commit 45509c286fe1e6dde7c17e43d1118017aa2fb9bd
Author: arthur <arthur@wazuh.ccicm.lan>
Date:   Wed Feb 11 12:05:22 2026 +0100

    first commit

diff --git a/3cx_Rules.xml b/3cx_Rules.xml
new file mode 100644
index 0000000..42ac8a7
--- /dev/null
+++ b/3cx_Rules.xml
@@ -0,0 +1,110 @@
+<!-- Toute erreur CallFlow -->
+<group name="3cx,">
+ <rule id="100200" level="8">
+  <decoded_as>3cx-parent-datetime</decoded_as>
+  <field name="level">Erro</field>
+  <description>3CX CallFlow error</description>
+  <group>3cx,callflow,error,</group>
+ </rule>
+</group>
+
+<!-- “Route failed” explicite -->
+<group name="3cx,">
+ <rule id="100201" level="10">
+  <decoded_as>3cx-parent-datetime</decoded_as>
+  <match>Route failed</match>
+  <description>3CX routing failure - Appel sortant impossible</description>
+  <group>3cx,callflow,routing,</group>
+ </rule>
+</group>
+
+<!-- Regroupement : >=5 échecs en 60s = route failed -->
+<group name="3cx,">
+ <rule id="100205" level="12" frequency="5" timeframe="60">
+  <if_matched_sid>100201</if_matched_sid>
+  <description>3CX Route failed  — communication externe impossible</description>
+  <group>3cx,callflow,outage,provider,</group>
+ </rule>
+</group>
+
+<!-- ParentConnectionTerminated (fort signal opérateur/trunk) -->
+<group name="3cx,">
+ <rule id="100202" level="10">
+  <decoded_as>3cx-parent-datetime</decoded_as>
+  <field name="result">ParentConnectionTerminated</field>
+  <description>3CX: parent connection terminated (likely trunk/provider issue)</description>
+  <group>3cx,callflow,trunk,provider,outage,</group>
+ </rule>
+</group>
+
+
+<!-- Regroupement : >=5 échecs en 60s = panne possible -->
+<group name="3cx,">
+ <rule id="100203" level="12" frequency="5" timeframe="60">
+  <if_matched_sid>100202</if_matched_sid>
+  <description>3CX widespread routing failures  — probable provider outage</description>
+  <group>3cx,callflow,outage,provider,</group>
+ </rule>
+</group>
+
+
+<!-- 100207 : FCM unauthorized (unitaire) -->
+<group name="3cx,">
+  <rule id="100207" level="7">
+    <decoded_as>3cx-parent-datetime</decoded_as>
+    <match>Got Unauthorized from FCM</match>
+    <description>3CX Push: FCM unauthorized (apps mobile non fonctionnel)</description>
+    <group>3cx,push,notification,fcm,</group>
+  </rule>
+</group>
+
+<!-- 100208 : FCM unauthorized répété = incident -->
+<group name="3cx,">
+  <rule id="100208" level="10" frequency="3" timeframe="900">
+    <if_matched_sid>100207</if_matched_sid>
+    <description>3CX Push: multiples FCM unauthorized (probable panne notifications mobiles)</description>
+    <group>3cx,push,notification,fcm,outage,</group>
+  </rule>
+</group>
+
+<!-- 100209 : (CRM) Erreur HTTP client (unitaire) -->
+<group name="3cx,">
+  <rule id="100209" level="8">
+    <if_sid>100200</if_sid>
+    <match>_3CX.HttpClient</match>
+    <field name="message">failed</field>
+    <description>3CX Integration: requête HTTP échouée (CRM)</description>
+    <group>3cx,integration,http,</group>
+  </rule>
+</group>
+
+<!-- 100210 : Rafale d'échecs HTTP = panne d’intégration -->
+<group name="3cx,">
+  <rule id="100210" level="9" frequency="5" timeframe="600">
+    <if_matched_sid>100209</if_matched_sid>
+    <description>3CX Integration: multiples requêtes HTTP échouées (panne probable du service tiers)</description>
+    <group>3cx,integration,http,outage,</group>
+  </rule>
+</group>
+
+<!-- 100211 : DBProvPostgress erreur (unitaire) -->
+<group name="3cx,">
+  <rule id="100211" level="9">
+    <if_sid>100200</if_sid>
+    <match>DBProvPostgress</match>
+    <regex type="pcre2">(BatchUpdate|INSERT FAILED)</regex>
+    <description>3CX DB: erreur critique PostgreSQL (BatchUpdate/INSERT)</description>
+    <group>3cx,db,postgres,error,</group>
+  </rule>
+</group>
+
+<!-- 100212 : DB erreurs répétées = incident majeur -->
+<group name="3cx,">
+  <rule id="100212" level="12" frequency="3" timeframe="300">
+    <if_matched_sid>100211</if_matched_sid>
+    <description>3CX DB: erreurs PostgreSQL répétées (instabilité probable)</description>
+    <group>3cx,db,postgres,outage,</group>
+  </rule>
+</group>
+
+
diff --git a/Brut-force-VPN.xml b/Brut-force-VPN.xml
new file mode 100644
index 0000000..f09f476
--- /dev/null
+++ b/Brut-force-VPN.xml
@@ -0,0 +1,12 @@
+<!-- Modify it at your will. -->
+<group name="authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+    <rule id="81615" level="15" frequency="10" timeframe="45" ignore="240" overwrite="yes">
+        <if_matched_sid>81614</if_matched_sid>
+        <same_field>data.remip</same_field>
+        <description>Fortigate: Multiple firewall SSL VPN failed login events from same source.</description>
+        <mitre>
+            <id>T1110</id>
+            <id>T1133</id>
+        </mitre>
+    </rule>
+</group> 
\ No newline at end of file
diff --git a/Brut-force-linux.xml b/Brut-force-linux.xml
new file mode 100644
index 0000000..f199a38
--- /dev/null
+++ b/Brut-force-linux.xml
@@ -0,0 +1,23 @@
+<!-- Brut force SSH-tty PAM -->
+
+<group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+  <rule id="100153" level="15" frequency="8" timeframe="180">
