Overview

Wazuh is an open-source security monitoring tool that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides an all-in-one solution for monitoring and alerting on security threats.

Documentation

Tips and Tricks

  • Integrating with Elastic Stack: For enhanced log analysis and visualization, integrate Wazuh with Elastic Stack.
  • Keeping Wazuh Updated: Regularly update your Wazuh installation to benefit from the latest features and security patches.
  • Utilizing Wazuh for Compliance: Leverage Wazuh’s compliance checking features to ensure your systems adhere to required standards.

Installation

Wazuh is composed of multiple components that need to be installed and configured. The primary components are the Wazuh server, Wazuh agent, and the Elastic Stack (comprising Elasticsearch, Logstash, Kibana).

  • Wazuh Server: Handles data received from Wazuh agents and renders the Wazuh Kibana app.
  • Wazuh Agent: Installed on monitored systems, collecting data and reporting back to the Wazuh server.

Agent Management

  • Registering an Agent:
    /var/ossec/bin/manage_agents
  • Listing Agents:
    /var/ossec/bin/agent_control -l
  • Removing an Agent:
    /var/ossec/bin/manage_agents -r <agent-id>

Rule and Decoders Management

Wazuh uses rules and decoders to analyze and process gathered data. Rules allow Wazuh to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, etc.

  • Adding Custom Rules:
    Custom rules can be added in /var/ossec/etc/rules/local_rules.xml.

  • Adding Custom Decoders:
    Custom decoders can be added in /var/ossec/etc/decoders/local_decoder.xml.
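As an added example (not from this note or from the Wazuh project's own ruleset), the following decoder and rule pair shows how local_decoder.xml and local_rules.xml work together. The application name `myapp`, its log format, the field names and the rule IDs 100100-100102 are all assumptions; only the file paths and the custom-rule ID range (100000 and above) come from Wazuh's conventions.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Constructed sample line this decoder is written for (syslog header stripped by
     the pre-decoder, leaving program_name="myapp" and the message after the colon):
     Nov 12 10:00:00 host1 myapp: login failed user=alice src=203.0.113.5 -->
<decoder name="myapp">
  <program_name>^myapp</program_name>
</decoder>

<decoder name="myapp-login">
  <parent>myapp</parent>
  <prematch>^login </prematch>
  <!-- captures: outcome word, user name, source address -->
  <regex offset="after_prematch">^(\w+) user=(\S+) src=(\S+)</regex>
  <order>status, user, srcip</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="myapp,local,">
  <!-- Base rule: every myapp-login event, low level so it is stored but not alerted -->
  <rule id="100100" level="3">
    <decoded_as>myapp</decoded_as>
    <description>myapp: login event</description>
  </rule>

  <!-- Single failed login: child of the base rule, matched on the decoded status field -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <status>failed</status>
    <description>myapp: failed login for $(user) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: 5 failed logins from the same source within 120 seconds -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from $(srcip)</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Restart the manager after editing, then feed the sample line to /var/ossec/bin/wazuh-logtest to confirm which decoder and rule fire before relying on the alert in production.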

Log and Event Analysis

Wazuh provides detailed analysis of logs and events collected from various sources, including operating systems, applications, and network devices.

  • Viewing Alerts:
    Alerts are stored in /var/ossec/logs/alerts/alerts.json.

File Integrity Monitoring (FIM)

Wazuh’s FIM system watches selected files and triggers alerts when those files are modified. This feature is crucial for detecting potential malicious activities.

  • Configuring FIM:
    FIM settings can be configured in /var/ossec/etc/ossec.conf.

Vulnerability Detection

Wazuh integrates with vulnerability databases to identify vulnerable software installed on the agent’s operating system.

  • Running Vulnerability Detection:
    Vulnerability detection is automatically performed, but its configuration can be customized in /var/ossec/etc/ossec.conf.

Compliance Checks

Wazuh supports compliance checks against CIS benchmarks, PCI DSS, ISO 27001, and other standards.

  • Configuring Compliance Checks:
    Compliance checks can be configured in /var/ossec/etc/ossec.conf.

Wazuh API

The Wazuh API allows for remote management and configuration of the Wazuh installation. It provides endpoints for querying agent data, managing rules and decoders, and much more.

  • Accessing the API:
    The API is accessible at https://<wazuh-server-ip>:55000 by default.