To create a custom integration between Wazuh and MARK, follow these steps:
Step 1: Clone the Repository
Start by cloning the repository that contains the integration script:
git clone https://github.com/pyToshka/wazuh-mark-integration.git
Step 2: Deploy the Integration Script
Copy the integration script (custom-integration-mark.py) to the Wazuh integrations directory:
cp custom-integration-mark.py /var/ossec/integrations
Step 3: Configure Script Permissions
Set the ownership and permissions so that the Wazuh integrator daemon, which runs in the wazuh group, can execute the script while other local users can neither read nor modify it:
chmod 750 /var/ossec/integrations/custom-integration-mark.py
chown root:wazuh /var/ossec/integrations/custom-integration-mark.py
Step 4: Update Wazuh Rules
Add custom rules to /var/ossec/etc/rules/local_rules.xml for the events you want forwarded. The example below builds on two built-in sshd rules: 5760 (authentication failed) and 5710 (login attempt with a non-existent user). Rules 100004 and 100005 fire only when the source address in the log line lies outside the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); rule 100007 fires on events that come back from MARK, identified by a decoded mark.srcip field (in Wazuh's own regex syntax \. is any character, so \.+ means any non-empty value). Note that the pcre2 expression is an approximation: its (10) alternative rejects every first octet that begins with 10, so 100.0.0.0 through 109.255.255.255 are treated as private, and loopback and link-local addresses are not excluded. For example:
<group name="local,syslog,sshd,">
<rule id="100004" level="10">
<if_sid>5760</if_sid>
<match type="pcre2">\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
<description>sshd: Authentication failed from a public IP address > $(srcip).</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
<rule id="100005" level="10">
<if_sid>5710</if_sid>
<match type="pcre2">\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
<description>sshd: Authentication failed from a public IP address > $(srcip).</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
<group name="local,syslog,sshd,">
<rule id="100007" level="10">
<field name="mark.srcip">\.+</field>
<description>[MARK] IP address $(mark.srcip) trying to connect to the network.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
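As an added check, written for this page and not part of the wazuh-mark-integration repository: the pcre2 expression from rules 100004/100005 above, compiled with Python's re and run over constructed sshd lines, beside a classification of the same lines with the standard ipaddress module. All log lines and addresses are constructed, so the script runs offline; it shows which sources the rule does and does not treat as public.

```python
import ipaddress
import re

# The <match type="pcre2"> expression from rules 100004/100005, copied verbatim.
# Python's re accepts this subset of PCRE2 (word boundary, negative lookahead,
# alternation), so the rule can be exercised without a Wazuh manager.
PUBLIC_IP_RULE = re.compile(
    r"\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])"
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))"
    r"[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
)

# Loose dotted-quad finder; deciding "public or not" is left to ipaddress.
ANY_IPV4 = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")

# Constructed sshd lines (not real logs), in the shape Wazuh's sshd decoder
# feeds to rule 5760. Only the source address differs between them.
_LINE = ("Jan 12 10:22:33 bastion sshd[4321]: Failed password for root "
         "from {} port 55120 ssh2")
SAMPLE_LOGS = {
    "public":      _LINE.format("37.19.5.42"),    # routable address
    "rfc1918-10":  _LINE.format("10.0.0.7"),
    "rfc1918-172": _LINE.format("172.16.4.9"),
    "rfc1918-192": _LINE.format("192.168.1.20"),
    "loopback":    _LINE.format("127.0.0.1"),     # rule matches, but not public
    "link-local":  _LINE.format("169.254.10.5"),  # rule matches, but not public
    "100-net":     _LINE.format("100.1.2.3"),     # public, but the (10) branch rejects it
}


def rule_match(line):
    """Address the page's rule regex would match in this line, or None."""
    m = PUBLIC_IP_RULE.search(line)
    return m.group(0) if m else None


def global_ips(line):
    """Addresses in the line that ipaddress considers globally routable."""
    found = []
    for cand in ANY_IPV4.findall(line):
        try:
            ip = ipaddress.IPv4Address(cand)
        except ValueError:  # e.g. 999.1.1.1 is a dotted quad but not an address
            continue
        if ip.is_global:
            found.append(str(ip))
    return found


def disagreements(logs=SAMPLE_LOGS):
    """Sample labels where the regex and ipaddress disagree on 'public source'."""
    return sorted(
        label for label, line in logs.items()
        if (rule_match(line) is not None) != bool(global_ips(line))
    )


if __name__ == "__main__":
    for label, line in SAMPLE_LOGS.items():
        print(f"{label:12} rule={rule_match(line)!s:14} ipaddress={global_ips(line)}")
    print("disagree:", disagreements())
```

Running it prints one row per sample line; disagreements() returns the three labels where the two classifiers differ (loopback, link-local and the 100.x address). If those gaps matter in your environment, Wazuh's <srcip> rule option accepts netblocks and ! negation on the decoded srcip field, which avoids a hand-written octet regex.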
Step 5: Configure the Integration in ossec.conf
Add an <integration> block inside <ossec_config> in /var/ossec/etc/ossec.conf so that Wazuh hands matching alerts to MARK's API. <name> must be the script's filename in /var/ossec/integrations (custom scripts must keep the custom- prefix), <hook_url> is passed to the script at run time, and <level> together with <rule_id> restrict the call to alerts of at least level 10 from the two custom rules defined above (100004 and 100005). Example configuration:
<!-- MARK Integration -->
<integration>
<name>custom-integration-mark.py</name>
<hook_url>https://mark-api.opennix.org</hook_url>
<level>10</level>
<rule_id>100004,100005</rule_id>
<alert_format>json</alert_format>
</integration>
Step 6: Restart the Wazuh Manager
After applying the changes, restart the Wazuh Manager to activate the integration:
systemctl restart wazuh-manager
Step 7: Verify the Integration
Test the setup by triggering a matching event, for example a failed SSH login against a monitored host. Because rules 100004 and 100005 ignore RFC 1918 sources, an attempt from inside the LAN will not fire them; test from a non-private address or temporarily relax the regex. Confirm the alert appears in /var/ossec/logs/alerts/alerts.json with rule.id 100004 or 100005, then check /var/ossec/logs/ossec.log for wazuh-integratord messages: it logs when it runs the script and reports a non-zero exit code if the script fails to reach MARK.
With these steps in place, Wazuh forwards failed SSH authentication attempts from public addresses to MARK, and MARK's findings flow back into Wazuh as rule 100007 alerts.
See also
- Applying RAG for Working with Wazuh Documentation: A Step-by-Step Guide (Part 2)
- Applying RAG for Wazuh Documentation: A Step-by-Step Guide (Part 1)
- Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 4)
- Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 3)
- Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 2)