<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Andrea Termine</title>
    <description>The latest articles on DEV Community by Andrea Termine (@andreicscs).</description>
    <link>https://dev.to/andreicscs</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4011299%2F3d0fbebd-ba3c-4988-8eea-a556c1c4ddd7.png</url>
      <title>DEV Community: Andrea Termine</title>
      <link>https://dev.to/andreicscs</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/andreicscs"/>
    <language>en</language>
    <item>
      <title>Integrating HoneyWire with Wazuh SIEM</title>
      <dc:creator>Andrea Termine</dc:creator>
      <pubDate>Wed, 01 Jul 2026 19:18:00 +0000</pubDate>
      <link>https://dev.to/andreicscs/integrating-honeywire-with-wazuh-siem-1lhp</link>
      <guid>https://dev.to/andreicscs/integrating-honeywire-with-wazuh-siem-1lhp</guid>
      <description>&lt;p&gt;Wazuh is a powerful SIEM, but like many traditional security platforms, it often struggles with a high volume of false positive alerts generated by legitimate behavior, misconfigurations, and noisy environments. HoneyWire is a purpose-built deception engine designed to solve this. By deploying lightweight decoys that have zero legitimate business purpose, HoneyWire ensures that any interaction is intrinsically malicious. Feeding these high-fidelity deception alerts directly into Wazuh enables security teams to correlate threats and execute automated incident response with confidence.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqv4ee933ysr41dk0bj9u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqv4ee933ysr41dk0bj9u.png" alt="Honeywire x Wazuh" width="800" height="400"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Integrating HoneyWire into a Wazuh deployment requires configuring a Syslog listener in Wazuh, implementing a custom decoder for payload extraction, defining custom correlation rules, and finally configuring the HoneyWire Hub to forward events. The following guide outlines the necessary configuration steps.&lt;/p&gt;

&lt;h2&gt;
  
  
  Configure the Wazuh Syslog Listener
&lt;/h2&gt;

&lt;p&gt;First, Wazuh must be configured to accept incoming Syslog streams from the HoneyWire Hub. Modify the manager configuration file located at &lt;code&gt;/var/ossec/etc/ossec.conf&lt;/code&gt; by appending the following &lt;code&gt;&amp;lt;remote&amp;gt;&lt;/code&gt; block inside the main &lt;code&gt;&amp;lt;ossec_config&amp;gt;&lt;/code&gt; section.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight xml"&gt;&lt;code&gt;  &lt;span class="nt"&gt;&amp;lt;remote&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;connection&amp;gt;&lt;/span&gt;syslog&lt;span class="nt"&gt;&amp;lt;/connection&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;port&amp;gt;&lt;/span&gt;514&lt;span class="nt"&gt;&amp;lt;/port&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;protocol&amp;gt;&lt;/span&gt;udp&lt;span class="nt"&gt;&amp;lt;/protocol&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;allowed-ips&amp;gt;&lt;/span&gt;{HONEYWIRE_HUB_IP}&lt;span class="nt"&gt;&amp;lt;/allowed-ips&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/remote&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;[!Note]&lt;br&gt;
Ensure the &lt;code&gt;&amp;lt;protocol&amp;gt;&lt;/code&gt; directive matches the transport protocol you plan to configure on the HoneyWire Hub. Additionally, verify that perimeter or host firewalls permit ingress traffic on the specified port originating from &lt;code&gt;{HONEYWIRE_HUB_IP}&lt;/code&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Implement Custom Decoders
&lt;/h2&gt;

&lt;p&gt;Wazuh's native Syslog parser does not natively support RFC-5424 header structures yet. To bypass this, we utilize a &lt;code&gt;prematch&lt;/code&gt; directive. This guarantees that the custom decoder intercepts the raw log payload and extracts the structured JSON telemetry before the default legacy syslog parser can drop it.&lt;/p&gt;

&lt;p&gt;Append the following decoder logic to &lt;code&gt;/var/ossec/etc/decoders/honeywire_decoders.xml&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight xml"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;decoder&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"honeywire"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;prematch&amp;gt;&lt;/span&gt;honeywireSensor&lt;span class="nt"&gt;&amp;lt;/prematch&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;regex&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"pcre2"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;trigger="([^"]+)" source="([^"]+)" target="([^"]+)" node="([^"]+)" sensor="([^"]+)" severity="([^"]+)" details=(\{.*?\})&lt;span class="nt"&gt;&amp;lt;/regex&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;order&amp;gt;&lt;/span&gt;hw_trigger, hw_source, hw_target, hw_node, hw_sensor, hw_severity, hw_details&lt;span class="nt"&gt;&amp;lt;/order&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/decoder&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Define Correlation Rules
&lt;/h2&gt;

