Integrating Wazuh Alerts Correlation and Graphs with OpenSearch Dashboards

Table of contents#

Overview#

Integrating Wazuh-Manager 4.12.0 with OpenSearch 2.19.2 and OpenSearch Dashboards 2.19.2 for alert correlation and visualization involves several key components working together. This comprehensive guide provides the complete solution for setting up this integration with proper correlation capabilities and graphical representations.

Architecture Components#

The complete setup consists of:

Wazuh Manager 4.12.0: Collects and analyzes security events
Filebeat: Ships data from Wazuh to OpenSearch
OpenSearch 2.19.2: Stores and indexes security data
OpenSearch Dashboards 2.19.2: Provides visualization and correlation analysis

Step 1: Setting Up the Core Infrastructure#

Installing and Configuring Wazuh Manager 4.12.0#

First, install Wazuh Manager on your designated server:

1
# Add Wazuh repository
2
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
3
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
4
apt-get update
5

6
# Install Wazuh Manager
7
apt-get install wazuh-manager
8
systemctl daemon-reload
9
systemctl enable wazuh-manager
10
systemctl start wazuh-manager

Configuring OpenSearch 2.19.2#

Install and configure OpenSearch to work with Wazuh:

1
# Download and install OpenSearch
2
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.19.2/opensearch-2.19.2-linux-x64.tar.gz
3
tar -xzf opensearch-2.19.2-linux-x64.tar.gz
4
cd opensearch-2.19.2
5

6
# Configure opensearch.yml
7
echo "cluster.name: wazuh-cluster
8
node.name: wazuh-node-1
9
path.data: /var/lib/opensearch
10
path.logs: /var/log/opensearch
11
network.host: 0.0.0.0
12
http.port: 9200
13
discovery.type: single-node
14
compatibility.override_main_response_version: true
15
plugins.security.ssl.http.enabled: true
16
plugins.security.ssl.transport.enabled: true" > config/opensearch.yml

Step 2: Configuring Filebeat Integration#

Installing Filebeat#

1
# Install Filebeat
2
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.10.0-linux-x86_64.tar.gz
3
tar xzvf filebeat-8.10.0-linux-x86_64.tar.gz
4
cd filebeat-8.10.0-linux-x86_64

Filebeat Configuration for Wazuh-OpenSearch Integration#

Create the Filebeat configuration file (/etc/filebeat/filebeat.yml):

1
# Wazuh - Filebeat configuration file
2
filebeat.inputs:
3
  - type: filestream
4
    id: wazuh-alerts
5
    paths:
6
      - /var/ossec/logs/alerts/alerts.json
7
    parser:
8
      format: json
9

10
  - type: filestream
11
    id: wazuh-archives
12
    paths:
13
      - /var/ossec/logs/archives/archives.json
14
    parser:
15
      format: json
16

17
output.elasticsearch:
18
  hosts: ["localhost:9200"]
19
  protocol: https
20
  username: ${username}
21
  password: ${password}
22
  ssl.certificate_authorities:
23
    - /etc/filebeat/certs/root-ca.pem
24
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
25
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
26

27
setup.template.json.enabled: true
28
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
29
setup.template.json.name: "wazuh"
30
setup.ilm.enabled: false
31

32
processors:
33
  - add_host_metadata:
34
      when.not.contains.tags: forwarded
35
  - add_docker_metadata: ~
36
  - add_kubernetes_metadata: ~

Creating Wazuh Index Template#

Download and configure the Wazuh template for OpenSearch:

1
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.12.0/extensions/elasticsearch/7.x/wazuh-template.json
2

3
# Modify index patterns in template
4
sed -i 's/"wazuh-alerts-4.x-\*"/"wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"/g' /etc/filebeat/wazuh-template.json

