Wazuh Decoders and Rules Training

COURSE GOAL

Learn to understand and customize decoders and rules in Wazuh. Use the power of regex to decode more logs and detect events more accurately.

WHO SHOULD ATTEND?

This course is designed for Security Analysts / Engineers, SOC Operators, and anyone who is responsible for managing a Wazuh deployment.

PREREQUISITES

Working knowledge of Wazuh, an understanding of network and application logs, and IT security basics. Basic knowledge of the Linux command line is also needed.

DURATION – 1 Day

COURSE TOPICS

  • Log Sources and Formats
  • Introduction to Decoders and Rules
  • XML and JSON
  • Working with Regex
  • Decoding Phases
  • Traditional and Dynamic Decoders
  • Atomic and Composite Rules
  • Customizing and Testing Decoders and Rules

COURSE OBJECTIVES

  • Understand different log sources and how logs are collected
  • Familiarize with different log formats
  • Learn the role of decoders in Wazuh
  • Know the difference between traditional and dynamic decoders
  • Understand how rules work in Wazuh
  • Learn the difference between atomic and composite rules
  • Learn the Regex patterns and how to use them
  • Know the tools used to write and test patterns
  • Understand the need to customize decoders and rules
  • Learn how to modify and test decoders and rules

LAB EXERCISES

  • Observing multiple log formats
  • Analyzing existing decoders and rules
  • Making simple modifications in decoders and rules
  • Working with Regex patterns to match strings
  • Generating your own traffic and logging it
  • Creating or modifying decoders and rules to alert on the traffic generated above