Introduction
Integrating Wazuh SIEM with MARK (Mitigation Anomaly Revelation Keeper) enables automated threat detection and enriches security alerts with intelligence data. This guide walks you through setting up a custom integration for enhanced SOC operations.
Wazuh provides a flexible custom integration framework that allows security teams to connect external threat intelligence sources directly into their alert processing pipeline. By leveraging this framework with the MARK platform, organizations gain real-time IP reputation data that enhances the context of every security event. This integration is particularly valuable for teams managing internet-facing infrastructure where SSH brute-force attacks and unauthorized access attempts are a constant concern.
Prerequisites
Before starting, ensure you have:
- Wazuh Manager installed and running (version 4.x or later recommended)
- Access to MARK API endpoint
- Root or sudo access to Wazuh server
- Basic knowledge of XML configuration
- Python 3.6 or later installed on the Wazuh Manager host
- Network connectivity from the Wazuh Manager to the MARK API endpoint (outbound HTTPS)
Step-by-Step Integration Guide
Step 1: Clone the Repository
Start by cloning the repository that contains the integration script:
git clone https://github.com/pyToshka/wazuh-mark-integration.git
The repository contains the custom integration script along with example configurations and documentation. Review the repository README for any version-specific requirements or updates.
Step 2: Deploy the Integration Script
Copy the integration script (custom-integration-mark.py) to the Wazuh integrations directory:
cp custom-integration-mark.py /var/ossec/integrations
The /var/ossec/integrations directory is where Wazuh looks for custom integration scripts. Any script placed here can be referenced by name in the ossec.conf configuration file. The integration script handles the communication between Wazuh and the MARK API, sending source IP addresses from triggered alerts and receiving threat intelligence data in return.
Step 3: Configure Script Permissions
Set the required permissions and ownership to ensure the integration script can be executed securely:
chmod 750 /var/ossec/integrations/custom-integration-mark.py
chown root:wazuh /var/ossec/integrations/custom-integration-mark.py
These permissions ensure that only the root user and members of the wazuh group can execute the script. This is a security best practice that prevents unauthorized modification or execution of integration scripts.
Configuring Wazuh Rules
Step 4: Update Wazuh Rules
Modify the local_rules.xml file to include custom rules for monitoring specific events, such as failed SSH authentication attempts. For example:
<group name="local,syslog,sshd,">
<rule id="100004" level="10">
<if_sid>5760</if_sid>
<match type="pcre2">\b(?!10\.|192\.168\.|172\.(2[0-9]|1[6-9]|3[0-1])\.|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
<description>sshd: Authentication failed from a public IP address > $(srcip).</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
<rule id="100005" level="10">
<if_sid>5710</if_sid>
<match type="pcre2">\b(?!10\.|192\.168\.|172\.(2[0-9]|1[6-9]|3[0-1])\.|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
<description>sshd: Authentication failed from a public IP address > $(srcip).</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
<group name="local,syslog,sshd,">
<rule id="100007" level="10">
<field name="mark.srcip">\.+</field>
<description>[MARK] IP address $(mark.srcip) trying to connect to the network.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
The PCRE2 regex pattern in rules 100004 and 100005 specifically filters for public IP addresses by excluding private address ranges (10.x.x.x, 192.168.x.x, 172.16-31.x.x). This ensures that only authentication failures originating from external sources trigger the MARK lookup. Rule 100007 processes the response from MARK, creating a new alert whenever a known malicious IP is detected attempting to connect.
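Before relying on the public-IP filter it is worth running the pattern against a handful of representative sshd lines. The following script is an added example, not code from the page or from the wazuh-mark-integration repository. It loads the rule's PCRE2 expression into Python's re module (which supports every construct it uses) in two forms: PAGE_PATTERN, with the 10/8 exclusion written as "(10)" as the rule was originally published, and FIXED_PATTERN, which anchors each private prefix on its trailing dot. The difference matters: an unanchored "(10)" also swallows every address in 100.0.0.0/8 through 109.0.0.0/8, so brute-force attempts from those ranges never reach the MARK lookup. The sshd log lines are constructed samples, not real captures.

```python
import re
from typing import Dict, Optional

# One IPv4 octet, as used for positions two to four of the rule's regex.
_OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# Exclusion prefix as originally published: "(10)" is not anchored on a dot,
# so any first octet that merely starts with "10" is excluded.
PAGE_PATTERN = re.compile(
    r"\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])"
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))"
    r"[0-9]{1,3}\." + _OCTET + r"\." + _OCTET + r"\." + _OCTET
)

# Tightened form: every private prefix ends with "\." so only 10.x.x.x,
# 192.168.x.x and 172.16-31.x.x are excluded, exactly as the text describes.
FIXED_PATTERN = re.compile(
    r"\b(?!10\.|192\.168\.|172\.(2[0-9]|1[6-9]|3[0-1])\."
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))"
    r"[0-9]{1,3}\." + _OCTET + r"\." + _OCTET + r"\." + _OCTET
)

# Constructed sshd lines (not real captures), keyed by the source address.
SAMPLE_LINES: Dict[str, str] = {
    "203.0.113.5": "Failed password for root from 203.0.113.5 port 51234 ssh2",
    "10.0.0.7": "Failed password for invalid user admin from 10.0.0.7 port 40122 ssh2",
    "192.168.1.20": "Failed password for root from 192.168.1.20 port 2222 ssh2",
    "172.16.5.5": "Failed password for root from 172.16.5.5 port 53000 ssh2",
    "172.32.1.1": "Failed password for root from 172.32.1.1 port 48000 ssh2",
    "100.64.1.1": "Failed password for root from 100.64.1.1 port 40000 ssh2",
}


def would_fire(pattern, log_line: str) -> bool:
    """True when a <match> carrying this pattern would fire on the log line."""
    return pattern.search(log_line) is not None


def matched_ip(pattern, log_line: str) -> Optional[str]:
    """The address the pattern matched, or None when the rule stays silent."""
    found = pattern.search(log_line)
    return found.group(0) if found else None


def classify(pattern) -> Dict[str, bool]:
    """Map each sample source address to whether the rule would fire on it."""
    return {ip: would_fire(pattern, line) for ip, line in SAMPLE_LINES.items()}


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("fixed", FIXED_PATTERN)):
        print(name)
        for ip, fires in classify(pattern).items():
            print("  {:<14} {}".format(ip, "fires" if fires else "silent"))
```

Both forms stay silent on the three RFC 1918 samples and fire on 203.0.113.5 and 172.32.1.1 (which is public: 172/12 ends at 172.31). Only the tightened form fires on 100.64.1.1.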
Step 5: Configure the Integration in ossec.conf
Add the integration to the ossec.conf file to connect Wazuh with MARK’s API. Example configuration:
<!-- MARK Integration -->
<integration>
<name>custom-integration-mark.py</name>
<hook_url>https://mark-api.opennix.org</hook_url>
<level>10</level>
<rule_id>100004,100005</rule_id>
<alert_format>json</alert_format>
</integration>
The level parameter defines the minimum alert severity that triggers the integration. Setting it to 10 ensures that only significant events are sent to MARK, avoiding unnecessary API calls for low-severity alerts. The alert_format must be set to json to ensure the integration script receives structured data it can parse correctly.
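To make the ossec.conf block and the script deployment in Step 2 concrete, here is an added, illustrative custom integration written for this guide; it is not the script from the wazuh-mark-integration repository. It follows Wazuh's custom-integration contract: the integrator daemon runs the script with three positional arguments (the path of a file holding the alert in the configured alert_format, the api_key slot, which this page's configuration leaves unset, and the hook_url), and an enriched event is handed back to the manager through the analysisd socket as a "1:<location>:<json>" message so that a rule such as 100007 can match on mark.srcip. The MARK lookup path and the "malicious" response key are placeholders, since the page documents only the base URL and the /api/v1/health endpoint.

```python
import json
import socket
import sys
import urllib.request
from typing import Callable, Dict, Optional

# Wazuh's integrator runs a custom script as:
#   custom-integration-mark.py <alert_file> <api_key> <hook_url>
# <alert_file> holds the alert in the <alert_format> set in ossec.conf (json here),
# <hook_url> is the ossec.conf value, <api_key> is unused by this page's config.
QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"  # analysisd ingestion socket on the manager
LOCATION = "mark"  # location tag of the re-injected event; rule 100007 keys on mark.srcip


def load_alert(path: str) -> Dict:
    """Read the JSON alert Wazuh wrote for this invocation."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def build_enrichment(alert: Dict, lookup: Callable[[str], Optional[Dict]]) -> Optional[Dict]:
    """Take data.srcip from the alert, query MARK through `lookup`, and build the
    event to re-inject. Returns None when there is nothing worth reporting."""
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        return None  # no decoded source IP in this alert, nothing to look up
    verdict = lookup(srcip)
    # "malicious" is an ASSUMED key; adapt it to the real MARK response schema.
    if not verdict or not verdict.get("malicious"):
        return None
    return {
        "integration": LOCATION,
        "mark": {
            "srcip": srcip,
            "source_rule": alert.get("rule", {}).get("id"),
            "verdict": verdict,
        },
    }


def format_queue_message(event: Dict) -> str:
    """analysisd expects '<queue>:<location>:<payload>'; queue 1 is the syslog queue."""
    return "1:{}:{}".format(LOCATION, json.dumps(event, separators=(",", ":")))


def send_to_manager(message: str, socket_path: str = QUEUE_SOCKET) -> None:
    """Hand the event back to the manager so it is JSON-decoded and rule-matched."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(socket_path)
        sock.send(message.encode("utf-8"))


def http_lookup(hook_url: str, api_key: str) -> Callable[[str], Optional[Dict]]:
    """Build a lookup callable that queries the MARK API. The URL path is a
    PLACEHOLDER: the page only documents the base URL and /api/v1/health."""
    def lookup(ip: str) -> Optional[Dict]:
        headers = {"Accept": "application/json"}
        if api_key:
            headers["Authorization"] = "Bearer " + api_key
        req = urllib.request.Request(
            "{}/api/v1/PLACEHOLDER-lookup-path/{}".format(hook_url.rstrip("/"), ip),
            headers=headers,
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read().decode("utf-8"))
        except (OSError, ValueError):
            return None  # unreachable API or malformed body: report nothing
    return lookup


def main(argv) -> int:
    if len(argv) < 4:
        sys.stderr.write("usage: custom-integration-mark.py <alert_file> <api_key> <hook_url>\n")
        return 2
    alert_file, api_key, hook_url = argv[1], argv[2], argv[3]
    event = build_enrichment(load_alert(alert_file), http_lookup(hook_url, api_key))
    if event is not None:
        send_to_manager(format_queue_message(event))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the HTTP call behind a `lookup` callable lets the enrichment logic be exercised offline with a stub verdict, which is also the cleanest way to test a change to the response parsing before the script runs as root:wazuh on the manager.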
Activation and Testing
Step 6: Restart the Wazuh Manager
After applying the changes, restart the Wazuh Manager to activate the integration:
systemctl restart wazuh-manager
Step 7: Verify the Integration
Test the setup by triggering events (e.g., failed SSH login attempts) and checking whether the alerts are sent to MARK via the integration.
To verify that the integration is functioning correctly, follow these steps:
- Check the integration log: Monitor /var/ossec/logs/integrations.log for entries related to MARK. Successful API calls will appear with response status codes.
- Trigger a test event: From an external host, attempt an SSH connection with invalid credentials to generate a failed authentication alert.
- Review the Wazuh dashboard: Navigate to the Security Events module and filter for rule IDs 100004, 100005, or 100007 to confirm that MARK-enriched alerts are appearing.
- Validate API connectivity: Run a manual test using curl to confirm the Wazuh Manager can reach the MARK API endpoint:
curl -s https://mark-api.opennix.org/api/v1/health
Troubleshooting Common Issues
If the integration is not producing the expected results, consider the following troubleshooting steps:
- Permission errors: Verify that the integration script has the correct ownership (root:wazuh) and permissions (750). Incorrect permissions are the most frequent cause of integration failures.
- API connectivity: Ensure that the Wazuh Manager host can reach mark-api.opennix.org on port 443. Firewall rules or proxy configurations may block outbound HTTPS traffic.
- Rule mismatch: Confirm that the rule IDs specified in the ossec.conf integration block match the rule IDs defined in local_rules.xml. A mismatch will prevent the integration from triggering.
- Log analysis: Examine /var/ossec/logs/ossec.log for error messages related to the integration. Common issues include Python dependency errors or malformed XML configuration.
- JSON parsing errors: Ensure that the MARK API response format matches what the integration script expects. API version updates may introduce changes to the response structure.
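The two most mechanical checks above, permissions and rule-ID agreement, can be automated. The script below is an added example written for this guide, not part of the page or the integration repository. It parses the integration block out of ossec.conf and the rule IDs out of local_rules.xml (both files may contain several top-level elements, so they are wrapped in a synthetic root before parsing) and reports any rule_id the integration waits for that no local rule defines. The embedded samples are constructed: the ossec.conf sample deliberately lists 110004,110005 against rules 100004, 100005 and 100007, the kind of off-by-a-digit mismatch that silently prevents the integration from ever firing.

```python
import os
import xml.etree.ElementTree as ET
from typing import List, Set

SCRIPT_NAME = "custom-integration-mark.py"

# Constructed ossec.conf fragment; rule_id intentionally disagrees with the rules below.
OSSEC_CONF_SAMPLE = """
<ossec_config>
  <!-- MARK Integration -->
  <integration>
    <name>custom-integration-mark.py</name>
    <hook_url>https://mark-api.opennix.org</hook_url>
    <level>10</level>
    <rule_id>110004,110005</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""

# Constructed local_rules.xml fragment (match patterns omitted for brevity).
LOCAL_RULES_SAMPLE = r"""
<group name="local,syslog,sshd,">
  <rule id="100004" level="10"><if_sid>5760</if_sid><description>sshd: public IP</description></rule>
  <rule id="100005" level="10"><if_sid>5710</if_sid><description>sshd: public IP</description></rule>
</group>
<group name="local,syslog,sshd,">
  <rule id="100007" level="10"><field name="mark.srcip">\.+</field><description>[MARK] hit</description></rule>
</group>
"""


def _parse_multi_root(text: str) -> ET.Element:
    """Both files may hold several top-level elements, which is not well-formed
    XML on its own; wrap them in a synthetic root so ElementTree accepts them."""
    return ET.fromstring("<root>" + text + "</root>")


def integration_rule_ids(ossec_conf: str, script_name: str) -> Set[str]:
    """rule_id values from every <integration> block that names script_name."""
    ids = set()
    for integ in _parse_multi_root(ossec_conf).iter("integration"):
        if (integ.findtext("name") or "").strip() != script_name:
            continue
        for raw in (integ.findtext("rule_id") or "").split(","):
            if raw.strip():
                ids.add(raw.strip())
    return ids


def defined_rule_ids(local_rules: str) -> Set[str]:
    """Every rule id declared in local_rules.xml."""
    return {r.get("id") for r in _parse_multi_root(local_rules).iter("rule") if r.get("id")}


def missing_rule_ids(ossec_conf: str, local_rules: str, script_name: str) -> Set[str]:
    """Rule IDs the integration waits for that no local rule defines."""
    return integration_rule_ids(ossec_conf, script_name) - defined_rule_ids(local_rules)


def permission_findings(mode: int, owner: str, group: str) -> List[str]:
    """Compare a script's stat mode and ownership with the 750 root:wazuh baseline."""
    findings = []
    if mode & 0o777 != 0o750:
        findings.append("mode is {:o}, expected 750".format(mode & 0o777))
    if owner != "root":
        findings.append("owner is {}, expected root".format(owner))
    if group != "wazuh":
        findings.append("group is {}, expected wazuh".format(group))
    return findings


def check_installed(ossec_conf_path="/var/ossec/etc/ossec.conf",
                    local_rules_path="/var/ossec/etc/rules/local_rules.xml",
                    script_path="/var/ossec/integrations/" + SCRIPT_NAME) -> List[str]:
    """Run both checks against the files on a Wazuh Manager (Linux only: uses pwd/grp)."""
    import grp
    import pwd
    findings = []
    with open(ossec_conf_path, encoding="utf-8") as f_conf, open(local_rules_path, encoding="utf-8") as f_rules:
        for rid in sorted(missing_rule_ids(f_conf.read(), f_rules.read(), SCRIPT_NAME)):
            findings.append("rule_id {} in ossec.conf has no rule in local_rules.xml".format(rid))
    st = os.stat(script_path)
    owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    findings.extend(permission_findings(st.st_mode, owner, group))
    return findings


if __name__ == "__main__":
    for line in check_installed() or ["no findings"]:
        print(line)
```

Run it as root on the manager after Step 5; an empty result means the integration block references rules that exist and the script carries the 750 root:wazuh permissions from Step 3.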
Conclusion
By following these steps, you can establish a seamless integration between Wazuh and MARK, enabling enhanced monitoring and security insights. This integration provides:
- Automated threat intelligence enrichment
- Real-time IP reputation checking
- Enhanced incident response capabilities
- Centralized security monitoring
For advanced automation scenarios, consider combining this with Wazuh LLM for AI-powered security analysis.
Related Reading
- Mitigation Anomaly Revelation Keeper (MARK) - Learn more about MARK security platform
- Enhancing Wazuh with Ollama: Part 1 - AI integration with Wazuh
- Applying RAG for Wazuh Documentation: Part 1 - Documentation enhancement
- Boosting Container Image Security Using Wazuh and Trivy - Container security monitoring