new: [wazuh-rule] Wazuh-rule

adulau · adulau · commit 9da3e9237f63 · 2026-03-25T10:10:30.000+01:00
diff --git a/wazuh-rule/definition.json b/wazuh-rule/definition.json
@@ -0,0 +1,152 @@
+{
+  "attributes": {
+    "wazuh-rule": {
+      "description": "Full Wazuh rule XML content.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "rule-id": {
+      "description": "Wazuh rule identifier from the rule id attribute.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "level": {
+      "description": "Wazuh alert level from the rule level attribute.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "Human-readable description of the rule.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "group": {
+      "description": "Wazuh group or groups associated with the rule.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "decoded_as": {
+      "description": "Decoder name required for the rule to match.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "if_sid": {
+      "description": "Parent or prerequisite rule ID list.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "if_group": {
+      "description": "Prerequisite group name.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "if_level": {
+      "description": "Prerequisite alert level.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "if_matched_sid": {
+      "description": "Previously matched rule ID required within a time window.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "if_matched_group": {
+      "description": "Previously matched group required within a time window.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "match": {
+      "description": "Regular expression or string used to match log content.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "field": {
+      "description": "Decoded field condition used by the rule.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "options": {
+      "description": "Additional Wazuh rule options.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "frequency": {
+      "description": "Number of times the rule must match before alerting.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "timeframe": {
+      "description": "Time window used with frequency-based matching.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "ignore": {
+      "description": "Time interval during which repeated alerts are ignored.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "noalert": {
+      "description": "Whether the rule suppresses alert generation.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "mitre-id": {
+      "description": "MITRE ATT&CK technique ID associated with the rule.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "reference": {
+      "description": "Reference or origin of the Wazuh rule.",
+      "misp-attribute": "link",
+      "ui-priority": 0
+    },
+    "comment": {
+      "description": "Comment or analyst note about the Wazuh rule.",
+      "misp-attribute": "comment",
+      "ui-priority": 0
+    },
+    "version": {
+      "description": "Version of Wazuh or ruleset associated with the rule.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "An object describing a Wazuh XML rule using common fields from the official Wazuh rule syntax.",
+  "meta-category": "misc",
+  "name": "wazuh-rule",
+  "requiredOneOf": [
+    "wazuh-rule",
+    "rule-id"
+  ],
+  "uuid": "5150952e-4a21-4011-aa20-204b6459e657",
+  "version": 1
+}