+    <if_matched_sid>5503</if_matched_sid>
+    <same_field>srcip</same_field>
+    <description>Brut force Linux</description>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+  </rule>
+</group>
+
+<group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+  <rule id="100154" level="15" frequency="8" timeframe="180">
+    <if_matched_sid>5503</if_matched_sid>
+    <same_field>tty</same_field>
+    <description>Brut force Linux</description>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+  </rule>
+</group>
\ No newline at end of file
diff --git a/Connexion-admin.xml b/Connexion-admin.xml
new file mode 100644
index 0000000..7a96df8
--- /dev/null
+++ b/Connexion-admin.xml
@@ -0,0 +1,94 @@
+<!-- Alerte si connexion Administrateur -->
+
+<!-- Alerte si connexion Administrateur (local)-->
+<group name="Co-Windows">
+  <rule id="100002" level="3">
+    <if_sid>60106</if_sid>
+    <field name="data.win.eventdata.targetUserName">administrateur</field>
+    <description>Windows Logon Sucess Admin</description>
+    <options>no_full_log</options>
+    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_80></group>
+  </rule>
+</group>
+
+<!-- Règle de base wazuh - Overwrite -->
+<!-- Co RDP -->
+<group name="windows,rdp,authentication_success,">  
+  <rule id="92653" level="2" overwrite="yes">
+    <if_sid>92651</if_sid>
+    <field name="win.eventdata.logonType" type="pcre2">10</field>
+    <description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from ip:$(win.eventdata.ipAddress).</description>
+    <mitre>
+      <id>T1021.001</id>
+      <id>T1078.002</id>
+    </mitre>
+  </rule>
+</group>
+
+<!-- Co avec privilège admin -->
+<group name="windows,auth,privileged,">  
+  <rule id="67028" level="3" overwrite="yes">
+    <if_sid>60103</if_sid>
+    <field name="win.system.eventID">^4672$</field>
+    <field name="win.eventdata.subjectUserSid" negate="yes">^S-1-5-18$</field>
+    <description>Special privileges assigned to new logon.</description>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- Co utilisateur -->
+<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+  <rule id="60106" level="1" overwrite="yes">
+    <if_sid>60103</if_sid>
+    <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
+    <description>Windows Logon Success</description>
+    <options>no_full_log</options>
+    <mitre>
+      <id>T1078</id>
+    </mitre>
+  </rule>
+</group>
+ 
+<!-- Déco utilisateur -->
+<group name="pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">  
+  <rule id="60137" level="1" overwrite="yes">
+    <if_sid>60103</if_sid>
+    <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
+    <description>Windows User Logoff</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+ <!-- Règle alerte RDP 
+<group name="windows,rdp,authentication_success,">
+  <rule id="100003" level="10">
+    <field name="win.system.eventID">1149</field>
+    <description>Connexion RDP réussie détectée (1149)</description>
+    <group>rdp,windows,authentication_success,</group>
+  </rule>
+</group>
+-->
+
+<!-- Règle alerte RDP - co entre 0:00 et 5:00-->  
+<group name="windows,auth,privileged,quiet_hours,">
+  <rule id="100300" level="12">
+    <if_sid>67028</if_sid>
+    <time>00:00-05:00</time>
+    <description>Privileged logon during quiet hours (00:00–05:00 local)</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+ 
+ <!-- Alerte si déconnexion Administrateur -->
+<group name="Co-Windows">
+  <rule id="100005" level="3">
+    <if_sid>60137</if_sid>
+    <field name="data.win.eventdata.targetUserName">administrateur</field>
+    <description>Windows Logoff Admin</description>
+    <options>no_full_log</options>
+    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_80></group>
+  </rule>
+</group>
\ No newline at end of file
diff --git a/Logon-failure-win.xml b/Logon-failure-win.xml
new file mode 100644
index 0000000..65e1b07
--- /dev/null
+++ b/Logon-failure-win.xml
@@ -0,0 +1,27 @@
+<!-- Overwrite règles de base wazuh logon failure - Add event 4771 -->
+  
+<group name="authentication_failed,windows,windows_security,">  
+  <rule id="60105" level="5" overwrite="yes">
+    <if_sid>60104</if_sid>
+    <field name="win.system.eventID">^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$|^4771$</field>
+    <description>Windows Logon Failure</description>
+    <options>no_full_log</options>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1078</id>
+    </mitre>
+  </rule>
+</group>
+
+<group name="authentication_failed,windows,windows_security,">
+  <rule id="60122" level="5" overwrite="yes">
+    <if_sid>60105</if_sid>
+    <field name="win.system.eventID">^529$|^4625$|^4771$</field>
+    <description>Logon Failure - Unknown user or bad password</description>
+    <options>no_full_log</options>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1531</id>
+    </mitre>
+  </rule>
+</group>
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9f4c07e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,57 @@
+# Wazuh - Custom Rules (local_rules)
+
+Repo de gestion de version pour les **custom rules Wazuh** (et optionnellement decoders / lists).