Step 3: Setting Up OpenSearch Dashboards 2.19.2#

Installation and Configuration#

1
# Download OpenSearch Dashboards
2
wget https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.19.2/opensearch-dashboards-2.19.2-linux-x64.tar.gz
3
tar -xzf opensearch-dashboards-2.19.2-linux-x64.tar.gz
4
cd opensearch-dashboards-2.19.2
5

6
# Configure opensearch_dashboards.yml
7
echo "server.host: 0.0.0.0
8
server.port: 5601
9
opensearch.hosts: ['https://localhost:9200']
10
opensearch.ssl.verificationMode: certificate
11
opensearch.username: admin
12
opensearch.password: admin
13
opensearch.requestHeadersWhitelist: ['securitytenant','Authorization']
14
opensearch_security.multitenancy.enabled: false
15
opensearch_security.readonly_mode.roles: ['kibana_read_only']
16
server.ssl.enabled: true
17
server.ssl.key: /path/to/server-key.pem
18
server.ssl.certificate: /path/to/server.pem" > config/opensearch_dashboards.yml

Step 4: Implementing Alert Correlation#

Creating Correlation Rules in Wazuh#

Wazuh supports several correlation mechanisms. Here’s an example of creating a correlation rule for detecting brute force attacks followed by successful logins:

1
<!-- Custom correlation rules in /var/ossec/etc/rules/local_rules.xml -->
2
<group name="correlation,attack,">
3

4
  <!-- Rule for multiple failed logins -->
5
  <rule id="100001" level="7" frequency="5" timeframe="300">
6
    <if_matched_sid>5710</if_matched_sid>
7
    <same_source_ip />
8
    <description>Multiple SSH authentication failures from same source IP</description>
9
    <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,</group>
10
  </rule>
11

12
  <!-- Rule for successful login after failures -->
13
  <rule id="100002" level="12">
14
    <if_matched_sid>5715</if_matched_sid>
15
    <same_source_ip />
16
    <if_matched_sid>100001</if_matched_sid>
17
    <description>Successful SSH login after multiple failures - Possible brute force attack</description>
18
    <group>correlation,attack,pci_dss_10.2.4,</group>
19
  </rule>
20

21
</group>

Advanced Correlation Example#

For more complex scenarios involving multiple systems:

1
<group name="correlation,lateral_movement,">
2

3
  <!-- Detect suspicious network activity -->
4
  <rule id="100010" level="8" frequency="3" timeframe="600">
5
    <if_matched_group>network</if_matched_group>
6
    <field name="action">connection_established</field>
7
    <same_source_ip />
8
    <description>Multiple network connections from same source</description>
9
  </rule>
10

11
  <!-- Correlate with privilege escalation -->
12
  <rule id="100011" level="15">
13
    <if_matched_sid>100010</if_matched_sid>
14
    <if_matched_group>privilege_escalation</if_matched_group>
15
    <same_source_ip />
16
    <description>Privilege escalation after suspicious network activity - Possible lateral movement</description>
17
    <group>correlation,lateral_movement,attack,</group>
18
  </rule>
19

20
</group>

Step 5: Creating Correlation Visualizations in OpenSearch Dashboards#

Setting Up Index Patterns#

Access OpenSearch Dashboards at https://your-server:5601
Navigate to Management → Index Patterns
Create index patterns:
- wazuh-alerts-* for alerts
- wazuh-archives-* for archived events

Building Correlation Dashboards#

Create visualizations for correlation analysis:

