Wazuh Rule Writing With CoPilot AI Module
Managing security alerts in Wazuh can be a daunting task, especially when facing alert flooding. The introduction of the CoPilot AI Module offers a promising solution to this challenge by evaluating alerts and providing compliant PCRE2 regex matches. This article explores how CoPilot AI can help you handle your Wazuh alert flooding.
🤖 Get started with CoPilot at https://github.com/socfortress/CoPilot
Understanding the Challenge: Alert Flooding in Wazuh
Before delving into the solution, it’s crucial to understand the problem at hand:
- High Volume of Alerts: Wazuh can generate a vast amount of data and alerts, which can overwhelm SOC team members.
- Complexity of Alerts: Each alert needs to be evaluated to determine its legitimacy and relevance, adding layers of complexity to security management.
- Need for Precision: Incorrect handling of alerts can lead to missed threats or wasted resources on false positives.
Integration of PCRE2 Regex
- Customized Filtering: Utilizes PCRE2 (Perl Compatible Regular Expressions) to create tailored regex patterns that match complex alert criteria.
- Enhanced Compliance: Ensures that the regex matches are compliant with the latest security standards, safeguarding against potential vulnerabilities.
- See the Wazuh PCRE2 documentation for the supported rule syntax.
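Before an AI-suggested PCRE2 pattern goes into a rule, it is worth checking it against known alerts so that it silences only the intended noise and never the alerts that must keep firing. The script below is an added example, not code from the article or from CoPilot; the sample alerts, the custom rule id 100100 and the parent rule id are constructed or assumed, and Python's `re` stands in for PCRE2 for the common syntax shown.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample alerts (hypothetical, not taken from the article): two
# noisy failed-login alerts from one internal host and one that must keep firing.
SAMPLE_ALERTS = [
    {"rule": {"id": "5710"}, "data": {"srcip": "10.0.0.5"}},
    {"rule": {"id": "5710"}, "data": {"srcip": "10.0.0.5"}},
    {"rule": {"id": "5710"}, "data": {"srcip": "203.0.113.9"}},
]


def vet_pattern(pattern, alerts, field, expect_match):
    """Run a candidate regex over one decoded field of each alert.

    expect_match holds one bool per alert: True if the pattern should match it.
    Returns the indices that matched and the indices whose outcome contradicts
    expect_match, so an over-broad pattern is caught before it silences real
    alerts. Python's re covers the PCRE2 subset used here; Wazuh itself
    compiles type="pcre2" fields with PCRE2, so re-test there for exotic syntax.
    """
    rx = re.compile(pattern)
    matched = [i for i, a in enumerate(alerts)
               if rx.search(str(a["data"].get(field, "")))]
    mismatches = [i for i, want in enumerate(expect_match)
                  if (i in matched) != want]
    return {"matched": matched, "mismatches": mismatches}


def render_suppression_rule(rule_id, parent_id, field, pattern, description):
    """Build a level-0 child rule that matches the noisy pattern (no alert).

    rule_id is a placeholder in the custom range (100000+); parent_id is the
    noisy rule's id (5710 is assumed as the example). The pattern is
    XML-escaped so '<' and '&' survive inside the rule file.
    """
    return (
        f'<rule id="{rule_id}" level="0">\n'
        f'  <if_sid>{parent_id}</if_sid>\n'
        f'  <field name="{field}" type="pcre2">{escape(pattern)}</field>\n'
        f'  <description>{escape(description)}</description>\n'
        "</rule>"
    )


if __name__ == "__main__":
    candidate = r"^10\.0\.0\.5$"
    result = vet_pattern(candidate, SAMPLE_ALERTS, "srcip", [True, True, False])
    if result["mismatches"]:
        raise SystemExit(f"pattern mismatches alerts {result['mismatches']}")
    print(render_suppression_rule(100100, 5710, "srcip", candidate,
                                  "Suppress known-noisy internal host"))
```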
Getting Started with CoPilot AI Module
To add the AI module to your CoPilot environment, follow the steps below:
❗ You must have a valid OpenAI API key that can use the gpt-4-turbo model ❗
1. `docker compose down` — stop the CoPilot application
2. Open the `docker-compose.yml` file and add the `copilot-ai-module` as a service:
```yaml
version: "2"
services:
  copilot-backend:
    image: ghcr.io/socfortress/copilot-backend:latest
    # Expose the Ports for Graylog Alerting and Docs
    ports:
      - "5000:5000"
    volumes:
      - ./data/copilot-backend-data/logs:/opt/logs
      # Mount the copilot.db file to persist the database
      - ./data/data:/opt/copilot/backend/data
    env_file: .env
    depends_on:
      - copilot-mysql
  copilot-frontend:
    image: ghcr.io/socfortress/copilot-frontend:latest
    environment:
      - SERVER_HOST=${SERVER_HOST:-localhost} # Set the domain name of your server
    ports:
      - "80:80"
      - "443:443"
  copilot-mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: copilot
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
    ports:
      - "3306:3306"
    volumes:
      - mysql-data:/var/lib/mysql
  copilot-ai-module:
    image: ghcr.io/socfortress/copilot-ai-module:latest
    env_file: .env
volumes:
  mysql-data:
networks:
  default:
    driver: bridge
    # In case you need to set the MTU
    #driver_opts:
    #  com.docker.network.driver.mtu: "1450"
```
3. Add your `OPENAI_API_KEY` to the `.env` file
4. `docker compose pull` — update CoPilot
5. `docker compose up -d` — start CoPilot
🔼See video linked at the beginning of this article regarding how to use the new module🔼