mirror of
https://github.com/socfortress/Wazuh-Rules.git
synced 2025-10-23 00:02:11 +00:00
43 lines
1.5 KiB
XML
43 lines
1.5 KiB
XML
<group name="socfortress,">
|
|
<rule id="200980" level="1">
|
|
<field name="integration">custom-socfortress</field>
|
|
<description>SOCFortress IoC</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
<rule id="200981" level="1">
|
|
<if_sid>200980</if_sid>
|
|
<field name="socfortress.status_code">^404$</field>
|
|
<description>No matching IoC Detected</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
<rule id="200982" level="3">
|
|
<if_sid>200980</if_sid>
|
|
<field name="socfortress.status_code">^503$</field>
|
|
<description>$(socfortress.message)</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
<rule id="200983" level="12">
|
|
<if_sid>200980</if_sid>
|
|
<field name="socfortress.status_code">^200$</field>
|
|
<description>IoC Detected: $(socfortress.value)</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
<rule id="200984" level="10">
|
|
<if_sid>200980</if_sid>
|
|
<field name="socfortress.status_code">^403$</field>
|
|
<description>Forbidden - Make sure you have configured a proper API Key</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
<rule id="200985" level="10">
|
|
<if_sid>200980</if_sid>
|
|
<field name="socfortress.status_code">^429$</field>
|
|
<description>Rate Quota Limit Exceeded</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
<rule id="200986" level="3">
|
|
<field name="integration">custom-socfortress-knowledgebase</field>
|
|
<description>SOCFortress KnowledgeBase</description>
|
|
<options>no_full_log</options>
|
|
</rule>
|
|
</group>
|