Hello,
You can follow this document for monitoring Kubernetes audit logs with a webhook:
https://wazuh.com/blog/auditing-kubernetes-with-wazuh/
You can also check this document; this blog explores two effective strategies for deploying the Wazuh agent within a Kubernetes cluster to enable reliable and continuous security monitoring in dynamic containerized environments.
https://wazuh.com/blog/wazuh-agent-deployment-strategies-for-a-kubernetes-environment/
If you need to create decoders and rules to trigger, follow this document:
https://documentation.wazuh.com/current/user-manual/ruleset/index.html
Let me know if you need any further information.
I cannot find any other custom rules other than the one I have already shared with the document. As I mentioned before, you can make custom rules and decoders following this Data analysis document.

You can also check this document to get an idea about the structure of the decoders and rules:

Creating decoders and rules from scratch

This is an old blog post, but the structure and architecture are the same. Follow the Data analysis document for more details on decoders and rules syntax.

If you face any issues while making decoders and rules, let me know. I will try to guide you.
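As an added illustration of the decoder/rule structure discussed above (this is example code, not from the thread, the Wazuh blog or the Wazuh ruleset), a minimal custom rule file for Kubernetes audit events. It assumes the webhook receiver writes each audit `Event` as one JSON object per line to a file the agent monitors, so Wazuh's built-in `json` decoder parses it; field names (`apiVersion`, `stage`, `verb`, `user.username`, `objectRef.*`, `responseStatus.code`) follow the Kubernetes `audit.k8s.io/v1` Event schema, and the rule IDs 100100-100103 are arbitrary values from the user-defined range.

```xml
<!-- Assumed input: one Kubernetes audit Event per line, e.g. (constructed sample)
     {"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete",
      "verb":"delete","user":{"username":"dev-user"},
      "objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},
      "responseStatus":{"code":200}}
     Place this file in /var/ossec/etc/rules/ on the manager and restart it. -->
<group name="kubernetes,k8s_audit,">

  <!-- Parent rule: any JSON line carrying the audit.k8s.io apiVersion.
       Only the ResponseComplete stage is kept so a single request does not
       fire twice (RequestReceived and ResponseComplete are both logged). -->
  <rule id="100100" level="0">
    <decoded_as>json</decoded_as>
    <field name="apiVersion">^audit.k8s.io</field>
    <field name="stage">^ResponseComplete$</field>
    <description>Kubernetes audit event.</description>
  </rule>

  <!-- Child rule: deletion of a secret, matched on nested JSON fields.
       $(field) expands the decoded value into the alert description. -->
  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <field name="verb">^delete$</field>
    <field name="objectRef.resource">^secrets$</field>
    <description>Kubernetes: $(user.username) deleted secret $(objectRef.name) in namespace $(objectRef.namespace).</description>
  </rule>

  <!-- Child rule: interactive access into a pod (the "exec" subresource). -->
  <rule id="100102" level="7">
    <if_sid>100100</if_sid>
    <field name="objectRef.subresource">^exec$</field>
    <description>Kubernetes: $(user.username) opened an exec session on pod $(objectRef.name) in namespace $(objectRef.namespace).</description>
  </rule>

  <!-- Child rule: request denied by RBAC (HTTP 403); useful for spotting
       privilege probing by a compromised or misconfigured identity. -->
  <rule id="100103" level="9">
    <if_sid>100100</if_sid>
    <field name="responseStatus.code">^403$</field>
    <description>Kubernetes: request by $(user.username) ($(verb) $(objectRef.resource)) was forbidden.</description>
  </rule>

</group>
```

You can check the match offline with `/var/ossec/bin/wazuh-logtest` by pasting the sample line; the constructed event above should hit rule 100101.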