+Objectif : versionner, documenter, tester, et déployer proprement sur un ou plusieurs Wazuh Manager.
+
+---
+
+## Contenu
+
+- `rules/` : règles locales (`local_rules.xml` ou fichiers découpés par thèmes)
+- `decoders/` : decoders locaux (si utilisés)
+- `lists/` : CDB lists (si utilisées)
+- `tests/` : exemples d'événements/logs de test
+- `scripts/` : scripts de validation / déploiement (optionnel)
+
+---
+
+## Prérequis
+
+- Accès au Wazuh Manager
+- Droits root / wazuh selon votre infra
+- Connaissance de base Wazuh ruleset (`<group>`, `<rule>`, `<if_sid>`, etc.)
+
+Chemins classiques sur le manager :
+- Rules locales : `/var/ossec/etc/rules/local_rules.xml`
+- Decoders locaux : `/var/ossec/etc/decoders/local_decoder.xml`
+- Lists : `/var/ossec/etc/lists/`
+
+---
+
+## Bonnes pratiques
+
+### 1) Règles : petites et lisibles
+- 1 règle = 1 objectif
+- Commenter les règles non triviales
+- Garder une logique de nommage
+
+Exemple de convention :
+- IDs : réserver une plage (ex: `100000` - `109999`) pour votre org
+- Groupes : `local,windows,authentication` / `local,linux,hardening` etc.
+
+### 2) Ne pas casser le pipeline
+- Toujours valider la syntaxe XML
+- Tester avec des logs réels/samples avant mise en prod
+- Éviter les conditions trop larges (sinon alert storm)
+
+### 3) Versionner ce qui est "source"
+- Versionner : règles, decoders, lists, samples de test
+- Ne pas versionner : secrets, exports complets, archives, fichiers temporaires
+
+---
+
+## Déploiement (manuel)
+
+### 1) Sauvegarde (recommandé)
+```bash
+sudo cp /var/ossec/etc/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml.bak.$(date +%F_%H%M)
diff --git a/Suricata.xml b/Suricata.xml
new file mode 100644
index 0000000..f345692
--- /dev/null
+++ b/Suricata.xml
@@ -0,0 +1,648 @@
+<!-- Custom rules suricata -->
+
+<!-- Overwrite règle de base pour debug
+<group name="ids, suricata">
+    <rule id="86601" level="3" overwrite="yes">
+        <if_sid>86600</if_sid>
+        <field name="event_type">^alert$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group> -->
+
+
+<!-- Enlève bruit "Not Suspicious Traffic" -->
+<group name="ids, suricata">
+    <rule id="100500" level="0">
+        <if_sid>86601</if_sid>
+        <field name="alert.category">^Not Suspicious Traffic$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Enlève bruit "DNS" -->
+<group name="ids, suricata">
+    <rule id="100501" level="0">
+        <if_sid>86601</if_sid>
+        <field name="flow.dest_port">^53$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Enlève bruit : Alertes RST invalides isolées -->
+<group name="ids, suricata">
+    <rule id="100510" level="0">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA STREAM SHUTDOWN RST invalid ack$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Alertes RST invalides en masse -->
+<group name="ids, suricata">
+    <rule id="100511" level="10" frequency="10" timeframe="180">
+        <if_matched_sid>100510</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Bruit TCP : SYNACK resend avec ACK différent -->
+<group name="ids,suricata">
+  <rule id="100512" level="1">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA STREAM ESTABLISHED SYNACK resend with different ACK</field>
+    <description>Suricata: TCP handshake anomaly (retransmission/reordering/capture/offload) - noise reduction</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- Escalade : burst de SYNACK resend anomalies depuis un même client -->
+<group name="ids,suricata">
+  <rule id="100513" level="12" frequency="25" timeframe="300">
+    <if_matched_sid>100512</if_matched_sid>
+    <same_field>flow.src_ip</same_field>
+    <description>Suricata: Repeated SYNACK resend anomalies from same host (possible evasion / broken TCP stack / capture issue)</description>
+    <mitre>
+        <id>T1046</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- Enlève bruit : Accès SMB suspect
+<group name="ids, suricata">
+    <rule id="100504" level="2">
+        <if_sid>86601</if_sid>
+        <field name="alert.category">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group> -->
+
+<!-- Alertes SMB executable quiet hour : 0h00 5h00
+<group name="ids, suricata">
+    <rule id="100505" level="10">
+        <if_sid>100504</if_sid>
+        <time>00:00-05:00</time>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group> -->
+
+<!-- Alerte SCAN RESEAU -->
+<group name="ids, suricata">
+    <rule id="100520" level="15" frequency="10" timeframe="60" ignore="300">
+        <if_matched_sid>86601</if_matched_sid>
+        <field type="pcre2" name="alert.signature">(Applayer Mismatch|malformed request|unable to match|Sipvicious|SCAN)</field>
+        <!-- <field name="alert.signature">^ET SCAN Possible Nmap User-Agent Observed$</field> -->
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Reduction bruit TCP overlaps suspect -->
+<group name="ids, suricata">
