
Releases: wazuh/wazuh-ruleset

Wazuh Ruleset 3.9.5

08 Aug 14:47
944d7ea

There are no changes for Wazuh Ruleset in this version.

Wazuh Ruleset 3.9.4

07 Aug 11:52

There are no changes for Wazuh Ruleset in this version.

Wazuh Ruleset 3.9.3

09 Jul 15:34
7b7c9e2

Fixed

  • NGINX Decoder: make "server" field optional. Thanks to @iasdeoupxe. (#243)
  • Remove trailing quote from field "res" in Auditd decoder. Thanks to @branchnetconsulting. (#412)
  • Fix conflict between fields "uid" and "auid" in Auditd decoder. Thanks to @tokibi. (#246)
  • Prevent rules for AWS, Suricata, VirusTotal, OwnCloud, Vuls, CIS-CAT, Vulnerability Detector, MySQL, Osquery, and Azure from including the full log in JSON format. (#443)

Wazuh Ruleset 3.9.2

10 Jun 15:05

Fixed

  • Fixed Windows rule about audit log. (#408)
  • Fixed check 11522 of Solaris SCA policy. (#420)

Wazuh Ruleset 3.9.1

21 May 19:42

Fixed

  • Fixed rule for the SCA check 5035 about SSH protocol. (#385)
  • Fixed duplicated rules for the SCA policy cis_debianlinux7-8_L2. (#386)
  • Fixed Windows Defender rule description. (#388)
  • Fixed rules and requirements for SCA CIS policies of Mac OS X. (#387)
  • Fixed Windows NT registries in Windows SCA policies. (#393)
  • Fixed Windows EventChannel rules for Eventlog and Security Essentials. (#397)
  • Fixed Windows rules to avoid filtering by erroneous provider names. (#403)

Wazuh Ruleset 3.9.0

02 May 21:04
48eae91

Added

  • Adapt Sysmon rules to new Windows eventchannel format. (#285)
  • Added ruleset for the SCA module. (#288)
  • Added policy files in YAML format for the SCA module. (#288)
  • Added the policy cis_win2012r2_memberL2_rcl.yml for SCA. (#289) (Thanks to @Bob-Andrews)
  • Improved rules for the docker listener. (#293) (#307)
  • New options same_field and not_same_field to correlate dynamic fields in rules. (#302)
  • New rule to catch a logon success from a Windows workstation. (#304)
  • Added rules about Application and System channels for the Windows eventchannel format. (#325)
  • Added PCI-DSS and GDPR mapping to rules for the docker listener. (#333)

Changed

  • Changed the eventchannel field names in rules. (#299)
  • Redistribute the eventchannel rules by incoming channel. (#325)
  • Prevent events invoked by AWS Internal from flooding alerts. (#351)

Fixed

  • Fixed the bruteforce attack rules for Windows Eventchannel. (#302)
  • Updated links for Windows rules. (#311) (Credits to @atomicturtle (#1675))
  • Several fixes for Windows rules for the eventlog format. (Thanks to @branchnetconsulting)
    • Fixed SID regexes for eventlog Windows rules. (#197)
    • Fixed the matched string of rule 18270. (#219)
    • Fixed Sysmon rule when the destination port is empty. (#229)
    • Fixed the description for rule 18260. (#232)
    • Generalize description for rule 83201. (#241)
  • Fixed the flow for Windows rule 18230. (#253) (Thanks to @wiredaem0n)

Wazuh Ruleset 3.8.2

30 Jan 19:36

Changed

  • Rework of the rules for Windows Eventchannel. (#277)

Wazuh Ruleset 3.8.1

25 Jan 00:50
ef31890

There are no changes for Wazuh Ruleset in this version.

Wazuh Ruleset 3.8.0

19 Jan 00:07
6ae89a2

Added

  • Added new rules to support the new Windows eventchannel decoder. (#247)
  • Extend Auditd decoder to support more fields. (#256)
  • Added rule to alert when an agent is removed. (#2127)

Changed

  • CDB lists are no longer prebuilt in the repository. (#249)

Wazuh Ruleset 3.7.2

17 Dec 17:12

There are no changes for Wazuh Ruleset in this version.