazuh-manager.service' in wazuh_service.stdout or 'wazuh-agent.service' in wazuh_service.stdout"
+ when: "'wazuh-manager.service' in wazuh_service.stdout"
+
+- name: Restart wazuh-agent to apply changes
+ ansible.builtin.systemd:
+ name: wazuh-agent
+ state: restarted
+ when: "'wazuh-agent.service' in wazuh_service.stdout"
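Review bot: Both restart tasks run on every play rather than only when a managed file changed, so each run opens a short gap in log collection and analysis, and the manager is restarted a second time whenever the `notify` on the rules copy also fires. Nothing after the restart confirms the unit came back, which matters now that a malformed custom_wazuh_rules.xml can keep wazuh-manager from starting. Consider moving both restarts into handlers notified by the tasks that change files, followed by a task that asserts the unit is active. The wazuh-manager task's `name:` line sits above this hunk.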