Getting started with Wazuh SIEM
Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, inventory management, intrusion prevention and active response.
In the context of blue team operations, Wazuh is a SIEM (Security Information and Event Management) system used to collect, aggregate, index and analyze security-related data, which allows you to detect intrusions, attacks, vulnerabilities, and malicious activity.
Wazuh consists of the following components:
- Wazuh agent – Cross-platform endpoint security agent that is installed on the system/host you would like to monitor.
- Wazuh server – Receives the data from the Wazuh agents, processes it and matches it against rule sets to identify indicators of compromise (IOCs).
- Elastic stack – Indexes and displays the alerts generated by the Wazuh server and provides users with robust data visualization and analysis functionality.
Wazuh Deployment
Wazuh can be deployed in two ways:
- All-in-one – Wazuh server and ELK stack are installed and configured on the same system. Wazuh provides a pre-built all-in-one OVA file that you can set up on your local network.
- Distributed – Each component is set up on a separate server. This is typically suitable for larger environments, for the purpose of scalability.
The system requirements to deploy Wazuh on a local system are pretty high, so we will leverage the free Wazuh Cloud trial to set up our environment.
Wazuh Deployment on Cloud
I deployed Wazuh on a Wazuh Cloud instance, which provides a free 14-day trial that is great for learning Wazuh and getting started (no credit card is required). Sign up to Wazuh Cloud and use the free cloud deployment to follow along.
Wazuh Manager
After deploying Wazuh on Cloud (or through any preferred method), we are presented with the Wazuh Manager GUI, which is built on top of the ELK Stack. The Wazuh Manager is the system that analyzes the data received from all registered systems (Wazuh Agents) and triggers alerts when an event matches a rule. Let’s take a look at some common features that we’ll utilize.
Wazuh GUI (Wazuh Cloud Instance)
- There are various modules for SIEM, Auditing, Threat Detection, Compliance etc.
- Through the Agents option under the main menu, we can deploy Wazuh agents on the systems we would like to monitor.
- The configuration file is stored in the Configuration section under the Management tab.
- Reports (if any have been generated) are stored in the Reporting section under the Management tab.
Wazuh Agents
Wazuh Agent is a multi-platform service that runs on the host systems that the user wants to monitor through Wazuh Manager. Wazuh Agents run as services on both Windows and Linux systems.
The Agents tab shows the status of all available agents (whether active or disconnected), their details, and their evolution status.
The “Deploy new agent” section allows us to add more agents to our instance.
We are prompted with all the necessary instructions, details, and commands to deploy a new agent.
Selecting an agent lets us manage and monitor security events for that system: integrity monitoring, auditing, vulnerability scanning, etc.
All options can visualize the data they produce.
We can search based on filters.
We can save a report for an agent using the “Generate report” option in the top right corner.
The time taken to generate a report depends on the quantity of logs to be processed.
Once generated, the report is saved under Wazuh Menu > Management > Reporting.
Please note that if filters are active, the report will be generated for the selected filters only.
Wazuh Configuration File
The Wazuh configuration (ossec.conf) file can be accessed from Wazuh Menu > Management > Configuration.
It is the global XML configuration file for making changes to the Wazuh Manager or to the individual agents that Wazuh monitors.
It can be used to enable, disable, add, remove or modify settings pertaining to Auditing and Policy Monitoring, Incident Response, Log collection and analysis, Cloud security monitoring, etc. In addition to the global configuration, Wazuh also stores a configuration file in the local directory of each installed Wazuh agent.
On Linux agents, it is stored under “/var/ossec/etc/ossec.conf”
On Windows agents, it is stored under “C:\Program Files (x86)\ossec-agent\ossec.conf”
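As an added example (not from the original post or the Wazuh project), here is a fragment of an agent-side ossec.conf that enables two of the functions mentioned above: log collection from an extra log file and file integrity monitoring of a few directories. The file path and directory list are constructed values; adjust them to the host being monitored.

```xml
<!-- Added example: agent ossec.conf fragment. Paths below are constructed for illustration. -->
<ossec_config>

  <!-- Log collection: forward a syslog-format file to the manager for rule matching -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- File integrity monitoring (syscheck): scan the listed directories every
       12 hours (43200 s) and also report changes in real time -->
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>

</ossec_config>
```

After editing the file, restart the agent service so the new settings are loaded.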
Wazuh Rule Sets
Wazuh Rule Sets are used by the system to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, system anomalies, or security policy violations. The default rules are maintained by the Wazuh community and receive periodic updates. In addition to the default rules, Wazuh provides the flexibility to define custom rules.
Currently, Wazuh ships with more than 3,000 rules.
Wazuh rules can be accessed from the Wazuh Menu under the Management tab.
The search option can be used to find specific rules. Custom rules can be added from the upper right corner.
Each rule is defined in an XML file and has a unique rule ID.
In the Wazuh Manager and Wazuh agents, the ruleset directory is structured as follows:
/var/ossec/
├─ etc/
│  ├─ decoders/
│  │  └─ local_decoder.xml
│  └─ rules/
│     └─ local_rules.xml
└─ ruleset/
   ├─ decoders/
   └─ rules/
Since v4.2, Wazuh is delivered with the latest ruleset on each release. Thus, default rules cannot be modified in their original rules files; to customize a default rule, the local_rules.xml file has to be used.
That’s it for today. In later articles, we will use the core Wazuh functionalities for Active Response, Log Collection, Integrity Monitoring, Intrusion Prevention and more to see how robust and powerful Wazuh is in respect to Blue Team operations.
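As an added example (not from the original post or the Wazuh ruleset), here is a local_rules.xml that builds on a default rule instead of editing it: rule 5716 is the stock “sshd: authentication failed” rule, and the two custom rules below (IDs 100001 and 100002, chosen from the 100000–120000 range reserved for custom rules) raise the alert level for failed root logins and for repeated failures from one source. The rule IDs, levels and thresholds are constructed values.

```xml
<!-- Added example: /var/ossec/etc/rules/local_rules.xml
     Custom rules chain off default rule 5716 (sshd authentication failed)
     rather than overwriting it, so ruleset upgrades do not clobber them. -->
<group name="local,syslog,sshd,">

  <!-- Failed SSH login where the target account is root: escalate to level 10 -->
  <rule id="100001" level="10">
    <if_sid>5716</if_sid>
    <user>^root$</user>
    <description>sshd: authentication failure for the root account</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Five such root failures from the same source IP within 300 s: level 12 -->
  <rule id="100002" level="12" frequency="5" timeframe="300">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated authentication failures for root from the same source</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Before restarting the manager, a sample auth.log line can be fed to /var/ossec/bin/wazuh-logtest to confirm that the expected rule ID and level fire.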