Category: XDR

  • Forward Windows events using Rsyslog to Wazuh

    Prerequisites: Wazuh configuration: Open a syslog listener by adding the configuration below, which allows the manager to receive syslog data from the network subnet (where my Windows server is located) specified within the allowed-ips tag, and restart to apply it: Add a rule to capture the logs: Note that for simplicity, I am using only a rule…

  • Enrich Opensearch/Wazuh Alerting module notification using Painless Scripts (Mustache templates)

    Use case: Enrich Slack notifications with Wazuh FIM and vulnerability alert details. Painless scripts (Mustache templates): Opensearch/Wazuh monitor queries: Alerting module configuration: The monitor must be configured using the Extraction query editor. Then add and test the query: Define a simple trigger that fires whenever the query returns a value higher than 0: Add your Painless script, then send a…

  • Monitor Docker Containers Resources using Wazuh

    Use case: Monitor CPU and memory usage of Docker containers using Wazuh. Wazuh configuration: Within the Wazuh UI, navigate to Management -> Groups, then edit the group configuration to add: The above command is executed every minute to send an update about the containers' resource usage to the Wazuh manager. Then add the decoders and rules to parse…

  • Elevate Security with Anomaly Detection in Wazuh

    The current Wazuh stack (version 4.7.*) does not ship the Anomaly Detection plugin out of the box; this article describes how to install and configure it in both Docker and standard installations. The anomaly detector uses the Random Cut Forest (RCF) algorithm for automatic, near-real-time anomaly detection. This unsupervised machine learning algorithm calculates anomaly grades and confidence scores to distinguish…

  • Wazuh Endpoints Inventory Packages in one Dashboard

    Currently, the agents' packages are pulled using direct API calls and displayed on a dashboard in the Wazuh app. This blog describes how to index the packages into the Wazuh indices and display them in a custom dashboard. Note that the script used to pull the packages leverages the Wazuh framework (https://github.com/wazuh/wazuh/tree/master/framework/wazuh), which simplifies the task.…

  • Discord & Wazuh Integration

    Discord is a popular communication platform where people chat, share information, and connect. Integrating Wazuh alerts into Discord is key to quick and effective security updates. Think of it as a security guard in your digital hangout, making sure everyone stays informed and acts fast if there's a potential threat. In this guide, we'll…

  • Enrich Wazuh indices using Elasticsearch ingest Set processor

    Elasticsearch offers various processors configurable within ingest pipelines, allowing you to perform transformations on the data. In this write-up, I will use the Set processor (https://www.elastic.co/guide/en/elasticsearch/reference/current/set-processor.html) to enrich the Wazuh alert indices. Use case: Add a flag/field to distinguish between servers in different data centers, knowing that each data center's servers run a unique operating system.…