https://blog.pytoshka.me/en/tags/rules/Recent content in Rules on pyToshka's DevSecOps BlogHugoen-USping@pytoshka.me (pyToshka)ping@pytoshka.me (pyToshka)Wed, 15 Apr 2026 10:36:10 +0400https://blog.pytoshka.me/en/post/wazuh-static-analysis-rules/Sat, 28 Mar 2026 00:00:00 +0000ping@pytoshka.me (pyToshka)https://blog.pytoshka.me/en/post/wazuh-static-analysis-rules/<p><strong>&ldquo;Wazuh Static Analysis&rdquo; series:</strong></p> <ul> <li><a href="https://blog.pytoshka.me/en/post/wazuh-static-analysis-decoders/">Part 1: Decoders</a> - decoder XML validation</li> <li><strong>Part 2: Rules</strong> (you are here) - rule validation and cross-type checking</li> </ul> <p>In <a href="https://blog.pytoshka.me/en/post/wazuh-static-analysis-decoders/">Part 1</a> we built a linter for Wazuh decoder XML files - a tool that validates structure, regex/order consistency, and parent-child decoder chains. But decoders are only half of the event processing pipeline. Decoders extract fields from raw logs, while rules decide what to do with those fields: generate an alert, escalate a threat level, or trigger an automated response. An error in a rule - a missed alert or a false positive - can be more dangerous than a decoder misconfiguration.</p>