Introduction
Integrating Wazuh SIEM with MARK (Mitigation Anomaly Revelation Keeper) enables automated threat detection and enriches security alerts with intelligence data. This guide walks you through setting up a custom integration for enhanced SOC operations.
Prerequisites
Before starting, ensure you have:
- Wazuh Manager installed and running
- Access to MARK API endpoint
- Root or sudo access to Wazuh server
- Basic knowledge of XML configuration
Step-by-Step Integration Guide
Step 1: Clone the Repository
Start by cloning the repository that contains the integration script:
git clone https://github.com/pyToshka/wazuh-mark-integration.git
Step 2: Deploy the Integration Script
Copy the integration script (custom-integration-mark.py) from the cloned repository into the Wazuh integrations directory, /var/ossec/integrations, which is where integratord looks for scripts named in ossec.conf:
cp wazuh-mark-integration/custom-integration-mark.py /var/ossec/integrations/
Step 3: Configure Script Permissions
Set the permissions and ownership expected for integration scripts. Integrations are executed by the wazuh user, so the script must be readable and executable by the wazuh group, while staying writable only by root so that nobody else on the host can swap in a different script:
chmod 750 /var/ossec/integrations/custom-integration-mark.py
chown root:wazuh /var/ossec/integrations/custom-integration-mark.py
Configuring Wazuh Rules
Step 4: Update Wazuh Rules
Add custom rules to the local_rules.xml file (/var/ossec/etc/rules/local_rules.xml on the manager). The first two rules below fire when an SSH authentication failure (parent rule 5760) or a login attempt for a non-existent user (parent rule 5710) comes from a public IP address; the PCRE2 expression excludes the RFC 1918 ranges. The third rule (100007) does not match sshd logs at all: it matches the enriched JSON event the integration script writes back to the manager, keyed on the mark.srcip field (in Wazuh's own regex syntax, \.+ means one or more of any character). For example:
<group name="local,syslog,sshd,">
<rule id="100004" level="10">
<if_sid>5760</if_sid>
<match type="pcre2">\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
<description>sshd: Authentication failed from a public IP address > $(srcip).</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
<rule id="100005" level="10">
<if_sid>5710</if_sid>
<match type="pcre2">\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
<description>sshd: Authentication failed from a public IP address > $(srcip).</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
<group name="local,syslog,sshd,">
<rule id="100007" level="10">
<field name="mark.srcip">\.+</field>
<description>[MARK] IP address $(mark.srcip) trying to connect to the network.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
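To see which log lines the public-IP rules above would actually fire on, here is an added Python check. It is not part of the original post or of the wazuh-mark-integration repository; it runs the rules' PCRE2 expression, copied verbatim, over constructed sshd lines. Python's re engine supports every construct the expression uses, so the results reflect what Wazuh's match does. The block also includes a tightened variant that is my own assumption: the original lookahead for the 10.0.0.0/8 range is written as (10) with no trailing dot, so every first octet from 100 to 109 is silently excluded as well.

```python
import re

# PCRE2 expression from rules 100004/100005, copied verbatim from the page.
ORIGINAL_PATTERN = re.compile(
    r"\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])"
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))"
    r"[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
)

# Assumed tightening (my change, not the page's): the 10.0.0.0/8 lookahead
# gets its dot back, so first octets 100-109 are no longer skipped.
TIGHTENED_PATTERN = re.compile(
    r"\b(?!10\.|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])"
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))"
    r"[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
)

# Constructed sshd log lines for the demonstration (not captured from a host).
SAMPLE_LOGS = [
    "Failed password for root from 203.0.113.7 port 50422 ssh2",                  # public
    "Failed password for invalid user admin from 198.51.100.23 port 41000 ssh2",  # public
    "Failed password for root from 10.0.0.5 port 51234 ssh2",                     # RFC 1918
    "Failed password for root from 192.168.1.20 port 51234 ssh2",                 # RFC 1918
    "Failed password for root from 172.16.4.9 port 51234 ssh2",                   # RFC 1918
    "Failed password for root from 100.64.1.2 port 51234 ssh2",                   # first octet 100
]


def matched_ip(log_line, pattern=ORIGINAL_PATTERN):
    """Return the address the rule's <match> would fire on, or None if the
    line would not trigger rules 100004/100005 with the given pattern."""
    m = pattern.search(log_line)
    return m.group(0) if m else None


def compare(lines):
    """Map each line to (result with the page's pattern, result with the tightened one)."""
    return {line: (matched_ip(line), matched_ip(line, TIGHTENED_PATTERN))
            for line in lines}


if __name__ == "__main__":
    for line, (orig, tight) in compare(SAMPLE_LOGS).items():
        print(f"{line}\n  original:  {orig}\n  tightened: {tight}")
```

The two public TEST-NET addresses match and the three RFC 1918 addresses do not, which is the intended behaviour; the 100.64.1.2 line only matches with the tightened pattern. If your monitored hosts see traffic from 100.0.0.0/8 through 109.0.0.0/8, use the tightened lookahead in both rules.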
Step 5: Configure the Integration in ossec.conf
Add an integration block to /var/ossec/etc/ossec.conf (inside the <ossec_config> element) so that Wazuh calls the script with MARK's API endpoint. The <name> must match the script's file name in /var/ossec/integrations, the <hook_url> is handed to the script as a command-line argument, and the <level> and <rule_id> filters are both applied: an alert has to reach level 10 and come from one of the listed rules. The rule IDs must be the ones defined in local_rules.xml, 100004 and 100005; a typo here (an ID that exists in no rule file) produces no error, the script is simply never called. Example configuration:
<!-- MARK Integration -->
<integration>
<name>custom-integration-mark.py</name>
<hook_url>https://mark-api.opennix.org</hook_url>
<level>10</level>
<rule_id>100004,100005</rule_id>
<alert_format>json</alert_format>
</integration>
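What the script configured above has to do, shown as an added illustration rather than the code from the pyToshka/wazuh-mark-integration repository: Wazuh's integratord runs it as <script> <alert file> <api key> <hook_url>, with the alert written as JSON to a temporary file; the script reads data.srcip from the alert, queries MARK and writes an enriched JSON event to the manager's local queue socket, where it is decoded so that rule 100007 can match mark.srcip. The MARK request path (/ip/<address>), the bearer header and the reply shape are assumptions, since the page does not document MARK's API; the sample alert is constructed.

```python
#!/usr/bin/env python3
import json
import socket
import sys
import urllib.request
from urllib.parse import quote

# Wazuh 4.x local event queue; analysisd reads JSON events written here.
QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"

# Constructed sample of what Wazuh hands the script for rule 100004 (not a captured alert).
SAMPLE_ALERT = {
    "id": "1700000000.12345",
    "rule": {"id": "100004", "level": 10,
             "description": "sshd: Authentication failed from a public IP address > 203.0.113.7."},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.7", "srcuser": "root"},
    "full_log": "Failed password for root from 203.0.113.7 port 50422 ssh2",
}


def load_alert(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def extract_srcip(alert):
    """Source address as decoded by Wazuh's sshd decoder (data.srcip)."""
    return alert.get("data", {}).get("srcip")


def query_mark(hook_url, srcip, api_key=None, timeout=10):
    """Hypothetical lookup against MARK: GET <hook_url>/ip/<srcip>.
    Path, Authorization header and JSON reply are assumptions, not MARK's documented API."""
    req = urllib.request.Request(f"{hook_url.rstrip('/')}/ip/{quote(srcip)}")
    if api_key:
        req.add_header("Authorization", f"Bearer {api_key}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def build_event(alert, srcip, mark_data):
    """Enriched event. Wazuh's JSON decoder flattens the nested object, so
    rule 100007's <field name="mark.srcip"> sees the address."""
    return {
        "integration": "mark",
        "mark": {
            "srcip": srcip,
            "found": 1,
            "source": {
                "alert_id": alert.get("id"),
                "rule": alert.get("rule", {}).get("id"),
                "agent": alert.get("agent", {}).get("name"),
            },
            "response": mark_data,
        },
    }


def format_queue_message(event, location="mark"):
    """Queue protocol is '<queue>:<location>:<message>'; queue 1 is the local
    event queue and the location becomes the event's log source."""
    return f"1:{location}:{json.dumps(event)}"


def parse_queue_message(message):
    """Inverse of format_queue_message, for inspection: returns (location, event dict)."""
    _queue, location, payload = message.split(":", 2)
    return location, json.loads(payload)


def send_to_manager(message, sock_path=QUEUE_SOCKET):
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.connect(sock_path)
        sock.send(message.encode("utf-8"))
    finally:
        sock.close()


def enrich(alert, mark_data):
    """Alert plus lookup result -> queue message, or None when there is no source IP."""
    srcip = extract_srcip(alert)
    if not srcip:
        return None
    return format_queue_message(build_event(alert, srcip, mark_data))


def main(argv):
    alert_path, api_key, hook_url = argv[1], argv[2], argv[3]
    alert = load_alert(alert_path)
    srcip = extract_srcip(alert)
    if not srcip:
        return 0  # not an sshd failure alert; nothing to look up
    send_to_manager(enrich(alert, query_mark(hook_url, srcip, api_key or None)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The second argument is the API key; this page configures no <api_key>, so the script treats it as optional. To exercise a script by hand, save an alert from alerts.json to a file and run it as the wazuh user with the same three arguments integratord would pass, then look for the resulting rule 100007 alert.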
Activation and Testing
Step 6: Restart the Wazuh Manager
After applying the changes, restart the Wazuh Manager to activate the integration:
systemctl restart wazuh-manager
Step 7: Verify the Integration
Test the setup by generating a few failed SSH logins against a monitored agent from a public address (failed logins from an RFC 1918 address do not trigger rules 100004 and 100005, so they will never reach the integration). Then check /var/ossec/logs/integrations.log for the script's output and /var/ossec/logs/alerts/alerts.json for a rule 100007 alert carrying the mark.srcip field; that alert is the proof that the round trip to MARK and back into the manager worked.
Conclusion
By following these steps, you can establish a seamless integration between Wazuh and MARK, enabling enhanced monitoring and security insights. This integration provides:
- Automated threat intelligence enrichment
- Real-time IP reputation checking
- Enhanced incident response capabilities
- Centralized security monitoring
For advanced automation scenarios, consider combining this with Wazuh LLM for AI-powered security analysis.
Related Reading
- Mitigation Anomaly Revelation Keeper (MARK) - Learn more about MARK security platform
- Enhancing Wazuh with Ollama: Part 1 - AI integration with Wazuh
- Applying RAG for Wazuh Documentation: Part 1 - Documentation enhancement
- Boosting Container Image Security Using Wazuh and Trivy - Container security monitoring