From de116dd966222ef1dcbd86a6ba508a415a2bf6d4 Mon Sep 17 00:00:00 2001
From: Carlos Romero <98657335+carom93@users.noreply.github.com>
Date: Mon, 23 Mar 2026 13:35:53 -0600
Subject: [PATCH 1/3] Update workflow to deploy rulesets to Wazuh Cloud
---
 .github/workflows/integrate_rulesets.yml | 45 ++++++++++++------------
 1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/integrate_rulesets.yml b/.github/workflows/integrate_rulesets.yml
index 6d14502..27c3b29 100644
--- a/.github/workflows/integrate_rulesets.yml
+++ b/.github/workflows/integrate_rulesets.yml
@@ -1,30 +1,31 @@
-name: Update Rulesets on SIEM
+name: Deploy Rulesets to Wazuh Cloud
+
 on:
 push:
- branches: [ "main" ]
- paths: ["**.xml"]
+ branches: ["main"]
+ paths: ["rules/**.xml", "decoders/**.xml"]
 workflow_dispatch:
 jobs:
-
- DaaC:
+ deploy:
 runs-on: ubuntu-latest
+
 steps:
- - name: Apply modified or new decoders and rules to SIEM
- uses: appleboy/ssh-action@v1.0.0
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
 with:
- host: ${{ secrets.HOST }}
- username: ${{ secrets.USERNAME }}
- key: ${{ secrets.SSH_KEY }}
- port: ${{ secrets.PORT }}
- script: |
- sudo bash -c '
- cd /var/ossec/etc/
- git pull origin main
- chown wazuh:wazuh /var/ossec/etc/decoders/* && chmod 660 /var/ossec/etc/decoders/*
- chown wazuh:wazuh /var/ossec/etc/rules/* && chmod 660 /var/ossec/etc/rules/*
- sudo systemctl restart wazuh-manager \
- && echo "Ruleset apply SUCCESS!!! - Wazuh manager restarted successfully." \
- || echo "Ruleset apply FAILURE!!! - Wazuh manager failed to restart, check ruleset for error..."
- sudo systemctl status wazuh-manager -l --no-pager
- '
\ No newline at end of file
+ python-version: "3.10"
+
+ - name: Install dependencies
+ run: pip install requests
+
+ - name: Deploy rules and decoders to Wazuh Cloud
+ env:
+ WAZUH_API_URL: ${{ secrets.WAZUH_API_URL }}
+ WAZUH_USER: ${{ secrets.WAZUH_API_USER }}
+ WAZUH_PASSWORD: ${{ secrets.WAZUH_API_PASSWORD }}
+ run: |
+ python deploy_to_wazuh.py
From 47f2d7904de596d928678bf5bbb899deb26e9178 Mon Sep 17 00:00:00 2001
From: Carlos Romero <98657335+carom93@users.noreply.github.com>
Date: Mon, 23 Mar 2026 13:39:11 -0600
Subject: [PATCH 2/3] Add script to deploy rules and decoders to Wazuh
---
 deploy_to_wazuh.py | 58 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 deploy_to_wazuh.py
diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py
new file mode 100644
index 0000000..55ea918
--- /dev/null
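Review bot: The new `deploy` job runs with the default GITHUB_TOKEN permissions and pulls `actions/checkout@v3`, `actions/setup-python@v4` and an unpinned `pip install requests` into a job that holds production SIEM credentials; a top-level `permissions:` / `  contents: read` block, actions pinned to a commit SHA, and a pinned `requests==<version>` would shrink the blast radius of a compromised upstream. Nothing in the new steps validates the XML before it is pushed to production — the replaced SSH script at least surfaced a manager restart failure — so a lint or `wazuh-logtest`-style check step before the deploy step is worth considering; confirm what is available against Wazuh Cloud. The env mapping renames secrets (`WAZUH_API_USER` → `WAZUH_USER`, `WAZUH_API_PASSWORD` → `WAZUH_PASSWORD`), which is fine but deserves a one-line comment so the names configured in the repository settings are discoverable from the workflow.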
+++ b/deploy_to_wazuh.py
@@ -0,0 +1,58 @@
+import os
+import requests
+import base64
+from pathlib import Path
+
+WAZUH_URL = os.environ["WAZUH_API_URL"]
+USER = os.environ["WAZUH_USER"]
+PASSWORD = os.environ["WAZUH_PASSWORD"]
+
+# Disable SSL warnings if using self-signed cert (Wazuh Cloud uses valid certs, so this is optional)
+requests.packages.urllib3.disable_warnings()
+
+def get_token():
+ response = requests.get(
+ f"{WAZUH_URL}/security/user/authenticate",
+ auth=(USER, PASSWORD),
+ verify=True
+ )
+ response.raise_for_status()
+ return response.json()["data"]["token"]
+
+def upload_file(token, endpoint, filename, content):
+ headers = {
+ "Authorization": f"Bearer {token}",
+ "Content-Type": "application/octet-stream"
+ }
+ params = {"filename": filename, "overwrite": True}
+ response = requests.post(
+ f"{WAZUH_URL}/{endpoint}",
+ headers=headers,
+ params=params,
+ data=content.encode("utf-8"),
+ verify=True
+ )
+ if response.status_code == 200:
+ print(f"āœ… Uploaded (unknown)")
+ else:
+ print(f"āŒ Failed to upload (unknown): {response.status_code} - {response.text}")
+ raise Exception(f"Upload failed for (unknown)")
+
+def main():
+ token = get_token()
+ print("šŸ” Authenticated with Wazuh API")
+
+ # Upload rules
+ for rule_file in Path("rules").glob("*.xml"):
+ content = rule_file.read_text()
+ upload_file(token, "rules/files", rule_file.name, content)
+
+ # Upload decoders
+ for decoder_file in Path("decoders").glob("*.xml"):
+ content = decoder_file.read_text()
+ upload_file(token, "decoders/files", decoder_file.name, content)
+
+ print("\nšŸŽ‰ All rulesets deployed successfully.")
+
+if __name__ == "__main__":
+ main()
From 1161a515898fd27d6f399904f4384efec5cf4985 Mon Sep 17 00:00:00 2001
From: Carlos Romero <98657335+carom93@users.noreply.github.com>
Date: Mon, 23 Mar 2026 13:49:01 -0600
Subject: [PATCH 3/3] Add RaC test rule
---
 rules/test_rule.xml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 rules/test_rule.xml
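Review bot: `main()` only walks `Path("rules").glob("*.xml")` and `Path("decoders").glob("*.xml")`, while the workflow in the first patch triggers on `rules/**.xml` and `decoders/**.xml`, so a file added in a subdirectory starts a deploy but is never uploaded; `Path("rules").rglob("*.xml")` (or narrowing the workflow paths) keeps the two in step. `requests.packages.urllib3.disable_warnings()` runs unconditionally even though every request passes `verify=True`, so it gains nothing today and would silence an InsecureRequestWarning if someone later flips `verify` — drop it, together with the unused `import base64`. In `upload_file` the success and failure messages print `(unknown)` rather than the filename (presumably `{filename}` was intended) and the failure path raises a bare `Exception`; `raise RuntimeError(f"Upload failed for {filename}: {response.status_code}")` is more useful to callers, and `rule_file.read_text(encoding="utf-8")` avoids decoding with the runner's locale before re-encoding as UTF-8. Unlike the replaced SSH script, nothing here restarts the manager after the uploads, and as far as I recall the Wazuh API updates a ruleset file with `PUT /rules/files/{filename}?overwrite=true` rather than `POST /rules/files?filename=` — confirm both points against the API reference before relying on this in production.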
diff --git a/rules/test_rule.xml b/rules/test_rule.xml
new file mode 100644
index 0000000..0a06fc6
--- /dev/null
+++ b/rules/test_rule.xml
@@ -0,0 +1,6 @@
+
+
+ RaC test rule - safe to delete
+ no_full_log
+
+
\ No newline at end of file