Hello Uktarsh
Wazuh doesn't come with the OpenSearch ML engine enabled by default, as Wazuh only uses OpenSearch to index the data once it's processed by the Wazuh manager, which searches for specific patterns in logs and files and triggers alerts based on the patterns specified in the Wazuh ruleset. So the data that OpenSearch stores is already processed by the Wazuh manager.
I have been looking at the OpenSearch documentation and it seems that it has some algorithms to perform anomaly detection and forecasting. These kinds of capabilities may help you detect outliers in the data (for example, an SSH connection from outside your network), but in most cases, you can set up a rule that will trigger an alert in that use case.
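A rule of the kind the reply mentions could look like the following. This is an added example, not part of the original reply. It assumes the internal network is 192.168.0.0/16 and uses a constructed rule ID (100100) from the range reserved for custom rules. It chains from rule 5715, the stock Wazuh rule for a successful sshd authentication.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml on the Wazuh manager. -->
<!-- Assumptions: internal range 192.168.0.0/16, constructed rule ID 100100. -->
<group name="local,syslog,sshd,">

  <!-- Fires when a successful SSH login (parent rule 5715) arrives
       from a source address that is NOT inside the internal range. -->
  <rule id="100100" level="10">
    <if_sid>5715</if_sid>
    <srcip>!192.168.0.0/16</srcip>
    <description>sshd: successful login from outside the internal network</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

Restart the Wazuh manager after saving the file so the rule is loaded. Replaying a sample sshd "Accepted" log line through `wazuh-logtest` shows whether the rule matches before it goes into production.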