Hands-on with Wazuh SIEM: A Comprehensive Guide


This article provides hands-on experience with Wazuh SIEM, covering Security Monitoring, Log Analysis, Incident Response, and Threat Hunting. Below are essential resources and practical steps to enhance your cybersecurity skills.

Basics of Wazuh

  • Wazuh Crash Course | 2 Hour+ Free Course Link
  • Wazuh Overview and Architecture Link

Lab Setup

  • Wazuh All-in-One Lab Setup Link
  • Wazuh Installation on Virtualbox Link
  • Wazuh Installation on Docker Link
  • Creating Custom Dashboards Link

Log Analysis with Wazuh

  • Log Ingestion on Wazuh Link
  • Windows Sysmon Log Analysis Link
  • Integrating Graylog with Wazuh for Log Analysis Link

Threat Detection

  • Correlation Rules in Wazuh Link
  • VirusTotal Integration with Wazuh Link
  • Suricata IDS Integration Link
  • Advanced Wazuh Rulesets Link

Incident Response

  • Blocking SSH Brute-Force Attacks Link
  • Disabling a Linux User Account Link

Threat Hunting

  • Threat Hunting Using Inventory Data Link
  • Threat Hunting with Wazuh FIM and Yara for Linux Endpoints Link

Further Learning

  • Book: “Security Monitoring with Wazuh” (45% Discount on Amazon) Link

You Should Know: Practical Wazuh Commands & Configurations

1. Installing Wazuh (Linux)

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo apt install wazuh-manager
sudo systemctl start wazuh-manager

2. Configuring Log Ingestion

Edit `/var/ossec/etc/ossec.conf` to add log sources:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>

3. Blocking SSH Brute-Force Attacks

Enable active response in Wazuh (the block below fires the built-in `firewall-drop` command on the agent that raised any alert of level 7 or higher, and lifts the block after 600 seconds):

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>
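As an added example (not code from the original post or from the Wazuh project), the Python script below emulates the frequency/timeframe correlation that a Wazuh rule applies to sshd authentication failures before an active response such as `firewall-drop` is triggered. It shows why a blocking response keys on the source IP and why a burst of failures fires while the same number of failures spread over a long period does not. The log lines are constructed, and the threshold of 5 failures within 120 seconds is an illustrative choice, not the default of any specific Wazuh rule.

```python
"""
Added example (not from the original post or Wazuh): a sliding-window
frequency/timeframe correlation over sshd "Failed password" syslog lines,
the same idea a Wazuh brute-force rule uses before active response runs.
Threshold and timeframe below are hypothetical values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
Mar  1 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:04 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:07 web01 sshd[1205]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:09 web01 sshd[1207]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  1 10:00:12 web01 sshd[1209]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Mar  1 10:00:15 web01 sshd[1211]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2
Mar  1 10:00:20 web01 sshd[1213]: Failed password for deploy from 198.51.100.7 port 51001 ssh2
Mar  1 10:00:30 web01 sshd[1215]: Failed password for deploy from 198.51.100.7 port 51002 ssh2
Mar  1 10:03:00 web01 sshd[1220]: Failed password for root from 203.0.113.9 port 42000 ssh2
Mar  1 10:05:30 web01 sshd[1222]: Failed password for root from 203.0.113.9 port 42001 ssh2
Mar  1 10:08:00 web01 sshd[1224]: Failed password for root from 203.0.113.9 port 42002 ssh2
Mar  1 10:10:30 web01 sshd[1226]: Failed password for root from 203.0.113.9 port 42003 ssh2
Mar  1 10:13:00 web01 sshd[1228]: Failed password for root from 203.0.113.9 port 42004 ssh2
"""

# Matches the standard OpenSSH failure line; successful logins do not match.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def detect_bruteforce(lines, threshold=5, timeframe=120):
    """Return {source_ip: time_of_trigger} for every source that produced
    at least `threshold` failures inside any `timeframe`-second window.
    Only the first trigger per IP is recorded, mirroring a single alert."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    triggered = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # not an sshd failure: ignored by this rule
        # Syslog lines carry no year; the parsed year (1900) is irrelevant
        # because only differences between timestamps are used.
        ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
        ip = m["ip"]
        q = window[ip]
        q.append(ts)
        # Drop failures that fell out of the timeframe.
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= threshold and ip not in triggered:
            triggered[ip] = ts.strftime("%H:%M:%S")
    return triggered


def planned_blocks(triggered, timeout=600):
    """What the firewall-drop response would do for each trigger:
    block the source IP and release it after `timeout` seconds."""
    return [{"command": "firewall-drop", "srcip": ip, "timeout": timeout}
            for ip in sorted(triggered)]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG.splitlines())
    for action in planned_blocks(hits):
        print(action)
```

With the sample input only 203.0.113.5 is reported: 198.51.100.7 has two failures, and 203.0.113.9 has five, but they are 150 seconds apart, so no window ever holds more than one. Lowering the threshold or widening the timeframe changes that, which is exactly the tuning trade-off a `<frequency>`/`<timeframe>` rule forces you to make between catching slow attempts and blocking users who mistype a password.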

4. Integrating VirusTotal with Wazuh

Edit `/var/ossec/etc/ossec.conf`:

<integration>
  <name>virustotal</name>
  <api_key>YOUR_VIRUSTOTAL_API_KEY</api_key>
  <group>syscheck</group>               <!-- only send FIM (file) alerts to VirusTotal -->
  <alert_format>json</alert_format>     <!-- required by the virustotal integration -->
</integration>

5. Using YARA for Threat Hunting

Scan a directory recursively with YARA:

yara -r /path/to/malware/rules.yar /suspicious/directory
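The following Python triage script is an added example (not from the original post or the Wazuh project) tying Sections 4 and 5 together: it reads Wazuh-style `alerts.json` records, keeps only FIM (syscheck) events for files that were added or modified, deduplicates them by SHA-256 so that each distinct file is submitted to VirusTotal once (the free API quota is small), and groups the surviving paths per agent as targets for a `yara -r` scan. The alert records are constructed, the hashes are placeholders rather than real indicators, and the field names (`syscheck.path`, `syscheck.event`, `syscheck.sha256_after`, `rule.id` 554/550/553) follow the syscheck alert layout as I know it from Wazuh's default ruleset.

```python
"""
Added example (not from the original post or Wazuh): triage of alerts.json
records for FIM events that deserve a YARA scan or a VirusTotal lookup.
All alert records here are constructed; hashes are placeholders.
"""
import json
from collections import defaultdict

# Placeholder hashes (not real IoCs). H1 appears twice to show deduplication.
H1, H2, H3 = "1" * 64, "2" * 64, "3" * 64


def _alert(ts, level, rid, desc, agent, **extra):
    """Build one alerts.json line in the shape Wazuh writes (constructed)."""
    return json.dumps({
        "timestamp": ts,
        "rule": {"level": level, "id": rid, "description": desc},
        "agent": {"id": agent[0], "name": agent[1]},
        **extra,
    })


SAMPLE_ALERTS = "\n".join([
    _alert("2024-03-01T10:15:00.000+0000", 5, "554", "File added to the system.",
           ("001", "web01"),
           syscheck={"path": "/tmp/update.sh", "event": "added", "sha256_after": H1}),
    _alert("2024-03-01T10:15:30.000+0000", 7, "550", "Integrity checksum changed.",
           ("002", "db01"),
           syscheck={"path": "/usr/bin/ps", "event": "modified",
                     "sha256_before": H2, "sha256_after": H3}),
    _alert("2024-03-01T10:16:00.000+0000", 7, "553", "File deleted.",
           ("001", "web01"),
           syscheck={"path": "/var/log/auth.log", "event": "deleted"}),
    _alert("2024-03-01T10:16:10.000+0000", 5, "5710",
           "sshd: Attempt to login using a non-existent user",
           ("001", "web01"), data={"srcip": "203.0.113.5"}),
    _alert("2024-03-01T10:17:00.000+0000", 5, "554", "File added to the system.",
           ("003", "app01"),
           syscheck={"path": "/opt/app/update.sh", "event": "added", "sha256_after": H1}),
    "this line is not JSON",   # a truncated write; must not abort the run
])


def parse_alerts(text):
    """Yield parsed alert dicts, skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def fim_candidates(text, min_level=5):
    """Return (agent, path, sha256) for syscheck added/modified events at or
    above `min_level`. Deletions carry no hash and non-FIM alerts are skipped."""
    out = []
    for alert in parse_alerts(text):
        sc = alert.get("syscheck")
        if not sc or sc.get("event") not in ("added", "modified"):
            continue
        if alert.get("rule", {}).get("level", 0) < min_level:
            continue
        sha = sc.get("sha256_after")
        if not sha:
            continue
        out.append((alert["agent"]["name"], sc["path"], sha))
    return out


def unique_hashes(candidates):
    """Map each sha256 to every (agent, path) where it was seen, so one
    VirusTotal lookup per hash covers all copies of the file."""
    by_hash = defaultdict(list)
    for agent, path, sha in candidates:
        by_hash[sha].append((agent, path))
    return dict(by_hash)


def yara_targets(candidates):
    """Per-agent list of paths to pass to `yara -r <rules> <path>`."""
    by_agent = defaultdict(list)
    for agent, path, _ in candidates:
        by_agent[agent].append(path)
    return dict(by_agent)


if __name__ == "__main__":
    cands = fim_candidates(SAMPLE_ALERTS)
    for sha, where in unique_hashes(cands).items():
        print(f"lookup {sha[:12]}... seen at {where}")
    for agent, paths in yara_targets(cands).items():
        print(f"{agent}: yara -r rules.yar {' '.join(paths)}")
```

Raising `min_level` to 7 narrows the list to the checksum-changed event on `/usr/bin/ps`, which is the usual way to keep a VirusTotal integration from spending quota on every temporary file an agent reports.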

6. Disabling a Linux User Account

sudo usermod --expiredate 1 username

7. Checking Wazuh Agent Status

sudo systemctl status wazuh-agent

What Undercode Say

Wazuh is a powerful open-source SIEM that enhances security monitoring, threat detection, and incident response. By leveraging log analysis, YARA rules, and integrations like VirusTotal, security teams can detect and mitigate threats efficiently.

Key Linux & Windows Commands for Security Teams
– Linux:

journalctl -u wazuh-manager -f   # Monitor Wazuh manager logs
chkrootkit -q                    # Check for rootkits
rkhunter --check                 # Scan for malware

– Windows:

Get-WinEvent -LogName Security -MaxEvents 10   # Check security logs
net user hacker /delete                        # Remove a user

Wazuh’s real-time monitoring, FIM (File Integrity Monitoring), and automated responses make it indispensable for cybersecurity professionals.

Expected Output:

A fully configured Wazuh SIEM with log analysis, threat detection rules, and automated incident response capabilities.

Reported By: Alexrweyemamu (Hackers Feeds)
