From 15327dc646f8b011dbcb4b45e544dd9a6d0f08e2 Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:14:00 +0200
Subject: [PATCH 1/5] Create 0685-wazuh-api_rules.xml

---
 rules/0685-wazuh-api_rules.xml | 165 +++++++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)
 create mode 100644 rules/0685-wazuh-api_rules.xml

diff --git a/rules/0685-wazuh-api_rules.xml b/rules/0685-wazuh-api_rules.xml
new file mode 100644
index 000000000..6c9d8a089
--- /dev/null
+++ b/rules/0685-wazuh-api_rules.xml
@@ -0,0 +1,165 @@
+<!--
+  -  WazuhAPI rules
+  -  Author: Daniel Moreno
+  -  Updated by Wazuh, Inc.
+  -  Copyright (C) 2015-2020, Wazuh Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<group name="wazuhapi">
+
+  <rule id="30000" level="0">
+    <decoded_as>wazuhapi</decoded_as>
+    <description></description>
+  </rule>
+
+<!-- WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'. -->
+  <rule id="30001" level="3">
+    <if_sid>30000</if_sid>
+    <regex>^WazuhAPI \d+-\d+-\d+ \d+:\d+:\d+ \S+: [(\S+)] \w+ \S+ - \d+</regex>
+    <description>Wazuh API request received.</description>
+  </rule>
+
+  <!-- Childs -->
+
+    <rule id="30002" level="3">
+      <if_sid>30001</if_sid>
+      <match>GET</match>
+      <description>Wazuh API GET request received.</description>
+    </rule>
+
+      <rule id="30003" level="8">
+        <if_sid>30002</if_sid>
+        <description>Wazuh API request $(method) $(request) with error code $(errorcode)</description>
+      </rule>
+
+      <rule id="30004" level="3">
+        <if_sid>30003</if_sid>
+        <field name="errorcode">0</field>
+        <description>Wazuh API request $(method) $(request)</description>
+      </rule>
+
+    <rule id="30005" level="7">
+      <if_sid>30001</if_sid>
+      <match>POST</match>
+      <description>Wazuh API request POST received.</description>
+    </rule>
+
+      <rule id="30006" level="7">
+        <if_sid>30005</if_sid>
+        <description>Wazuh API request $(method) $(request) with error code $(errorcode)</description>
+      </rule>
+
+      <rule id="30007" level="7">
+        <if_sid>30005</if_sid>
+        <field name="errorcode">0</field>
+        <description>Wazuh API request $(method) $(request)</description>
+      </rule>
+
+    <rule id="30008" level="10">
+      <if_sid>30001</if_sid>
+      <match>DELETE</match>
+      <description>Wazuh API request DELETE received.</description>
+    </rule>
+
+      <rule id="30009" level="3">
+        <if_sid>30008</if_sid>
+        <description>Wazuh API request $(method) $(request) got the error $(errorcode)</description>
+      </rule>
+
+      <rule id="30010" level="3">
+        <if_sid>30008</if_sid>
+        <field name="errorcode">0</field>
+        <description>Wazuh API request $(method) $(request)</description>
+      </rule>
+
+    <rule id="30011" level="7">
+      <if_sid>30001</if_sid>
+      <match>PUT</match>
+      <description>Wazuh API request PUT received.</description>
+    </rule>
+
+    <rule id="30012" level="3">
+        <if_sid>30011</if_sid>
+        <description>Wazuh API request $(method) $(request) got the error $(errorcode)</description>
+      </rule>
+
+    <rule id="30013" level="3">
+      <if_sid>30011</if_sid>
+      <field name="errorcode">0</field>
+      <description>Wazuh API request $(method) $(request)</description>
+    </rule>
+
+
+<!-- WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions -->
+  <!-- This is a generic exception log, the rule should work for every exception -->
+  <rule id="30014" level="12">
+    <if_sid>30000</if_sid>
+    <regex>^WazuhAPI \d+-\d+-\d+ \d+:\d+:\d+ \S+: \.+: \d+</regex>
+    <description>An exception was given, the message is: $(exception_message)</description>
+  </rule>
+
+<!-- app.js logs -->
+  <!-- WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed. -->
+    <rule id="30015" level="9">
+      <if_sid>30000</if_sid>
+      <match>Authentication failed</match>
+      <description>Authentication with api from user $(apiuser) failed.</description>
+    </rule>
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message -->
+    <rule id="30016" level="9">
+      <if_sid>30000</if_sid>
+      <match>Authentication error</match>
+      <description>Authentication with api failed with the error $(auth_error) and the message: $(error_message).</description>
+    </rule>
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 user: Internal Error -->
+    <rule id="30017" level="12">
+      <if_sid>30000</if_sid>
+      <match>Internal Error</match>
+      <description>Internal error detected in the API.</description>
+    </rule>
+
+    <!-- WazuhAPI 2019-03-18 16:08:13 user: Internal Error: uncaughtException -->
+      <rule id="30018" level="12">
+        <if_sid>30017</if_sid>
+        <match>Internal Error: uncaughtException</match>
+        <description>Internal error detected in the API, an uncaught exception was thrown.</description>
+      </rule>
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 user: Exiting... -->
+    <rule id="30019" level="10">
+      <if_sid>30000</if_sid>
+      <match>Exiting...</match>
+      <description>The API has just exited.</description>
+    </rule>
+
+    <!-- Childs -->
+
+      <rule id="30020" level="10">
+        <if_sid>30019</if_sid>
+        <match>Exiting... (SIGTERM)</match>
+        <description>The API has just exited. (SIGTERM)</description>
+      </rule>
+
+      <rule id="30021" level="10">
+        <if_sid>30019</if_sid>
+        <match>Exiting... (SIGINT)</match>
+        <description>The API has just exited. (SIGINT)</description>
+      </rule>
+  <!-- WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000 -->
+    <rule id="30022" level="3">
+      <if_sid>30000</if_sid>
+      <match>Listening on</match>
+      <description>Api is hearing at $(apiurl)</description>
+    </rule> 
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port. -->
+    <rule id="30023" level="10">
+      <if_sid>30000</if_sid>
+      <match>Address in use</match>
+      <description>Another instance is using the port $(port)</description>
+    </rule>
+
+</group>

