
Introduction
Wazuh is a powerful open-source SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) platform that enables real-time log analysis, intrusion detection, and automated threat response. In this guide, we’ll explore how to deploy Wazuh from scratch, configure custom rules, and optimize threat detection for Linux and Windows environments.
Learning Objectives
- Deploy a fully functional Wazuh server with centralized agent management.
- Create custom detection rules and decoders for tailored threat monitoring.
- Implement automated active responses for real-time threat mitigation.
- Configure File Integrity Monitoring (FIM) and rootkit detection.
- Optimize alert correlation to minimize false positives.
1. Setting Up the Wazuh Server
Verified Command (Linux):
```bash
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```
Step-by-Step Guide:
1. Download and run the Wazuh installation script.
2. Choose a deployment type (`-a` for all-in-one).
3. Access the Wazuh dashboard at `https://<your-server-IP>`.
4. Log in with the default credentials (`admin:SecretPassword`).
2. Deploying Wazuh Agents on Linux & Windows
Linux Agent Installation:
```bash
sudo WAZUH_MANAGER="<WAZUH_SERVER_IP>" apt-get install wazuh-agent
sudo systemctl start wazuh-agent
```
Windows Agent Installation (PowerShell):
```powershell
Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi" -OutFile "wazuh-agent.msi"
msiexec.exe /i wazuh-agent.msi /qn WAZUH_MANAGER="<WAZUH_SERVER_IP>"
```
Step-by-Step Guide:
1. Replace `` with your Wazuh server’s IP.
2. Restart the agent to apply changes (`sudo systemctl restart wazuh-agent` on Linux).
3. Verify agent registration in the Wazuh dashboard under Agents.
3. Creating Custom Detection Rules
Example Rule (Wazuh `/var/ossec/etc/rules/local_rules.xml`):
```xml
<group name="custom_threats,">
  <rule id="100100" level="12">
    <decoded_as>sshd</decoded_as>
    <match>Failed password</match>
    <description>Multiple SSH authentication failures</description>
    <group>authentication_failure,</group>
  </rule>
</group>
```
Step-by-Step Guide:
1. Edit `/var/ossec/etc/rules/local_rules.xml`.
2. Define rule IDs, triggers, and severity levels.
3. Restart Wazuh manager:
```bash
sudo systemctl restart wazuh-manager
```
4. Configuring Active Responses for Automated Mitigation
Example Active Response (Linux):
```xml
<command>
  <name>block_ip</name>
  <executable>firewall-drop.sh</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>block_ip</command>
  <location>local</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>
```
Step-by-Step Guide:
1. Define a command (e.g., `firewall-drop.sh`) to block malicious IPs.
2. Link the response to a rule ID (e.g., `100100` for SSH brute force).
3. Test by triggering the rule (e.g., multiple failed SSH logins).
5. Enabling File Integrity Monitoring (FIM)
Linux FIM Configuration (`/var/ossec/etc/ossec.conf`):
```xml
<syscheck>
  <directories check_all="yes">/etc,/usr/bin</directories>
  <alert_new_files>yes</alert_new_files>
</syscheck>
```
Step-by-Step Guide:
1. Specify directories to monitor for unauthorized changes.
2. Enable alerts for new files (`yes`).
3. Restart Wazuh:
```bash
sudo systemctl restart wazuh-manager
```
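To make concrete what `check_all="yes"` and `alert_new_files` mean in practice, here is an added, self-contained Python illustration of the baseline-and-rescan logic behind file integrity monitoring. It is example code written for this guide, not Wazuh's syscheck implementation: it records a SHA-256 hash plus size, permission bits and owner for every regular file under a directory, then reports added, modified and deleted files on a second scan. The directory tree and the tampering in `demo()` are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Record content hash, size, mode, uid and gid for every regular file.

    This mirrors the attribute set implied by check_all="yes"; symlinks are
    skipped so that a link retargeting does not masquerade as a content change.
    """
    snap = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            st = os.lstat(p)
            snap[p] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return snap


def diff(baseline, current, alert_new_files=True):
    """Compare two snapshots and return (event, path, changed_attributes) tuples.

    alert_new_files=False reproduces the behaviour of leaving <alert_new_files>
    unset: new files are silently absorbed into the next baseline.
    """
    events = []
    for p, meta in current.items():
        if p not in baseline:
            if alert_new_files:
                events.append(("added", p, []))
        else:
            changed = [k for k in meta if meta[k] != baseline[p][k]]
            if changed:
                events.append(("modified", p, changed))
    for p in baseline:
        if p not in current:
            events.append(("deleted", p, []))
    return sorted(events, key=lambda e: e[1])


def demo():
    """Constructed scenario: take a baseline, then modify, add and delete files."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(d)

        # Simulated unauthorized changes after the baseline was taken.
        (etc / "passwd").write_text(
            "root:x:0:0::/root:/bin/bash\nnewuser:x:1001:1001::/home/newuser:/bin/bash\n"
        )
        (etc / "rc.local").write_text("#!/bin/sh\nexit 0\n")
        (etc / "hosts").unlink()
        return diff(baseline, snapshot(d))


if __name__ == "__main__":
    for event, path, changed in demo():
        print(f"{event:9} {path} {','.join(changed)}")
```

Note that a real agent additionally compares timestamps and inode numbers and runs in real-time or on a schedule; the point of the example is the baseline-versus-scan comparison that an FIM alert is built on.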
6. Rootkit Detection & Malware Scanning
Linux Rootkit Scan Command:
```bash
sudo /var/ossec/bin/rootcheck_control -r all
```
Step-by-Step Guide:
1. Enable rootkit scans in `/var/ossec/etc/ossec.conf`:
```xml
<rootcheck>
  <disabled>no</disabled>
</rootcheck>
```
2. Schedule periodic scans or trigger manually.
7. Alert Correlation & False Positive Reduction
Wazuh Rule Tuning Example:
```xml
<group name="custom_threats,">
  <!-- same_source_ip only works with if_matched_sid/if_matched_group plus
       frequency and timeframe; a plain if_sid child rule cannot correlate
       repeated matches from one source -->
  <rule id="100101" level="3" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>SSH brute force attack in progress</description>
  </rule>
</group>
```
Step-by-Step Guide:
1. Use `` to link related alerts.
2. Apply filters (``) to reduce noise.
3. Adjust severity levels (`level="3"`) based on risk.
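The following Python script is an added illustration of what sections 3 and 7 configure, not code from Wazuh or from this guide's author. It runs the same two-stage logic over constructed sshd log lines: every `Failed password` event raises the per-event rule (the example reuses the IDs 100100 and 100101 from the rules above), and a correlated alert fires when `frequency` failures arrive from the same source IP within `timeframe` seconds. The counting is a plain sliding window; Wazuh's analysisd has its own counting semantics, so treat the threshold values here as illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not real captured data).
SAMPLE_LOG = """\
Mar 10 12:00:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:03 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 10 12:00:05 host1 sshd[2105]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Mar 10 12:00:09 host1 sshd[2107]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar 10 12:00:14 host1 sshd[2109]: Failed password for root from 198.51.100.9 port 40100 ssh2
Mar 10 12:00:20 host1 sshd[2111]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar 10 12:00:31 host1 sshd[2113]: Failed password for ubuntu from 203.0.113.7 port 51271 ssh2
"""

# Minimal stand-in for the sshd decoder: split timestamp and message, pull srcip.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
SRCIP_RE = re.compile(r" from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) ")


def parse_line(line):
    """Return {'ts', 'msg', 'srcip'} for an sshd line, or None if it does not decode."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    ip = SRCIP_RE.search(m.group("msg"))
    return {"ts": ts, "msg": m.group("msg"), "srcip": ip.group("srcip") if ip else None}


def correlate(log_text, frequency=4, timeframe=120):
    """Emit rule-100100 alerts per failure and rule-100101 alerts per burst.

    frequency/timeframe play the role of the rule attributes of the same name;
    the per-IP deque is the 'same_source_ip' window.
    """
    alerts = []
    window = defaultdict(deque)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "Failed password" not in ev["msg"]:
            continue  # only the <match> of rule 100100 is of interest here
        alerts.append({"rule": 100100, "level": 12, "srcip": ev["srcip"]})

        q = window[ev["srcip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop failures that fell out of the timeframe
        if len(q) >= frequency:
            alerts.append({"rule": 100101, "level": 3,
                           "srcip": ev["srcip"], "count": len(q)})
            q.clear()  # restart the count once the correlated alert has fired
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

Running it on the sample shows why the correlation rule matters for noise reduction: six single-failure alerts collapse into one "in progress" alert naming the one source that actually crossed the threshold, while the lone failure from the second address never does. Raising `frequency` or shortening `timeframe` is the same tuning knob the guide describes for the XML rule.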
What Undercode Say:
- Key Takeaway 1: Wazuh provides enterprise-grade SIEM capabilities for free, making it ideal for small to mid-sized security teams.
- Key Takeaway 2: Automated active responses drastically reduce manual intervention in threat mitigation.
Analysis:
Wazuh’s flexibility in custom rule creation and log analysis makes it a strong alternative to commercial SIEMs. However, proper tuning is critical to avoid alert fatigue. Integrating threat intelligence feeds (e.g., MISP) can further enhance detection accuracy.
Prediction:
As cyber threats evolve, open-source SIEMs like Wazuh will become essential for organizations lacking budget for Splunk or IBM QRadar. Future updates may include deeper AI-driven anomaly detection and cloud-native deployment optimizations.
By following this guide, you’ve built a robust Wazuh deployment capable of detecting and mitigating threats in real time. 🚀
Reported By: Priombiswas Itsec – Hackers Feeds