Intro to Wazuh
Wazuh is a free and open-source security platform primarily used for threat detection and incident response.
What is Wazuh?
Wazuh is an open-source security monitoring platform designed for protecting data assets across diverse environments, including on-site, virtualized, containerized, and cloud-based systems. It is commonly used in security operations centers and high performance computing environments to gain visibility into system activity and detect suspicious behavior. Wazuh has a variety of capabilities, including:
Intrusion detection (HIDS - Host-based Intrusion Detection System)
Log data analysis and correlation
File integrity monitoring
Vulnerability detection
Compliance monitoring
Incident response
Wazuh is most commonly described as a SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) solution that helps monitor systems, detect threats, and demonstrate compliance with industry standards. It collects logs and other telemetry from endpoints, runs them through decoders and rules to identify suspicious activity, and generates alerts when it detects signs of attacks, system misconfigurations, or unusual system behavior.
Wazuh Architecture
Wazuh follows a client-server distributed architecture made up of components that work together to collect, process, and analyze security data.
| Component | Description |
|---|---|
| Agents | Lightweight software installed on the monitored endpoints (servers, workstations, cloud instances, containers). Agents collect logs, file integrity data, software inventory, and configuration assessment results and forward them to the Wazuh server over an encrypted channel. |
| Wazuh Server | Receives data from the agents and from agentless sources (for example syslog), runs it through decoders and rules, enriches it with threat intelligence, and generates alerts. It also manages agent enrollment and configuration. |
| Indexer | A full-text search and analytics engine that stores and indexes the alerts and events produced by the server so they can be queried at scale. |
| Visualization (Wazuh Dashboard) | The web interface used to search and visualize alerts, monitor agent status, and manage Wazuh configuration. |
Wazuh Core Features
Log Analysis: Centralized collection, normalization, and correlation of log data from all monitored endpoints
Intrusion Detection: Detects suspicious activity on endpoints, such as authentication brute-forcing or privilege escalation attempts
File Integrity Monitoring: Watches sensitive files and directories and alerts on creation, modification, deletion, and permission or ownership changes
Rootkit Detection: Scans endpoints for hidden processes, hidden ports, hidden files, and other anomalies that indicate a rootkit
Vulnerability Detection: Compares the software inventory of each endpoint against vulnerability feeds to reduce risk exposure
Active Incident Response: Automates containment actions (for example blocking a source IP or disabling an account) when a detection fires
Compliance Monitoring: Evaluates system settings against industry standards and frameworks such as PCI DSS, HIPAA, GDPR, NIST, and CIS Benchmarks, and maps alerts to MITRE ATT&CK techniques
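The "collect logs, analyze, alert" pipeline described in the What is Wazuh? section and the Log Analysis and Intrusion Detection features above can be made concrete with a small model of how the server processes events. The following is an added example, not Wazuh's own code: it decodes raw syslog lines into fields, matches each event against atomic rules, and applies a composite rule that fires when the same source IP produces a burst of failures within a time window, which is the same decoder/rule/frequency/timeframe structure Wazuh's rule engine uses. The log lines are constructed for this example, and the rule ids, levels, and thresholds are assumptions chosen to resemble the stock sshd ruleset rather than a copy of it.

```python
"""Toy model of the Wazuh server pipeline: decode -> match rule -> correlate.
Added example, not Wazuh code. Rule ids, levels, and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log sample (not a real capture); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:00:04 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:00:07 web01 sshd[2204]: Failed password for root from 203.0.113.7 port 50138 ssh2
Mar  3 10:00:10 web01 sshd[2206]: Failed password for invalid user ubuntu from 203.0.113.7 port 50144 ssh2
Mar  3 10:00:12 web01 sshd[2207]: Failed password for deploy from 192.0.2.9 port 60010 ssh2
Mar  3 10:00:13 web01 sshd[2208]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar  3 10:00:15 web01 CRON[2209]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:00:16 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50158 ssh2
Mar  3 10:00:19 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 50164 ssh2
Mar  3 10:00:22 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50171 ssh2
Mar  3 10:00:30 web01 sshd[2215]: Accepted password for deploy from 198.51.100.20 port 41002 ssh2
"""

# --- Decoders: turn a raw line into named fields (Wazuh expresses these as decoder XML) ---
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_DECODERS = {
    "sshd_failed": re.compile(
        r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port (?P<port>\d+)"),
    "sshd_accepted": re.compile(
        r"^Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port (?P<port>\d+)"),
}

def decode(line):
    """Return a dict of fields for a syslog line, or None if the header does not parse.
    A line whose program has no child decoder comes back without a 'decoder' key."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for time deltas
    ev["timestamp"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    if ev["prog"] == "sshd":
        for name, rx in SSHD_DECODERS.items():
            sm = rx.match(ev["msg"])
            if sm:
                ev["decoder"] = name
                ev.update(sm.groupdict())
                break
    return ev

# --- Rules: atomic rules match one decoded event; a composite rule fires when its parent
# (if_sid) matched `frequency` times within `timeframe` seconds for the same field value ---
RULES = [
    {"id": 5715, "level": 3, "decoder": "sshd_accepted", "description": "sshd: authentication success"},
    {"id": 5716, "level": 5, "decoder": "sshd_failed", "description": "sshd: authentication failed"},
    {"id": 5712, "level": 10, "if_sid": 5716, "frequency": 8, "timeframe": 120, "same_field": "srcip",
     "description": "sshd: brute force trying to get access to the system"},
]
ALERT_LEVEL = 3  # assumed threshold, in the spirit of the manager's minimum alert level

class RuleEngine:
    def __init__(self, rules):
        self.atomic = [r for r in rules if "if_sid" not in r]
        self.composite = [r for r in rules if "if_sid" in r]
        self.history = defaultdict(deque)  # (rule id, field value) -> timestamps of recent hits

    def evaluate(self, ev):
        """Return the most specific alert for one decoded event, or None."""
        if ev is None or "decoder" not in ev:
            return None
        rule = next((r for r in self.atomic if r["decoder"] == ev["decoder"]), None)
        if rule is None:
            return None
        for comp in self.composite:
            if comp["if_sid"] != rule["id"]:
                continue
            window = self.history[(comp["id"], ev.get(comp["same_field"]))]
            window.append(ev["timestamp"])
            # sliding window: forget hits older than the timeframe
            while window and (ev["timestamp"] - window[0]).total_seconds() > comp["timeframe"]:
                window.popleft()
            if len(window) >= comp["frequency"]:
                window.clear()  # reset so a later burst is reported again
                rule = comp
                break
        return {"rule_id": rule["id"], "level": rule["level"], "description": rule["description"],
                "srcip": ev.get("srcip"), "user": ev.get("user"), "timestamp": ev["ts"]}

def analyze(lines, rules=RULES, alert_level=ALERT_LEVEL):
    """Run decode + rules over raw log lines; return alerts at or above alert_level."""
    engine = RuleEngine(rules)
    alerts = []
    for line in lines:
        alert = engine.evaluate(decode(line))
        if alert and alert["level"] >= alert_level:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f'{a["timestamp"]} rule={a["rule_id"]} level={a["level"]:<2} src={a["srcip"]} {a["description"]}')
```

Run against the constructed sample, the first seven failures from 203.0.113.7 each produce a level 5 "authentication failed" alert, the eighth within the 120 second window is escalated to the level 10 brute-force rule, the single failure from 192.0.2.9 stays at level 5, the cron line decodes but matches no rule, and the successful login is a level 3 informational alert. The per-source sliding window is the part worth studying: it is what lets a low-severity event become a high-severity one without any single line looking malicious.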
Installation
The easiest way to get Wazuh up and running for exploration is the Wazuh installation assistant. With the -a (all-in-one) option it deploys the server, indexer, and dashboard on a single host, which is suitable for a lab but not for production.
Download and run the Wazuh installation assistant (note that this executes a downloaded script as root, so review it before running it on anything other than a throwaway host):
curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Once it finishes, the assistant prints a summary containing the dashboard address and the generated admin credentials:
INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
User: admin
Password: <ADMIN_PASSWORD>
INFO: Installation finished.
At this point, you should be able to open your browser, log into the Wazuh dashboard with the admin credentials from the summary, and begin exploring the platform. Record the generated password somewhere safe, since it is only shown once.
Note: When accessing the dashboard for the first time, the browser shows a warning that the site's certificate is not issued by a trusted certificate authority. This is expected, because the installation assistant generates self-signed certificates. You can accept the certificate for a lab deployment, or configure the dashboard to use a certificate from a trusted authority.
Adding an Agent
Up to this point, the installation lets you explore the Wazuh dashboard and become more familiar with its features. To monitor additional endpoints, follow the steps in the Wazuh adding an agent documentation, which covers enrolling an agent with the server and verifying that it reports in.
Wazuh Tutorials
Crash Course: An in-depth guide to using Wazuh, configuring endpoints, and exploring its features. This tutorial also walks through deploying Wazuh with Docker.
Creating Dashboards: Wazuh offers the ability to create different dashboards that highlight certain or specific pieces of log data. This tutorial walks you through how to do that.
Resources
Quickstart: Steps to get started with Wazuh using the quick installation guide.
Adding an Agent (Linux): Steps to deploy the Wazuh agent on Linux endpoints.
Wazuh Architecture: A run down of how Wazuh works as a distributed system.
Getting Started: Getting started with Wazuh.
Overview of Wazuh: Overview of Wazuh with feature descriptions.