u/Ill-Market6508

Wazuh - Request for a review of custom Windows/AD rules
▲ 5 r/Wazuh

Hello everyone!

For the past few weeks I have been trying to test some custom rules that would give me richer data from detections as well as some level of correlation/chaining between default/custom rules.

Originally I created them with Claude, but later found out that it was chaining custom rules to the wrong parent rules, so many custom rules got silenced because they were essentially siblings of the OG rules.

Here they are: https://github.com/captainobvious1911/wazuh_windows_rules

As I have also written in the README, I would be thankful for feedback/suggestions on the following:

  • Are the brute-force thresholds (frequency="5" timeframe="120") reasonable or too noisy in your environment?
  • Any common PS attack patterns missing from the 4104 rules?
  • False positive suppressions you've needed beyond NT SERVICE / IIS AppPool / Azure AD Connect service accounts?
  • Do you see any rules that are overkill and could be handled by default rules without the hassle of spawning another custom child rule?
  • Ideas for dashboards and visualisations in AD environment with Windows Servers (RDS, NPS, SQL, and other "Classic" services)
u/Ill-Market6508 — 7 days ago
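The parent/child layout the post is asking about, as an added illustration (not code from the linked repo): a custom rule made a child of the stock logon-failure rule via if_sid rather than a sibling of it, a level-0 suppression beneath it, and a frequency="5" timeframe="120" correlation that counts only the custom rule's own matches. It assumes the stock Wazuh rule id 60122 for event 4625, a Wazuh 4.x ruleset with same_field support, and the eventdata field names shown; verify all three against your installed ruleset.

```xml
<!-- local_rules.xml (illustrative; not from the linked repository) -->
<group name="windows,custom_ad,">

  <!-- Child of the stock logon-failure rule (assumed id 60122), NOT a sibling
       of it. A sibling would carry the same if_sid as 60122 and compete with
       it on level/order, which is how custom rules end up silenced. Pointing
       if_sid at 60122 itself means this rule is only evaluated after 60122
       has matched, so the two never race. -->
  <rule id="100100" level="5">
    <if_sid>60122</if_sid>
    <!-- Logon types 3 (network) and 10 (RemoteInteractive/RDP) -->
    <field name="win.eventdata.logonType">^3$|^10$</field>
    <description>Remote logon failure for $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Suppression as a level-0 child: when it matches, no alert is written
       and the event is NOT counted by the correlation rule below. For 4625
       the service principal appears in targetDomainName, not targetUserName
       (assumed field; constructed pattern). -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.targetDomainName">^NT SERVICE$|^IIS APPPOOL$</field>
    <description>Ignore remote logon failures from service account principals</description>
  </rule>

  <!-- Correlation: five matches of 100100 from the same source address within
       120 s. if_matched_sid references the custom rule, so suppressed events
       (rule 100101) never contribute to the count. -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Possible brute force: 5+ remote logon failures from $(win.eventdata.ipAddress) within 120s</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Run `/var/ossec/bin/wazuh-logtest` with a sample 4625 event to confirm that rule 100100 (not 60122) is the final match before trusting the correlation counts.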