From 256db814c1d00b8a104150500779c22133b55cf6 Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:12:14 +0200
Subject: [PATCH 2/5] Create 0495-wazuh-api_decoders.xml

---
 decoders/0495-wazuh-api_decoders.xml | 68 ++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 decoders/0495-wazuh-api_decoders.xml

diff --git a/decoders/0495-wazuh-api_decoders.xml b/decoders/0495-wazuh-api_decoders.xml
new file mode 100644
index 000000000..d10c0ad4a
--- /dev/null
+++ b/decoders/0495-wazuh-api_decoders.xml
@@ -0,0 +1,68 @@
+<!--
+  -  WazuhAPI decoders
+  -  Author: Daniel Moreno
+  -  Updated by Wazuh, Inc.
+  -  Copyright (C) 2015-2019, Wazuh Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<decoder name="wazuhapi">
+  <prematch>WazuhAPI </prematch>
+</decoder>
+
+<!-- WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'. -->
+
+  <decoder name="wazuhapi_requests">
+    <parent>wazuhapi</parent>
+    <prematch>\d+-\d+-\d+ \d+:\d+:\d+ \S+: [\S+] \w+ \S+ - \d+</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+): [(\S+)] (\w+) (\S+) - \d+ - error: '(\d+)'</regex>
+    <order>timestamp,apiuser,remoteaddress,method,request,errorcode</order>
+  </decoder>
+
+<!-- WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions -->
+  <!-- This is a generic exception log, the decoder should work for every exception -->
+  <decoder name="wazuhapi_exceptions">
+    <parent>wazuhapi</parent>
+    <prematch></prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+): (\.+): \d+</regex>
+    <order>timestamp,apiuser,exception_message</order>
+  </decoder>
+
+<!-- WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000 -->
+
+  <decoder name="wazuhapi_listening">
+    <parent>wazuhapi</parent>
+    <prematch>Listening on</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) : Listening on: (\.+)</regex>
+    <order>timestamp,apiurl</order>
+  </decoder>
+
+
+<!-- WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed. -->
+
+  <decoder name="wazuhapi_authfail">
+    <parent>wazuhapi</parent>
+    <prematch>Authentication failed</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+):\.+ Authentication failed</regex>
+    <order>timestamp,apiuser</order>
+  </decoder>
+
+
+
+<!-- WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port. -->
+
+  <decoder name="wazuhapi_porterror">
+    <parent>wazuhapi</parent>
+    <prematch>Address in use</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) Error: Address in use \(port "(\d+)"\)</regex>
+    <order>timestamp,port</order>
+  </decoder>
+
+<!-- WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message -->
+
+  <decoder name="wazuhapi_autherror">
+    <parent>wazuhapi</parent>
+    <prematch>Authentication error</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) : [\.+] Authentication error: (\d+) - (\.+)</regex>
+    <order>timestamp,auth_error,error_message</order>
+  </decoder>