+    <rule id="100530" level="2">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA STREAM reassembly overlap with different data$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Alerte TCP Overlaps répété depuis même IP -->
+<group name="ids, suricata">
+    <rule id="100531" level="12" frequency="20" timeframe="600">
+        <if_matched_sid>100530</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Reduction bruit TCP avec ack invalide -->
+<group name="ids, suricata">
+    <rule id="100532" level="0">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA STREAM Packet with invalid ack$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Multiple TCP ack invalide -->
+<group name="ids, suricata">
+    <rule id="100533" level="12" frequency="50" timeframe="300">
+        <if_matched_sid>100532</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - Multiple TCP ack invalides - Possible ataque TCP</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+
+<!-- Reduction bruit TLS Fail -->
+<group name="ids, suricata">
+    <rule id="100540" level="2">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^ET INFO TLS Handshake Failure$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Alerte TLS Fail répété depuis même IP -->
+<group name="ids, suricata">
+    <rule id="100541" level="12" frequency="50" timeframe="300">
+        <if_matched_sid>100540</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+
+<!-- Reduction bruit NSCI Microsoft -->
+<group name="ids, suricata">
+    <rule id="100550" level="0">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^ET INFO Microsoft Connection Test$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Alerte NCSI répété depuis même IP -->
+<group name="ids, suricata">
+    <rule id="100551" level="12" frequency="20" timeframe="600">
+        <if_matched_sid>100550</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - NCSI excessif - Problème réseau</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Reduction bruit Timestamp invalid -->
+<group name="ids, suricata">
+    <rule id="100560" level="2">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA STREAM Packet with invalid timestamp$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Multiple Timestamps invalies -->
+<group name="ids, suricata">
+    <rule id="100561" level="12" frequency="100" timeframe="300">
+        <if_matched_sid>100560</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - Multiple timestamps invalides - Possible évasion IDS</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+
+<!-- Reduction bruit FIN anormaux -->
+<group name="ids, suricata">
+    <rule id="100570" level="0">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA STREAM FIN out of window$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Multiple FIN Anormaux -->
+<group name="ids, suricata">
+    <rule id="100571" level="12" frequency="30" timeframe="600">
+        <if_matched_sid>100570</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - Multiple FIN Anormaux - Possible problème réseau ou attaque</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Reduction bruit FIN invalid -->
+<group name="ids, suricata">
+    <rule id="100572" level="0">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA STREAM FIN invalid ack$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Multiple FIN invalid -->
+<group name="ids, suricata">
+    <rule id="100573" level="12" frequency="30" timeframe="600">
+        <if_matched_sid>100572</if_matched_sid>
+        <field name="alert.signature">^SURICATA STREAM FIN invalid ack$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+
+<!-- Reduction bruit UDPv6 invalid Unifi-->
+<group name="ids, suricata">
+    <rule id="100580" level="2">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
+        <field name="dest_port">5353</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Multiple UDPv6 invalid -->
+<group name="ids, suricata">
+    <rule id="100581" level="12" frequency="20" timeframe="300">
+        <if_matched_sid>86601</if_matched_sid>
+        <field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
+        <same_field>flow.src_ip</same_field>
+        <description>Suricata: Alert - IPv6 UDP malformed packet flooding (repeated invalid checksum)</description>
+        <mitre>
+            <id>T1046</id>
+        </mitre>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Reduction bruit SMB too many transaction - FS17101 -->
+<group name="ids, suricata">
+    <rule id="100590" level="1">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA SMB too many transactions$</field>
+        <field type="pcre2" name="flow.dest_ip">(10.171.101.36|10.172.101.113)</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Reduction bruit SMB too many transaction - FS17101 -->
+<group name="ids, suricata">
+    <rule id="100591" level="1">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA SMB too many transactions$</field>
+        <field type="pcre2" name="flow.src_ip">(10.171.101.36|10.172.101.113)</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Possible SMB enumération or ransomware activity -->
