Hello everyone,
I recently deployed Wazuh 4.14.3 in our office environment and have successfully installed multiple agents (version 4.14.3) on endpoint systems. The agents are connected and visible on the Wazuh server, and the setup is working properly.
I am currently a beginner with Wazuh and would like to start working with custom rules. Since I am implementing this in an educational environment, I would appreciate guidance on the following:
Best practices for creating custom rules in Wazuh
Examples of useful custom rules suitable for an educational or university environment
Any recommended documentation, tutorials, or learning resources (manuals, videos, labs)
If anyone can share examples, learning materials, or practical advice for getting started with custom rules, it would be very helpful.
Thank you in advance for your support.
Best regards
Muhammad Usman Ali
Hi Muhammad Usman,
You can read this document to understand how to create decoders and rules.
Creating decoders and rules from scratch
There is no such thing as decoders and rules specific to an educational or university environment. Decoders and rules will depend on the type of logs you are collecting from your endpoints and the format of those logs.
To sum up, decoders and rules are written based on the log format.
You can use these documents to create decoders.
Custom decoders
Decoders
Regular Expression Syntax
You can use these documents to create rules:
Custom rules
You can use the ruleset test tool to check whether your logs match your custom decoders and rules.
Testing decoders and rules
You can search in our Google group to find example rules and decoders for different types of logs.
The best way to master writing decoders and rules is through trial and error. Please let me know if you need any further information or assistance.
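To make the "written based on the log format" point concrete, here is an added example (not part of the reply above, and not taken from the Wazuh documentation) of a custom decoder and a small rule chain for a constructed log line from a hypothetical campus lab-portal application. The application name (`labportal`), the log format, the field names, the rule IDs and the sample values are all assumptions made for this illustration; the XML elements (`prematch`, `regex`, `order`, `decoded_as`, `if_sid`, `if_matched_sid`, `same_source_ip`, `frequency`, `timeframe`) are standard Wazuh ruleset syntax, and custom rule IDs live in the 100000-119999 range reserved for user rules.

```xml
<!-- Constructed sample log line this example is written for (not a real log):
     labportal: user=alice action=login status=failed src=10.0.5.21
     Decoders go in /var/ossec/etc/decoders/local_decoder.xml -->

<!-- Parent decoder: only claims lines that start with the program prefix -->
<decoder name="labportal">
  <prematch>^labportal: </prematch>
</decoder>

<!-- Child decoder: extracts the key=value fields after the prefix.
     The captured groups are mapped, in order, to the names in <order>. -->
<decoder name="labportal-fields">
  <parent>labportal</parent>
  <regex offset="after_parent">user=(\S+) action=(\S+) status=(\S+) src=(\S+)</regex>
  <order>srcuser, action, status, srcip</order>
</decoder>

<!-- Rules go in /var/ossec/etc/rules/local_rules.xml -->
<group name="labportal,">

  <!-- Base rule: any line decoded by the labportal decoder (low level, informational) -->
  <rule id="100100" level="3">
    <decoded_as>labportal</decoded_as>
    <description>Lab portal event.</description>
  </rule>

  <!-- Single failed login: matches the decoded "status" field -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="status">^failed$</field>
    <description>Lab portal login failed for user $(srcuser) from $(srcip).</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: 5 failed logins from the same source IP within 120 seconds -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed lab portal logins from $(srcip) (possible brute force).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

After saving both files and restarting the manager, you can paste the sample line into `/var/ossec/bin/wazuh-logtest` and confirm that the decoder section shows `srcuser`, `action`, `status` and `srcip` and that rule 100101 fires; feeding the line five times within two minutes should then trigger 100102. If the fields come out empty, the regex does not match your actual log format, which is exactly the trial-and-error loop the reply describes.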