From 85fda12089fd518aee76f186dd664e462daaa1ee Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:16:06 +0200
Subject: [PATCH 3/5] Create api.ini

---
 tools/rules-testing/tests/api.ini | 53 +++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 tools/rules-testing/tests/api.ini

diff --git a/tools/rules-testing/tests/api.ini b/tools/rules-testing/tests/api.ini
new file mode 100644
index 000000000..cd4f9817f
--- /dev/null
+++ b/tools/rules-testing/tests/api.ini
@@ -0,0 +1,53 @@
+[Request to the api with errorcode 0]
+log 1 pass = WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'.
+rule = 30004
+alert = 3
+decoder = wazuhapi
+
+[Generic exception message when the API is set in error mode]
+log 1 pass = WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions
+rule = 30014
+alert = 12
+decoder = wazuhapi
+
+[Incorrect login because of username]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed.
+rule = 30015
+alert = 9
+decoder = wazuhapi
+
+[Incorrect login because of error]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message
+rule = 30016
+alert = 9
+decoder=wazuhapi
+
+[Internal error from the API]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Internal Error
+rule = 30017
+alert = 12
+decoder=wazuhapi
+
+[The API is exiting]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Exiting...
+rule = 30019
+alert = 10
+decoder=wazuhapi
+
+[The API is now hearing]
+log 1 pass = WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000
+rule = 30022
+alert = 3
+decoder = wazuhapi
+
+[Error in the API because of the port]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port.
+rule = 30023
+alert = 10
+decoder = wazuhapi
+
+[Internal error in the API uncaught]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Internal Error: uncaughtException
+rule = 30018
+alert = 12
+decoder=wazuhapi

From c84e62ce927b99b127054375de8de46ae51f8018 Mon Sep 17 00:00:00 2001
From: odintree <odintree@protonmail.com>
Date: Fri, 22 May 2020 19:45:54 +0000
Subject: [PATCH 4/5] changed the group for api rules; change the id for rules;
 change the api decoder and rule filename

---
 ...coders.xml => 0520-wazuh-api_decoders.xml} |   0
 ...api_rules.xml => 0715-wazuh-api_rules.xml} | 127 +++++++++++-------
 tools/rules-testing/beforeruntest.sh          |  14 ++
 tools/rules-testing/tests/api.ini             |  18 +--
 4 files changed, 103 insertions(+), 56 deletions(-)
 rename decoders/{0495-wazuh-api_decoders.xml => 0520-wazuh-api_decoders.xml} (100%)
 rename rules/{0685-wazuh-api_rules.xml => 0715-wazuh-api_rules.xml} (52%)
 create mode 100755 tools/rules-testing/beforeruntest.sh

diff --git a/decoders/0495-wazuh-api_decoders.xml b/decoders/0520-wazuh-api_decoders.xml
similarity index 100%
rename from decoders/0495-wazuh-api_decoders.xml
rename to decoders/0520-wazuh-api_decoders.xml
diff --git a/rules/0685-wazuh-api_rules.xml b/rules/0715-wazuh-api_rules.xml
similarity index 52%
rename from rules/0685-wazuh-api_rules.xml
rename to rules/0715-wazuh-api_rules.xml
index 6c9d8a089..051ffc1de 100644
--- a/rules/0685-wazuh-api_rules.xml
+++ b/rules/0715-wazuh-api_rules.xml
@@ -8,158 +8,191 @@
 
