RADAR rules are custom Wazuh detection rules designed to identify anomalous behavior and security threats in real-time. These rules are deployed to /var/ossec/etc/rules/ during the Ansible automation process and work in conjunction with custom decoders to extract and analyze event data.
radar/scenarios/rules/
└── /
└── *.xml
Each scenario has its own subdirectory containing XML rule files that are automatically deployed based on the selected scenario.
Purpose: Detect anomalous increases in log volume that may indicate attacks, system issues, or data exfiltration attempts.
How it works:
Rules:
| Rule ID | Level | Description | Trigger Condition |
|---|---|---|---|
100300 |
5 | OpenSearch AD alert received | Any alert from OpenSearch AD module with opensearch_ad decoder |
100309 |
12 | Log Volume Growth Detected | Specific AD alert matching “LogVolume-Growth-Detected” |
Alert Flow:
1. OpenSearch AD detects anomaly
2. Wazuh receives AD alert
3. Rule 100300 catches all AD alerts (level 5)
4. Rule 100309 escalates if "LogVolume-Growth-Detected" (level 12)
Purpose: Detect and block authentication attempts from non-whitelisted geographic locations.
How it works:
radar-helper/var/ossec/etc/lists/whitelist_countries)Rules:
| Rule ID | Level | Description | Trigger Condition |
|---|---|---|---|
100900 |
10 | Connection from non-whitelist country | Authentication success + radar_country field not in whitelist |
100901 |
10 | Connection from non-whitelist country | Authentication success + source GeoIP not in EU Greater Region |
Alert Flow:
1. Authentication success event
2. Custom decoder extracts `radar_country` field
3. Rule 100900 checks against whitelist_countries list
4. Rule 100901 checks against hardcoded countries
5. Alert if country not whitelisted
Whitelist mechanism:
etc/lists/whitelist_countriessrcgeoip fieldNote: The country list is subject for change according to needs.
Purpose: Detect credential-based attacks including brute force attempts and impossible travel scenarios.
How it works:
radar-helperRules:
| Rule ID | Level | Description | Trigger Condition | Timeframe |
|---|---|---|---|---|
210012 |
8 | Failed-burst brute force | ≥5 failed SSH logins from same source user | 60 seconds |
210013 |
8 | Failed-burst brute force | ≥5 failed SSH logins from same destination user | 60 seconds |
210020 |
10 | Impossible travel (with success) | Auth success + country change + velocity ≥900 km/h | N/A |
210021 |
10 | Impossible travel (with failure) | Auth failure + country change + velocity ≥900 km/h | N/A |
Alert Flow - Brute Force:
1. SSH authentication failure
2. If ≥5 failures in 60 seconds from same user
3. Alert: Failed-burst brute force attack
Alert Flow - Impossible Travel:
1. Authentication event (success or failure)
2. RADAR helper identifies: `radar_country_change_i` (1 if country changed, 0 otherwise) and `radar_geo_velocity_kmh` (km/h between previous and current login)
3. Rule 210020/210021 checks:
- Country changed? (radar_country_change_i == 1)
- Velocity >= 900 km/h? (physically impossible travel)
Wazuh loads rule files from the configured rule directory in alphabetical order by filename. This is why we use deterministic prefixes such as a1_*, a2_*, a3_*.
Wazuh evaluates rules in a tree/layer model:
Independent rules (no if_sid / if_matched_sid) are evaluated in the order they are read/loaded.
Child rules (if_sid) are evaluated after their parent matches, and in the order they are defined. The first child rule that matches triggers; subsequent child rules are not evaluated (“first-match” logic). Groups Google
When multiple rules can match within the same layer/parent context, Wazuh uses a deterministic precedence:
Important clarification for our documentation: Wazuh does not inherently sort by rule ID. In RADAR, “lower ID matches first” is true because we intentionally place rules in ascending ID order within files, and we control file loading order via filename prefixes. So the effective priority becomes “lower ID first” only as a consequence of our ordering strategy (read order).
Placed first to normalize OpenSearch AD alerts into Wazuh events early, and because it is self-contained (parent + specific child rule in the same pack).
Placed second because it represents a baseline policy violation (“successful auth from non-whitelist country”) and is designed to be the primary classification when multiple geolocation-related conditions could apply.
Placed third because it contains more advanced behavioral logic (frequency correlation and enriched geo-velocity conditions). It is intentionally evaluated after baseline policy checks to avoid duplicate or competing alerts for the same authentication event.
RADAR rules provide scenario-specific threat detection capabilities:
Rules are automatically deployed via Ansible, and generate alerts indexed in OpenSearch for analysis and response.