Skip to content

Wazuh Ruleset 3.9.0
Compare
Choose a tag to compare
@albertomn86 albertomn86 released this 02 May 21:04
· 748 commits to master since this release
v3.9.0
48eae91
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Added

  • Adapt Sysmon rules to new Windows eventchannel format. (#285)
  • Added ruleset for the SCA module. (#288)
  • Added policy files in YAML format for the SCA module. (#288)
  • Added the policy cis_win2012r2_memberL2_rcl.yml for SCA. (#289) (Thanks to @Bob-Andrews)
  • Improved rules for the docker listener. (#293) (#307)
  • New options same_field and not_same_field to correlate dynamic fields in rules. (#302)
  • New rule to catch a logon success from a Windows workstation. (#304)
  • Added rules about Application and System channels for the Windows eventchannel format. (#325)
  • Added PCI-DSS and GDPR mapping to rules for the docker listener. (#333)

Changed

  • Changed the eventchannel field names in rules. (#299)
  • Redistribute the eventchannel rules by incoming channel. (#325)
  • Prevent events invoked by AWS Internal from flooding alerts. (#351)

Fixed

  • Fixed the bruteforce attack rules for Windows Eventchannel. (#302)
  • Updated links for Windows rules. (#311) (Credits to @atomicturtle (#1675))
  • Several fixes for Windows rules for the eventlog format. (Thanks to @branchnetconsulting)
    • Fixed SID regexes for eventlog Windows rules. (#197)
    • Fixed the matched string of rule 18270. (#219)
    • Fixed Sysmon rule when the destination port is empty. (#229)
    • Fixed the description for rule 18260. (#232)
    • Generalize description for rule 83201. (#241)
  • Fixed the flow for Windows rule 18230. (#253) (Thanks to @wiredaem0n)
Assets 2
Loading