The current Wazuh stack (Version 4.7.*) does not have the Anomaly detection plugin out-of-the-box, this article describes how to install/configure it in a docker and standard installation.
The Anomaly detector uses the Random Cut Forest (RCF) algorithm for automatic, near-real-time anomaly detection. This unsupervised machine learning algorithm calculates anomaly grades and confidence scores to distinguish anomalies from normal variations applying to your time-series data stored in the Wazuh indexer.
Docker Installation:
Add the docker image elwali/wazuh-dashboard-anomaly-detector:4.7.2
located in the repo https://hub.docker.com/r/elwali/wazuh-dashboard-anomaly-detector; Example of docker-compose.yml
of a Single-node Deployment would be:
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.manager:
image: wazuh/wazuh-manager:4.7.2
hostname: wazuh.manager
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.indexer:
image: wazuh/wazuh-indexer:4.7.2
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
- ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
wazuh.dashboard:
image: elwali/wazuh-dashboard-anomaly-detector:4.7.2
hostname: wazuh.dashboard
restart: always
ports:
- 443:5601
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- WAZUH_API_URL=https://wazuh.manager
- DASHBOARD_USERNAME=kibanaserver
- DASHBOARD_PASSWORD=kibanaserver
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
- wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:
wazuh-indexer-data:
wazuh-dashboard-config:
wazuh-dashboard-custom:
Apply it by running: docker-compose up -d
Standard Installation:
Access the Wazuh dashboard server and run /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin install anomalyDetectionDashboards — allow-root
Restart the Wazuh Dashboard systemctl restart wazuh-dashboard
Take into consideration:
The anomaly detector requires several indices and if the current index templates do not have index_patterns
for the anomaly detector indices, You can add via the dev tools (or API) by adding a corresponding template:
POST _template/configuration-indices-template.json
{
"order": 1,
"index_patterns": [
".opendistro-ism-config",
".opendistro-job-scheduler-lock",
".opendistro-alerting-alerts",
".opendistro-alerting-config",
".opendistro-anomaly-checkpoints",
".opendistro-anomaly-detection-state",
".opendistro-anomaly-detector-jobs",
".opendistro-anomaly-detectors",
".opendistro-anomaly-results-history-*"
],
"settings": {
"index.number_of_shards": "1",
"index.number_of_replicas": "0",
"index.auto_expand_replicas": "0-1"
}
}
I hope you find it useful 😀
9 responses to “Elevate Security with Anomaly Detection in Wazuh”
Soory Sr i want to ask something out of topic…is there really a need to integrate wazuh and ELK or Opensearch and what integration suits you best
You can use the Wazuh stack (Manager + Indexer + Dashboard) and no need to integrate ELK nor Opensearch unless you have a specific use case for that.
Is it possible to integrate it with existing deployed Wazuh. Existing stack based on Opensearch.
Hello Amey,
Sure you can install it as described in the Standard Installation section.
209481 203632Your article is truly informative. More than that, it??s engaging, compelling and well-written. I would desire to see even more of these types of great writing. 414539
446909 644518hey there i stumbled upon your internet site looking around the web. I wanted to say I enjoy the look of points around here. Keep it up will save for certain. 181111
224766 898481Normally I dont learn post on blogs, nonetheless I wish to say that this write-up extremely pressured me to try and do it! Your writing taste has been surprised me. Thank you, quite excellent write-up. 376388
… [Trackback]
[…] Read More here: opensourcesecurityblogs.com/elevate-security-with-anomaly-detection-in-wazuh/ […]
216410 145556Can you give me some tips for piece of software writing? 124902