-
Wazuh & Keycloak using OpenID
Use case: Set up Keycloak (Version 26.0.5) for authentication using the OpenID protocol in Wazuh (Version 4.9.1). Keycloak configuration: Wazuh indexer configuration: Wazuh Dashboard configuration: Demo:
-
Anonymous Authentication Wazuh
Use case: Allow a team to access your Wazuh SIEM with read-only privileges and without providing credentials. Wazuh Dashboard configuration: Navigate to Server management > Security, then Roles mapping, then click Create Role mapping and complete the empty fields with the following parameters: For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration…
-
SSO failed after upgrading OpenSearch or Wazuh 4.9.0: failed parsing SAML config or 500 internal error
In the latest versions (Wazuh 4.9.0 & OpenSearch 2.10*), SSO has updated the exchange_key format requirements (see: exchange key settings), now mandating that it be 64 characters long. This guide outlines three methods to generate the exchange key. If one method doesn’t resolve the issue, proceed to the next. Apply the change to the /etc/wazuh-indexer/opensearch-security/config.yml…
-
Forward Windows events using Rsyslog to Wazuh
Prerequisites: Wazuh configuration: Open a syslog listener by adding the configuration below, which allows syslog data to be received from the network subnet (where my Windows server is located) specified within the allowed-ips tag, and restart to apply it: Add a rule to capture the logs: Note that for simplicity, I am using only a rule…
-
Enrich Opensearch/Wazuh Alerting module notification using Painless Scripts (Mustache templates)
Use case: Enrich Slack notifications with Wazuh FIM & Vulnerability alert details. Painless scripts (Mustache templates): OpenSearch/Wazuh monitor queries: Alerting module configuration: The monitor must be configured using the Extraction query editor. Then add & test the query: Define a simple trigger whenever the query returns values higher than 0: Add your Painless script, then send a…
-
Monitor Docker Containers Resources using Wazuh
Use case: Monitor CPU and memory usage of Docker containers using Wazuh. Wazuh configuration: Within the Wazuh UI, navigate to Management -> Groups, then edit the group configuration to add: The above command will be executed every minute to send an update about the resources to the Wazuh manager. Then add the decoders and rules to parse…
-
Test Logstash Pipelines/Filters Before Implementation
Use case: Detect whether the parsed logs contain a single warning message or multiple warning messages, then add a field stating which case applies. Logstash configuration & testing: Suppose that we have the following log files representing both cases described above: Reading the logs, we can see that the field [waf][warnMsg] separates the warning messages using a semicolon (;) in the case of…
-
Elevate Security with Anomaly Detection in Wazuh
The current Wazuh stack (Version 4.7.*) does not ship the Anomaly Detection plugin out of the box; this article describes how to install and configure it in both Docker and standard installations. The anomaly detector uses the Random Cut Forest (RCF) algorithm for automatic, near-real-time anomaly detection. This unsupervised machine learning algorithm calculates anomaly grades and confidence scores to distinguish…
-
Configure Emails in Wazuh Docker (Docker compose + Outlook SMTP)
Prerequisites: Docker Compose configuration: To allow Wazuh to authenticate to the Outlook SMTP server, I will leverage a Postfix image from https://github.com/juanluisbaptiste/docker-postfix. Wazuh configuration: Note that you have generic and granular options to configure the emails: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html?highlight=email#configuring-email-alerts . Hope you find it useful 🙂
-
Wazuh Endpoints Inventory Packages in one Dashboard
Currently, the agents’ packages are pulled using direct API calls and displayed on a dashboard in the Wazuh app. This blog describes how to index the packages into the Wazuh indices and display them in a custom dashboard. Note that the script used to pull the packages leverages the Wazuh framework (https://github.com/wazuh/wazuh/tree/master/framework/wazuh), simplifying the task…