We covered and explained Wazuh as a SIEM and IDS/IPS solution along with its use case in the cyber security area and its components such as Wazuh indexer, Wazuh server, the dashboard and Wazuh agents. We also compared Splunk and Wazuh in relation to their use as SIEM, data analysis products and main components. We also covered the important components, mainly the decoders and rules, in Wazuh that are used to process and generate alerts. To edmonstrate this practically, we used TryHackMe Custom Alert Rules in Wazuh and we also covered the answers for TryHackMe Wazuh Room.

Wazuh SIEM Study Notes

The Complete Practical Web Application Penetration Testing Course

Highlights

What is Wazuh?

Wazuh is an EDR (endpoint detection and response.) solution and can be considered as an HIDS (host intrusion detection system). It monitors the endpoint for any indicators of a threat or policy violations in addition to the ability of auditing against some cyber security frameworks.

Wazuh can be used to achieve the following:

  • Auditing a device for common vulnerabilities
  • Proactively monitoring a device for suspicious activity such as unauthorised logins, brute-force attacks or privilege escalations
  • Visualising complex data and events into neat and trendy graphs
  • Recording a device’s normal operating behaviour to help with detecting anomalies.

Wazuh Components

  • Wazuh Indexer: The indexer stores the various alerts generated to enable real-time data search and analytics.
  • Wazuh Server: The Wazuh Server receives the collected logs by the agents, matches the collected logs against a set of decoders and rules and generates alerts. The Wazuh server is also responsible of all aspects related to the agents including configuration and deployment.
  • Wazuh Dashboard: The Wazuh Dashboard serves as the user interface from where you can search, analyze and visualize data.
  • Wazuh Agents: Responsible of collecting logs from the endpoints they are installed on.

Wazuh Agents

Devices that record the events and processes of a system are called agents. Agents monitor the processes and events that take place on the device, such as authentication and user management. Agents will offload these logs to a designated collector for processing, such as Wazuh.

In order for Wazuh to be populated, agents need to be installed onto devices to log such events. Wazuh can guide you through the agent deployment process provided you fill out some pre-requisites such as::

  • Operating System
  • The address of the Wazuh server that the agent should send logs to (this can be a DNS entry or an IP address)
  • What group the agent will be under – you can sort agents into groups within Wazuh if you wish

Room Answers | TryHackMe Wazuh

How many agents does this Wazuh management server manage?

2

What are the status of the agents managed by this Wazuh management server?

disconnected

How many “Security Event” alerts have been generated by the agent “AGENT-001”?

Note: You will need to make sure that your time range includes the 11th of March 2022

196

What is the name of the tool that we can use to monitor system events?

sysmon

What standard application on Windows do these system events get recorded to?

event viewer

What is the full file path to the rules located on a Wazuh management server?

/var/ossec/ruleset/rules

What application do we use on Linux to monitor events such as command execution?

auditd

What is the full path & filename for where the aforementioned application stores rules?

/etc/audit/rules.d/audit.rules

What is the name of the standard Linux tool that we can use to make requests to  the Wazuh management server?

curl

What HTTP method would we use to retrieve information for a Wazuh management server API?

GET

What HTTP method would we use to perform an action on a Wazuh management server API?

PUT

Use the API console to find the Wazuh server’s version.

Note: You will need to add the “v” prefix to the number for this answer. For example v1.2.3

v4.2.5

Analyse the report. What is the name of the agent that has generated the most alerts?

agent-001

Video Walkthrough | TryHackMe Wazuh

Room Answers | TryHackMe Custom Alert Rules in Wazuh

Looking at the Sysmon Log, what will the value of sysmon.commandLine be?

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\” \”-file\” \”C:\Users\Alberto\Desktop\test.ps1\

What would the extracted value be if the regex is set to “User: \S*”?

WIN-P57C9KN929H\Alberto

 From the Ruleset Test results, what is the <mitre> ID of rule id 184666?

T1055

According to the Wazuh documentation, what is the description of the rule with a classification level of 12?

High importance event

In the Ruleset Test page, change the value of  “sysmon.image” to “taskhost.exe’, and press the “Test” button again. What is the ID of the rule that will get triggered?

184736

In the sysmon_rules.xml file, what is the Rule ID of the parent of 184717?

184716

What is the regex field name used in the local_rules.xml?

audit.cwd

Looking at the log, what is the current working directory (cwd) from where the command was executed?

/var/log/audit

If the filename in the logs is “test.php”, what rule ID will be triggered?

100003

If the filename in the logs is “malware-checker.sh”, what is the rule classification level in the generated alert?

12

Video Walkthrough | TryhackMe Custom Alert Rules in Wazuh

, ,
Show Comments

Motasem

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles