tum
запушил(а) main в tum/soc
395c5c7e78 disk space reduction, rule fixes, and dashboard query alignment
- wazuh_manager.conf: disable logall_json (was 14 GB of archives.json growth);
add log rotation block (daily, 7-day retention, compressed)
- OpenSearch ISM policy applied externally (wazuh-alerts-* / wazuh-archives-*,
delete after 30d)
- soc-a2/a3/a4, soc-c1-c3 rules: fix if_sid chaining (if_group=fortigate broken
in Wazuh 4.x), add production profile rules (110xxx range), align with real
archive field names (srccountry, dstport, logonType, etc.)
- local_decoder.xml: decoder updates to support new field extractions
- appendix-c dashboard: fix query rule.id:1005* → rule.groups: appendix_c
(old query matched simulation IDs only, returned nothing for prod rules)
- appendix-ab dashboard: narrow query soc_prod* → appendix_a OR appendix_b
(excludes C1/C2/C3 rules from A+B panels)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3 часов назад
