-
Forward Windows events using Rsyslog to Wazuh
Pre-requisites: Wazuh Configuration: Open a syslog listener by adding the below configuration allowing to receive syslog data from the network subnet (Where my Windows server is located) specified within the allowed-ips tag and restart for applying it: Add a rule to capture the logs : Note that for simplicity, I am using only a rule…
-
Enrich Opensearch/Wazuh Alerting module notification using Painless Scripts (Mustache templates)
Use Case: Enrich slack notifications with Wazuh FIM & Vulnerability alerts details. Painless scripts (Mustache templates): Opensearch/Wazuh Monitor Queries: Alerting Module Configuration: The monitor must be configured using Extraction query editor. Then add & test the query: Define a simple trigger whenever the query return values higher than 0: Add your painless script, then send a…
-
Monitor Docker Containers Resources using Wazuh
Use case: Monitor CPU and memory usage of docker containers using Wazuh. Wazuh Configuration: Within the Wazuh UI, Navigate to Management -> Groups then edit the group configuration to add: The above command will be executed every minute to send an update about the resources to the Wazuh manager. Then add the decoders and rules to parse…
-
Elevate Security with Anomaly Detection in Wazuh
The current Wazuh stack (Version 4.7.*) does not have the Anomaly detection plugin out-of-the-box, this article describes how to install/configure it in a docker and standard installation. The Anomaly detector uses the Random Cut Forest (RCF) algorithm for automatic, near-real-time anomaly detection. This unsupervised machine learning algorithm calculates anomaly grades and confidence scores to distinguish…
-
Wazuh Endpoints Inventory Packages in one Dashboard
Currently, The agents’ packages are pulled using direct API calls and displayed on a Dashboard in the Wazuh app. This blog describes how to index the packages into the Wazuh indices and display them in a custom dashboard. Note that the script used to pull the packages leverages the use of the Wazuh https://github.com/wazuh/wazuh/tree/master/framework/wazuh simplifying the task.…
-
Discord & Wazuh Integration
Discord is a popular communication platform where people chat, share info, and connect. Integrating Wazuh alerts into Discord is key for quick and effective security updates. It can be deemed as a security guard in your digital hangout, making sure everyone stays informed and acts fast if there’s a potential threat. In this guide, we’ll…
-
Enrich Wazuh indices using Elasticsearch ingest Set processor
Elasticsearch offers various processors configurable within the ingest pipelinesallowing you to perform transformations over the data. In this write-up, I will use the Set processor https://www.elastic.co/guide/en/elasticsearch/reference/current/set-processor.html to enrich the Wazuh alerts indices. Use case: Add a flag/field to distinguish between servers in different data centers, knowingthat each data center has servers with unique Operating System.…