Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge 4.7 into 4.7.2 #6908

Merged
merged 14 commits into from
Jan 4, 2024
+62 −56
Merged

Merge 4.7 into 4.7.2 #6908

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
c6500a7
Expand on the <group> element
javimed Aug 31, 2023
1737cbf
Change rule examples and improve texts
javimed Sep 1, 2023
f18631f
wAdding difference of usage for <group> element as enclosing or inner…
JorgeMarinoDev Nov 11, 2023
1d79588
Add MacOS 14 SCA Policies
Dec 27, 2023
8c44a9e
Add changes from review
javimed Dec 27, 2023
b7e0e09
Merge pull request #6890 from wazuh/6887-macos-14-sca
javimed Dec 27, 2023
81e9fe4
Update source/user-manual/ruleset/ruleset-xml-syntax/rules.rst
javimed Dec 28, 2023
8c3b811
Merge branch '4.7' into 6268-confusing-group-tag
javimed Dec 28, 2023
1c16e57
Merge pull request #6421 from wazuh/6268-confusing-group-tag
javimed Dec 28, 2023
cb0fac9
Switch use case positions
javimed Dec 28, 2023
64a909a
Merge pull request #6895 from wazuh/change/switch-use-case-positions
javimed Dec 28, 2023
4fd65df
Remove WPK unavailable notice
javimed Dec 29, 2023
e0f5ab3
Merge pull request #6897 from wazuh/maintenance/remove-wpk-unavailabl…
javimed Dec 29, 2023
f64a6ce
Merge branch '4.7' into merge-4.7-into-4.7.2
javimed Jan 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions source/getting-started/use-cases/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ Below you can find examples of some of the most common use cases of the Wazuh pl
Endpoint security Threat intelligence Security operations Cloud security
================================= ================================ ============================== ==================================
:doc:`configuration-assessment` :doc:`threat-hunting` :doc:`incident-response` :doc:`container-security`
:doc:`malware-detection` :doc:`log-analysis` :doc:`regulatory-compliance` :doc:`Workload protection <cloud-workload-protection>`
:doc:`file-integrity` :doc:`vulnerability-detection` :doc:`it-hygiene` :doc:`posture-management`
:doc:`malware-detection` :doc:`log-analysis` :doc:`regulatory-compliance` :doc:`posture-management`
:doc:`file-integrity` :doc:`vulnerability-detection` :doc:`it-hygiene` :doc:`Workload protection <cloud-workload-protection>`
================================= ================================ ============================== ==================================

.. toctree::
Expand All @@ -35,5 +35,5 @@ Endpoint security Threat intelligence Security op
regulatory-compliance
it-hygiene
container-security
cloud-workload-protection
posture-management
cloud-workload-protection
6 changes: 0 additions & 6 deletions source/user-manual/agents/remote-upgrading/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,15 +3,9 @@
.. meta::
:description: From Wazuh 3.0.0 version onwards, agents can be upgraded remotely. Learn more about it in this section of the Wazuh documentation.

.. _remote-upgrading:

Remote upgrading
==================

.. warning::

Remote upgrade is temporarily unavailable in |WAZUH_CURRENT_MINOR|.

.. topic:: Contents

.. toctree::
Expand Down
2 changes: 2 additions & 0 deletions source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,8 @@ The table below shows SCA policies pre-installed in Wazuh out-of-the-box. The Wa
+-----------------------------+------------------------------------------------------------+-------------------------------+
| cis_apple_macOS_13.x | CIS Checks for macOS 13.x | macOS 13.x (Ventura) |
+-----------------------------+------------------------------------------------------------+-------------------------------+
| cis_apple_macOS_14.0 | CIS Checks for macOS 14.0 | macOS 14.0 (Sonoma) |
+-----------------------------+------------------------------------------------------------+-------------------------------+
| web_vulnerabilities | System audit for web-related vulnerabilities | N/A |
+-----------------------------+------------------------------------------------------------+-------------------------------+
| cis_apache_24 | CIS Apache HTTP Server 2.4 Benchmark | Apache configuration files |
Expand Down
104 changes: 57 additions & 47 deletions source/user-manual/ruleset/ruleset-xml-syntax/rules.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,6 @@
.. meta::
:description: The Wazuh Ruleset is used to analyze incoming events and generate alerts when appropriate. Learn more about Rules syntax in this section.