 <group name="wazuhapi">
 
-  <rule id="30000" level="0">
+  <rule id="66500" level="0">
     <decoded_as>wazuhapi</decoded_as>
     <description></description>
   </rule>
 
 <!-- WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'. -->
-  <rule id="30001" level="3">
-    <if_sid>30000</if_sid>
+  <rule id="66501" level="3">
+    <if_sid>66500</if_sid>
     <regex>^WazuhAPI \d+-\d+-\d+ \d+:\d+:\d+ \S+: [(\S+)] \w+ \S+ - \d+</regex>
     <description>Wazuh API request received.</description>
+    <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
   </rule>
 
   <!-- Childs -->
 
-    <rule id="30002" level="3">
-      <if_sid>30001</if_sid>
+    <rule id="66502" level="3">
+      <if_sid>66501</if_sid>
       <match>GET</match>
       <description>Wazuh API GET request received.</description>
+      <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
     </rule>
 
-      <rule id="30003" level="8">
-        <if_sid>30002</if_sid>
+      <rule id="66503" level="8">
+        <if_sid>66502</if_sid>
         <description>Wazuh API request $(method) $(request) with error code $(errorcode)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-      <rule id="30004" level="3">
-        <if_sid>30003</if_sid>
+      <rule id="66504" level="3">
+        <if_sid>66503</if_sid>
         <field name="errorcode">0</field>
         <description>Wazuh API request $(method) $(request)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-    <rule id="30005" level="7">
-      <if_sid>30001</if_sid>
+    <rule id="66505" level="7">
+      <if_sid>66501</if_sid>
       <match>POST</match>
       <description>Wazuh API request POST received.</description>
+      <mitre>
+        <id>T1492</id>
+      </mitre>
+      <group>pci_dss_10.6.1,pci_dss_10.2.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,hipaa_164.312.e</group>
     </rule>
 
-      <rule id="30006" level="7">
-        <if_sid>30005</if_sid>
+      <rule id="66506" level="7">
+        <if_sid>66505</if_sid>
         <description>Wazuh API request $(method) $(request) with error code $(errorcode)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-      <rule id="30007" level="7">
-        <if_sid>30005</if_sid>
+      <rule id="66507" level="7">
+        <if_sid>66505</if_sid>
         <field name="errorcode">0</field>
         <description>Wazuh API request $(method) $(request)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-    <rule id="30008" level="10">
-      <if_sid>30001</if_sid>
+    <rule id="66508" level="10">
+      <if_sid>66501</if_sid>
       <match>DELETE</match>
       <description>Wazuh API request DELETE received.</description>
+      <mitre>
+        <id>T1492</id>
+      </mitre>
+      <group>pci_dss_10.6.1,pci_dss_10.2.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,hipaa_164.312.e</group>
     </rule>
 
-      <rule id="30009" level="3">
-        <if_sid>30008</if_sid>
+      <rule id="66509" level="3">
+        <if_sid>66508</if_sid>
         <description>Wazuh API request $(method) $(request) got the error $(errorcode)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-      <rule id="30010" level="3">
-        <if_sid>30008</if_sid>
+      <rule id="66510" level="3">
+        <if_sid>66508</if_sid>
         <field name="errorcode">0</field>
         <description>Wazuh API request $(method) $(request)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-    <rule id="30011" level="7">
-      <if_sid>30001</if_sid>
+    <rule id="66511" level="7">
+      <if_sid>66501</if_sid>
       <match>PUT</match>
       <description>Wazuh API request PUT received.</description>
+      <mitre>
+        <id>T1492</id>
+      </mitre>
+      <group>pci_dss_10.6.1,pci_dss_10.2.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,hipaa_164.312.e</group>
     </rule>
 
