Building a Wazuh S1EM

The Wazuh Security Information and Event Management (SIEM) solution is a centralized platform for aggregating and analyzing telemetry in real time for threat detection and compliance.

For our cybersecurity threat detection we will use Wazuh as our S1EM, the collectors described in the previous post as the event sources for testing our detection rules, and Slack for the alert notifications.
Wazuh S1EM Installation

We can follow this detailed guide.

Wazuh Manager Configuration

This repository will be updated in the following posts:

```bash
git clone https://github.com/lr2t9iz/wazuh-usecases-integrator.git

# For the wazuh manager, we can use the following organized configuration
# > ../wazuh-usecases-integrator/resources/manager/manager.conf
## -> update SLACK_HOOK for slack integration
```

Endpoint Event Source

Windows configuration

  • Wazuh ﹀ Management > Groups > Deploy new group
  • Group Name: w1ndows_s0urces, for Windows; use the windows event source configuration for this group.
  • Wazuh ﹀ Agents > Deploy new agent
  • Select the Windows package, change the server address to your host IP, select the Windows group, then copy the command.

```powershell
# download the MSI into the temp folder and install it silently, enrolling the agent in the w1ndows_s0urces group
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.3-1.msi -OutFile ${env:tmp}\wazuh-agent; msiexec.exe /i ${env:tmp}\wazuh-agent /q WAZUH_MANAGER='<HOST-IP>' WAZUH_REGISTRATION_PASSWORD='pass********' WAZUH_AGENT_GROUP='w1ndows_s0urces' WAZUH_REGISTRATION_SERVER='<HOST-IP>'

# start agent
NET START WazuhSvc
```

Linux configuration

  • Wazuh ﹀ Management > Groups > Deploy new group
  • Group Name: l1nux_s0urces, for Linux; use the linux event source configuration for this group.
  • Wazuh ﹀ Agents > Deploy new agent
  • Select the Linux package, change the server address to your host IP, select the Linux group, then copy the command.

```bash
# download the .deb package and install it, enrolling the agent in the l1nux_s0urces group
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.3-1_amd64.deb && sudo WAZUH_MANAGER='<HOST-IP>' WAZUH_REGISTRATION_PASSWORD=$'pass******' WAZUH_AGENT_GROUP='l1nux_s0urces' dpkg -i ./wazuh-agent_4.7.3-1_amd64.deb

# start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```

To update the event sources, run the following scripts found in the repository cloned above:

```bash
bash update_windows_sources.sh
bash update_linux_sources.sh
```

Detection Rules

We will use the following rule repository for our alerts.

To update the rules, run the following scripts found in the repository cloned above:

```bash
bash update_windows_rules.sh
bash update_linux_rules.sh
```

Alert Notification

We will use Slack for our alert notifications.

  • Create an alert channel in your Slack workspace.
  • To add an incoming webhook, navigate to https://<workspace-name>.slack.com/apps, search for ‘incoming webhooks’ and click Add to Slack.
  • Choose your channel and click Add Incoming WebHooks integration, then copy the Webhook URL.
  • Locate the Slack integration section in the Wazuh manager configuration and replace SLACK_HOOK with your Webhook URL.

```xml
<!-- wi000 + Slack integration + + + + + -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/ASDF43/ADSF/ADFSADFAS</hook_url>
  <alert_format>json</alert_format>
  <group>al3rt</group>
</integration>
```
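The `<group>al3rt</group>` line above is what keeps Slack from being flooded: only alerts whose rule carries that group are posted, and a `<level>` option would additionally set a minimum alert level. The script below is an added example (not code from the post or from the wazuh-usecases-integrator repository) that checks the edited block before the manager is restarted (placeholder still present, malformed webhook URL, no filter at all) and previews which alerts the filter would forward. The configuration snippets and the alerts.json-style entries, including the EICAR detection used in the result section, are constructed here; it assumes the rule repository tags the alerts it wants in Slack with the `al3rt` group, as the `<group>` filter expects.

```python
"""Sanity-check the Slack <integration> block of a Wazuh manager configuration
and preview which alerts its <group>/<level> filter would forward.

Added example, not code from the post or the wazuh-usecases-integrator repository.
Filter semantics follow the Wazuh integration options (<level> is a minimum
alert level, <group> is a comma-separated list of rule groups, any match
forwards the alert). The sample config and alerts are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: an edited block (placeholder replaced, filtered on group al3rt).
EDITED_XML = """
<ossec_config>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/T0000000/B0000000/EXAMPLEHOOKTOKEN</hook_url>
    <alert_format>json</alert_format>
    <group>al3rt</group>
  </integration>
</ossec_config>
"""

# Constructed: the same block with the SLACK_HOOK placeholder left in place.
UNEDITED_XML = EDITED_XML.replace(
    "https://hooks.slack.com/services/T0000000/B0000000/EXAMPLEHOOKTOKEN", "SLACK_HOOK")

# Constructed stand-ins for entries the manager writes to alerts.json.
SAMPLE_ALERTS = [
    {"agent": {"name": "win-lab"},
     "rule": {"id": "100200", "level": 12, "groups": ["windows", "al3rt"],
              "description": "EICAR test file detected"}},
    {"agent": {"name": "linux-lab"},
     "rule": {"id": "5501", "level": 3, "groups": ["pam", "syslog"],
              "description": "PAM: Login session opened."}},
    {"agent": {"name": "linux-lab"},
     "rule": {"id": "100201", "level": 7, "groups": ["linux", "al3rt"],
              "description": "Suspicious use of sudo"}},
]

# Shape of a Slack incoming webhook URL: three path segments after /services/.
HOOK_RE = re.compile(
    r"^https://hooks\.slack\.com/services/[A-Za-z0-9]+/[A-Za-z0-9]+/[A-Za-z0-9]+$")


def parse_slack_integration(xml_text):
    """Return the slack <integration> settings as a dict, or None if absent."""
    root = ET.fromstring(xml_text)
    for node in root.iter("integration"):
        if (node.findtext("name") or "").strip() != "slack":
            continue
        groups = node.findtext("group") or ""
        level = (node.findtext("level") or "").strip()
        return {
            "hook_url": (node.findtext("hook_url") or "").strip(),
            "alert_format": (node.findtext("alert_format") or "").strip(),
            "groups": [g.strip() for g in groups.split(",") if g.strip()],
            "level": int(level) if level else 0,
        }
    return None


def config_issues(cfg):
    """Problems worth flagging before restarting the manager with this block."""
    if cfg is None:
        return ["no <integration> with <name>slack</name> found"]
    issues = []
    if "SLACK_HOOK" in cfg["hook_url"]:
        issues.append("hook_url still contains the SLACK_HOOK placeholder")
    elif not HOOK_RE.match(cfg["hook_url"]):
        issues.append("hook_url is not a Slack incoming webhook URL")
    if cfg["alert_format"] != "json":
        issues.append("alert_format is not json (the post's block uses json)")
    if not cfg["groups"] and cfg["level"] == 0:
        issues.append("no <group> or <level> filter: every alert would be posted to Slack")
    return issues


def forwarded_rule_ids(alerts, cfg):
    """Rule ids of the alerts the integration filter would pass to Slack."""
    wanted = set(cfg["groups"])
    out = []
    for alert in alerts:
        rule = alert["rule"]
        if rule["level"] < cfg["level"]:
            continue                      # below the configured minimum level
        if wanted and not wanted & set(rule["groups"]):
            continue                      # none of the configured groups present
        out.append(rule["id"])
    return out


if __name__ == "__main__":
    for label, xml_text in (("edited", EDITED_XML), ("unedited", UNEDITED_XML)):
        print(label, "issues:", config_issues(parse_slack_integration(xml_text)) or "none")
    print("forwarded to Slack:",
          forwarded_rule_ids(SAMPLE_ALERTS, parse_slack_integration(EDITED_XML)))
```

Run it against the real file by reading the manager configuration into `parse_slack_integration` instead of the constructed strings; with the edited block, only the two `al3rt` alerts (the EICAR detection and the sudo rule) are forwarded, while the PAM login noise stays in the dashboard.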

S1EM Result

  • Agent monitoring
  • Download the EICAR test file (a harmless anti-malware test file) on Windows; it will generate an alert.
  • Check the alert in Slack.

This post is licensed under CC BY 4.0 by the author.