Merge pull request #7663 from wazuh/enhancement/2937-update-leveragin…

…g-llms-poc Update Leveraging LLMs for alert enrichment POC
wazuh · Aug 12, 2024 · 10ba306 · 10ba306
2 parents b86fde7 + 0c81c71
commit 10ba306
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 23 deletions.
diff --git a/source/images/poc/chatgpt-active-response-windows-alert.png b/source/images/poc/chatgpt-active-response-windows-alert.png
diff --git a/source/images/poc/chatgpt_response-none-windows-alert.png b/source/images/poc/chatgpt_response-none-windows-alert.png
diff --git a/source/images/poc/chatgpt_response-windows-alert.png b/source/images/poc/chatgpt_response-windows-alert.png
diff --git a/source/proof-of-concept-guide/leveraging-llms-for-alert-enrichment.rst b/source/proof-of-concept-guide/leveraging-llms-for-alert-enrichment.rst
@@ -345,7 +345,7 @@ Perform the following steps to install Python, YARA, and download YARA rules.
           if response.status_code == 200:
               return response.json()['choices'][0]['message']['content']
           elif response.status_code == 401:  # Unauthorized (invalid API key)
-              log_message("wazuh-yara: ERROR - Invalid ChatGPT API key")
+              log_message("wazuh-YARA: ERROR - Invalid ChatGPT API key")
               return None
           else:
               log_message(f"Error querying ChatGPT: {response.status_code} {response.text}")
@@ -370,19 +370,19 @@ Perform the following steps to install Python, YARA, and download YARA rules.
               if description:
                   chatgpt_response = query_chatgpt(description)
                   if chatgpt_response:
-                      combined_output = f"wazuh-yara: INFO - Scan result: {yara_output} | chatgpt_response: {chatgpt_response}"
+                      combined_output = f"wazuh-YARA: INFO - Scan result: {yara_output} | chatgpt_response: {chatgpt_response}"
                       log_message(combined_output)
                   else:
                       # Log the Yara scan result without the ChatGPT response
-                      log_message(f"wazuh-yara: INFO - Scan result: {yara_output} | chatgpt_response: None")
+                      log_message(f"wazuh-YARA: INFO - Scan result: {yara_output} | chatgpt_response: None")
 
                   # Delete the scanned file if a description is found
                   try:
                       os.remove(syscheck_file_path)
                       if not os.path.exists(syscheck_file_path):
-                          log_message(f"wazuh-yara: INFO - Successfully deleted {syscheck_file_path}")
+                          log_message(f"wazuh-YARA: INFO - Successfully deleted {syscheck_file_path}")
                       else:
-                          log_message(f"wazuh-yara: INFO - Unable to delete {syscheck_file_path}")
+                          log_message(f"wazuh-YARA: INFO - Unable to delete {syscheck_file_path}")
                   except Exception as e:
                       log_message(f"Error deleting file: {str(e)}")
               else:
@@ -416,7 +416,7 @@ Perform the following steps to install Python, YARA, and download YARA rules.
 
    .. code-block:: xml
 
-      <directories realtime="yes">C:\users</directories>
+      <directories realtime="yes">C:\Users\*\Downloads</directories>
 
 #. Restart the Wazuh agent to apply the configuration changes:
 
@@ -531,7 +531,7 @@ Perform the following steps on the Wazuh server to configure custom rules, decod
         <order>YARA.file_not_deleted</order>
       </decoder>
 
-#. Add the following rules to the ``/var/ossec/etc/rules/local_rules.xml`` file. The rules detect FIM events in the monitored directory. This triggers the YARA Active response script to delete a file if identified as a malicious file. Replace ``<USER_NAME>`` with the username of the endpoint:
+#. Add the following rules to the ``/var/ossec/etc/rules/local_rules.xml`` file. The rules detect FIM events in the monitored directory. This triggers the YARA Active response script to delete a file if identified as a malicious file.
 
    .. code-block:: xml
 
@@ -549,39 +549,38 @@ Perform the following steps on the Wazuh server to configure custom rules, decod
         </rule>
         <rule id="100302" level="5">
           <if_sid>550</if_sid>
-          <field name="file">C:\\Users\\</field>
-          <description>File modified in C:\Users\ directory.</description>
+          <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
+          <description>File modified in the downloads directory.</description>
         </rule>
 
         <rule id="100303" level="5">
           <if_sid>554</if_sid>
-          <field name="file">C:\\Users\\</field>
-          <description>File added to C:\Users\ directory.</description>
+          <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
+          <description>File added to the downloads directory.</description>
         </rule>
-
       </group>
 
       <group name="yara,">
         <rule id="108000" level="0">
-          <decoded_as>yara_decoder</decoded_as>
-          <description>Yara grouping rule</description>
+          <decoded_as>YARA_decoder</decoded_as>
+          <description>YARA grouping rule</description>
         </rule>
         <rule id="108001" level="10">
           <if_sid>108000</if_sid>
-          <match>wazuh-yara: INFO - Scan result: </match>
-          <description>File "$(yara.scanned_file)" is a positive match for YARA rule: $(yara.rule_name)</description>
+          <match>wazuh-YARA: INFO - Scan result: </match>
+          <description>File "$(YARA.scanned_file)" is a positive match for YARA rule: $(YARA.rule_name)</description>
         </rule>
 
         <rule id="108002" level="5">
           <if_sid>108000</if_sid>
           <field name="yara.file_deleted">\.</field>
-          <description>Active response successfully removed malicious file "$(yara.file_deleted)"</description>
+          <description>Active response successfully removed malicious file "$(YARA.file_deleted)"</description>
         </rule>
 
         <rule id="108003" level="12">
           <if_sid>108000</if_sid>
-          <field name="yara.file_not_deleted">\.</field>
-          <description>Active response unable to delete malicious file "$(yara.file_not_deleted)"</description>
+          <field name="YARA.file_not_deleted">\.</field>
+          <description>Active response unable to delete malicious file "$(YARA.file_not_deleted)"</description>
         </rule>
       </group>
 
@@ -663,13 +662,13 @@ The below image shows an example of an alert triggered when the provided ChatGPT
 Windows 11 endpoint
 ^^^^^^^^^^^^^^^^^^^
 
-Run the following commands via PowerShell to download malware samples to the monitored ``C:\Users\`` directory:
+Run the following commands via PowerShell to download malware samples to the monitored ``C:\Users\*\Downloads`` directory:
 
 .. code-block:: powershell
 
-   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" -o c:\users\mirai
-   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" -o c:\users\xbash
-   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" -o c:\users\webshell
+   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" -o   $env:USERPROFILE\Downloads\mirai
+   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" -o   $env:USERPROFILE\Downloads\xbash
+   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" -o $env:USERPROFILE\Downloads\webshell
 
 You can visualize the alert data in the Wazuh dashboard. To do this, go to the **Security events** module and add the filter in the search bar to query the alerts.