Wazuh Rule Writing With CoPilot AI Module

SOCFortress
2 min read · May 16, 2024


Managing security alerts in Wazuh can be a daunting task, especially when facing alert flooding. The introduction of the CoPilot AI Module offers a promising solution to this challenge by evaluating alerts and providing compliant PCRE2 regex matches. This article explores how CoPilot AI can help you handle your Wazuh alert flooding.

🤖 Get started with CoPilot at https://github.com/socfortress/CoPilot

Understanding the Challenge: Alert Flooding in Wazuh

Before delving into the solution, it’s crucial to understand the problem at hand:

  • High Volume of Alerts: Wazuh can generate a vast amount of data and alerts, which can overwhelm SOC team members.
  • Complexity of Alerts: Each alert needs to be evaluated to determine its legitimacy and relevance, adding layers of complexity to security management.
  • Need for Precision: Incorrect handling of alerts can lead to missed threats or wasted resources on false positives.

Integration of PCRE2 Regex

  • Customized Filtering: Utilizes PCRE2 (Perl Compatible Regular Expressions) to create tailored regex patterns that match complex alert criteria.
  • Enhanced Compliance: Ensures that the regex matches are compliant with the latest security standards, safeguarding against potential vulnerabilities.
  • See Wazuh PCRE2
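Before a suggested PCRE2 pattern goes into a rule it pays to test it against real alerts, because a loose pattern can silence exactly the events you still want to see. The following is an added example, not CoPilot's own code: it scores a candidate regex against constructed alert records and renders the matching child rule. Python's `re` stands in for PCRE2 here (anchors, classes and `(?i)` behave the same for this syntax), rule id 61603 is assumed to be Wazuh's Sysmon process-creation rule, and the "Acme Backup" path and local rule id 100100 are made up.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample alerts (not real data), shaped like Wazuh alerts.json entries for
# Sysmon process creation; "_noise" is our own label for alerts the tuning rule should drop.
SAMPLE_ALERTS = [
    {"_noise": True, "rule": {"id": "61603"}, "data": {"win": {"eventdata": {
        "image": r"C:\Program Files\Acme Backup\backupd.exe"}}}},
    {"_noise": True, "rule": {"id": "61603"}, "data": {"win": {"eventdata": {
        "image": r"c:\program files\acme backup\backupd.exe"}}}},
    {"_noise": False, "rule": {"id": "61603"}, "data": {"win": {"eventdata": {
        "image": r"C:\Users\bob\AppData\Local\Temp\backupd.exe"}}}},  # same name, wrong path
    {"_noise": False, "rule": {"id": "61603"}, "data": {"win": {"eventdata": {
        "image": r"C:\Windows\System32\cmd.exe"}}}},
]

def get_field(alert, dotted):
    """Resolve a dotted alert path such as 'data.win.eventdata.image'; None if absent."""
    node = alert
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return str(node)

def evaluate_pattern(pattern, field, alerts):
    """Return (noise suppressed, wrongly suppressed, noise still alerting) for a candidate regex."""
    rx = re.compile(pattern)
    hits = {i for i, a in enumerate(alerts)
            if (v := get_field(a, field)) is not None and rx.search(v)}
    wanted = {i for i, a in enumerate(alerts) if a["_noise"]}
    return len(hits & wanted), len(hits - wanted), len(wanted - hits)

def render_rule(rule_id, parent_id, field, pattern, description, level=0):
    """Emit a child rule using a pcre2 field match; level 0 keeps matches out of alerts.json."""
    return (f'<group name="local,windows,sysmon,">\n'
            f'  <rule id="{rule_id}" level="{level}">\n'
            f'    <if_sid>{parent_id}</if_sid>\n'
            f'    <field name="{field}" type="pcre2">{escape(pattern)}</field>\n'
            f'    <description>{escape(description)}</description>\n'
            f'  </rule>\n</group>')

ANCHORED = r"(?i)^C:\\Program Files\\Acme Backup\\backupd\.exe$"  # full path, anchored
LOOSE = r"backupd\.exe"                                         # a hasty suggestion
if __name__ == "__main__":
    for name, pat in (("anchored", ANCHORED), ("loose", LOOSE)):
        print(name, evaluate_pattern(pat, "data.win.eventdata.image", SAMPLE_ALERTS))
    print(render_rule(100100, 61603, "win.eventdata.image", ANCHORED,
                      "Acme Backup process creation (expected noise)"))
```

The loose pattern reports one wrongly suppressed alert (the binary of the same name running from a user's Temp directory), which is the case a tuning rule must never hide.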

Getting Started with CoPilot AI Module

To add the AI module to your CoPilot environment, follow the steps below:

❗ You must have a valid OpenAI API key that can use the gpt-4-turbo model ❗

  1. Run `docker compose down` to stop the CoPilot application.
  2. Open the `docker-compose.yml` file and add the `copilot-ai-module` as a service:

```yaml
version: "2"

services:
  copilot-backend:
    image: ghcr.io/socfortress/copilot-backend:latest
    # Expose the Ports for Graylog Alerting and Docs
    ports:
      - "5000:5000"
    volumes:
      - ./data/copilot-backend-data/logs:/opt/logs
      # Mount the copilot.db file to persist the database
      - ./data/data:/opt/copilot/backend/data
    env_file: .env
    depends_on:
      - copilot-mysql

  copilot-frontend:
    image: ghcr.io/socfortress/copilot-frontend:latest
    environment:
      - SERVER_HOST=${SERVER_HOST:-localhost} # Set the domain name of your server
    ports:
      - "80:80"
      - "443:443"

  copilot-mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: copilot
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
    ports:
      - "3306:3306"
    volumes:
      - mysql-data:/var/lib/mysql

  copilot-ai-module:
    image: ghcr.io/socfortress/copilot-ai-module:latest
    env_file: .env

volumes:
  mysql-data:

networks:
  default:
    driver: bridge
    # In case you need to set the MTU
    #driver_opts:
    #  com.docker.network.driver.mtu: "1450"
```

  3. Add your `OPENAI_API_KEY` to the `.env` file.
  4. Run `docker compose pull` to update CoPilot.
  5. Run `docker compose up -d`.

🔼 See the video linked at the beginning of this article for how to use the new module 🔼


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).