1. Alert Correlation Timeline#

1
{
2
  "version": "2.19.2",
3
  "visualization": {
4
    "title": "Alert Correlation Timeline",
5
    "type": "line",
6
    "params": {
7
      "grid": { "categoryLines": false, "style": { "color": "#eee" } },
8
      "categoryAxes": [
9
        {
10
          "id": "CategoryAxis-1",
11
          "type": "category",
12
          "position": "bottom",
13
          "show": true,
14
          "style": {},
15
          "scale": { "type": "linear" },
16
          "labels": { "show": true, "truncate": 100 },
17
          "title": {}
18
        }
19
      ],
20
      "valueAxes": [
21
        {
22
          "id": "ValueAxis-1",
23
          "name": "LeftAxis-1",
24
          "type": "value",
25
          "position": "left",
26
          "show": true,
27
          "style": {},
28
          "scale": { "type": "linear", "mode": "normal" },
29
          "labels": {
30
            "show": true,
31
            "rotate": 0,
32
            "filter": false,
33
            "truncate": 100
34
          },
35
          "title": { "text": "Alert Count" }
36
        }
37
      ],
38
      "seriesParams": [
39
        {
40
          "show": true,
41
          "type": "line",
42
          "mode": "normal",
43
          "data": { "label": "Alert Count", "id": "1" },
44
          "valueAxis": "ValueAxis-1",
45
          "drawLinesBetweenPoints": true,
46
          "showCircles": true
47
        }
48
      ]
49
    },
50
    "aggs": [
51
      {
52
        "id": "1",
53
        "enabled": true,
54
        "type": "count",
55
        "schema": "metric",
56
        "params": {}
57
      },
58
      {
59
        "id": "2",
60
        "enabled": true,
61
        "type": "date_histogram",
62
        "schema": "segment",
63
        "params": {
64
          "field": "@timestamp",
65
          "interval": "auto",
66
          "customInterval": "2h",
67
          "min_doc_count": 1,
68
          "extended_bounds": {}
69
        }
70
      }
71
    ]
72
  }
73
}

2. Correlation Graph Visualization#

OpenSearch Dashboards 2.19.2 includes built-in correlation graph capabilities:

Navigate to Security Analytics → Correlations
Create correlation rules that define relationships between different log types
Use the correlation graph to visualize relationships between findings

Example Correlation Rule Configuration#

1
{
2
  "name": "Brute Force to Success Correlation",
3
  "queries": [
4
    {
5
      "index": "wazuh-alerts-*",
6
      "query": {
7
        "bool": {
8
          "must": [
9
            { "match": { "rule.groups": "authentication_failed" } },
10
            { "range": { "@timestamp": { "gte": "now-1h" } } }
11
          ]
12
        }
13
      }
14
    },
15
    {
16
      "index": "wazuh-alerts-*",
17
      "query": {
18
        "bool": {
19
          "must": [
20
            { "match": { "rule.groups": "authentication_success" } },
21
            { "range": { "@timestamp": { "gte": "now-1h" } } }
22
          ]
23
        }
24
      }
25
    }
26
  ],
27
  "time_window": "10m"
28
}

Step 6: Advanced Correlation Features#

Using OpenSearch Alerting for Correlation#

Set up OpenSearch alerting to trigger on correlation patterns:

1
{
2
  "name": "Correlation Alert Monitor",
3
  "type": "monitor",
4
  "monitor_type": "query_level_monitor",
5
  "enabled": true,
6
  "schedule": {
7
    "period": {
8
      "interval": 5,
9
      "unit": "MINUTES"
10
    }
11
  },
12
  "inputs": [
13
    {
14
      "search": {
15
        "indices": ["wazuh-alerts-*"],
16
        "query": {
17
          "bool": {
18
            "must": [
19
              { "match": { "rule.groups": "correlation" } },
20
              { "range": { "@timestamp": { "gte": "now-10m" } } }
21
            ]
22
          }
23
        }
24
      }
25
    }
26
  ],
27
  "triggers": [
28
    {
29
      "name": "High Priority Correlation",
30
      "severity": "1",
31
      "condition": {
32
        "script": {
33
          "source": "ctx.results[0].hits.total.value > 0"
34
        }
35
      },
36
      "actions": [
37
        {
38
          "name": "Send Email Alert",
39
          "destination_id": "email-destination-id",
40
          "message_template": {
41
            "source": "Alert: Correlation detected - {{ctx.results.0.hits.hits.0._source.rule.description}}"
42
          }
43
        }
44
      ]
45
    }
46
  ]
47
}

