diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5de100f40..3bff288ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
# Change Log
All notable changes to this project will be documented in this file.
+## [v3.13.0]
+
+### Added
+
+- Added Mac OS sshd rules and decoders ([#593](https://github.com/wazuh/wazuh-ruleset/pull/593))
+
## [v3.12.0]
### Added
diff --git a/decoders/0500-macos-sshd_decoders.xml b/decoders/0500-macos-sshd_decoders.xml
new file mode 100644
index 000000000..7c2f6bd8f
--- /dev/null
+++ b/decoders/0500-macos-sshd_decoders.xml
@@ -0,0 +1,74 @@
+
+ syslog
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d\d\d \S+ sshd[\d+]:
+
+
+
+ macos-date-format-sshd
+ ^Accepted \S+
+ ^for (\S+) from (\S+) port (\d+)
+ user, srcip, srcport
+ name, user, location
+
+
+
+
+ macos-date-format-sshd
+ Broken pipe|Bad protocol version
+ from (\S+) port (\S+)
+ srcip, srcport
+
+
+
+ macos-date-format-sshd
+ but this does not map back
+ Address (\S+) maps to \S+,
+ srcip
+
+
+
+ macos-date-format-sshd
+ reverse mapping
+ for (\S+) [(\S+)]
+ srcuser, srcip
+
+
+
+ macos-date-format-sshd
+ Connection reset
+ (\S+) (\S+) port (\d+)
+ user, srcip, srcport
+
+
+
+ macos-date-format-sshd
+ Disconnected from user
+ ^(\S+) (\S+) port (\d+)
+ srcuser,srcip,srcport
+
+
+
+ macos-date-format-sshd
+ Did not receive
+ from (\S+) port (\S+)
+ srcip, srcport
+
+
+
+ macos-date-format-sshd
+ Connection closed
+ by (\S+) port (\S+)
+ srcip, srcport
+
+
+
+ macos-date-format-sshd
+ user (\S+) from (\S+)|for (\S+) from (\S+)
+ srcuser, srcip
+
+
+
+ macos-date-format-sshd
+ port (\d+)
+ srcport
+
diff --git a/rules/0685-macos-sshd_rules.xml b/rules/0685-macos-sshd_rules.xml
new file mode 100644
index 000000000..f583b37a5
--- /dev/null
+++ b/rules/0685-macos-sshd_rules.xml
@@ -0,0 +1,107 @@
+
+
+
+ macos-date-format-sshd
+ Grouping macos sshd rules.
+
+
+
+ 64250
+ illegal user
+ sshd: Attempt to login using a non-existent user.
+ invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,
+
+
+
+
+ 64251
+ sshd: brute force trying to get access to
+ the system.
+
+ authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,
+
+
+
+ 64250
+ Failed password|Failed keyboard|authentication error
+ sshd: authentication failed.
+ authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,
+
+
+
+ 64250
+ error: maximum authentication attempts
+ Maximum authentication attempts exceeded.
+ authentication_failed,gpg13_7.1,
+
+
+
+ 64250
+ Connection closed|Disconnected from user
+ sshd: ssh connection closed.
+ pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,
+
+
+
+ 64250
+ Accepted
+ sshd: authentication success
+ authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,
+
+
+
+ 64250
+ Did not receive identification string from
+ sshd: insecure connection attempt (scan).
+ recon,pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,nist_800_53_SI.4,
+
+
+
+ 64250
+ Broken pipe
+ sshd: Failed write due to one host disappearing.
+
+
+
+ 64250
+ Connection reset
+ sshd: connection reset
+
+
+
+ 64250
+ not listed in AllowUsers|listed in DenyUsers
+ sshd: Attempt to login using a denied user
+ invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,
+
+
+
+ 64260
+ sshd: Multiple access attempts using a denied user.
+ invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,
+
+
+
+ 64250
+ reverse mapping|but this does not map back
+ sshd: Reverse lookup error (bad ISP or attack).
+ pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,nist_800_53_SI.4,
+
+
+
+ 64262
+
+ sshd: Possible breakin attempt
+ (high number of reverse lookup errors).
+ pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,nist_800_53_SI.4,
+
+
+
+ 64250
+ Bad protocol version identification
+ sshd: Possible attack on the ssh server
+ (or version gathering).
