Wazuh SIEM & XDR
Wazuh SIEM & XDR is the free open source hero.
Background story first
Hello there👋, welcome again to one of my blogs. This time we are going to talk about Wazuh SIEM. Here is a bit of background on what it is.
Wazuh SIEM, or more formally a Security Information and Event Management platform, aggregates and collects logs from different sources across the organization’s network and its various assets, consolidating them into a single central dashboard for easier management and monitoring, faster remediation and shorter response times to alerts and attacks. It is a very well known SIEM platform among the other solutions in the infosec industry.
The inner works of Wazuh
So to learn more, I am going to explain its main features and where it shines compared to the others in the industry, and also where it may fall short and might be improved.
Wazuh works by installing agents with a very small footprint on the different operating systems you want to monitor. During installation, those agents are configured to connect back to a central component of the Wazuh platform called the Wazuh Manager. That is a very high-level overview of how it basically works.
Three main components are required to be present for the Wazuh SIEM to function as intended and to alert on and protect your environment:
- Wazuh Server
- Wazuh Dashboard
- Wazuh Indexer
Wazuh Indexer, What is it?
The Wazuh indexer is a highly scalable, full-text search and analytics engine. It is a Wazuh core component that indexes and stores the alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities.
Wazuh Dashboard, What the wolf sees…
The Wazuh dashboard is where you will see all the alerts and notifications about your environment. You get to interact with what matters: whether any asset is missing compliance or is vulnerable to some critical CVE. You will have a bird’s-eye-view superpower🦅.
PCI-DSS Monitoring
As you can see from the above image of the Wazuh Dashboard, you might have noticed the words PCI DSS up there; yes, you are not dreaming🤯. One of the main features of Wazuh SIEM is the ability to monitor your environment’s compliance, mapping it to different frameworks such as NIST, one of the most popular cybersecurity frameworks, and PCI-DSS for the payment card industry. This makes it easy to monitor and stay compliant while minimizing the effort required of your cyber force.
Vulnerability Detection
Another neat feature of Wazuh SIEM is the vulnerability detection module. This module handles the automatic detection of vulnerabilities using a locally fetched copy of the NVD (National Vulnerability Database). You can of course set the update interval and the date range of vulnerabilities to fetch. The module detects vulnerabilities in the operating system and in the applications currently installed on it.
You can then investigate all the agents with Critical and High vulnerabilities to limit your exposure to cyber attacks. This greatly reduces the attack surface, especially because it scans all installed applications on the systems the agent is installed on.
File Integrity Monitoring
Another especially neat feature is file integrity monitoring, which watches all the important and critical directories and files you specify for any modifications. Any slight change or modification to a system file, or to other files or directories you configure it to monitor, is detected by generating a hash of each file and comparing it over time. Integrity is one of the main pillars of the CIA triad of cyber security, and it can be achieved by monitoring changes to the file system using hashing algorithms where applicable. In our case, hashing is used to monitor each and every file for modifications, as even the slightest change alters the hash completely.
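To make the hashing principle concrete, here is a small baseline-and-compare integrity check. It is an added example written for this post, not Wazuh’s own syscheck code: it snapshots SHA-256 digests of every file under a directory, then classifies later differences as added, deleted or modified, which is essentially what a FIM alert reports. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Baseline-and-compare file integrity check, illustrating the hashing principle behind FIM."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk a monitored directory and record relative path -> SHA-256 for every regular file."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots the way a FIM alert would report them."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario (not real system files): snapshot a directory, change it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen = 127.0.0.1:8080\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("Welcome\n")
        before = build_baseline(root)

        # A single-character change produces a completely different digest,
        # while untouched files (hosts) hash identically and stay quiet.
        (root / "etc" / "app.conf").write_text("listen = 0.0.0.0:8080\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "new.conf").write_text("debug = true\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Running it prints one line per change: `etc/new.conf` as added, `etc/motd` as deleted and `etc/app.conf` as modified, while `etc/hosts` stays silent. A real FIM agent stores the baseline persistently and also records ownership, permissions and timestamps, but the detection itself comes down to this digest comparison.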
Integrations
There are many other features to talk about, but I will not be covering them all, as this would make for quite an extensive blog. Another good thing that Wazuh possesses is the ability to integrate with other well known security vendors for an enhanced workflow or extra abilities using powerful APIs. Some of these integrations are VirusTotal, Slack, PagerDuty and Shuffle, or you can make your own custom integration if you can program against the API😉. If you do a little search on all the previously mentioned integrations you will notice something: all of them help automate and create a network of sorts so the cyber team is better integrated and can automatically notice and respond to alerts generated by the Wazuh SIEM, streamlining the process.
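As an added example of what such a custom integration looks like (written for this post, not taken from Wazuh or any of the vendors named above), the script below follows the convention described in Wazuh’s custom-integration documentation: the manager runs the script with the alert file path, an API key and the hook URL as arguments, and the script decides whether to forward a trimmed-down payload to a webhook. The `<integration>` block in the docstring, the `custom-notify` name, the hook URL and the `SAMPLE_ALERT` contents are placeholders or constructed values; check the exact paths and ownership requirements against the documentation for your Wazuh version.

```python
"""Skeleton of a Wazuh custom integration script: filter an alert and turn it into a webhook payload.

Assumed deployment (from Wazuh's custom-integration documentation; verify for your version):
the script is saved under the manager's integrations directory with a name starting with
``custom-`` and referenced from ossec.conf, for example:

    <integration>
      <name>custom-notify</name>
      <hook_url>https://hooks.example.invalid/placeholder</hook_url>
      <level>10</level>
      <alert_format>json</alert_format>
    </integration>

The manager then runs it as: custom-notify <alert_file> <api_key> <hook_url>
"""
import json
import sys
import urllib.request

# Constructed alert resembling the JSON the manager writes; not a real event.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {
        "level": 12,
        "description": "Constructed example: integrity checksum changed",
        "id": "100002",
        "groups": ["syscheck"],
        "pci_dss": ["11.5"],
    },
    "agent": {"id": "001", "name": "web-01"},
    "full_log": "File '/etc/app.conf' modified",
}


def load_alert(path: str) -> dict:
    """Read the alert file the manager hands to the script (one JSON object with alert_format json)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def should_notify(alert: dict, min_level: int = 10) -> bool:
    """Second gate inside the script, independent of the <level> filter in ossec.conf."""
    return int(alert.get("rule", {}).get("level", 0)) >= min_level


def build_payload(alert: dict) -> dict:
    """Reduce a raw alert to the fields an on-call channel actually needs."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    return {
        "text": f"[Wazuh] level {rule.get('level')} on {agent.get('name', 'unknown')}: "
                f"{rule.get('description', '')}",
        "rule_id": rule.get("id"),
        "agent_id": agent.get("id"),
        "timestamp": alert.get("timestamp"),
        "pci_dss": rule.get("pci_dss", []),
    }


def post_payload(hook_url: str, payload: dict, timeout: int = 5) -> int:
    """POST the JSON payload to the webhook and return the HTTP status code."""
    data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(hook_url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv: list) -> int:
    if len(argv) < 4:
        # Not invoked by the manager: show what would be sent for the constructed alert.
        print(json.dumps(build_payload(SAMPLE_ALERT), indent=2))
        return 0
    alert_file, _api_key, hook_url = argv[1], argv[2], argv[3]
    alert = load_alert(alert_file)
    if not should_notify(alert):
        return 0
    post_payload(hook_url, build_payload(alert))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it just prints the payload it would send for the constructed alert, which is a convenient way to check the message format before wiring the script into the manager. Keeping the level check in the script as well as in `ossec.conf` means a misconfigured `<level>` does not flood the on-call channel with low-severity noise.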
Conclusion
We didn’t discuss its whole feature set, since that would take a lot of time and the blog would run even longer. However, this open-source SIEM solution is very convenient for companies that don’t want to dish out a ton of budget, or are limited by funding constraints, when implementing a SIEM solution to protect their environment, and this doesn’t subtract from its outstanding performance and feature set. If you need a wolf to watch over your environment for malicious network packets or file modifications, you don’t have to think hard: this is a good one, give it a try for yourself. Until we meet next time in another blog post👋. A roaming wolf that seeks its target 🐺.