Wazuh Rules

Open-source detection content for the Wazuh SIEM, mapped to MITRE ATT&CK.

A community-driven collection of custom Wazuh detection rules, decoders, and CDB lists — covering cloud platforms, email security gateways, endpoint telemetry, threat-intel feeds, and DLP. Production-grade content with MITRE ATT&CK mappings, drop-in compatible with Wazuh 4.x.

At a glance

  • 90+ rule files covering 30+ MITRE ATT&CK techniques
  • 4 custom decoders (Forcepoint, Microsoft Purview, Proofpoint, Synology)
  • 9 CDB lists for blacklists, scanner detection, ransomware hashes, and known-good baselines
  • Dedicated rule ID ranges that don't conflict with the default Wazuh ruleset

What's covered

The pack extends Wazuh's default ruleset with focused detection content across the following areas:

  • Cloud platforms: AWS CloudWatch, Azure WAF, Office 365, Google Workspace, Microsoft Purview, Microsoft Defender
  • Email security gateways: Proofpoint, Mimecast, Forcepoint
  • Endpoint telemetry: Sysmon for Windows, Linux, macOS; Sigma rules; auditd; osquery
  • Network detection: Suricata, Packetbeat, Maltrail, ModSecurity
  • Threat-intelligence feeds: MISP, OpenCTI, AbuseIPDB, AlienVault OTX, dnstwist
  • EDR / AV products: CrowdStrike, Cisco Secure Endpoint, Sophos, F-Secure, TrendMicro
  • DLP and data exfiltration patterns
  • Identity and IAM: Duo, AD inventory
  • Honeypots and deception: Beelzebub
  • Specific malware families

Highlight packs

Forcepoint

5 rules in rules/107250-Forcepoint.xml, with custom decoder. Detects blocked traffic, failed authentication, system errors, and password changes from Forcepoint appliances.

Google Workspace audit logs

10 rules in rules/108500-Google_Workspace.xml. Base detection across Drive, admin console, login, OAuth tokens, Groups, DLP rules, user accounts, mobile, and SAML SSO. MITRE: T1078, T1136, T1528.

Microsoft Purview

29 rules in rules/108600-Microsoft_Purview.xml, with custom decoder. DLP, sensitivity labels, insider risk, eDiscovery, communication compliance, records management, and audit / configuration events.

Proofpoint

25 rules in rules/108700-Proofpoint.xml, with custom decoder. Phishing, malware, BEC and impostor detection, click protection, spam, DLP, quarantine actions, and admin policy changes.

Data Loss Prevention

A standalone DLP pack in rules/117631-Data_Loss_Prevention.xml covering cross-platform exfiltration, cloud storage abuse, USB / removable media, network and DNS tunnelling, and sensitive data pattern exposure.

Installation

Copy the rule, decoder, and list files into your Wazuh manager directories:

sudo cp rules/*.xml /var/ossec/etc/rules/
sudo cp decoders/*.xml /var/ossec/etc/decoders/
sudo cp lists/* /var/ossec/etc/lists/

Validate and reload:

sudo /var/ossec/bin/wazuh-analysisd -t
sudo systemctl restart wazuh-manager

The README inside the zip lists every file's ID range, MITRE coverage, and prerequisites for the cloud integrations.
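A pre-deployment check a practitioner might run before the copy step above, as an added example that is not part of the project: it parses Wazuh rule XML, flags rule IDs outside the 100000-120000 custom range, IDs that collide with a supplied set of default-ruleset IDs, and IDs defined more than once in the pack, and summarizes the MITRE technique IDs the pack maps to. The file names, rule content and the stock-ID set below are constructed stand-ins, not the repository's real files.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CUSTOM_RANGE = range(100000, 120001)  # Wazuh's documented range for custom rule IDs

# Constructed stand-in rule files; not the project's real content.
SAMPLE_PACK = {
    "108500-Google_Workspace.xml": """
<group name="google_workspace,">
  <rule id="108500" level="0"><description>Workspace audit event (grouping).</description></rule>
  <rule id="108501" level="10"><if_sid>108500</if_sid>
    <description>Workspace: failed login.</description><mitre><id>T1078</id></mitre></rule>
</group>""",
    "broken.xml": """
<group name="local,">
  <rule id="5501" level="3"><description>Shadows a stock rule ID.</description></rule>
  <rule id="108501" level="12"><description>Re-uses a Workspace rule ID.</description></rule>
</group>""",
}
STOCK_IDS = {5501, 5502, 5503}  # constructed subset of the default ruleset's IDs

def parse_rules(xml_text):
    """Yield (rule_id, level, mitre_ids) for each <rule>. A Wazuh rules file may
    hold several top-level <group> elements, so wrap it in one root before parsing."""
    root = ET.fromstring(f"<root>{xml_text}</root>")
    for rule in root.iter("rule"):
        mitre = {t.text.strip() for t in rule.findall("./mitre/id") if t.text}
        yield int(rule.get("id")), int(rule.get("level", "0")), mitre

def check_pack(pack_files, stock_ids):
    """Return (problems, techniques): problem strings for out-of-range, colliding
    or duplicated rule IDs, and the set of MITRE technique IDs the pack maps to."""
    owners, techniques, problems = defaultdict(list), set(), []
    for name, text in pack_files.items():
        for rid, _level, mitre in parse_rules(text):
            owners[rid].append(name)
            techniques |= mitre
            if rid not in CUSTOM_RANGE:
                problems.append(f"{name}: rule {rid} is outside the custom range 100000-120000")
            if rid in stock_ids:
                problems.append(f"{name}: rule {rid} collides with a default ruleset ID")
    for rid, files in owners.items():
        if len(files) > 1:
            problems.append(f"rule {rid} is defined more than once: {sorted(files)}")
    return problems, techniques

if __name__ == "__main__":
    found, covered = check_pack(SAMPLE_PACK, STOCK_IDS)
    print("MITRE techniques covered:", sorted(covered))
    print("\n".join(found) or "no problems found")
```

Against a real deployment, load `pack_files` from the `rules/` directory of the pack and build `stock_ids` by running `parse_rules` over `/var/ossec/ruleset/rules/*.xml`, then run `wazuh-analysisd -t` as above only once the check reports no problems.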

Severity levels

Rules use the standard Wazuh severity scale — 0 for base / internal grouping, up to 15 for maximum-severity events. Most rules sit in the 10–14 band (suspicious to critical), with a smaller number of low-noise informational rules at level 3–5 for context and timeline reconstruction.

Source and contributions

Source code, full file listing, and contribution guidance are on GitHub: github.com/pbassill/wazuh-rules. Pull requests are welcome — see the README in the repo for the ID-range convention when adding a new rule file.


Author: Peter Bassill — UK Cyber Defence.