
Step into Security: Wazuh Installation Guide & SIEM Significance

    Security professionals rely on a range of tools in their daily work to streamline workflows and automate routine tasks. One essential category is the SIEM, short for Security Information and Event Management. The name describes exactly what it does: it collects security information and events from across an environment and manages them in one place.

    SIEM tools play a pivotal role in modern cybersecurity strategies. They act as a centralized hub, aggregating and analyzing large volumes of security data from disparate sources within an organization’s network: logs from servers, applications, firewalls and other devices, which together give a comprehensive view of the environment’s security posture.

    One of the primary advantages of SIEM tools is their ability to correlate and contextualize these diverse data sets. By detecting patterns and anomalies across the network, they let security professionals identify potential threats and respond proactively, which is crucial in a threat landscape where swift detection and response can significantly limit the damage. There is a diverse array of SIEM tools available, including industry-leading options such as Splunk, Google Chronicle and SolarWinds, as well as Wazuh, which is covered in this article.

    Moreover, SIEM tools streamline incident response processes. They provide real-time alerts and notifications, allowing security teams to promptly investigate and mitigate security incidents. This agility in response can prevent minor security issues from escalating into major breaches, safeguarding sensitive data and the overall integrity of the network.

    It’s worth mentioning that certain SIEM tools, such as Wazuh, incorporate Extended Detection and Response (XDR) functionalities. XDR goes beyond traditional SIEM capabilities by not only detecting and responding to security incidents but also providing additional context, analytics, and automated responses across various security layers. This allows for a more comprehensive and integrated approach to threat detection and mitigation.

    Now, let’s walk through installing and configuring Wazuh, an open-source SIEM and XDR platform. For this tutorial the installation runs in a virtualized environment on VirtualBox, with three virtual machines: two with Ubuntu Linux pre-installed, one of which hosts the Wazuh server while the other is a monitored endpoint, and a third running Windows 10 Pro as a second monitored endpoint. All three must be able to reach each other over the same virtual network.

Step 1: Install Wazuh Manager

    The Wazuh Manager is the server-side process of a Wazuh deployment: it receives the data that agents forward, runs it through its decoders and rules engine, and generates alerts. The quickstart used here installs it together with the Wazuh indexer (which stores the alerts) and the Wazuh dashboard (the web interface) on one host, so that single Linux VM acts as the control panel for the whole SIEM. While almost any machine can be monitored by installing a Wazuh agent (covered later), the Wazuh Manager itself can only be installed on a Linux host.


    Let’s begin with the command from the official Wazuh Quickstart Guide, run as root (here via sudo) on the machine that will serve as the Wazuh server. The -a flag performs an all-in-one installation of manager, indexer and dashboard on this single host. The installer also checks that the host meets the quickstart’s minimum hardware requirements (4 GB of RAM and 2 CPU cores) and stops if it does not. As with any installer fetched from the web, it is worth reading the script before running it, which the two-step form of this command allows, since the download completes before the script executes:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

    When the installation finishes, the credentials for the dashboard’s admin user are printed in the final lines of the output. Note them down, as they are needed to log in to the dashboard. The installer also leaves a wazuh-install-files.tar archive in the working directory containing the generated passwords (wazuh-passwords.txt) and the certificates and keys for every component. Treat that file as a secret: move it somewhere safe, or delete it once you have recorded what you need.

acquired-Wazuh-credentials

Step 2: Access your Dashboard

    The dashboard is served over HTTPS on port 443 of the Wazuh server, so open a browser and go to https://<server-ip> (https://localhost only works from the server itself). On the first visit the browser warns that the certificate was not issued by a trusted authority. This is expected: the installer generates its own root CA and signs a certificate for the dashboard with it, and no browser trusts that CA out of the box. Accepting the warning is reasonable in a lab where you control both the server and the network, but it is not risk-free in general. Without a trusted certificate the browser cannot tell your Wazuh server from anything else answering on that address, so on a shared or production network you should either import the installer’s root CA into the browser or, if you have a domain name, configure the dashboard with a certificate from a trusted authority.
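Before trusting a dashboard you have just accepted a certificate warning for, it pays to confirm three things from Step 1 and Step 2: that the manager, indexer and dashboard services are running, that the server is listening on the ports agents and browsers will use, and that the certificate your browser is shown is the one the installer generated on the server. The script below is an added example (not Wazuh’s own tooling, nor code from the original article) that performs those checks. It assumes the all-in-one install from Step 1 ran on this host, that wazuh-install-files.tar is still in the current directory, that openssl and ss are available, and it uses the tutorial’s server address 10.0.4.4. The `ss -ltn` sample embedded in it is constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Post-install checks for an all-in-one Wazuh 4.7 server (Steps 1 and 2).
# Added example; not part of the Wazuh project or the original article.
# Assumes `wazuh-install.sh -a` ran on this host, wazuh-install-files.tar is
# in the current directory, and openssl and ss (iproute2) are installed.
set -u

DASHBOARD_IP="${DASHBOARD_IP:-10.0.4.4}"   # the tutorial's server address
# Services created by the all-in-one installer.
WAZUH_SERVICES="wazuh-manager wazuh-indexer wazuh-dashboard"
# TCP ports the server must listen on: 443 dashboard, 1514 agent traffic,
# 1515 agent enrolment, 55000 Wazuh API, 9200 indexer.
WAZUH_PORTS="443 1514 1515 55000 9200"
# Certificate the installer generated for the dashboard.
DASHBOARD_CERT="/etc/wazuh-dashboard/certs/dashboard.pem"

# Constructed `ss -ltn` output (not captured from a real host) so the parser
# below can be exercised offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:1514        0.0.0.0:*
LISTEN 0      4096   *:443               *:*
LISTEN 0      4096   [::]:1515           [::]:*'

# Read `ss -ltn` output on stdin; print the distinct listening ports, one per line.
listening_ports_from_ss() {
  awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeed when every port in the space-separated list $1 appears in the
# newline-separated list $2.
all_ports_present() {
  local wanted="$1" have="$2" p
  for p in $wanted; do
    printf '%s\n' "$have" | grep -qx "$p" || return 1
  done
  return 0
}

# SHA-256 fingerprint of the dashboard certificate as the installer wrote it.
local_cert_fingerprint() {
  sudo openssl x509 -in "$DASHBOARD_CERT" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate actually presented on port 443.
served_cert_fingerprint() {
  openssl s_client -connect "${DASHBOARD_IP}:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Print the generated passwords (dashboard admin, API user, internal users).
show_passwords() {
  sudo tar -O -xf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
}

# Live checks; run this on the server itself.
check_server() {
  local s rc=0 have
  for s in $WAZUH_SERVICES; do
    if systemctl is-active --quiet "$s"; then echo "ok   $s"; else echo "FAIL $s is not active"; rc=1; fi
  done
  have=$(ss -ltn | listening_ports_from_ss)
  if all_ports_present "$WAZUH_PORTS" "$have"; then echo "ok   listening on $WAZUH_PORTS"
  else echo "FAIL not all of $WAZUH_PORTS are listening"; rc=1; fi
  if [ "$(local_cert_fingerprint)" = "$(served_cert_fingerprint)" ]; then
    echo "ok   served certificate matches $DASHBOARD_CERT"
  else echo "FAIL served certificate differs from $DASHBOARD_CERT"; rc=1; fi
  return $rc
}

if [ "${1:-}" = "check" ]; then check_server; fi
```

Save it under any name and run `bash <name> check` on the server. To verify the browser warning from the client side, run the `served_cert_fingerprint` function from the VM you browse from and compare its output with `local_cert_fingerprint` on the server: if they match, the certificate you are accepting is the installer’s own and not something sitting in the path. `show_passwords` prints the same credentials the installer displayed at the end of Step 1.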

    We’ll be prompted to enter our login credentials. We are going to use the credentials generated during the installation process, as shown below:

wazuh-login-page

Quick Overview

    Upon successful login, we will be redirected to the Wazuh landing page. This page looks like this:

wazuh-dashboard

    A quick tour of the landing page shows several modules. Under ‘Security Information Management’ are ‘Security Events’, which lists the alerts the rules engine has generated, and ‘Integrity Monitoring’, which shows file integrity monitoring (FIM) alerts for changes to monitored files and directories. The ‘Threat Detection and Response’ category groups the modules (vulnerabilities, MITRE ATT&CK and others) that help identify threats in an organisation’s environment and respond to them quickly.

    Another important category is ‘Auditing and Policy Monitoring’, with modules such as Security Configuration Assessment that automate auditing tasks and reduce the workload on security teams. A particularly useful set of modules sits under ‘Regulatory Compliance’. Most security programmes have to satisfy one or more regulations or standards: GDPR governs the processing of personal data of individuals in the EU, PCI DSS sets requirements for processing, storing and transmitting payment cardholder data, and NIST 800-53 provides the security control catalogue for US federal information systems. These modules map Wazuh alerts to the requirements of each standard, so you can see which controls are generating findings and where the current configuration falls short of the standard.

Step 3: Adding Agents

    Once access to the Wazuh dashboard is granted and a preliminary understanding of its capabilities is established, the next step involves adding agents. Agents represent the systems intended for monitoring in the Wazuh environment. Adding agents to Wazuh is an important process for extending monitoring capabilities to various network endpoints. Each agent serves as a sentinel, actively collecting and forwarding security-related data to Wazuh Manager for analysis and centralized monitoring.

    In a fresh installation there are no connected agents yet. To add one, open the ‘Agents’ page from the Wazuh drop-down menu:

    This page shows support for a wide range of operating systems. For the purposes of this tutorial, we will follow the installation process for both Ubuntu Linux and Windows 10 Pro.

    Ubuntu Linux

    Let’s begin by choosing the package for download and installation on the target system. In our scenario, where the target system operates on Ubuntu, we select ‘DEB amd64’:

    Next, enter the IP address of the Wazuh server, which the agent will use both to enrol and to send its data. In our example this is ‘10.0.4.4’. The agent must be able to reach that address on TCP 1515 (enrolment) and TCP 1514 (agent traffic), so make sure no firewall between the VMs blocks those ports. Note also that by default the enrolment service on 1515 hands out a key to any host that can reach it; for anything beyond a lab, enable an enrolment password on the manager (the use_password option of authd) so that only hosts that know it can register:

    The following step involves assigning an agent name on the target machine. This practice becomes particularly useful when you are managing a significant number of endpoints. For example, assigning a name such as ‘Finance-1’ may indicate that the endpoint belongs to the Finance department. For simplicity, in this tutorial, we will use the name ‘Ubuntu’:

    Next, we are given a command to run on the target machine. It is generated from the choices above: the server address and agent name are passed to the package as environment variables, which its post-install script writes into /var/ossec/etc/ossec.conf. Copy the command the dashboard shows for your own setup rather than the one reproduced here:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.1-1_amd64.deb && sudo WAZUH_MANAGER='10.0.4.4' WAZUH_AGENT_NAME='Ubuntu' dpkg -i ./wazuh-agent_4.7.1-1_amd64.deb

    The remaining steps first reload the systemd manager configuration so it picks up the new unit:

sudo systemctl daemon-reload

    Then enable the Wazuh agent service to start automatically at boot time:

sudo systemctl enable wazuh-agent

    And finally, start the Wazuh agent service manually immediately:

sudo systemctl start wazuh-agent
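The whole Ubuntu procedure above, collapsed into one unattended script with the checks a practitioner would add: that the agent package is not newer than the manager, that the manager’s ports 1515 and 1514 are reachable before anything is installed, and that the agent’s own log confirms it connected afterwards. This is an added example, not Wazuh’s installer or code from the original article. It assumes the tutorial’s manager address 10.0.4.4 and agent name ‘Ubuntu’, a MANAGER_VERSION you fill in from `/var/ossec/bin/wazuh-control info` on the manager, and an optional WAZUH_REGISTRATION_PASSWORD for managers that require one. The ossec.log lines embedded in it are constructed in the shape of real agent log entries, not captured output.

```shell
#!/usr/bin/env bash
# Unattended Wazuh agent enrolment for Ubuntu, with pre- and post-checks.
# Added example: not part of the Wazuh project or the original article.
# Assumptions: manager at 10.0.4.4 and agent name 'Ubuntu' (from the tutorial),
# MANAGER_VERSION filled in from `/var/ossec/bin/wazuh-control info` on the
# manager, and WAZUH_REGISTRATION_PASSWORD set only if authd requires one.
set -u

MANAGER="${WAZUH_MANAGER:-10.0.4.4}"
AGENT_NAME="${WAZUH_AGENT_NAME:-Ubuntu}"
AGENT_PKG_VERSION="4.7.1-1"                  # version in the .deb file name
MANAGER_VERSION="${MANAGER_VERSION:-4.7.1}"  # assumption: replace with your manager's version
DEB="wazuh-agent_${AGENT_PKG_VERSION}_amd64.deb"
DEB_URL="https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/${DEB}"
AGENT_LOG="/var/ossec/logs/ossec.log"

# Constructed sample in the shape of wazuh-agentd log lines (not captured from
# a real host), used to exercise the log classifier offline.
SAMPLE_LOG='2024/01/25 10:00:01 wazuh-agentd: INFO: Started (pid: 1234).
2024/01/25 10:00:02 wazuh-agentd: ERROR: (1216): Unable to connect to 10.0.4.4: Connection refused.
2024/01/25 10:00:12 wazuh-agentd: INFO: (4102): Connected to the server ([10.0.4.4]:1514/tcp).'

# Succeed when agent version $1 is not newer than manager version $2 (x.y.z).
# Wazuh requires agents to run the same or an older release than their manager.
agent_version_ok() {
  local a="$1" m="$2" i ai mi
  for i in 1 2 3; do
    ai=$(printf '%s' "$a" | cut -d. -f"$i")
    mi=$(printf '%s' "$m" | cut -d. -f"$i")
    [ "${ai:-0}" -gt "${mi:-0}" ] && return 1
    [ "${ai:-0}" -lt "${mi:-0}" ] && return 0
  done
  return 0
}

# Read agent log lines on stdin and print the latest connection state:
# "connected", "error", or "unknown" when agentd has reported neither yet.
agent_state_from_log() {
  awk '/wazuh-agentd/ && /Connected to the server/ { state = "connected" }
       /wazuh-agentd/ && /ERROR/                   { state = "error" }
       END { print (state ? state : "unknown") }'
}

# Can this endpoint open TCP connections to the enrolment and data ports?
manager_reachable() {
  local port
  for port in 1515 1514; do
    timeout 3 bash -c "exec 3<>/dev/tcp/${MANAGER}/${port}" 2>/dev/null \
      || { echo "cannot reach ${MANAGER}:${port}/tcp" >&2; return 1; }
  done
}

# dpkg's post-install step reads the WAZUH_* variables and writes them into
# /var/ossec/etc/ossec.conf; pass the enrolment password only when it is set.
install_package() {
  if [ -n "${WAZUH_REGISTRATION_PASSWORD:-}" ]; then
    sudo WAZUH_MANAGER="$MANAGER" WAZUH_AGENT_NAME="$AGENT_NAME" \
         WAZUH_REGISTRATION_PASSWORD="$WAZUH_REGISTRATION_PASSWORD" dpkg -i "./$DEB"
  else
    sudo WAZUH_MANAGER="$MANAGER" WAZUH_AGENT_NAME="$AGENT_NAME" dpkg -i "./$DEB"
  fi
}

install_agent() {
  local state
  agent_version_ok "${AGENT_PKG_VERSION%-*}" "$MANAGER_VERSION" \
    || { echo "agent ${AGENT_PKG_VERSION} is newer than manager ${MANAGER_VERSION}" >&2; return 1; }
  manager_reachable || return 1
  wget -q "$DEB_URL" && install_package || return 1
  sudo systemctl daemon-reload
  sudo systemctl enable --now wazuh-agent
  sleep 15   # give agentd time to enrol and connect before reading its log
  state=$(sudo tail -n 200 "$AGENT_LOG" | agent_state_from_log)
  echo "agent state: $state"
  [ "$state" = "connected" ]
}

if [ "${1:-}" = "install" ]; then install_agent; fi
```

Run it as `bash <name> install` on the endpoint (the file name is arbitrary). If it reports ‘error’, the last agentd error in /var/ossec/logs/ossec.log tells you whether enrolment or the data connection failed. On the manager, `sudo /var/ossec/bin/agent_control -lc` lists the agents currently connected, which is the server-side confirmation of the same thing.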

    Once done, the setup is complete. Click the ‘Close’ button; the page refreshes and shows the newly added agent, which should be listed as active once it has enrolled and connected:

    Windows 10

    The setup process of a Windows agent is similar to the previous one, but with different commands to execute. Let’s begin by selecting ‘MSI 32/64 bits’ as the package for download and installation:

    Next, we enter the IP address of the server machine, which is ‘10.0.4.4’, and choose an agent name. For the sake of simplicity in this example, we’ll use ‘Windows’.

    Next, open PowerShell as an administrator and run the corresponding command to download and install the agent. Like the Linux command, it is generated from the server address and agent name entered above, so copy the command the dashboard shows for your own setup. Wazuh agents must not be newer than the manager they report to, so if the manager and the endpoints were set up at different times, compare the agent version the dashboard offers with the manager’s own version before installing:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.2-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='10.0.4.4' WAZUH_AGENT_NAME='Windows' WAZUH_REGISTRATION_SERVER='10.0.4.4'

    Finally, we start the Wazuh agent service using the following command:

NET START Wazuh

    After clicking the ‘Close’ button, the Windows machine appears in the ‘Agents’ list. If it does not become active within a minute or so, the agent’s log at C:\Program Files (x86)\ossec-agent\ossec.log is the first place to look:

    Now, we have a fully functional Wazuh setup that we can explore further and leverage its capabilities.

Suggestions

    The most effective way to gain in-depth knowledge about a specific technology or tool is by interacting and experimenting with it. Feel free to follow the instructions above, set up Wazuh in a virtualized environment, and explore its functionalities on your own.

    Keep in mind that, while installing and configuring SIEM tools like Wazuh is crucial for business environments, ongoing maintenance, regular updates, and continuous monitoring are equally essential. Keeping your SIEM tool optimized ensures it remains a reliable asset in defending against evolving cybersecurity threats.

    In a next article, we’ll explore advanced features and best practices for leveraging Wazuh effectively within your security operations.