Custom Correlation Dashboards#

Create comprehensive dashboards combining multiple correlation views:

1
# Dashboard Configuration
2
dashboard:
3
  title: "Security Alert Correlation Analysis"
4
  panels:
5
    - title: "Alert Volume by Source IP"
6
      type: "data_table"
7
      query: "rule.groups:correlation AND agent.ip:*"
8

9
    - title: "Correlation Timeline"
10
      type: "line_chart"
11
      timeframe: "24h"
12

13
    - title: "Geographic Distribution"
14
      type: "map"
15
      field: "geoip.location"
16

17
    - title: "Top Correlation Rules"
18
      type: "pie_chart"
19
      field: "rule.id"

Step 7: Performance Optimization and Troubleshooting#

Index Lifecycle Management#

Configure ILM policies for optimal performance:

1
{
2
  "policy": {
3
    "phases": {
4
      "hot": {
5
        "actions": {
6
          "rollover": {
7
            "max_size": "10gb",
8
            "max_age": "1d"
9
          }
10
        }
11
      },
12
      "warm": {
13
        "min_age": "2d",
14
        "actions": {
15
          "allocate": {
16
            "number_of_replicas": 0
17
          }
18
        }
19
      },
20
      "cold": {
21
        "min_age": "7d",
22
        "actions": {
23
          "allocate": {
24
            "number_of_replicas": 0
25
          }
26
        }
27
      },
28
      "delete": {
29
        "min_age": "30d"
30
      }
31
    }
32
  }
33
}

Common Issues and Solutions#

Connection Issues: Ensure proper SSL certificates and network connectivity
Index Pattern Problems: Verify index patterns match your data structure
Performance Issues: Implement proper sharding and replica strategies

Code Examples and Implementation#

Python Script for Custom Correlation#

1
#!/usr/bin/env python3
2
import json
3
import requests
4
from datetime import datetime, timedelta
5

6
class WazuhCorrelationEngine:
7
    def __init__(self, opensearch_host, username, password):
8
        self.opensearch_host = opensearch_host
9
        self.auth = (username, password)
10

11
    def search_alerts(self, query, time_range="1h"):
12
        """Search for alerts in OpenSearch"""
13
        endpoint = f"{self.opensearch_host}/wazuh-alerts-*/_search"
14

15
        search_body = {
16
            "query": {
17
                "bool": {
18
                    "must": query,
19
                    "filter": {
20
                        "range": {
21
                            "@timestamp": {
22
                                "gte": f"now-{time_range}"
23
                            }
24
                        }
25
                    }
26
                }
27
            },
28
            "size": 100,
29
            "sort": [{"@timestamp": {"order": "desc"}}]
30
        }
31

32
        response = requests.post(endpoint,
33
                               json=search_body,
34
                               auth=self.auth,
35
                               verify=False)
36
        return response.json()
37

38
    def correlate_events(self, rule_config):
39
        """Correlate events based on rule configuration"""
40
        correlations = []
41

42
        for rule in rule_config:
43
            # Search for first event type
44
            primary_events = self.search_alerts(rule['primary_query'])
45

46
            for event in primary_events['hits']['hits']:
47
                source_ip = event['_source'].get('data', {}).get('srcip')
48
                if source_ip:
49
                    # Search for correlated events from same IP
50
                    correlated_query = rule['secondary_query']
51
                    correlated_query.append({"term": {"data.srcip": source_ip}})
52

53
                    secondary_events = self.search_alerts(correlated_query, "30m")
54

55
                    if secondary_events['hits']['total']['value'] > 0:
56
                        correlations.append({
57
                            'primary_event': event,
58
                            'correlated_events': secondary_events['hits']['hits'],
59
                            'correlation_rule': rule['name'],
60
                            'severity': rule['severity']
61
                        })
62