+<group name="ids, suricata">
+    <rule id="100592" level="12" frequency="10" timeframe="600">
+        <if_matched_sid>100591</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <field name="flow.dest_ip" negate="yes">10.171.101.36</field>
+        <field name="alert.signature">^SURICATA SMB too many transactions$</field>
+        <description>Suricata : Possible SMB enumeration or ransomware activity</description>
+        <mitre>
+            <id>T1021.002</id>
+        </mitre>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Filtrage Executable file SMB -->
+<group name="ids, suricata">
+    <rule id="100592" level="0">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
+        <description>Suricata: Filtrage executable file SMB</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Filtrage Executable file SMB -->
+<group name="ids, suricata">
+    <rule id="100593" level="7">
+        <if_sid>100592</if_sid>
+        <field name="smb.filename">.+</field>
+        <description>Suricata: Filtrage executable file SMB</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+
+<!-- Exception métier : Sphinx exécuté depuis SMB -->
+<group name="ids,suricata">
+  <rule id="100594" level="0">
+    <if_sid>100593</if_sid>
+    <regex type="pcre2" field="smb.filename">(?i)Systeme.*\.exe</regex>
+    <description>
+      Suricata: Known business software (Sphinx) executed from SMB share
+    </description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- Alertes critic : Executable file - Autre que fichier lambda -->
+<group name="ids, suricata">
+    <rule id="100595" level="12">
+        <if_sid>100593</if_sid>
+        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
+        <regex type="pcre2" negate="yes" field="smb.filename">(?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif|csv|zip|rar)</regex>
+        <description>Suricata: Fichier executable dans dossier partagé</description>
+        <!-- <options>no_full_log</options> -->
+    </rule>
+</group>
+
+
+
+<!-- Executable sur SMB
+<group name="ids, suricata">
+    <rule id="100596" level="12">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
+        <regex type="pcre2" field="smb.filename">(?i)\.(exe|dll|bat|cmd|ps1|vbs|js|msi|scr|pif|com)([^\\\/]|$)</regex>
+        <description>Suricata : Executable lancer sur dossier partagé</description>
+        <mitre>T1021.002</mitre>
+        <options>no_full_log</options>
+    </rule>
+</group> -->
+
+
+<!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
+<group name="ids, suricata">
+    <rule id="100597" level="1">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement</field>
+        <field name="dest_ip">10.171.101.36</field>
+        <description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
+<group name="ids, suricata">
+    <rule id="100598" level="10">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement</field>
+        <field name="dest_ip" negate="yes">10.171.101.36</field>
+        <description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Bruit SMB : lecture normale de fichier dossier partagé (file overlap) -->
+<group name="ids,suricata">
+  <rule id="100599" level="1">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA SMB file overlap</field>
+    <description>Suricata: SMB file overlap (normal SMB read behaviour)</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+<!-- Reduction bruit DNS over HTTPS (DOH) -->
+<group name="ids, suricata">
+        <rule id="100600" level="1">
+        <if_sid>86601</if_sid>
+        <field name="alert.metadata.tag">DoH</field>
+        <description>Suricata : DNS over HTTPS</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- DOH sur VLAN ADMINSYS -->
+<group name="ids, suricata">
+    <rule id="100601" level="12">
+        <if_sid>100600</if_sid>
+        <regex field="src_ip">^10\.172\.253\.</regex>
+        <description>Suricata DNS over HTTPS VLAN ADMINSYS</description>
+        <mitre>
+            <id>T1071.004</id>
+        </mitre>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+
+<!-- Reduction bruit Bad Windows update -->
+<group name="ids, suricata">
+    <rule id="100610" level="1">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">SURICATA STREAM bad window update</field>
+        <description>Suricata : Network/offloading/capture noiseS</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Multiple TCP Bad Windows update -->
+<group name="ids, suricata">
+    <rule id="100611" level="10" frequency="50" timeframe="300">
+        <if_matched_sid>100610</if_matched_sid>
+        <same_field>src_ip</same_field>
+        <description>High rate of TCP bad window updates from same host (possible local network stack/capture issue)</description>
+        <mitre>
+            <id>T1071.004</id>
+        </mitre>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+
+
+<!-- Réduction bruit UDP invalid checksum (QUIC/UDP443) -->
+<group name="ids, suricata">
