wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Review "How to integrate Wazuh with YARA" Wazuh active response use case documentation #5000

Open mcarmona99 opened 2 years ago

mcarmona99 commented 2 years ago

This issue was opened after reviewing the How to integrate Wazuh with YARA active response use case guide in the active response manual tests issue (Wazuh 4.3.0). The full review of the guide can be found at https://github.com/wazuh/wazuh/issues/12870#issuecomment-1084643157.

This issue aims to review the documentation page for this use case.

In the Wazuh agent configuration section, the ownership is wrong:

Note: Make sure that you have jq installed, and that the yara.sh file ownership is root:ossec and the permissions are 750.

The ownership must be root:wazuh instead.

Apart from fixing this error, we should add a better introduction to the Malware detection section. We should mention that the Yara rules should be inside the same single file, and /path/to/rules in the manager configuration should be the path to the rule file including the rule file name.

Also, mention a basic FIM configuration and explain the flow. In the Wazuh alerts section, JSON alerts are shown but the user does not know how they were created. These rules were created by active response, as it used the YARA executable and logged the result. The YARA scan was done after rules 550 or 554, but there was no mention of how to configure FIM for these rules to generate alerts. Mentioning the configuration of FIM and saying that the file monitored is the one scanned by YARA is necessary before showing the Wazuh alerts generated.

FIM -> AR (YARA) -> CUSTOM ALERT FOR YARA
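The FIM -> active response -> custom alert chain the comment above asks the guide to spell out, as an added illustrative configuration (not the guide's text and not Wazuh's shipped configuration). The monitored directory /tmp/yara/malware, the rules file /tmp/yara/rules/yara_rules.yar, the command name yara_linux, the custom rule IDs 108000/108001 and the `wazuh-yara:` log line format are assumptions made for this example; rules 550 and 554 are Wazuh's built-in FIM rules.

```xml
<!-- Agent side (/var/ossec/etc/ossec.conf): FIM watches the directory that the YARA
     scan will run against. A file added here raises rule 554 (file added) and a
     modified file raises rule 550 (integrity checksum changed). The path is assumed. -->
<ossec_config>
  <syscheck>
    <directories realtime="yes">/tmp/yara/malware</directories>
  </syscheck>
</ossec_config>

<!-- Manager side (/var/ossec/etc/ossec.conf): bind the yara.sh active-response script
     to those two FIM rules. The script is run by the agent, so it needs the ownership
     and mode from the corrected note:
         chown root:wazuh /var/ossec/active-response/bin/yara.sh
         chmod 750        /var/ossec/active-response/bin/yara.sh
     yara_rules must point at the single rules FILE, including its file name, not at
     the directory that contains it. yara.sh (not shown) receives the alert as JSON on
     stdin and extracts the FIM path with jq, which is why jq has to be installed;
     the file it scans is therefore exactly the file FIM reported on. -->
<ossec_config>
  <command>
    <name>yara_linux</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>yara_linux</command>
    <location>local</location>
    <rules_id>550,554</rules_id>
  </active-response>
</ossec_config>

<!-- Manager side (/var/ossec/etc/decoders/local_decoder.xml and
     /var/ossec/etc/rules/local_rules.xml): yara.sh writes one line per positive match
     to active-responses.log in the assumed format
         wazuh-yara: INFO - Scan result: <rule_name> <scanned_file>
     The decoder splits that line into fields and the level-12 rule turns a match into
     the custom YARA alert the guide shows. IDs 108000/108001 are assumed to be free. -->
<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>YARA grouping rule</description>
  </rule>

  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. YARA rule: $(yara_rule)</description>
  </rule>
</group>
```

Read top to bottom this is the flow in the comment: a change under the syscheck directory produces rule 550 or 554 on the manager, the active-response entry fires yara_linux on the originating agent, yara.sh scans the reported path against the single rules file and logs the result, and the decoder plus rule 108001 raise the alert the guide's JSON examples show. Dropping a harmless file that matches one of your own YARA rules into the monitored directory is a quick end-to-end check that every stage is wired.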

javimed commented 7 months ago

From v4.8.0-alpha2 tests it doesn't seem to be an issue any longer. Closing this issue should be considered now.