Wazuh, the well-known open-source SIEM (Security Information and Event Management) tool, has recently released its latest version, 4.10.1. This update brings new features, improvements, and fixes, making it a powerful solution for unifying traditionally separate security functions into a single agent and platform architecture. Wazuh provides protection for public clouds, private clouds, and on-premises data centers, offering real-time correlation and context for analysts. Its granular active response capabilities include on-device remediation to ensure endpoints remain clean and operational.
You Should Know:
1. Installation on Linux:
To install the Wazuh manager on a Debian- or Ubuntu-based Linux system (the commands below use apt), follow these steps:

```bash
# Step 1: Add the Wazuh repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

# Step 2: Update the package list
sudo apt-get update

# Step 3: Install Wazuh manager
sudo apt-get install wazuh-manager

# Step 4: Start and enable the Wazuh manager service
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```
2. Configuring Sysmon with Wazuh:
Sysmon (System Monitor) is a Windows Sysinternals tool that logs system activity such as process creation and file changes. The Sysmon configuration below controls which events Sysmon records; the Wazuh agent on the host then collects those events from the Sysmon event channel. Example configuration file:

```xml
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="contains">powershell.exe</Image>
    </ProcessCreate>
    <FileCreateTime onmatch="include">
      <TargetFilename condition="contains">.exe</TargetFilename>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>
```
Save this configuration as `sysmonconfig.xml` and apply it using the following command:
```
sysmon -accepteula -i sysmonconfig.xml
```
3. Real-Time Monitoring with Wazuh:
Wazuh provides real-time monitoring and alerting. To view real-time alerts, use the following command:
```bash
tail -f /var/ossec/logs/alerts/alerts.log
```
4. Active Response:
Wazuh’s active response capabilities allow you to automatically respond to threats. For example, you can configure Wazuh to block an IP address when a specific alert is triggered:
```bash
# Example of an active response script
# NOTE: this minimal script takes the address to block as its first argument ($1).
# Wazuh 4.x instead hands the alert to the script as JSON on stdin, so a production
# script must parse that message to obtain the source IP.
printf '#!/bin/sh\niptables -A INPUT -s "$1" -j DROP\n' > /var/ossec/active-response/bin/firewall-drop.sh
chmod 750 /var/ossec/active-response/bin/firewall-drop.sh
```
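As an added example (not code from the original post or from the Wazuh project), here is the shape of an active response script for the Wazuh 4.x interface, where execd passes the alert as JSON on stdin with `command` set to `add` when the alert fires and `delete` when the response times out, and the address at `parameters.alert.data.srcip`. The sample message is constructed, and the `check_keys` handshake the stock scripts use for timeout bookkeeping is omitted.

```python
#!/usr/bin/env python3
"""Minimal Wazuh 4.x active response script that drops a source IP with iptables.

Wazuh 4.x execd writes one JSON document to the script's stdin: "command" is
"add" when the alert fires and "delete" when the response times out, and the
offending address is at parameters.alert.data.srcip.
"""
import ipaddress
import json
import subprocess
import sys

# Constructed sample of the message execd sends, trimmed to the fields used here.
SAMPLE_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {"rule": {"id": "5763"}, "data": {"srcip": "203.0.113.7"}},
        "program": "/var/ossec/active-response/bin/firewall-drop.py",
    },
})

def parse_message(raw):
    """Return (command, srcip); srcip is validated before it can reach iptables.

    The field is decoded from a log line the remote host influenced, so a value
    such as "1.2.3.4 -j ACCEPT" must be rejected, not handed to the firewall.
    """
    msg = json.loads(raw)
    command = msg["command"]
    if command not in ("add", "delete"):
        raise ValueError("unexpected command: %r" % command)
    srcip = msg["parameters"]["alert"]["data"]["srcip"]
    return command, str(ipaddress.ip_address(srcip))

def iptables_argv(command, srcip):
    """iptables argv list: insert the DROP rule on add, remove it on delete."""
    action = "-I" if command == "add" else "-D"
    return ["iptables", action, "INPUT", "-s", srcip, "-j", "DROP"]

def main():
    command, srcip = parse_message(sys.stdin.readline())
    subprocess.run(iptables_argv(command, srcip), check=True)  # argv, no shell

if __name__ == "__main__":
    main()
```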
5. Integration with Elastic Stack:
Wazuh can be integrated with the Elastic Stack (Elasticsearch, Logstash, and Kibana) for advanced visualization and analysis. Follow the official documentation for detailed steps: Wazuh Elastic Integration.
What Undercode Say:
Wazuh continues to be a robust and versatile SIEM solution, especially for organizations looking for an open-source alternative. The latest version, 4.10.1, enhances its capabilities, making it even more effective for real-time threat detection and response. By integrating tools like Sysmon and leveraging active response features, security teams can significantly improve their incident response times. Additionally, the integration with the Elastic Stack provides a comprehensive platform for security monitoring and analysis. For those looking to strengthen their cybersecurity posture, Wazuh is a tool worth exploring.
Reported By: Ouardi Mohamed – Hackers Feeds