+    <rule id="100620" level="1">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">SURICATA UDPv4 invalid checksum</field>
+        <description>Suricata : UDPv4 invalid checksum - likely NIC offload/SPAN capture noise (often QUIC)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+<!-- Multiple UDP invalid checksum from same source (possible malformed UDP flood) -->
+<group name="ids, suricata">
+    <rule id="100621" level="12" frequency="200" timeframe="60">
+        <if_matched_sid>100620</if_matched_sid>
+        <same_field>flow.src_ip</same_field>
+        <description>High rate of UDPv4 invalid checksum from same host (possible malformed UDP flood / DoS)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Reduction bruit : TCP CLOSEWAIT FIN out of window (infra / supervision) -->
+<group name="ids,suricata">
+  <rule id="100630" level="1">
+    <if_sid>86601</if_sid>
+
+    <field name="alert.signature">
+      SURICATA STREAM CLOSEWAIT FIN out of window
+    </field>
+
+    <description>
+      Suricata: TCP CLOSEWAIT FIN anomaly on known supervision traffic (likely FP)
+    </description>
+
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+<!-- Escalade : TCP CLOSEWAIT FIN out of window flooding -->
+<!-- TCP Evasion, outils de scan bas niveau, fuzzing TCP, Stack TCP custom/malveillant -->
+<group name="ids,suricata">
+  <rule id="100631" level="12" frequency="30" timeframe="300">
+    <if_matched_sid>100630</if_matched_sid>
+
+    <same_field>src_ip</same_field>
+
+    <description>
+      Suricata: Repeated TCP CLOSEWAIT FIN anomalies from same host (possible evasion or broken TCP stack)
+    </description>
+    <mitre>
+        <id>T1046</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+<!-- Bruit TCP : packet out of window sur session établie -->
+<group name="ids,suricata">
+  <rule id="100632" level="1">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
+    <description>Suricata: TCP stream out-of-window (likely retransmission/capture/offload) - noise reduction</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+<!-- Escalade : burst de out-of-window depuis une même machine -->
+<!-- TCP Evasion, Hijack, scan bas niveau -->
+<group name="ids,suricata">
+  <rule id="100633" level="12" frequency="30" timeframe="300">
+    <if_matched_sid>100632</if_matched_sid>
+    <same_field>flow.src_ip</same_field>
+    <description>Suricata: Repeated TCP out-of-window packets from same host (possible evasion / unstable TCP stack / capture issue)</description>
+    <mitre>
+        <id>T1046</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+
+
+<!-- STUN (WebRTC/VoIP) -->
+<group name="ids,suricata">
+  <rule id="100640" level="7">
+    <if_sid>86601</if_sid>
+    <match>ET INFO Session Traversal Utilities for NAT (STUN Binding Response)</match>
+    <description>Suricata: STUN binding response (likely WebRTC/VoIP)</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- Bruit STUN (WebRTC/VoIP) -->
+<group name="ids,suricata">
+  <rule id="100641" level="1">
+    <if_sid>100640</if_sid>
+    <regex type="pcre2" field="flow.src_ip">192\.168\.12\.*</regex>
+    <description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- Bruit STUN (WebRTC/VoIP) -->
+<group name="ids,suricata">
+  <rule id="100642" level="1">
+    <if_sid>100640</if_sid>
+    <regex type="pcre2" field="flow.src_ip">10\.17[0-9]\.[1|2]\.</regex>
+    <description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+<!-- STUN anormal : trop fréquent depuis le même host -->
+<!-- Attaque : Contournement P2P/WebRTC, outil de tunnelling, C2 -->
+<group name="ids,suricata">
+  <rule id="100643" level="12" frequency="80" timeframe="300">
+    <if_matched_sid>100640</if_matched_sid>
+    <same_field>flow.src_ip</same_field>
+    <description>Suricata: Abnormal STUN activity burst (possible tunneling / unauthorized VoIP / P2P)</description>
+    <mitre>
+        <id>T1071</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- Réduction bruit saturation synchro PBS -->
+<!-- invalid ack - dest port 8007 -->
+<group name="ids,suricata,noise">
+  <rule id="100650" level="0">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
+    <field name="dest_port">8007</field>
+    <time>22:00-23:00</time>
+    <description>Ignore Suricata invalid ack between PBS during replication</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- invalid ack - src port 8007 -->
+<group name="ids,suricata,noise">
+  <rule id="100651" level="0">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
+    <field name="src_port">8007</field>
+    <time>22:00-23:00</time>
+    <description>Ignore Suricata invalid ack between PBS during replication</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+<!-- out of window - dest port 8007 -->
+<group name="ids,suricata,noise">
+  <rule id="100652" level="0">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
+    <field name="dest_port">8007</field>
+    <time>22:00-23:00</time>
