Wazuh — Part 2.1: Key Features of the Platform

Hassen Hannachi
6 min read · Mar 27, 2024


In the following post, we will examine various events generated by a Windows 10 machine that I have associated with the platform for testing purposes.

We will try to explore the essential features offered by the Wazuh platform.

To do this, I have subdivided the main interface into 4 categories, which we will try to explore one by one:

  • Security Information Management
  • Threat detection and response
  • Auditing and policy monitoring
  • Regulatory Compliance

At the end of this second part, I will introduce the use of Wazuh as a SIEM as well as the automation of certain platform actions.

1. Security Information Management (Management of security events):

The “Security Information Management” category of the Wazuh platform simplifies security information management by making it easy to navigate through alerts, while proactively identifying issues and potential threats in the IT environment. This feature provides deep visibility, enabling rapid response to security incidents.

Security Information Management

- Security Events:

This page lists the various security events relating to our Windows machine.
Below, a total of 759 security events were detected on our Windows machine during the last 24 hours, including 6 authentication failures and 132 successful authentications.

In the “Top MITRE ATT&CK” section, the most commonly observed attack techniques are listed based on security events detected by the system.

Dashboards relating to these events are automatically generated by Wazuh to provide a quick and efficient visualization of the activities listed.

On the dashboard below, we have the list of agents generating the most alerts over the current period.
This also allows us to track the number of alerts generated by each agent associated with the platform.

Then we have the list of events that we can review and analyze in depth.

list of events

Let’s take a closer look at one of these login failure events. By consulting the details, as illustrated in the following screenshot, we can observe the information related to the action reported by the Wazuh log indexer.
This data gives the analyst the elements needed to conduct the analysis more effectively (only a correct analysis can determine the real cause of the incident).

Let’s now consult the details of this event which was generated following an authentication error on my part:

At first glance, two fields already give us an overall idea of the event that occurred: “logonType”, which indicates the type of authentication (type 2 indicates an attempt to open a session on a local account, in this case my Windows machine), and “processName”, which is the name of the process that generated the alert.

The log message automatically generated by the Windows log manager is also present in the alert (see the following screenshot).
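To show how these two fields can be used for triage, here is an added example (not from the original post) that groups failed logons by account, logon type and process. It assumes alerts shaped like Wazuh's decoded Windows events (`data.win.system.eventID`, `data.win.eventdata.*`); the `targetUserName` field, the sample alerts and the review threshold are assumptions made for the illustration.

```python
from collections import Counter

# Windows logon types reported in Security events 4624/4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def make_alert(event_id, user, logon_type, process):
    """Build a constructed alert with the assumed Wazuh field layout."""
    return {"data": {"win": {
        "system": {"eventID": event_id},
        "eventdata": {"targetUserName": user, "logonType": logon_type,
                      "processName": process}}}}

# Constructed sample data, not taken from the author's machine.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_ALERTS = [
    make_alert("4625", "hassen", "2", SVCHOST),
    make_alert("4625", "hassen", "2", SVCHOST),
    make_alert("4624", "hassen", "2", SVCHOST),   # success, ignored below
    make_alert("4625", "hassen", "2", SVCHOST),
    make_alert("4625", "svc_backup", "3", "-"),
]

def summarize_failed_logons(alerts, threshold=3):
    """Count failed logons (event 4625) per (account, logon type, process)."""
    counts = Counter()
    for alert in alerts:
        win = alert.get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") != "4625":
            continue
        ev = win.get("eventdata", {})
        try:
            logon_type = int(ev.get("logonType", ""))
        except (TypeError, ValueError):
            logon_type = -1  # field missing or malformed
        key = (ev.get("targetUserName", "?"), logon_type,
               ev.get("processName", "?"))
        counts[key] += 1
    # Most frequent first; "review" marks groups at or above the threshold.
    return [{"user": u, "logon_type": LOGON_TYPES.get(t, f"Unknown ({t})"),
             "process": p, "failures": n, "review": n >= threshold}
            for (u, t, p), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize_failed_logons(SAMPLE_ALERTS):
        print(row)
```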

- Integrity Monitoring:

Allows you to monitor the overall integrity of files, the Windows registry, registry keys, etc.

This works thanks to Wazuh’s FIM (File Integrity Monitoring) module, which is configured in the ossec configuration file. This file is installed with the Windows agent during the installation process and is accessible on the Windows client at C:\Program Files (x86)\ossec-agent\ossec.conf. The configuration file also lets us define and customize the elements (directories to monitor, exclusions, etc.) whose content we want to monitor for integrity.

ossec configuration file

On Linux or another system, you will also find it in the agent installation directory; the principle remains the same.

Below is the content of the configuration file (ossec):

Among the many modules present in the config file, we have that of integrity control, which interests us in this case.

Note the list of Windows registry keys shown in the screenshot above. These are the default keys included in the list of elements to monitor; we can add or exclude some.

Registry monitoring remains essential in the context of cybersecurity, because malicious actors tend to modify the registry to bypass the security systems in place, attempt to introduce falsified registry keys in order to deactivate tools such as firewalls, antivirus or other critical systems, or set up registry keys allowing them to obtain persistent access by modifying.

For example, persistence tools used by malicious actors tend to modify the 2 registry keys above in order to force their scripts to run after the compromised system restarts.

These two keys contain references to programs that are executed at system startup. They are added by default in the Wazuh config file.
Hackers modify these registry keys by exploiting vulnerabilities, using malware, or gaining unauthorized access to the system, in order to launch their malware automatically at startup.
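A defender can verify that the startup keys are still covered by the FIM configuration and have not been excluded. The following added example (not part of the original post or of Wazuh itself) parses the `<windows_registry>` and `<registry_ignore>` entries of an ossec.conf; it assumes the two keys discussed are the standard Run and RunOnce keys, and the configuration excerpt is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt for illustration (not the author's file).
SAMPLE_CONF = r"""
<ossec_config>
  <syscheck>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</registry_ignore>
  </syscheck>
</ossec_config>
"""

# Assumption: the two startup keys discussed are the standard Run and RunOnce keys.
BASE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
STARTUP_KEYS = [BASE + r"\Run", BASE + r"\RunOnce"]

def covers(entry, key):
    """True if registry path `entry` is `key` itself or one of its parent keys."""
    entry, key = entry.strip().rstrip("\\").lower(), key.lower()
    return key == entry or key.startswith(entry + "\\")

def audit_startup_keys(conf_text, keys=STARTUP_KEYS):
    """Map each key to 'monitored', 'ignored' or 'not monitored'."""
    # ossec.conf may contain several <ossec_config> blocks; wrap them in one root.
    root = ET.fromstring(f"<root>{conf_text}</root>")
    monitored = [e.text or "" for e in root.iter("windows_registry")]
    # Only literal ignore paths are evaluated; sregex-type entries are skipped.
    ignored = [e.text or "" for e in root.iter("registry_ignore")
               if not e.get("type")]
    report = {}
    for key in keys:
        if any(covers(i, key) for i in ignored):
            report[key] = "ignored"  # an exclusion hides changes to this key
        elif any(covers(m, key) for m in monitored):
            report[key] = "monitored"
        else:
            report[key] = "not monitored"
    return report

if __name__ == "__main__":
    for key, status in audit_startup_keys(SAMPLE_CONF).items():
        print(f"{status:14} {key}")
```

In the constructed excerpt, RunOnce is reported as ignored even though it is listed for monitoring, which is the kind of silent exclusion worth catching in a configuration review.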

It is also possible to associate this Wazuh module with VirusTotal. For more details, I invite you to visit the official documentation page.

The point here is to stress the importance of monitoring the Windows registry, because it is among the main targets of falsification and alteration by malicious programs.

Now, let’s take a look at the platform health check tab to see it in action.

The dashboard provides us with a first graphical view of the main actions that were detected on the Windows client through the integrity check module, as well as their distributions (see screenshot above).

Details relating to these actions are visible from the “Events” tab below:

In my case, for example, there are registry modifications and also a registry deletion that raised alerts, but these are legitimate actions and therefore false positives.
It is important to know that modifying or deleting registry entries is not necessarily malicious, because these actions are always carried out in the case of installations or updates, hence the importance of analyzing each event in depth and thus eliminating false positives.
