What is Wazuh?

Wazuh is a free, open-source platform used for threat detection and incident response. It is a comprehensive SIEM solution that will be installed on an Ubuntu virtual machine, with a Linux server supplied as an agent. The infrastructure for this project is two bridged virtual machines, both with manually configured static IP addresses.

UbuntuGUI - 8GB RAM, 2 Cores, 90GB of Storage, Bridged Network Adapter.
Linux Server - 2GB RAM, 1 Core, 50GB of Storage, Bridged Network Adapter.

Wazuh Installation

Wazuh documentation demonstrates a quick start installation through an easy-to-follow guide: https://documentation.wazuh.com/current/quickstart.html


Once the command completes, the installer prints a password that can be used to log in to the dashboard at https://localhost.com


Logging in presents a feature-rich dashboard covering a wide range of security functions. Before delving into it, an agent needs to be added; this can be done from the dashboard, where filling out the boxes outputs a command that can be run on the client side.


After this, the systemd daemon can be reloaded, followed by enabling and restarting the wazuh-agent service.


Returning to the dashboard, one active agent can be seen. More could be added, but given the system requirements of this lab, that would be difficult to achieve.


Returning to the Linux server, I completed a successful and a failed sudo attempt to see the visualisation within the dashboard.


The failed attempt is shown as an authentication failure, with a timestamp, and is assigned a MITRE ATT&CK ID.


This is followed by integrating VirusTotal on the client: files are scanned as they are downloaded and any detected threats are removed immediately, using a bash script created as shown in the documentation: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html.
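To show what such an active-response script actually does, here is an added example (written in Python rather than bash, and not the script from the Wazuh documentation or this post): it reads the alert JSON that Wazuh passes on stdin, checks the VirusTotal verdict, and removes the file only when it sits inside the monitored directories. The field names follow the VirusTotal alert layout; MONITORED_DIRS and the sample alert are assumptions.

```python
#!/usr/bin/env python3
"""Active-response handler for the Wazuh VirusTotal integration (added example).
Wazuh passes the triggering alert to the script as one JSON object on stdin; the
field names follow the VirusTotal alert layout, while MONITORED_DIRS and
SAMPLE_ALERT are assumptions made for this example."""
import json
import os
import sys

MONITORED_DIRS = ("/home", "/root")  # assumed: the FIM directories in the agent's ossec.conf


def target_path(alert):
    """Return the file VirusTotal flagged, or None when the alert is not a positive."""
    vt = alert.get("parameters", {}).get("alert", {}).get("data", {}).get("virustotal", {})
    if str(vt.get("malicious", "0")) != "1":
        return None
    return vt.get("source", {}).get("file")


def inside_monitored(path):
    """True only if the normalised path sits under a monitored directory (blocks ../ escapes)."""
    real = os.path.normpath(path)
    return any(real.startswith(d.rstrip("/") + "/") for d in MONITORED_DIRS)


def handle(alert, isfile=os.path.isfile, remove=os.remove):
    """Process one alert and return the outcome line to write to active-responses.log."""
    if alert.get("command") != "add":  # stateful responses also get a "delete" call after their timeout
        return "skipped: command is not add"
    path = target_path(alert)
    if not path:
        return "skipped: alert is not a VirusTotal positive"
    if not inside_monitored(path):  # never delete outside the FIM scope
        return "refused: %s is outside the monitored directories" % path
    if not isfile(path):
        return "refused: %s is missing or not a regular file" % path
    remove(path)
    return "removed: %s" % path


# Constructed sample alert, shaped like the stdin payload described above.
SAMPLE_ALERT = {"command": "add", "parameters": {"alert": {"data": {"virustotal": {
    "malicious": "1", "positives": "48",
    "source": {"file": "/home/user/Downloads/eicar.com"}}}}}}

if __name__ == "__main__":
    line = sys.stdin.readline()
    print(handle(json.loads(line) if line.strip() else SAMPLE_ALERT))
```

Wazuh runs active-response scripts as root from the agent's active-response/bin directory, so the path check is what stops a malformed or crafted alert from deleting files outside the monitored scope.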