+    <description>Ignore Suricata out of window between PBS during replication</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<!-- out of window - src port 8007 -->
+<group name="ids,suricata,noise">
+  <rule id="100653" level="0">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
+    <field name="src_port">8007</field>
+    <time>22:00-23:00</time>
+    <description>Ignore Suricata out of window between PBS during replication</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
diff --git a/brut-force.xml b/brut-force.xml
new file mode 100644
index 0000000..529ed11
--- /dev/null
+++ b/brut-force.xml
@@ -0,0 +1,26 @@
+<!-- Alerte si erreur euthentification X10 en moins de 180 seconde -->
+<group name="windows,windows_security,">
+  <rule id="100150" level="15" frequency="10" timeframe="60">
+    <if_matched_sid>60122</if_matched_sid>
+    <same_field>win.eventdata.ipAddress</same_field>
+    <description>Brut force</description>
+  </rule>
+</group>
+
+<!-- Reduction bruit "Sandrine" Alerte si erreur euthentification X10 en moins de 180 seconde -->
+<group name="windows,windows_security,">
+  <rule id="100151" level="0">
+    <if_sid>100150</if_sid>
+    <field name="win.eventdata.targetUserName">^Sandrine$</field>
+    <description>Brut force</description>
+  </rule>
+</group>
+
+
+<group name="windows,windows_security,">
+  <rule id="100152" level="15" frequency="10" timeframe="60">
+    <same_field>win.eventdata.ipAddress</same_field>
+    <if_matched_sid>60105</if_matched_sid>
+    <description>Brut force</description>
+  </rule>
+</group>
\ No newline at end of file
diff --git a/local_rules.xml b/local_rules.xml
new file mode 100644
index 0000000..f671193
--- /dev/null
+++ b/local_rules.xml
@@ -0,0 +1,60 @@
+<!-- Local rules -->
+
+<!-- Modify it at your will. -->
+<!-- Copyright (C) 2015, Wazuh Inc. -->
+
+<!-- Example -->
+<group name="local,syslog,sshd,">
+
+  <!--
+  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
+  -->
+  <rule id="100001" level="5">
+    <if_sid>5716</if_sid>
+    <srcip>1.1.1.1</srcip>
+    <description>sshd: authentication failed from IP 1.1.1.1.</description>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
+  </rule>
+
+</group>
+
+<!-- Règle alerte lors de la modification d'un fichier -->
+<group name="windows,windows_security,">
+  <rule id="100146" level="9">
+    <if_sid>60103</if_sid>
+    <field name="win.system.eventID">^4663$</field>
+    <description>Alerte fichier modifié</description>
+  </rule>
+</group>
+
+
+<!-- Règle alerte lors de la suppression d'un fichier -->
+<group name="windows,windows_security,">
+  <rule id="100147" level="9">
+    <if_sid>60103</if_sid>
+    <field name="win.system.eventID">^4659$</field>
+    <description>Alerte fichier supprimé</description>
+  </rule>
+</group>
+
+
+<!-- Règle alerte lors de la suppression d'un fichier -->
+<group name="windows,windows_security,">
+  <rule id="100148" level="9">
+    <if_sid>100146</if_sid>
+    <field name="win.system.message">Écriture données (ou ajout fichier)</field>
+    <description>Alerte fichier Créé</description>
+  </rule>
+</group>
+
+<!-- Alerte si modif en masse de fichier par le même utilisateur -->
+<group name="windows,windows_security,">
+  <rule id="100149" level="15" frequency="50" timeframe="60" ignore="300">
+    <if_matched_sid>100146</if_matched_sid>
+    <same_field>win.eventdata.subjectUserName</same_field>
+    <description>Fichier modifier en masse</description>
+  </rule>
+</group>
+
+
+
diff --git a/unifi-rules.xml b/unifi-rules.xml
new file mode 100644
index 0000000..941dcba
--- /dev/null
+++ b/unifi-rules.xml
@@ -0,0 +1,175 @@
+<!-- =========================
+     UniFi custom rules (tagged logs)
+     IDs: 100400+
+     One group per rule
+     ========================= -->
+
+<group name="unifi,noise,">
+  <rule id="100400" level="0">
+    <decoded_as>unifi</decoded_as>
+    <match>reporter_save_config</match>
+    <description>UniFi noise: save_config</description>
+  </rule>
+</group>
+
+<group name="unifi,noise,">
+  <rule id="100401" level="0">
+    <decoded_as>unifi</decoded_as>
+    <match>need_cfg_save</match>
+    <description>UniFi noise: need_cfg_save</description>
+  </rule>
+</group>
+
+<group name="unifi,noise,dns,">
+  <rule id="100402" level="0">
+    <decoded_as>unifi</decoded_as>
+    <match>use cached dns record</match>
+    <description>UniFi noise: cached dns record</description>
+  </rule>
+</group>
+
+<group name="unifi,sensitive,">
+  <rule id="100403" level="0">
+    <decoded_as>unifi</decoded_as>
+    <match>authkey:</match>
+    <description>UniFi sensitive: authkey ignored</description>
+  </rule>
+</group>
+
+<group name="unifi,switch,network_down,">
+  <rule id="100410" level="10">
+    <decoded_as>unifi</decoded_as>
+    <field name="link_state">down</field>
+    <field name="device_family">^USW</field>
+    <description>UniFi Switch: port link DOWN (site=$(site), device=$(device), port=$(port))</description>
+  </rule>
+</group>
+
+<group name="unifi,switch,network_down,">
