wazuh/wazuh-ruleset v3.9.0

Wazuh Ruleset 3.9.0

on GitHub

Added

• Adapt Sysmon rules to new Windows eventchannel format. (#285)
• Added ruleset for the SCA module. (#288)
• Added policy files in YAML format for the SCA module. (#288)
• Added the policy cis_win2012r2_memberL2_rcl.yml for SCA. (#289) (Thanks to @Bob-Andrews)
• Improved rules for the docker listener. (#293) (#307)
• New options same_field and not_same_field to correlate dynamic fields in rules. (#302)
• New rule to catch a logon success from a Windows workstation. (#304)
• Added rules about Application and System channels for the Windows eventchannel format. (#325)
• Added PCI-DSS and GDPR mapping to rules for the docker listener. (#333)

Changed

• Changed the eventchannel field names in rules. (#299)
• Redistribute the eventchannel rules by incoming channel. (#325)
• Prevent events invoked by AWS Internal from flooding alerts. (#351)

Fixed

• Fixed the bruteforce attack rules for Windows Eventchannel. (#302)
• Updated links for Windows rules. (#311) (Credits to @atomicturtle (#1675))
• Several fixes for Windows rules for the eventlog format. (Thanks to @branchnetconsulting)
  • Fixed SID regexes for eventlog Windows rules. (#197)
  • Fixed the matched string of rule 18270. (#219)
  • Fixed Sysmon rule when the destination port is empty. (#229)
  • Fixed the description for rule 18260. (#232)
  • Generalize description for rule 83201. (#241)
• Fixed the flow for Windows rule 18230. (#253) (Thanks to @wiredaem0n)