&lt;p&gt;Next, define the alerting thresholds mapped to HoneyWire's severity classifications. Append the following rule group to &lt;code&gt;/var/ossec/etc/rules/honeywire_rules.xml&lt;/code&gt;:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[!Warning]&lt;br&gt;
Verify that the chosen rule IDs (&lt;code&gt;115001&lt;/code&gt; - &lt;code&gt;115006&lt;/code&gt;) do not collide with existing active rules in your Wazuh environment.&lt;br&gt;
&lt;/p&gt;
&lt;/blockquote&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight xml"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;group&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"honeywire,"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;

  &lt;span class="nt"&gt;&amp;lt;rule&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"115001"&lt;/span&gt; &lt;span class="na"&gt;level=&lt;/span&gt;&lt;span class="s"&gt;"3"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;decoded_as&amp;gt;&lt;/span&gt;honeywire&lt;span class="nt"&gt;&amp;lt;/decoded_as&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;description&amp;gt;&lt;/span&gt;HoneyWire: $(hw_trigger) from $(hw_source) on $(hw_node)&lt;span class="nt"&gt;&amp;lt;/description&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/rule&amp;gt;&lt;/span&gt;

  &lt;span class="nt"&gt;&amp;lt;rule&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"115002"&lt;/span&gt; &lt;span class="na"&gt;level=&lt;/span&gt;&lt;span class="s"&gt;"3"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;if_sid&amp;gt;&lt;/span&gt;115001&lt;span class="nt"&gt;&amp;lt;/if_sid&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;field&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"hw_severity"&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"pcre2"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;(?i)^info$&lt;span class="nt"&gt;&amp;lt;/field&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;description&amp;gt;&lt;/span&gt;HoneyWire Info: $(hw_trigger) from $(hw_source) on $(hw_node)&lt;span class="nt"&gt;&amp;lt;/description&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/rule&amp;gt;&lt;/span&gt;

  &lt;span class="nt"&gt;&amp;lt;rule&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"115003"&lt;/span&gt; &lt;span class="na"&gt;level=&lt;/span&gt;&lt;span class="s"&gt;"5"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;if_sid&amp;gt;&lt;/span&gt;115001&lt;span class="nt"&gt;&amp;lt;/if_sid&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;field&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"hw_severity"&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"pcre2"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;(?i)^low$&lt;span class="nt"&gt;&amp;lt;/field&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;description&amp;gt;&lt;/span&gt;HoneyWire Low: $(hw_trigger) from $(hw_source) on $(hw_node)&lt;span class="nt"&gt;&amp;lt;/description&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/rule&amp;gt;&lt;/span&gt;

  &lt;span class="nt"&gt;&amp;lt;rule&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"115004"&lt;/span&gt; &lt;span class="na"&gt;level=&lt;/span&gt;&lt;span class="s"&gt;"7"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;if_sid&amp;gt;&lt;/span&gt;115001&lt;span class="nt"&gt;&amp;lt;/if_sid&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;field&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"hw_severity"&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"pcre2"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;(?i)^med$|^medium$&lt;span class="nt"&gt;&amp;lt;/field&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;description&amp;gt;&lt;/span&gt;HoneyWire Warning: $(hw_trigger) from $(hw_source) on $(hw_node)&lt;span class="nt"&gt;&amp;lt;/description&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/rule&amp;gt;&lt;/span&gt;

  &lt;span class="nt"&gt;&amp;lt;rule&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"115005"&lt;/span&gt; &lt;span class="na"&gt;level=&lt;/span&gt;&lt;span class="s"&gt;"10"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;if_sid&amp;gt;&lt;/span&gt;115001&lt;span class="nt"&gt;&amp;lt;/if_sid&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;field&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"hw_severity"&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"pcre2"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;(?i)^high$&lt;span class="nt"&gt;&amp;lt;/field&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;description&amp;gt;&lt;/span&gt;HoneyWire High: $(hw_trigger) from $(hw_source) on $(hw_node)&lt;span class="nt"&gt;&amp;lt;/description&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/rule&amp;gt;&lt;/span&gt;

