
Building a Wazuh SIEM

The Wazuh Security Information and Event Management (SIEM) solution is a centralized platform for aggregating and analyzing telemetry in real time for threat detection and compliance.

For our threat detection lab we will use Wazuh as the SIEM, the collectors described in the previous post as event sources to exercise our detection rules, and Slack for alert notification.


Wazuh SIEM Installation

We can follow this detailed guide.

Or use the custom Wazuh docker compose.

Wazuh Manager Configuration

This repository will be updated in the following posts.

<integration>
  <name>slack</name>
  <hook_url>SLACK_HOOK</hook_url> <!-- Replace SLACK_HOOK with your Slack webhook URL -->
  <alert_format>json</alert_format>
  <level>12</level>
</integration>

Endpoint Event Source

Windows configuration

  • ≡ > Agents management > Groups > Add new group
  • Group name: windows_sources, for Windows hosts; apply the following configuration to it: windows event source
  • ≡ > Agents management > Summary > Deploy new agent
  • Select the Windows package, replace the server address with your host IP, select the windows_sources group, then copy the command.
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.11.0-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='<HOST-IP>' WAZUH_REGISTRATION_PASSWORD='<AGENT-PASSWORD>' WAZUH_AGENT_GROUP='windows_sources' 

# start agent
NET START WazuhSvc

Linux configuration

  • ≡ > Agents management > Groups > Add new group
  • Group name: linux_sources, for Linux hosts; apply the following configuration to it: linux event source
  • ≡ > Agents management > Summary > Deploy new agent
  • Select the Linux package, replace the server address with your host IP, select the linux_sources group, then copy the command.
# enroll the agent in the linux_sources group (the original command pointed at windows_sources by mistake)
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.11.0-1_amd64.deb && sudo WAZUH_MANAGER='<HOST-IP>' WAZUH_REGISTRATION_PASSWORD='<AGENT-PASSWORD>' WAZUH_AGENT_GROUP='linux_sources' dpkg -i ./wazuh-agent_4.11.0-1_amd64.deb

# start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Detection Rules

We will use the following rule repository for our alerts.

Alert Notification

We will use Slack for our alert notifications.

  • Create an alert channel in your Slack workspace.
  • To add an incoming webhook, navigate to https://<workspace-name>.slack.com/apps, search for ‘incoming webhooks’ and click Add to Slack.
  • Choose your channel and click Add Incoming WebHooks integration, then copy the Webhook URL.
  • Locate the Slack integration section in the Wazuh manager configuration and replace SLACK_HOOK with your Webhook URL.
    <!-- Slack integration -->
    <integration>
      <name>slack</name>
      <hook_url>https://hooks.slack.com/services/ASDF43/ADSF/ADFSADFAS</hook_url>
      <alert_format>json</alert_format>
      <group>al3rt</group>
    </integration>
    
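The two integration blocks on this page differ in how they pick alerts: the first forwards anything at <level> 12 or above, the second forwards anything whose rule carries the al3rt <group>. The following Python is an added example (not Wazuh's own slack integration script) that applies those two filters to constructed alert JSON and shapes a minimal webhook message; the alert records and the message format are assumptions for illustration.

```python
import json

# Constructed sample alerts in the shape of Wazuh's alerts.json (rule.level,
# rule.groups, agent.name). These are made up for the example, not real telemetry.
ALERTS = [
    {"rule": {"level": 12, "description": "EICAR test file detected",
              "groups": ["windows", "malware"]}, "agent": {"name": "win10-lab"}},
    {"rule": {"level": 3, "description": "Windows logon success",
              "groups": ["windows", "authentication_success"]}, "agent": {"name": "win10-lab"}},
    {"rule": {"level": 7, "description": "Custom detection rule fired",
              "groups": ["al3rt", "custom"]}, "agent": {"name": "ubuntu-lab"}},
]


def matches(alert, min_level=None, group=None):
    """Return True when the alert passes every filter the <integration> block sets.

    <level> is a minimum rule level; <group> must appear among the rule's groups.
    When both are configured, both must hold.
    """
    rule = alert["rule"]
    if min_level is not None and rule["level"] < min_level:
        return False
    if group is not None and group not in rule.get("groups", []):
        return False
    return True


def build_slack_payload(alert):
    """Shape a minimal Slack incoming-webhook body (assumed layout, not Wazuh's)."""
    rule = alert["rule"]
    text = f"[Wazuh] level {rule['level']} on {alert['agent']['name']}: {rule['description']}"
    return {"text": text}


def select_alerts(alerts, min_level=None, group=None):
    """Apply one integration block's filters and return the payloads it would send."""
    return [build_slack_payload(a) for a in alerts if matches(a, min_level, group)]


if __name__ == "__main__":
    # First block on the page: <level>12</level>
    print(json.dumps(select_alerts(ALERTS, min_level=12), indent=2))
    # Second block on the page: <group>al3rt</group>
    print(json.dumps(select_alerts(ALERTS, group="al3rt"), indent=2))
```

Note that the level-12 filter drops the level-7 custom rule while the al3rt group filter drops the EICAR alert, so the two blocks notify on disjoint sets here; tag custom rules with the group you filter on, or raise their level, so they reach Slack.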

SIEM Result

  • Agent monitoring
  • Download the EICAR test file on the Windows host; it will generate an alert.
  • Check the alert
This post is licensed under CC BY 4.0 by the author.