.. _rules_syntax:

Rules Syntax
============

Expand Down Expand Up @@ -183,6 +181,44 @@ The **xml labels** used to configure ``rules`` are listed here.
| `var`_ | Name for the variable. Most used: `BAD_WORDS`_ | Defines a variable that can be used anywhere inside the same file. |
+-------------------------+---------------------------------------------------------------+------------------------------------------------------------------------------------------------------+

.. _rules_group:

group
^^^^^

Groups categorize alerts. They allow filtering related alerts in the Wazuh dashboard.

The default Wazuh ruleset already includes rules that use groups like ``syscheck,``, ``attack,``, and ``syslog,``. As an example, you can filter alerts for these categories by querying ``rule.groups: attack`` or ``rule.groups: (syscheck OR syslog)`` in the Wazuh dashboard.

Every rule must belong to at least one group. To specify one or more groups for a rule, enclose the rule definition with the ``<group name="GROUP1_NAME,GROUP2_NAME,">`` element. For example:

.. code-block:: xml
:emphasize-lines: 1,7

<group name="wazuh,">
<rule id="100234" level="3">
<if_sid>230</if_sid>
<field name="alert_type">normal</field>
<description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
</rule>
</group>

You can also specify additional groups by including the ``<group>`` element within the rule definition. For example:

.. code-block:: xml
:emphasize-lines: 6

<group name="wazuh,">
<rule id="100234" level="3">
<if_sid>230</if_sid>
<field name="alert_type">normal</field>
<description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
<group>syscheck,fim_db_state,</group>
</rule>
</group>

To define rules that trigger only if another rule in a specific group has triggered, check the `if_group`_ and `if_matched_group`_ options.

.. _rules_rule:

rule
Expand Down Expand Up @@ -728,7 +764,7 @@ If ``user`` label is declared multiple times within the rule, the following rule
.. _rules_sys_name:

system_name
^^^^^^^^^^^^
^^^^^^^^^^^

Used as a requisite to trigger the rule. It will check the system name (decoded as ``system_name``).

Expand Down Expand Up @@ -2070,36 +2106,6 @@ Example:
<description>List of logged in users. It will not be alerted by default.</description>
</rule>

.. _rules_group:

group
^^^^^

Add additional groups to the alert. Groups are optional tags added to alerts.

They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.

Groups are variables that define behavior. When an alert includes that group label, this behavior will occur.

Example:

.. code-block:: xml

<rule id="3801" level="4">
<description>Group for rules related with spam.</description>
<group>spam,</group>
</rule>

Now, every rule with the line ``<group>spam,</group>`` will be included in that group.

It's a very useful label to keep the rules ordered.

+--------------------+------------+
| **Default Value** | n/a |
+--------------------+------------+
| **Allowed values** | Any String |
+--------------------+------------+

.. _rules_mitre:

mitre
Expand Down Expand Up @@ -2138,11 +2144,12 @@ Defines a variable that can be used in any place within the same file. It must b

Example:

.. code-block:: xml
.. code-block:: xml
:emphasize-lines: 1,7

<var name="joe_folder">/home/joe/</var>
<var name="joe_folder">/home/joe/</var>

<group name="local,">
<group name="local,">

<rule id="100001" level="5">
<if_sid>550</if_sid>
Expand All @@ -2151,26 +2158,29 @@ Example:
<group>ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>

</group>
</group>

BAD_WORDS
^^^^^^^^^
~~~~~~~~~

.. code-block:: xml

<var name="BAD_WORDS">error|warning|failure</var>
<var name="BAD_WORDS">error|warning|failure</var>

``BAD_WORDS`` is a very used use case of the ``<var>`` option.

It is used to include many words in the same variable. Later, this variable can be matched into the decoders to check if any of those words are in a caught event.

Example:

.. code-block:: xml
.. code-block:: xml
:emphasize-lines: 1,5

<var name="BAD_WORDS">error|warning|failure</var>
<var name="BAD_WORDS">error|warning|failure</var>

<group name="syslog,errors,">
<rule id="XXXX" level="2">
<match>$BAD_WORDS</match>
<description>Error found.</description>
</rule>
</group>
<group name="syslog,errors,">
<rule id="XXXX" level="2">
<match>$BAD_WORDS</match>
<description>Error found.</description>
</rule>
</group>