  &lt;span class="nt"&gt;&amp;lt;rule&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"115006"&lt;/span&gt; &lt;span class="na"&gt;level=&lt;/span&gt;&lt;span class="s"&gt;"12"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;if_sid&amp;gt;&lt;/span&gt;115001&lt;span class="nt"&gt;&amp;lt;/if_sid&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;field&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"hw_severity"&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"pcre2"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;(?i)^crit$|^critical$&lt;span class="nt"&gt;&amp;lt;/field&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;description&amp;gt;&lt;/span&gt;HoneyWire CRITICAL: $(hw_trigger) from $(hw_source) on $(hw_node)&lt;span class="nt"&gt;&amp;lt;/description&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;options&amp;gt;&lt;/span&gt;alert_by_email&lt;span class="nt"&gt;&amp;lt;/options&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/rule&amp;gt;&lt;/span&gt;

&lt;span class="nt"&gt;&amp;lt;/group&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Apply Configuration
&lt;/h2&gt;

&lt;p&gt;Restart the Wazuh manager daemon to compile and load the new decoders and rulesets:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;systemctl restart wazuh-manager
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Configure HoneyWire SIEM Forwarding
&lt;/h2&gt;

&lt;p&gt;Now that Wazuh is listening and ready to parse incoming events, you need to configure your HoneyWire Hub to forward alerts. In the HoneyWire Sentinel dashboard, navigate to &lt;strong&gt;Settings -&amp;gt; SIEM Forwarding&lt;/strong&gt;. Enter the IP address and port (default 514) of your Wazuh manager, select your preferred protocol (&lt;code&gt;tcp&lt;/code&gt; or &lt;code&gt;udp&lt;/code&gt;), and save the configuration.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhilpqhw8mbpd3m5niac0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhilpqhw8mbpd3m5niac0.png" alt="honeywire config" width="800" height="380"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Verify Telemetry Flow
&lt;/h2&gt;

&lt;p&gt;To validate the integration pipeline, trigger a mock event against a HoneyWire sensor (e.g., execute an unauthorized SSH login attempt, or by running &lt;code&gt;honeywire firedrill&lt;/code&gt; if using the HoneyWire CLI tool). Monitor the Wazuh alert logs to confirm the event was successfully parsed and indexed:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo tail&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; /var/ossec/logs/alerts/alerts.json | &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-i&lt;/span&gt; honeywire
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Once validated, the normalized telemetry will populate in your Wazuh security dashboards:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ff6pt4375zntwyipzmb4z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ff6pt4375zntwyipzmb4z.png" alt="wazuh events" width="799" height="328"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Investigating specific alerts will reveal the custom HoneyWire attributes cleanly mapped into Wazuh's structured fields:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqettj9drijfcmj7lvlfm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqettj9drijfcmj7lvlfm.png" alt="wazuh event details" width="800" height="728"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Troubleshooting Pipeline Issues
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Missing Ingress Traffic:&lt;/strong&gt; Execute &lt;code&gt;tcpdump -i any port 514&lt;/code&gt; on the manager node to verify Syslog packets are traversing the network. If no packets are captured, audit upstream firewalls and routing tables.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Decoder Failures:&lt;/strong&gt; Utilize the &lt;code&gt;wazuh-logtest&lt;/code&gt; binary to ingest a raw HoneyWire Syslog payload. This allows you to simulate the pipeline and ensure the payload matches the custom decoder and triggers the appropriate rule.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;— — —&lt;br&gt;
GitHub Repo: &lt;a href="https://github.com/andreicscs/HoneyWire" rel="noopener noreferrer"&gt;https://github.com/andreicscs/HoneyWire&lt;/a&gt;&lt;br&gt;
Official Website: &lt;a href="https://honeywire.dev/" rel="noopener noreferrer"&gt;https://honeywire.dev/&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  References
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html" rel="noopener noreferrer"&gt;Wazuh Syslog Data Collection&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html" rel="noopener noreferrer"&gt;Wazuh Custom Decoders&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html" rel="noopener noreferrer"&gt;Wazuh Custom Rules&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>cyberdeception</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