+ recon,pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,nist_800_53_SI.4,
+
+
+
diff --git a/tools/rules-testing/tests/macos-sshd.ini b/tools/rules-testing/tests/macos-sshd.ini
new file mode 100644
index 000000000..fee459d3a
--- /dev/null
+++ b/tools/rules-testing/tests/macos-sshd.ini
@@ -0,0 +1,94 @@
+[SSHD Attempt to login using a non-existent user]
+log 1 pass = 2020-03-23 06:47:42.801612-0700 localhost sshd[3186]: error: PAM: unknown user for illegal user badguy from 192.168.33.1
+log 2 pass = 2020-03-23 08:14:02.777660-0700 localhost sshd[8981]: error: PAM: authentication error for illegal user badguy from 192.168.33.1
+
+rule = 64251
+alert = 5
+decoder = macos-date-format-sshd
+
+[SSHD Authentication error]
+log 1 pass = 2020-03-23 09:55:42.391078-0700 localhost sshd[17329]: error: PAM: authentication error for user from 192.168.33.1
+log 2 pass = 2020-03-24 08:38:42.344447-0700 localhost sshd[2519]: Failed password for user from 172.18.1.100 port 43042 ssh2
+log 3 pass = 2020-03-25 08:01:34.584936-0700 localhost sshd[1551]: Failed keyboard-interactive/pam for invalid user user from 172.18.1.1 port 32982 ssh2
+
+rule = 64253
+alert = 5
+decoder = macos-date-format-sshd
+
+[SSHD Maximum authentication attempts exceeded]
+log 1 pass = 2020-03-23 08:14:32.766049-0700 localhost sshd[8981]: error: maximum authentication attempts exceeded for invalid user badguy from 192.168.33.1 port 55146 ssh2 [preauth]
+log 2 pass = 2020-03-23 09:58:27.102292-0700 localhost sshd[18093]: error: maximum authentication attempts exceeded for user from 192.168.33.1 port 55764 ssh2 [preauth]
+
+rule = 64254
+alert = 8
+decoder = macos-date-format-sshd
+
+[SSHD Disconnect]
+log 1 pass = 2020-03-24 06:07:15.245255-0700 localhost sshd[195]: Connection closed by 10.0.2.2 port 55462 [preauth]
+log 2 pass = 2020-03-24 08:38:47.230409-0700 localhost sshd[2531]: Disconnected from user user 172.18.1.100 port 43042
+
+rule = 64255
+alert = 0
+decoder = macos-date-format-sshd
+
+[SSHD Authentication success]
+
+log 1 pass = 2020-03-24 06:07:50.998187-0700 localhost sshd[201]: Accepted publickey for user from 10.0.2.2 port 55468 ssh2: RSA SHA256:loremipsum
+log 2 pass = 2020-03-24 08:38:44.727732-0700 localhost sshd[2519]: Accepted password for user from 172.18.1.100 port 43042 ssh2
+log 3 pass = 2020-03-24 08:40:21.958634-0700 localhost sshd[2546]: Accepted keyboard-interactive/pam for user from 172.18.1.100 port 43044 ssh2
+
+rule = 64256
+alert = 3
+decoder = macos-date-format-sshd
+
+[SSHD insecure connection attempt]
+
+log 1 pass = 2020-03-24 10:32:31.672920-0700 localhost sshd[5374]: Did not receive identification string from 172.18.1.1 port 45824
+
+rule = 64257
+alert = 6
+decoder = macos-date-format-sshd
+
+[SSHD: Failed write]
+
+log 1 pass = 2020-03-25 08:31:48.061459-0700 localhost sshd[2024]: ssh_dispatch_run_fatal: Connection from 172.18.1.202 port 54392: Broken pipe [preauth]
+log 2 pass = 2020-03-23 06:08:41.939744-0700 localhost sshd[287]: fatal: ssh_packet_send_debug: Broken pipe
+
+rule = 64258
+alert = 0
+decoder = macos-date-format-sshd
+
+[SSHD: connection reset]
+
+log 1 pass = 2020-03-25 08:23:20.933154-0700 localhost sshd[9265]: Connection reset by authenticating user user 192.168.33.1 port 51772 [preauth]
+
+rule = 64259
+alert = 4
+decoder = macos-date-format-sshd
+
+[SSHD: denied user]
+
+log 1 pass = 2020-03-25 07:46:15.205351-0700 localhost sshd[6738]: User root from 192.168.33.1 not allowed because not listed in AllowUsers
+log 2 pass = 2020-03-31 13:15:57.368975-0700 localhost sshd[2440]: User root from 172.18.1.100 not allowed because listed in DenyUsers
+
+rule = 64260
+alert = 5
+decoder = macos-date-format-sshd
+
+[SSHD: Reverse lookup error]
+
+log 1 pass = 2020-03-25 09:01:30.852002-0700 localhost sshd[11885]: Address 192.168.33.1 maps to hostname, but this does not map back to the address.
+log 2 pass = 2020-03-25 09:18:41.510217-0700 localhost sshd[2549]: reverse mapping checking getaddrinfo for hostname [172.18.1.1] failed.
+
+rule = 64262
+alert = 5
+decoder = macos-date-format-sshd
+
+[SSHD: possible attack]
+
+log 1 pass = 2020-03-25 06:37:50.176931-0700 localhost sshd[852]: Bad protocol version identification 'ls' from 172.18.1.1 port 59920
+
+
+rule = 64264
+alert = 8
+decoder = macos-date-format-sshd