-    <rule id="30012" level="3">
-        <if_sid>30011</if_sid>
+    <rule id="66512" level="3">
+        <if_sid>66511</if_sid>
         <description>Wazuh API request $(method) $(request) got the error $(errorcode)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-    <rule id="30013" level="3">
-      <if_sid>30011</if_sid>
+    <rule id="66513" level="3">
+      <if_sid>66511</if_sid>
       <field name="errorcode">0</field>
       <description>Wazuh API request $(method) $(request)</description>
+      <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
     </rule>
 
 
 <!-- WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions -->
   <!-- This is a generic exception log, the rule should work for every exception -->
-  <rule id="30014" level="12">
-    <if_sid>30000</if_sid>
+  <rule id="66514" level="12">
+    <if_sid>66500</if_sid>
     <regex>^WazuhAPI \d+-\d+-\d+ \d+:\d+:\d+ \S+: \.+: \d+</regex>
     <description>An exception was given, the message is: $(exception_message)</description>
+    <group>pci_dss_10.6.1,pci_dss_10.6.3,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
   </rule>
 
 <!-- app.js logs -->
   <!-- WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed. -->
-    <rule id="30015" level="9">
-      <if_sid>30000</if_sid>
+    <rule id="66515" level="9">
+      <if_sid>66500</if_sid>
       <match>Authentication failed</match>
       <description>Authentication with api from user $(apiuser) failed.</description>
+      <group>pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,hipaa_164.312.d,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
   <!-- WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message -->
-    <rule id="30016" level="9">
-      <if_sid>30000</if_sid>
+    <rule id="66516" level="9">
+      <if_sid>66500</if_sid>
       <match>Authentication error</match>
       <description>Authentication with api failed with the error $(auth_error) and the message: $(error_message).</description>
+      <group>pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,hipaa_164.312.d,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
   <!-- WazuhAPI 2019-03-18 16:08:13 user: Internal Error -->
-    <rule id="30017" level="12">
-      <if_sid>30000</if_sid>
+    <rule id="66517" level="12">
+      <if_sid>66500</if_sid>
       <match>Internal Error</match>
       <description>Internal error detected in the API.</description>
+      <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
     </rule>
 
     <!-- WazuhAPI 2019-03-18 16:08:13 user: Internal Error: uncaughtException -->
-      <rule id="30018" level="12">
-        <if_sid>30017</if_sid>
+      <rule id="66518" level="12">
+        <if_sid>66517</if_sid>
         <match>Internal Error: uncaughtException</match>
         <description>Internal error detected in the API, an uncaught exception was thrown.</description>
+        <group>pci_dss_10.6.1,pci_dss_10.6.3,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
   <!-- WazuhAPI 2019-03-18 16:08:13 user: Exiting... -->
-    <rule id="30019" level="10">
-      <if_sid>30000</if_sid>
+    <rule id="66519" level="10">
+      <if_sid>66500</if_sid>
       <match>Exiting...</match>
       <description>The API has just exited.</description>
+      <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
     </rule>
 
     <!-- Childs -->
 
-      <rule id="30020" level="10">
-        <if_sid>30019</if_sid>
+      <rule id="66520" level="10">
+        <if_sid>66519</if_sid>
         <match>Exiting... (SIGTERM)</match>
         <description>The API has just exited. (SIGTERM)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
 
-      <rule id="30021" level="10">
-        <if_sid>30019</if_sid>
+      <rule id="66521" level="10">
+        <if_sid>66519</if_sid>
         <match>Exiting... (SIGINT)</match>
         <description>The API has just exited. (SIGINT)</description>
+        <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
       </rule>
   <!-- WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000 -->
-    <rule id="30022" level="3">
-      <if_sid>30000</if_sid>
+    <rule id="66522" level="3">
+      <if_sid>66500</if_sid>
       <match>Listening on</match>
       <description>Api is hearing at $(apiurl)</description>
+      <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
     </rule> 
 
   <!-- WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port. -->
-    <rule id="30023" level="10">
-      <if_sid>30000</if_sid>
+    <rule id="66523" level="10">
+      <if_sid>66500</if_sid>
       <match>Address in use</match>
       <description>Another instance is using the port $(port)</description>
+      <group>pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
     </rule>
 
