-
Wazuh & Keycloak using OpenID
Use case: Set up Keycloak (Version 26.0.5) for Authentication using the OpenID protocol in Wazuh (Version 4.9.1). Keycloak Configuration: Wazuh indexer configuration: Wazuh Dashboard configuration: Demo:
-
Anonymous Authentication Wazuh
USE CASE: Allow a team to access your Wazuh SIEM with read-only privileges and without providing credentials. Wazuh Dashboard Configuration: Navigate to Server management > Security, then Roles mapping, click Create Role mapping and fill in the empty fields with the following parameters: For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration…
-
Forward Windows events using Rsyslog to Wazuh
Prerequisites: Wazuh Configuration: Open a syslog listener by adding the configuration below, which allows receiving syslog data from the network subnet (where my Windows server is located) specified within the allowed-ips tag, then restart to apply it: Add a rule to capture the logs: Note that for simplicity, I am using only a rule…
-
Enrich Opensearch/Wazuh Alerting module notification using Painless Scripts (Mustache templates)
Use Case: Enrich Slack notifications with details from Wazuh FIM and Vulnerability alerts. Painless scripts (Mustache templates): Opensearch/Wazuh Monitor Queries: Alerting Module Configuration: The monitor must be configured using the Extraction query editor. Then add and test the query: Define a simple trigger that fires whenever the query returns a value higher than 0: Add your Painless script, then send a…
-
Monitor Docker Containers Resources using Wazuh
Use case: Monitor CPU and memory usage of Docker containers using Wazuh. Wazuh Configuration: Within the Wazuh UI, navigate to Management -> Groups, then edit the group configuration to add: The above command will be executed every minute to send an update about the container resources to the Wazuh manager. Then add the decoders and rules to parse…
-
Test Logstash Pipelines/Filters Before Implementation
Use case: Detect whether the parsed logs contain a single warning message or multiple warning messages, then add a field stating which case applies. Logstash configuration & testing: Suppose that we have the following log files representing both cases described above: Reading the logs, we can see that the field [waf][warnMsg] separates the warning messages using a semi-colon ; in the case of…
-
Elevate Security with Anomaly Detection in Wazuh
The current Wazuh stack (Version 4.7.*) does not ship the Anomaly Detection plugin out of the box; this article describes how to install and configure it in both a Docker and a standard installation. The Anomaly Detector uses the Random Cut Forest (RCF) algorithm for automatic, near-real-time anomaly detection. This unsupervised machine learning algorithm calculates anomaly grades and confidence scores to distinguish…
-
Configure Emails in Wazuh Docker (Docker compose + Outlook SMTP)
Prerequisites: Docker Compose Configuration: To allow Wazuh to authenticate to the Outlook SMTP server, I will leverage a Postfix image from https://github.com/juanluisbaptiste/docker-postfix. Wazuh configuration: Note that you have generic and granular options to configure the emails: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html?highlight=email#configuring-email-alerts . Hope you find it useful 🙂
-
Wazuh Endpoints Inventory Packages in one Dashboard
Currently, the agents’ packages are pulled using direct API calls and displayed on a dashboard in the Wazuh app. This blog describes how to index the packages into the Wazuh indices and display them in a custom dashboard. Note that the script used to pull the packages leverages the Wazuh framework (https://github.com/wazuh/wazuh/tree/master/framework/wazuh), which simplifies the task.…
-
Wazuh & eBPF: Monitor TCP connections effectively
Network monitoring can be a powerful method for gaining insights into your server environment, but it is often a complex and resource-intensive task. The Extended Berkeley Packet Filter (eBPF) technology solves these challenges by providing pre-configured resources, including the bcc-tools package with its pre-built eBPF programs. In this blog post, I will showcase the eBPF…