Category: SIEM

  • Wazuh & Keycloak using SAML

    Use case: Set up Keycloak for authentication in Wazuh using the SAML protocol. Keycloak configuration: Wazuh indexer configuration: Wazuh dashboard configuration: As this might be solved in future versions, perform the next step only if you are facing the logout issue (https://forum.opensearch.org/t/saml-issue-on-logout/5617/14). DEMO: I hope you find it useful 🙂

  • Get notified when Elasticsearch/Wazuh Indexer/OpenSearch stops indexing data

    Prerequisites: Use case: Monitor Wazuh indexer/Elasticsearch/OpenSearch indexing and get a Discord notification if no events have been indexed in the last 5 minutes. Monitoring script: Wazuh manager configuration: Place the script on the Wazuh manager under the path /var/ossec/integrations, assigning the following permissions and ownership: Add the configuration to run the script and the rules to trigger the alerts…

  • Discord & Wazuh Integration

    Discord is a popular communication platform where people chat, share information, and connect. Integrating Wazuh alerts into Discord is key for quick and effective security updates. Think of it as a security guard in your digital hangout, making sure everyone stays informed and acts fast if there’s a potential threat. In this guide, we’ll…

  • Wazuh in K8S (Kubernetes): Enable archives index & get all events

    Capturing all incoming logs and visualizing them can be a requirement, and enabling that option in an on-prem environment can be achieved as described in the official guide here https://documentation.wazuh.com/4.4/user-manual/manager/wazuh-archives.html; however, in K8s, restarting the Filebeat service restarts the Wazuh manager pod, which wipes out the changes and reverts to the initial configuration (archives disabled). This article describes…

  • HTTP Strict Transport Security (HSTS) for Wazuh & Kibana

    HTTP Strict Transport Security (HSTS) is a vital security measure in today’s digital landscape, where data security and privacy are paramount. With the increasing sophistication of cyber threats, safeguarding sensitive information transmitted over the internet has become critical for individuals and organizations. HSTS plays a crucial role in this regard by enforcing secure connections. It instructs browsers to only…

  • Enrich Wazuh indices using Elasticsearch ingest Set processor

    Elasticsearch offers various processors configurable within ingest pipelines, allowing you to perform transformations over the data. In this write-up, I will use the Set processor https://www.elastic.co/guide/en/elasticsearch/reference/current/set-processor.html to enrich the Wazuh alerts indices. Use case: Add a flag/field to distinguish between servers in different data centers, knowing that each data center has servers with a unique operating system.…