Category: SIEM

  • Wazuh & Keycloak using OpenID

    Use case: Set up Keycloak (Version 26.0.5) for authentication using the OpenID protocol in Wazuh (Version 4.9.1). Keycloak configuration: Wazuh indexer configuration: Wazuh Dashboard configuration: Demo:

  • Anonymous Authentication Wazuh

    Use case: Allow a team to access your Wazuh SIEM with read-only privileges and without providing credentials. Wazuh Dashboard configuration: Navigate to Server management > Security, then Roles mapping, then click Create Role mapping and complete the empty fields with the following parameters: For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration…

  • Forward Windows events using Rsyslog to Wazuh

    Prerequisites: Wazuh configuration: Open a syslog listener by adding the configuration below, which allows the manager to receive syslog data from the network subnet (where my Windows server is located) specified within the allowed-ips tag, and restart to apply it: Add a rule to capture the logs: Note that for simplicity, I am using only a rule…

  • Enrich Opensearch/Wazuh Alerting module notification using Painless Scripts (Mustache templates)

    Use case: Enrich Slack notifications with Wazuh FIM and vulnerability alert details. Painless scripts (Mustache templates): OpenSearch/Wazuh monitor queries: Alerting module configuration: The monitor must be configured using the Extraction query editor. Then add and test the query: Define a simple trigger that fires whenever the query returns a value higher than 0: Add your Painless script, then send a…

  • Monitor Docker Containers Resources using Wazuh

    Use case: Monitor CPU and memory usage of Docker containers using Wazuh. Wazuh configuration: Within the Wazuh UI, navigate to Management -> Groups, then edit the group configuration to add: The above command is executed every minute to send an update about the resources to the Wazuh manager. Then add the decoders and rules to parse…

  • Test Logstash Pipelines/Filters Before Implementation

    Use case: Detect whether the parsed logs contain a single warning message or multiple ones, then add a field stating which case applies. Logstash configuration and testing: Suppose that we have the following log files representing both cases described above: Reading the logs, we can see that the field [waf][warnMsg] separates the warning messages using a semicolon (;) in the case of…

  • Elevate Security with Anomaly Detection in Wazuh

    The current Wazuh stack (Version 4.7.*) does not ship the Anomaly Detection plugin out of the box; this article describes how to install and configure it in both a Docker and a standard installation. The anomaly detector uses the Random Cut Forest (RCF) algorithm for automatic, near-real-time anomaly detection. This unsupervised machine learning algorithm calculates anomaly grades and confidence scores to distinguish…

  • Configure Emails in Wazuh Docker (Docker compose + Outlook SMTP)

    Prerequisites: Docker Compose configuration: To give Wazuh the capability to authenticate to the Outlook SMTP server, I will leverage a Postfix image from https://github.com/juanluisbaptiste/docker-postfix. Wazuh configuration: Note that you have both generic and granular options to configure the emails: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html?highlight=email#configuring-email-alerts . Hope you find it useful 🙂

  • Wazuh Endpoints Inventory Packages in one Dashboard

    Currently, the agents’ packages are pulled using direct API calls and displayed on a dashboard in the Wazuh app. This blog describes how to index the packages into the Wazuh indices and display them in a custom dashboard. Note that the script used to pull the packages leverages the Wazuh framework (https://github.com/wazuh/wazuh/tree/master/framework/wazuh), which simplifies the task.…

  • Wazuh & eBPF: Monitor TCP connections effectively

    Network monitoring can be a powerful method for gaining insight into your server environment, but it is often a complex and resource-intensive task. Extended Berkeley Packet Filter (eBPF) technology addresses these challenges by providing ready-made resources, including the bcc-tools package with its pre-built eBPF programs. In this blog post, I will showcase the eBPF…