63
        return correlations
64

65
# Usage example
66
correlation_rules = [
67
    {
68
        'name': 'Brute Force to Success',
69
        'primary_query': [{"match": {"rule.groups": "authentication_failed"}}],
70
        'secondary_query': [{"match": {"rule.groups": "authentication_success"}}],
71
        'severity': 'high'
72
    }
73
]
74

75
engine = WazuhCorrelationEngine('https://localhost:9200', 'admin', 'admin')
76
correlations = engine.correlate_events(correlation_rules)
77
print(json.dumps(correlations, indent=2))

Bash Script for Automated Setup#

1
#!/bin/bash
2

3
# Automated Wazuh-OpenSearch Integration Setup
4
set -e
5

6
OPENSEARCH_VERSION="2.19.2"
7
WAZUH_VERSION="4.12.0"
8
OPENSEARCH_HOST="localhost"
9
OPENSEARCH_PORT="9200"
10

11
echo "Setting up Wazuh-OpenSearch Integration..."
12

13
# Function to check service status
14
check_service() {
15
    if systemctl is-active --quiet $1; then
16
        echo "✓ $1 is running"
17
    else
18
        echo "✗ $1 is not running"
19
        return 1
20
    fi
21
}
22

23
# Setup index templates
24
setup_index_templates() {
25
    echo "Setting up index templates..."
26

27
    curl -X PUT "${OPENSEARCH_HOST}:${OPENSEARCH_PORT}/_template/wazuh" \
28
        -H 'Content-Type: application/json' \
29
        -d @/etc/filebeat/wazuh-template.json \
30
        --user admin:admin -k
31

32
    echo "Index templates configured successfully"
33
}
34

35
# Create correlation dashboards
36
setup_dashboards() {
37
    echo "Setting up correlation dashboards..."
38

39
    # Download Wazuh dashboards for OpenSearch
40
    wget -O /tmp/wazuh-dashboards.ndjson \
41
        "https://packages.wazuh.com/integrations/opensearch/4.x-2.x/dashboards/wz-os-4.x-2.x-dashboards.ndjson"
42

43
    # Import dashboards
44
    curl -X POST "${OPENSEARCH_HOST}:5601/api/saved_objects/_import" \
45
        -H "osd-xsrf: true" \
46
        -H "Content-Type: application/json" \
47
        --form file=@/tmp/wazuh-dashboards.ndjson \
48
        --user admin:admin -k
49

50
    echo "Dashboards imported successfully"
51
}
52

53
# Main execution
54
main() {
55
    echo "Starting Wazuh-OpenSearch integration setup..."
56

57
    # Check prerequisites
58
    check_service wazuh-manager
59
    check_service opensearch
60
    check_service opensearch-dashboards
61
    check_service filebeat
62

63
    # Setup components
64
    setup_index_templates
65
    setup_dashboards
66

67
    echo "Integration setup completed successfully!"
68
    echo "Access OpenSearch Dashboards at: https://${OPENSEARCH_HOST}:5601"
69
}
70

71
main "$@"

Conclusion#

This comprehensive integration enables powerful security event correlation and visualization capabilities by combining Wazuh’s threat detection with OpenSearch’s analytical power and visualization features. The solution provides:

Real-time alert correlation across multiple data sources
Interactive dashboards for security analysis
Custom correlation rules for specific threat scenarios
Graph-based visualization of security events and their relationships
Automated alerting on correlation patterns

The integration leverages Wazuh’s built-in correlation engine while extending capabilities through OpenSearch’s advanced search and aggregation features. This creates a robust security monitoring platform capable of detecting complex, multi-stage attacks through event correlation and providing intuitive visual representations of security threats.

By following this guide, security teams can implement a comprehensive SIEM solution that not only detects individual security events but also identifies patterns and relationships between events, significantly enhancing threat detection capabilities and reducing false positives through intelligent correlation analysis.