Wazuh is an open-source security monitoring platform that provides real-time threat detection, log analysis, and vulnerability monitoring. It helps organizations detect security incidents, ensure compliance with regulations, and respond to potential threats effectively. Setting up and practicing with Wazuh is valuable because it allows hands-on experience with a powerful tool that integrates seamlessly with other security solutions like the Elastic Stack, enabling a comprehensive view of security data. This experience is crucial for improving skills in monitoring, incident response, and maintaining a strong security posture across diverse environments.
- Advanced understanding of SIEM concepts and practical application.
- Proficiency in analyzing and interpreting network logs.
- Ability to generate and recognize attack signatures and patterns.
I have to download an OS that Wazuh can sit on. Looking at their documentation, I will choose Ubuntu. However, you could choose whichever option you are more comfortable with.
Next, I had to reformat a USB drive using DiskPart on Windows, because the drive had previously been used for something else.
Note: make sure to run DiskPart as admin first.
Now that the drive has been reformatted back to its original state, I will use balenaEtcher to turn the drive into a bootable USB.
The USB has now been formatted into a bootable drive.
I then plug the bootable drive into my mini PC and install Ubuntu on it. I went ahead and skipped gathering screenshots for this; however, I did enable RDP on the Ubuntu desktop to be able to continue documenting the process.
I then checked to make sure the OS is fully updated and does not have any updates pending.
Now that everything has been checked and is working as expected, it's time to install the Wazuh manager on this system.
Looking at the documentation, it's time to run through the first step, which is installing Wazuh. I run the first command, which is: "curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a"
Wazuh is now getting configured and we just play the waiting game until it is ready.
The setup is now complete. Take note of the login credentials provided at the end of the install.
To get to the Wazuh dashboard, browse to the local IP of the endpoint you installed it on.
Once you put the IP in the URL bar and navigate to the dashboard, you are met with the login screen. Enter the credentials provided in the previous step here.
Once you log in, you are now met with the Wazuh dashboard.
I wanted to install an agent to talk back to the manager and start sending logs to it, so I navigated to Server Management > Endpoints Summary and then clicked on "Deploy new agent".
I am installing this on a Windows machine, so I just fill out the required information to get the PowerShell command at the end that installs it.
I now head back over to my Windows desktop, launch PowerShell as admin, and run the script.
I then started the service as well.
Now that the service has started, I head back over to the Wazuh manager to see if the agent is checking in.
Looks like the agent is successfully checking in with the Wazuh manager now.
I now let the agent sit on the desktop to start collecting telemetry about it, and it looks like it's already logging Windows event logs, since it shows my login activity.
The agent is now reporting a ton of data, such as vulnerabilities, registry key modifications, CIS benchmarks to harden the OS, and even the top MITRE ATT&CK tactics.
Looking at the events for registry key modifications, we can see that some registry keys were deleted.
Here is a screenshot with more information about a specific row.
We can also see vulnerabilities found on the machine.
We can also see events such as authentication failures and successful logins.
Wazuh is an amazing tool and you can get really specific with it. I went ahead and modified the config file on the Windows host machine (located at "C:\Users\Your username here\Program Files x86\ossec-agent"; look for the ossec.conf file) to watch specific directories for any type of change.
Now that the Desktop and Documents directories are being watched, let's change the syscheck interval so the alert is reported much faster than the standard 12 hours. In this screenshot, I set the time to 120 seconds.
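The two changes described above, the watched directories and the shorter syscheck interval, both live in the agent's ossec.conf inside the syscheck block. The snippet below is an added example, not the post's own screenshot or Wazuh's shipped file; the directory paths and the USERNAME placeholder are assumptions, and the realtime and report_changes attributes are optional extras beyond what the post describes.

```xml
<ossec_config>
  <syscheck>
    <disabled>no</disabled>

    <!-- Scheduled scan interval in seconds. Wazuh's default is 43200 (12 hours);
         the post lowers it to 120 so a change is reported within about two minutes. -->
    <frequency>120</frequency>

    <!-- Directories to watch. USERNAME is a placeholder for the real profile folder.
         check_all: hash, size, owner, permissions and timestamps are all compared.
         realtime: report changes as they happen instead of waiting for the next scan.
         report_changes: include a diff of text-file contents in the alert. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\Users\USERNAME\Desktop</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\Users\USERNAME\Documents</directories>
  </syscheck>
</ossec_config>
```

After saving the file, restart the Wazuh agent service on the Windows host so the new syscheck settings take effect; with realtime enabled, the "Can you see this" test file from the next step shows up in File Integrity Monitoring without waiting for the 120-second scan. The same block can also be pushed from the manager to a group of agents through agent.conf rather than edited on each host.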
Now, let's create a txt file on our desktop and see the results in Wazuh. I named the txt file "Can you see this".
Now, we head back over to our Wazuh manager to see the modification come in. Navigate to File Integrity Monitoring and select the Events tab. As you can see, the newly created txt document shows up.
Now, let's modify the file to see if Wazuh catches that as well.
Now, let's go back to Wazuh to see if it picks up the file modification.
Looks like Wazuh detected that as well!
Now, let's set up an integration to alert us. I will be using Slack for this project.
First, you will need to create a Slack account. Once created, create a channel called "Wazuh", for example. Then click on "See more preferences", then "Connected accounts", and from there open the "App management" page.
From there, navigate to "Incoming Webhooks" and turn the feature on. Once it is on, take the Webhook URL and add it to the Wazuh manager.
I went ahead and added the integration to the Wazuh manager. I am matching on specific rule IDs and a severity level to trigger it. For example, failed logins would trigger the integration and send an alert back to Slack.
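For reference, this is what the Slack integration block on the manager side looks like in Wazuh's integration format. It is an added example rather than the post's own configuration: the hook URL is a placeholder for the Incoming Webhook URL from the previous step, the level is an assumed threshold, and the rule IDs listed are assumed to be the manager's Windows logon-failure rules and should be checked against the ruleset loaded on your manager before relying on them.

```xml
<ossec_config>
  <integration>
    <name>slack</name>

    <!-- Placeholder: paste the Incoming Webhook URL copied from Slack here. -->
    <hook_url>https://hooks.slack.com/services/REPLACE/WITH/WEBHOOK</hook_url>

    <!-- Minimum alert level to forward. Alerts below this level never reach Slack,
         which keeps the channel from filling with low-severity noise. (Assumed value.) -->
    <level>5</level>

    <!-- Optional: only forward these rule IDs. Assumed to be the Windows
         "logon failure" rules; verify the IDs in the manager's ruleset first. -->
    <rule_id>60122,60204</rule_id>

    <!-- Slack's integration script expects the alert as JSON. -->
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```

Add this inside the existing ossec_config of the manager's /var/ossec/etc/ossec.conf and restart the wazuh-manager service. Rule IDs and level are combined, so an alert is forwarded only when it matches one of the listed rules and meets the level threshold; leaving out rule_id forwards every alert at or above the level instead.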
Conclusion: I have successfully installed the Wazuh manager on an Ubuntu OS and deployed an agent onto a Windows desktop to check in and start sending logs to the manager. Moreover, I added specific directories to be watched on the host agent and shortened the time it takes to send an alert to the Wazuh manager. In addition, I added a Slack integration to alert me when specific severity levels and rule IDs are triggered.