Wazuh SIEM Tutorial | Complete Guide | TryHackMe

Apr 27, 2024

We covered Wazuh as a SIEM and IDS/IPS solution, its use cases in cyber security, and its components: the Wazuh indexer, the Wazuh server, the dashboard and the Wazuh agents. We also compared Splunk and Wazuh as SIEM and data analysis products and in terms of their main components, and covered the parts of Wazuh that process incoming logs and generate alerts, mainly the decoders and rules. To demonstrate this practically we used the TryHackMe Custom Alert Rules in Wazuh room, and we also covered the answers for the TryHackMe Wazuh room.

What is Wazuh?

Wazuh is an EDR (endpoint detection and response) solution and can also be considered a HIDS (host-based intrusion detection system). It monitors endpoints for indicators of a threat or of policy violations, and it can audit a host's configuration against security benchmarks and frameworks such as the CIS benchmarks.

Wazuh can be used to achieve the following:

  • Auditing a device for known vulnerabilities in the software installed on it

  • Proactively monitoring a device for suspicious activity such as unauthorised logins, brute-force attacks or privilege escalation

  • Visualising complex data and events as clear graphs and dashboards

  • Recording a device's normal operating behaviour as a baseline to help detect anomalies

Wazuh Components

  • Wazuh Indexer: The indexer (built on OpenSearch) stores the alerts and events generated by the server and provides full-text search and analytics over them in near real time.

  • Wazuh Server: The Wazuh server (also called the manager) receives the logs collected by the agents, runs them through its decoders and rules, and generates alerts when a rule matches. The server is also responsible for everything related to the agents, including registration, configuration and grouping.

  • Wazuh Dashboard: The Wazuh dashboard is the web user interface from which you search, analyse and visualise the data held in the indexer.

  • Wazuh Agents: Responsible for collecting logs and security data from the endpoints they are installed on and forwarding them to the server.
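To make the server's log-to-alert path concrete, here is an added example (my own simplified model in Python, not code from Wazuh or from the TryHackMe room) of how a decoder extracts fields from a raw log line and how a rule tree with a parent rule, child rules and a frequency rule turns repeated SSH failures into a higher-level brute-force alert. The rule IDs, the sample log lines and the exact frequency counting are assumptions; the real engine's counting and its ignore handling differ, so treat the semantics as illustrative.

```python
"""Simplified model of the Wazuh server's log -> decoder -> rules -> alert path."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Syslog header; the program name is what a Wazuh decoder keys on (<program_name>).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

@dataclass
class Decoder:
    name: str
    program_name: str          # like <program_name> in a Wazuh decoder
    regex: re.Pattern          # named groups play the role of <regex> + <order>

@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None      # <decoded_as>
    if_sid: Optional[int] = None          # parent rule must match the same event
    match: Optional[str] = None           # <match>: substring of the message
    if_matched_sid: Optional[int] = None  # correlation parent (<if_matched_sid>)
    frequency: int = 0                    # <frequency> / <timeframe> / <same_source_ip>
    timeframe: int = 0
    same_source_ip: bool = False

DECODERS = [
    Decoder("sshd", "sshd", re.compile(
        r"^(?:Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")),
]

# Assumed custom rule IDs; Wazuh reserves 100000-120000 for local rules.
RULES = [
    Rule(100010, 0, "sshd messages grouped", decoded_as="sshd"),
    Rule(100011, 5, "sshd: authentication failed", if_sid=100010, match="Failed password"),
    Rule(100012, 3, "sshd: authentication succeeded", if_sid=100010, match="Accepted password"),
    Rule(100013, 10, "sshd: possible brute force (repeated failures from one source)",
         if_matched_sid=100011, frequency=8, timeframe=120, same_source_ip=True),
]

ALERT_LEVEL = 3  # Wazuh's default log_alert_level: lower-level matches are not alerted

class Analyzer:
    def __init__(self, decoders=DECODERS, rules=RULES):
        self.decoders = decoders
        self.rules = {r.id: r for r in rules}
        self.history = defaultdict(deque)  # (rule_id, srcip) -> match timestamps

    def decode(self, line):
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        event = m.groupdict()
        event["timestamp"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
        for d in self.decoders:
            if d.program_name == event["program"]:
                fields = d.regex.match(event["msg"])
                if fields:
                    event["decoder"] = d.name
                    event.update(fields.groupdict())
                break
        return event

    def _frequency_hit(self, rule, event):
        key = (rule.if_matched_sid, event.get("srcip") if rule.same_source_ip else None)
        window, now = self.history[key], event["timestamp"]
        while window and (now - window[0]).total_seconds() > rule.timeframe:
            window.popleft()               # drop matches outside the timeframe
        if len(window) >= rule.frequency:
            window.clear()                 # crude stand-in for <ignore>: fire once per burst
            return True
        return False

    def analyze(self, line):
        event = self.decode(line)
        if event is None:
            return None
        matched, best = set(), None
        for rule in self.rules.values():   # rules are walked in tree order
            if rule.decoded_as and event.get("decoder") != rule.decoded_as:
                continue
            if rule.if_sid is not None and rule.if_sid not in matched:
                continue
            if rule.match and rule.match not in event["msg"]:
                continue
            if rule.if_matched_sid is not None and (
                    rule.if_matched_sid not in matched or not self._frequency_hit(rule, event)):
                continue
            matched.add(rule.id)
            for key in ((rule.id, event.get("srcip")), (rule.id, None)):
                self.history[key].append(event["timestamp"])
            if best is None or rule.level >= best.level:
                best = rule                # the deepest / highest-level match wins
        if best is None or best.level < ALERT_LEVEL:
            return None
        return {"rule_id": best.id, "level": best.level, "description": best.description,
                "srcip": event.get("srcip"), "user": event.get("user"), "timestamp": event["ts"]}

def failure_line(ts, srcip, user="admin", pid=2100):
    """Constructed sshd failure line in syslog format (sample data, not a real capture)."""
    return f"{ts} web01 sshd[{pid}]: Failed password for invalid user {user} from {srcip} port 50110 ssh2"

# Constructed sample log: 8 failures from one source inside 120 s, one stray failure,
# one success and one line no decoder understands.
SAMPLE_LOG = [failure_line("Jan 10 12:00:01", "192.0.2.10"), failure_line("Jan 10 12:00:03", "192.0.2.10"),
              failure_line("Jan 10 12:00:05", "192.0.2.10"), failure_line("Jan 10 12:00:07", "192.0.2.10"),
              failure_line("Jan 10 12:00:08", "198.51.100.7", user="root"),
              failure_line("Jan 10 12:00:09", "192.0.2.10"), failure_line("Jan 10 12:00:11", "192.0.2.10"),
              failure_line("Jan 10 12:00:13", "192.0.2.10"), failure_line("Jan 10 12:00:15", "192.0.2.10"),
              "Jan 10 12:00:20 web01 sshd[2120]: Accepted password for alice from 203.0.113.5 port 40021 ssh2",
              "Jan 10 12:00:21 web01 CRON[2121]: pam_unix(cron:session): session opened for user root by (uid=0)"]

def run(lines):
    """Feed lines through a fresh analyzer and return the alerts it raises, in order."""
    an = Analyzer()
    return [a for a in (an.analyze(l) for l in lines) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"rule {alert['rule_id']} level {alert['level']:2} {alert['srcip']:>14} {alert['description']}")
```

The point to take from the model is the shape of the pipeline: the decoder only extracts fields, the parent rule only groups, and the level that decides whether you see an alert is set by the most specific child that matched. The same structure appears in Wazuh's own XML, where a custom rule in local_rules.xml would carry the same if_sid, match, frequency and timeframe attributes, and wazuh-logtest on the server lets you check which decoder and rule a sample line hits before you deploy it.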

Wazuh Agents

Agents are lightweight programs installed on the devices you want to monitor. An agent records the events and processes that take place on its host, such as authentication attempts and user management, and forwards these logs to a designated collector for processing, in this case the Wazuh server.

In order for Wazuh to be populated with data, agents need to be installed on the devices that should log such events. The Wazuh dashboard can guide you through the agent deployment process once you provide a few prerequisites:

  • Operating System

  • The address of the Wazuh server that the agent should send logs to (this can be a DNS name or an IP address)

  • What group the agent will be under — you can sort agents into groups within Wazuh if you wish

Room Answers

Room answers can be found here.

Video Walkthrough

https://www.youtube.com/watch?v=FGoSE18Cvmw
