Boosting Container Image Security Using Wazuh and Trivy

This article draws inspiration from the Wazuh blog post on enhancing container image security with Wazuh and Trivy.

Containerization has revolutionized software development and deployment, offering scalability and efficiency.

However, this agility can introduce security risks if container images aren’t properly secured.

Vulnerabilities within these images can expose your entire system to threats. This is where the combined power of Wazuh and Trivy comes in.

These open-source tools provide a comprehensive solution for boosting your container image security, ensuring your applications are protected from the ground up.

[Read More]

Applying RAG for Working with Wazuh Documentation: A Step-by-Step Guide (Part 2)

Preparing for Code Development

For local code development for RAG, you will need to install the following tools:

  • Ollama
  • Python v3.9+
  • Basic Python knowledge
  • Wazuh documentation in PDF format

Running and Configuring Ollama

  1. Install Ollama
  2. Obtain the necessary models: llama3.2 and nomic-embed-text.

Developing a Mechanism for Loading PDF Documentation

For development, we will use the following tools:

  • LangChain - for creating data processing chains.
  • Ollama - for running and configuring models.
  • Python - as the main programming language.
  • ChromaDB - as a vector store.

Install the dependencies:

[Read More]

Applying RAG for Wazuh Documentation: A Step-by-Step Guide (Part 1)

Introduction to RAG

Retrieval-Augmented Generation (RAG) is a method that allows the use of information from various sources to generate more accurate and useful responses to questions.

In the context of Wazuh, RAG can be used to automate data processing, optimize access to information, and improve information retrieval.

Preparing for RAG Integration

Before integrating RAG with the Wazuh documentation, you need to complete the following steps:

[Read More]

Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 4)

Continuing the Series: Integrating a Wazuh Cluster with Ollama — Part 4. Configuration and Implementation

In the previous section, we explored the core principles of building integrations. Now, it’s time to bring all the pieces together and finalize the integration of Wazuh with Ollama.

Complete Code for Ollama Integration

Let’s start by installing the essential dependencies required for Ollama.

/var/ossec/framework/python/bin/pip3 install ollama

Earlier, I walked you through setting up Wazuh using Docker Compose, but simply launching it won’t suffice.

[Read More]

Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 3)

Wazuh and Ollama: Part 3. Creating Integration Between Your Wazuh Cluster and Ollama

Wazuh offers vast and nearly limitless possibilities for integration with various systems. Even if a specific feature is missing, you can always create your own custom integration. Integrations with external systems come in two kinds:

  • External API integrations: This method enables interaction with external systems via APIs to automate tasks. The data obtained can be used to create events in Wazuh or trigger other automated actions, enhancing the efficiency of threat monitoring and response.
  • Command: This method allows you to schedule commands or scripts for the automatic creation of events in Wazuh. I often use this approach when I need to gather data from sources that aren’t supported by default. It helps expand monitoring capabilities and integrate with non-standard systems.

To integrate with Ollama, we will use the External API integrations method.

[Read More]

Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 2)

Wazuh and Ollama: Part 2. Deploying the Wazuh Cluster

Now it’s time to set up Wazuh, which we will integrate with Ollama.

The fastest and easiest way to deploy a Wazuh cluster is by using Docker Compose.

Start by cloning the official wazuh-docker repository:

git clone -b v4.11.0 https://github.com/wazuh/wazuh-docker && cd wazuh-docker/multi-node

The next step is to create certificates for the configuration.

docker compose -f generate-indexer-certs.yml run --rm generator

Once the certificates are generated, you can start the Wazuh cluster.

[Read More]

Enhancing Wazuh with Ollama: A Cybersecurity Boost (Part 1)

Introduction

Welcome to the first part of our guide on enhancing Wazuh with Ollama!

In this post, we’ll dive into integrating Wazuh — a powerful open-source security platform — with Ollama, a tool for running large language models (LLMs) locally.

This combination will help improve threat detection, automate security workflows, and simplify incident response with the magic of artificial intelligence. Ready to take your cybersecurity to the next level? Let’s break down the benefits and walk through the setup process step by step.

[Read More]

How to Set Up a Custom Integration between Wazuh and MARK

To create a custom integration between Wazuh and MARK, follow these steps:

Step 1: Clone the Repository

Start by cloning the repository that contains the integration script:
git clone https://github.com/pyToshka/wazuh-mark-integration.git

Step 2: Deploy the Integration Script

Copy the integration script (custom-integration-mark.py) to the Wazuh integrations directory:

cp custom-integration-mark.py /var/ossec/integrations

Step 3: Configure Script Permissions

Set the required permissions and ownership to ensure the integration script can be executed securely:

[Read More]

Mitigation Anomaly Revelation Keeper (MARK)

Overview

Mitigation Anomaly Revelation Keeper (MARK) is an advanced security platform designed to proactively defend against cyber threats by leveraging cutting-edge IP reputation analysis and machine learning. With a focus on identifying and neutralizing malicious actors, MARK offers unparalleled insight into attacker behavior and statistical trends to fortify your organization’s defenses.

Core Features

  • IP reputation
    • Real-time scoring and categorization of IP addresses to distinguish legitimate traffic from malicious activity.
    • Comprehensive reputation history, enabling visibility into recurring threat patterns and behavior anomalies.
  • Machine Learning-Powered Threat Detection
    • AI-driven algorithms analyze vast datasets to uncover hidden patterns and emerging threats.
    • Continual learning adapts to new attack vectors, ensuring robust and up-to-date defense mechanisms.
  • Attacker Statistics and Insights
    • Detailed reports on attacker origins, methods, and targets, offering actionable intelligence.
    • Visualized trends and metrics to support strategic security planning and operational resilience.

Why Choose MARK?

MARK stands at the forefront of cybersecurity innovation, combining intelligent data processing with actionable insights. By focusing on IP reputation and attacker behavior, MARK empowers organizations to stay ahead of evolving threats and mitigate risks effectively.

[Read More]

Honeypot cluster for security research

Introduction

To dive into attack research and build a database of potential attackers, I thought it’d be a great idea to set up my own infrastructure for analyzing security events.

Tech Stack:

Virtualization:

  • Proxmox (I’m not concerned about VM stability here)

Container Platform:

  • Kubernetes

Analytics Platform:

  • Dataiku
  • n8n
  • MinIO (works perfectly as a temporary storage solution, so scaling isn’t a priority)

Cloud Providers:

  • Yandex Cloud
  • VK Cloud
  • Hetzner Cloud
  • OVH
  • Various VPS providers

Networking:

[Read More]