+  <rule id="100411" level="10">
+    <decoded_as>unifi</decoded_as>
+    <field name="link_state">down</field>
+    <field name="device_family">^SW</field>
+    <description>UniFi Switch: port link DOWN (site=$(site), device=$(device), port=$(port))</description>
+  </rule>
+</group>
+
+<group name="unifi,switch,network_instability,flapping,">
+  <rule id="100412" level="12" frequency="3" timeframe="300">
+    <if_matched_sid>100410</if_matched_sid>
+    <same_field>site</same_field>
+    <same_field>device</same_field>
+    <same_field>port</same_field>
+    <description>UniFi Switch: port FLAPPING (3x DOWN/5min) site=$(site) device=$(device) port=$(port)</description>
+  </rule>
+</group>
+
+<group name="unifi,switch,network_instability,flapping,">
+  <rule id="100413" level="12" frequency="3" timeframe="300">
+    <if_matched_sid>100411</if_matched_sid>
+    <same_field>site</same_field>
+    <same_field>device</same_field>
+    <same_field>port</same_field>
+    <description>UniFi Switch: port FLAPPING (3x DOWN/5min) site=$(site) device=$(device) port=$(port)</description>
+  </rule>
+</group>
+
+<group name="unifi,switch,network_loop,stp,">
+  <rule id="100414" level="8">
+    <decoded_as>unifi</decoded_as>
+    <field name="device_family">^SW</field>
+    <field name="stp_to">Blocking</field>
+    <description>UniFi Switch: STP moved to BLOCKING (boucle réseau) site=$(site) device=$(device) port=$(port)</description>
+  </rule>
+</group>
+
+<group name="unifi,switch,network_loop,stp,">
+  <rule id="100415" level="8">
+    <decoded_as>unifi</decoded_as>
+    <field name="device_family">^USW</field>
+    <field name="stp_to">Blocking</field>
+    <description>UniFi Switch: STP moved to BLOCKING (boucle réseau) site=$(site) device=$(device) port=$(port)</description>
+  </rule>
+</group>
+
+<group name="unifi,dns,unifi_controller,">
+  <rule id="100420" level="8">
+    <decoded_as>unifi</decoded_as>
+    <field name="dns_host">.+</field>
+    <description>UniFi: DNS controller resolve failed for $(dns_host) (site=$(site), device=$(device))</description>
+  </rule>
+</group>
+
+<group name="unifi,unifi_controller,availability,">
+  <rule id="100421" level="11">
+    <decoded_as>unifi</decoded_as>
+    <field name="inform_error">.+</field>
+    <description>UniFi: Impossible de contacter le controlleur ($(inform_error)) url=$(inform_url) (site=$(site), device=$(device))</description>
+  </rule>
+</group>
+
+<group name="unifi,unifi_controller,availability,">
+  <rule id="100422" level="12">
+    <decoded_as>unifi</decoded_as>
+    <field name="state_to">Selfrun</field>
+    <description>UniFi: device switched to SELF-RUN (controller lost?) site=$(site) device=$(device)</description>
+  </rule>
+</group>
+
+<group name="unifi,wifi,authentication_failed,">
+  <rule id="100430" level="2">
+    <decoded_as>unifi</decoded_as>
+    <field name="event_type">failure</field>
+    <description>UniFi WiFi: assoc/auth failure sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site) wpa_auth_failures=$(wpa_auth_failures)</description>
+  </rule>
+</group>
+
+<group name="unifi,wifi,">
+  <rule id="100431" level="0">
+    <decoded_as>unifi</decoded_as>
+    <field name="wifi_event">disassociated</field>
+    <description>UniFi WiFi: STA $(wifi_event) sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site)</description>
+  </rule>
+</group>
+
+<group name="unifi,wifi,">
+  <rule id="100432" level="0">
+    <decoded_as>unifi</decoded_as>
+    <field name="wifi_event">deauthenticated</field>
+    <description>UniFi WiFi: STA $(wifi_event) sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site)</description>
+  </rule>
+</group>
+
+<group name="unifi,wifi,authentication_failed,correlation,">
+  <rule id="100433" level="10" frequency="5" timeframe="120">
+    <if_matched_sid>100430</if_matched_sid>
+    <same_field>site</same_field>
+    <same_field>sta_mac</same_field>
+    <description>UniFi WiFi: repeated auth failures (5x/2min) sta=$(sta_mac) site=$(site) vap=$(vap)</description>
+  </rule>
+</group>
+
+<group name="unifi,wifi,site_issue,authentication_failed,">
+  <rule id="100434" level="12" frequency="30" timeframe="300">
+    <if_matched_sid>100430</if_matched_sid>
+    <same_field>site</same_field>
+    <description>UniFi WiFi: many auth failures on site (30x/5min) site=$(site)</description>
+  </rule>
+</group>
+
+
+<group name="unifi,wifi,radio,stability,">
+  <rule id="100440" level="10">
+    <decoded_as>unifi</decoded_as>
+    <field name="kernel_event">ath_bstuck_tasklet</field>
+    <description>UniFi WiFi: radio stuck beacon/reset (radio wifi répond pas = reset) (site=$(site)) msg=$(msg)</description>
+  </rule>
+</group>
+
+<group name="unifi,wifi,radio,stability,">
+  <rule id="100441" level="12" frequency="3" timeframe="600">
+    <if_matched_sid>100440</if_matched_sid>
+    <same_field>site</same_field>
+    <description>UniFi WiFi: repeated stuck beacon/reset (3x/10min) site=$(site)</description>
+  </rule>
+</group>