Create 100030-amazon_aws_cloudwatch.xml

AWS/100030-amazon_aws_cloudwatch.xml

@@ -0,0 +1,15 @@
+<group name="amazon,aws,cloudwatch,">
+  <rule id="100030" level="3">
+    <decoded_as>json</decoded_as>
+    <location>Wazuh-AWS$</location>
+    <options>no_full_log</options>
+    <description>Wazuh AWS Integration</description>
+  </rule>
+  <rule id="100031" level="3">
+    <if_sid>100030</if_sid>
+    <field name="httpSourceName">^ALB$</field>    
+    <options>no_full_log</options>
+    <description>AWS WAF Event - WAF Action $(action) By Rule Type: $(terminatingRuleType)</description>
+    <group>awswaf,</group>
+  </rule>
+</group>