 </group>
+
diff --git a/tools/rules-testing/beforeruntest.sh b/tools/rules-testing/beforeruntest.sh
new file mode 100755
index 000000000..67b92f349
--- /dev/null
+++ b/tools/rules-testing/beforeruntest.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+WAZUH_MANAGER_DIR="/var/ossec"
+WAZUH_REPO_DIR="/home/vagrant/wazuh-ruleset"
+rm -rf ${WAZUH_MANAGER_DIR}/ruleset/rules/*
+rm -rf ${WAZUH_MANAGER_DIR}/ruleset/decoders/*
+cp -r ${WAZUH_REPO_DIR}/rules/* ${WAZUH_MANAGER_DIR}/ruleset/rules
+cp -r ${WAZUH_REPO_DIR}/decoders/* ${WAZUH_MANAGER_DIR}/ruleset/decoders
+chown -R root:ossec ${WAZUH_MANAGER_DIR}/ruleset/rules
+chown -R root:ossec ${WAZUH_MANAGER_DIR}/ruleset/decoders
+chmod 644 ${WAZUH_MANAGER_DIR}/ruleset/rules/0015-ossec_rules.xml
+rm -rf ${WAZUH_MANAGER_DIR}/ruleset/rules/log-entries
+rm -rf ${WAZUH_MANAGER_DIR}/ruleset/rules/translated
+cd ${WAZUH_REPO_DIR}/tools/rules-testing/
+./runtests.py
diff --git a/tools/rules-testing/tests/api.ini b/tools/rules-testing/tests/api.ini
index cd4f9817f..aa42ae49b 100644
--- a/tools/rules-testing/tests/api.ini
+++ b/tools/rules-testing/tests/api.ini
@@ -1,53 +1,53 @@
 [Request to the api with errorcode 0]
 log 1 pass = WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'.
-rule = 30004
+rule = 66504
 alert = 3
 decoder = wazuhapi
 
 [Generic exception message when the API is set in error mode]
 log 1 pass = WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions
-rule = 30014
+rule = 66514
 alert = 12
 decoder = wazuhapi
 
 [Incorrect login because of username]
 log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed.
-rule = 30015
+rule = 66515
 alert = 9
 decoder = wazuhapi
 
 [Incorrect login because of error]
 log 1 pass = WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message
-rule = 30016
+rule = 66516
 alert = 9
 decoder=wazuhapi
 
 [Internal error from the API]
 log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Internal Error
-rule = 30017
+rule = 66517
 alert = 12
 decoder=wazuhapi
 
 [The API is exiting]
 log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Exiting...
-rule = 30019
+rule = 66519
 alert = 10
 decoder=wazuhapi
 
 [The API is now hearing]
 log 1 pass = WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000
-rule = 30022
+rule = 66522
 alert = 3
 decoder = wazuhapi
 
 [Error in the API because of the port]
 log 1 pass = WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port.
-rule = 30023
+rule = 66523
 alert = 10
 decoder = wazuhapi
 
 [Internal error in the API uncaught]
 log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Internal Error: uncaughtException
-rule = 30018
+rule = 66518
 alert = 12
 decoder=wazuhapi

From 90bc303da6793e8bb33d3ebfa591e8ca8b04b731 Mon Sep 17 00:00:00 2001
From: Do Tuan Anh Tran <odintree@protonmail.com>
Date: Fri, 22 May 2020 22:09:02 +0200
Subject: [PATCH 5/5] Update CHANGELOG.md

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index abbc1cd38..8985d4ab5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 - Added rules and decoders for macOS sshd logs ([#593](https://github.com/wazuh/wazuh-ruleset/pull/593))
 - Added TSC/SOC compliance mapping ([#613](https://github.com/wazuh/wazuh-ruleset/pull/613))
 - Added rules and decoders for PaloAlto logs ([#658](https://github.com/wazuh/wazuh-ruleset/pull/658))
+- Added groups for Wazuh-api rules ([#675](https://github.com/wazuh/wazuh-ruleset/pull/675))
 
 
 ### Changed