Wazuh
What is Wazuh?
Wazuh is a free, open-source platform for threat detection and incident response. In this project it is deployed as a SIEM on an Ubuntu virtual machine, with a second Linux server virtual machine enrolled as an agent. The infrastructure is two bridged virtual machines, both with manually configured static IP addresses:
UbuntuGUI - 8GB RAM, 2 Cores, 90GB of Storage, Bridged Network Adapter.
Linux Server - 2GB RAM, 1 Core, 50GB of Storage, Bridged Network Adapter.
Wazuh Installation
The Wazuh documentation provides an easy-to-follow quick start installation guide: https://documentation.wazuh.com/current/quickstart.html
Once the installer command completes, it prints a password that is used to log in to the dashboard at https://localhost.com
Logging in presents a feature-rich dashboard covering a wide range of security options. Before exploring it, an agent needs to be added; this is done from the dashboard, and filling in the boxes produces a command to run on the client side.
After running that command, reload the systemd daemon, then enable and restart the wazuh-agent service.
Back on the dashboard one active agent is now listed. More agents could be added, but the system requirements of the hosts make that difficult in this setup.
Returning to the Linux server, I completed a successful and a failed sudo attempt to see the visualisation within the dashboard.
The failed attempt is shown as an authentication failure, with a timestamp and a MITRE ATT&CK technique ID attached to the alert.
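To make concrete what the dashboard is classifying, here is an added example (not part of the original write-up) that applies the same distinction to raw auth.log lines: pam_unix "authentication failure" messages count as failed sudo attempts, lines carrying COMMAND= count as successful ones, and the per-user totals are reported. The log lines are constructed for the example, following the message shapes Ubuntu writes to /var/log/auth.log; the threshold function shows the "repeated failures by one user" condition an analyst would alert on.

```shell
#!/bin/sh
# Added example, not from the original write-up: classify the sudo events that
# Wazuh's sudo rules fire on and summarise them per user. The auth.log lines
# below are constructed for the example; their shape follows the pam_unix and
# sudo messages Ubuntu writes to /var/log/auth.log.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 ubuntu sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Jan 10 12:00:03 ubuntu sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls
Jan 10 12:01:00 ubuntu sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 12:02:10 ubuntu sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
Jan 10 12:02:15 ubuntu sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
Jan 10 12:02:20 ubuntu sshd[1234]: Accepted publickey for carol from 192.0.2.10 port 51234 ssh2
EOF

# Print one "user ok=N fail=M" line per user who touched sudo, sorted by user.
sudo_summary() {           # sudo_summary <auth.log>
    awk '
        / sudo: / {
            if ($0 ~ /authentication failure/) {
                # pam_unix failure: the target account is the user= field
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^user=/) fail[substr($i, 6)]++
            } else if ($0 ~ /incorrect password attempts/) {
                # summary line for failures pam already logged; skip it so
                # the same attempts are not counted twice
                next
            } else if ($0 ~ /COMMAND=/) {
                # successful sudo: "sudo:    alice : TTY=... ; COMMAND=..."
                for (i = 1; i <= NF; i++)
                    if ($i == "sudo:") ok[$(i + 1)]++
            }
        }
        END {
            for (u in fail) if (!(u in ok)) ok[u] = 0
            for (u in ok)
                printf "%s ok=%d fail=%d\n", u, ok[u], (u in fail) ? fail[u] : 0
        }' "$1" | sort
}

# Print the users with at least <threshold> failed sudo attempts, the condition
# an analyst would alert on from the dashboard's authentication-failure view.
sudo_repeat_failures() {   # sudo_repeat_failures <auth.log> <threshold>
    sudo_summary "$1" | awk -v min="$2" '{
        split($3, f, "=")
        if (f[2] + 0 >= min) print $1
    }'
}

sudo_summary "$SAMPLE_LOG"
sudo_repeat_failures "$SAMPLE_LOG" 2
```

Running the block prints "alice ok=1 fail=1", "bob ok=0 fail=2", and then "bob" as the only user at or above two failures. The "incorrect password attempts" summary line is deliberately ignored because pam has already logged each failure; counting both would inflate the numbers the dashboard shows.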
The next step integrates VirusTotal so that files are scanned as they are downloaded and any flagged as malicious are removed immediately. This is done with a bash script from the documentation: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html.
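The removal step is an active-response script: the manager hands the script the triggering alert as JSON on stdin, and the script deletes the file named in it. Below is an added example of such a handler, written for this page and not the write-up's or the Wazuh documentation's own script. It assumes (these are assumptions, not taken from the page) that the alert arrives as compact JSON, that the flagged path sits under data.virustotal.source.file and that data.virustotal.malicious is 1 for a positive. The point it adds is the check a practitioner wants before an automated rm: the path must be a regular file inside the monitored directory, so a malformed or spoofed alert cannot point the handler at something else.

```shell
#!/bin/sh
# Added example, not the write-up's or the Wazuh documentation's script: a
# minimal active-response handler in the style of a "remove threat" script.
# Assumptions (not taken from the page): the alert JSON arrives on stdin in
# compact form, the flagged path sits under data.virustotal.source.file, and
# data.virustotal.malicious is 1 for a VirusTotal positive.

# Pull a string value for a given key out of compact JSON (no jq dependency;
# enough for the single flat key we need, not a general JSON parser).
json_string() {            # json_string '<json>' '<key>'
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# True when the flagged path is a regular, non-symlink file under the monitored
# directory; rejects anything outside it and any ".." component.
path_is_safe() {           # path_is_safe '<path>' '<monitored_dir>'
    case "$1" in
        "$2"/*) ;;                   # must start with the monitored dir
        *) return 1 ;;
    esac
    case "$1" in
        */../*|*/..) return 1 ;;     # no directory traversal
    esac
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Handle one alert: removes the file and returns 0 only when the alert is a
# VirusTotal positive and the path passes the safety check; returns 1 otherwise.
remove_threat() {          # remove_threat '<json>' '<monitored_dir>' '<logfile>'
    json="$1"; dir="$2"; log="$3"
    file=$(json_string "$json" file)
    stamp=$(date '+%Y/%m/%d %H:%M:%S')
    case "$json" in
        *'"malicious":1'[,}]*) ;;
        *) echo "$stamp skipped: alert is not a VirusTotal positive ($file)" >> "$log"; return 1 ;;
    esac
    if ! path_is_safe "$file" "$dir"; then
        echo "$stamp refused: $file is outside $dir or not a regular file" >> "$log"
        return 1
    fi
    if rm -f -- "$file"; then
        echo "$stamp removed: $file" >> "$log"
    else
        echo "$stamp error removing: $file" >> "$log"
        return 1
    fi
}

# --- Constructed demo data (not from the page) -------------------------------
DEMO_DIR=$(mktemp -d)
DEMO_LOG="$DEMO_DIR/active-responses.log"
MONITORED="$DEMO_DIR/watched"
mkdir -p "$MONITORED"
printf 'not really malware\n' > "$MONITORED/suspicious-download.bin"
printf 'keep me\n' > "$DEMO_DIR/outside.txt"
trap 'rm -rf "$DEMO_DIR"' EXIT

# A positive for a file inside the monitored directory: should be removed.
ALERT_HIT="{\"command\":\"add\",\"parameters\":{\"alert\":{\"data\":{\"virustotal\":{\"malicious\":1,\"positives\":42,\"source\":{\"file\":\"$MONITORED/suspicious-download.bin\"}}}}}}"
# A positive pointing outside the monitored directory: must be refused.
ALERT_OUTSIDE="{\"command\":\"add\",\"parameters\":{\"alert\":{\"data\":{\"virustotal\":{\"malicious\":1,\"positives\":42,\"source\":{\"file\":\"$DEMO_DIR/outside.txt\"}}}}}}"
# A clean scan result for the same file: must be skipped, file left alone.
ALERT_CLEAN="{\"command\":\"add\",\"parameters\":{\"alert\":{\"data\":{\"virustotal\":{\"malicious\":0,\"positives\":0,\"source\":{\"file\":\"$MONITORED/suspicious-download.bin\"}}}}}}"

remove_threat "$ALERT_CLEAN"   "$MONITORED" "$DEMO_LOG" || true
remove_threat "$ALERT_OUTSIDE" "$MONITORED" "$DEMO_LOG" || true
remove_threat "$ALERT_HIT"     "$MONITORED" "$DEMO_LOG" || true
cat "$DEMO_LOG"
```

Run stand-alone, the block leaves outside.txt untouched, deletes only the flagged file under the watched directory, and writes one "skipped", one "refused" and one "removed" line to its log, which is the audit trail you would later want to read alongside the dashboard alert. In a real deployment the handler would be installed as an active-response script on the agent and wired to the VirusTotal rule in the manager configuration, as the linked documentation describes.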