Wazuh: The SIEM Platform

What is SIEM?

SIEM (Security Information and Event Management) software centrally collects, stores, and analyzes logs from the perimeter to the end user. It helps in monitoring security threats in real-time for quick attack detection, containment, and response with holistic security reporting and compliance management.

SIEM, pronounced "sim," combines both security information management (SIM) and security event management (SEM) into one security management system.

SIM                         SEM
Long-term log management    Real-time monitoring
Event enrichment            Event collection
Correlation                 Event aggregation
Parsing

SIEM: Capabilities

Data Aggregation: collects data from multiple sources.

Correlation: defines which sequences of events could be indicative of anomalies.

Alerting: triggers an alert by mail, Slack, etc. whenever an incident is raised.

Dashboard: gives a graphical view of incidents, agents, and logs.

Compliance: verifies regulatory compliance; auditors look at multiple aspects of the database environment, including user management.

Retention: to keep your SIEM audit data for longer periods of time, you can configure a new retention bucket.

Forensic Analysis: lets you collect and analyze log data in a central location from all devices, appliances, and hosts, and get notified about abnormal events immediately.

WAZUH:

Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It aims to protect workloads across on-premises, virtualized, containerized, and cloud-based environments.

These capabilities include log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, and support for regulatory compliance.

It can be used to collect, analyze, and correlate security event data for threat detection and incident response. Wazuh has out-of-the-box integration with ModSecurity, which eliminates the need to create a custom integration.

Wazuh Components:

The Wazuh solution is based on the Wazuh agent, which is deployed on the monitored endpoints, and on three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.

The Wazuh server analyzes data received from the agents. It processes the data through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
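To make the decoder-and-rules pipeline (and the correlation capability listed earlier) concrete, here is an added illustration that is not code from the page or from the Wazuh project. It is a toy version of the idea: a pre-decoder splits the syslog header, a child decoder pulls fields out of sshd messages, atomic rules match single events, and a composite rule fires when a parent rule has matched a given number of times from the same source IP inside a time window. The log lines, rule IDs, and the 2024 year used for timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the page): three sshd failures
# from one source address, one key-based login, and an unrelated cron entry.
SAMPLE_LOGS = [
    "Mar  1 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2",
    "Mar  1 10:00:03 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51323 ssh2",
    "Mar  1 10:00:05 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51324 ssh2",
    "Mar  1 10:00:09 web01 sshd[1203]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2",
    "Mar  1 10:00:20 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Pre-decoder: the syslog header shared by every line.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
# Child decoder: fields inside an sshd authentication message.
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\S+) port \d+")


def decode(line, year=2024):
    """Turn one raw line into an event dict; year is constructed (syslog omits it)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    event = {"ts": datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s),
             "host": m["host"], "program": m["prog"], "message": m["msg"], "decoder": None}
    if m["prog"] == "sshd":
        sm = SSHD_RE.match(m["msg"])
        if sm:
            event.update(decoder="sshd", outcome=sm["outcome"], user=sm["user"], srcip=sm["srcip"])
    return event


# Constructed rule IDs and levels; the shape (atomic rules plus a composite rule
# with frequency/timeframe over the same source IP) mirrors how SIEM correlation works.
RULES = [
    {"id": 100001, "level": 5, "description": "sshd: authentication failed",
     "match": lambda e: e["decoder"] == "sshd" and e["outcome"] == "Failed"},
    {"id": 100002, "level": 3, "description": "sshd: authentication success",
     "match": lambda e: e["decoder"] == "sshd" and e["outcome"] == "Accepted"},
    {"id": 100003, "level": 10, "description": "sshd: possible brute force",
     "if_matched": 100001, "frequency": 3, "timeframe": 60, "same_field": "srcip"},
]


class RuleEngine:
    def __init__(self, rules, alert_level=3):
        self.rules = rules
        self.alert_level = alert_level          # minimum level that produces an alert
        self.windows = defaultdict(deque)       # (rule id, field value) -> recent timestamps

    def _alert(self, rule, event):
        return {"rule_id": rule["id"], "level": rule["level"], "description": rule["description"],
                "ts": event["ts"], "host": event["host"],
                "srcip": event.get("srcip"), "user": event.get("user")}

    def _composites(self, parent_id, event):
        """Composite rules keyed on the parent rule: count matches per field value in a sliding window."""
        fired = []
        for rule in self.rules:
            if rule.get("if_matched") != parent_id:
                continue
            window = self.windows[(rule["id"], event.get(rule["same_field"]))]
            window.append(event["ts"])
            cutoff = event["ts"] - timedelta(seconds=rule["timeframe"])
            while window and window[0] < cutoff:
                window.popleft()
            if len(window) >= rule["frequency"]:
                fired.append(self._alert(rule, event))
                window.clear()                  # start a fresh window after alerting
        return fired

    def evaluate(self, event):
        """Return the single highest-level alert for one event, or None."""
        candidates = []
        for rule in self.rules:
            if "if_matched" in rule or not rule["match"](event):
                continue
            candidates.append(self._alert(rule, event))
            candidates.extend(self._composites(rule["id"], event))
        candidates = [a for a in candidates if a["level"] >= self.alert_level]
        return max(candidates, key=lambda a: a["level"]) if candidates else None


def analyze(lines, rules=RULES):
    engine = RuleEngine(rules)
    alerts = []
    for line in lines:
        event = decode(line)
        alert = engine.evaluate(event) if event else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a['ts']} rule {a['rule_id']} level {a['level']}: {a['description']} srcip={a['srcip']}")
```

Running it yields one alert per matched line; the third failure from 203.0.113.7 is reported as the level-10 composite rule rather than the level-5 atomic one, which is the behaviour a SIEM needs so that the dashboard shows the most severe interpretation of an event.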

The Wazuh dashboard is the web user interface for data visualization and analysis. This includes out-of-the-box dashboards for security events, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), file integrity monitoring data, detected vulnerable applications, configuration assessment results, cloud infrastructure monitoring events, and much more. It also helps in managing Wazuh configuration and monitoring its status.

Wazuh agents are installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, macOS, Solaris, AIX, and HP-UX.

Wazuh Architecture:

Wazuh Manager:

Wazuh manager is the system that analyzes the data received from all registered agents and triggers alerts when an event coincides with a rule. For example, intrusion detected, file modified, configuration not in accordance with the policy, possible rootkit, among others.

Filebeat:

Filebeat is used together with the Wazuh manager to send events and alerts to the Wazuh indexer. The Ansible role installs Filebeat; you can customize the installation with these variables:

filebeat_output_indexer_hosts: This defines the indexer node(s) to be used (default: 127.0.0.1:9200).

Elasticsearch:

Elasticsearch is a distributed, free and open search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured.

Elasticsearch indices:
The .kibana index
The wazuh-alerts-* indices
The wazuh-monitoring-* indices
The wazuh-statistics-* indices

Kibana:

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. It also allows you to manage the configuration and capabilities of the Wazuh server.

Wazuh Agent:

The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in near real-time through an encrypted and authenticated channel.

Wazuh Installation:

Wazuh Server:

NOTE:

Ansible Role: Wazuh-Manager
Ansible role to configure a standalone Wazuh manager with Slack integration.

Some of the highlighted features are:
Standalone setup of Wazuh-manager
Slack setup for alert management

Supported OS

Ubuntu 18
Ubuntu 20
Ubuntu 22

Requirements
No third-party requirement is needed in this role

Step 1:

Navigate to https://galaxy.ansible.com/opstree_devops/wazuh_manager

Installation: ansible-galaxy install opstree_devops.wazuh_manager

Step 2:

Usage
The inventory for wazuh_manager role should look like this:-

[wazuh]
node-1 ansible_host=13.213.39.180
[wazuh:vars]
ansible_ssh_user=ubuntu

Step 3:

An example playbook should look like this:-

- name: wazuh
  hosts: all
  become: true          # become_user only takes effect when privilege escalation is enabled
  become_user: root
  roles:
    - { role: opstree_devops.wazuh_manager }

Step 4:

To run the Ansible role, use the Ansible CLI:

ansible-playbook -i tests/inventory tests/test.yml

Step 5:

Required Ports

Component         Port        Protocol                         Purpose
Wazuh server      1514        TCP/UDP                          Agent connection service
Wazuh server      1515        TCP                              Agent enrollment service
Wazuh server      1516        TCP                              Wazuh cluster daemon
Wazuh server      514         UDP (default) / TCP (optional)   Wazuh syslog collector (disabled by default)
Wazuh server      55000       TCP                              Wazuh server RESTful API
Wazuh indexer     9200        TCP                              Wazuh indexer RESTful API
Wazuh indexer     9300-9400   TCP                              Wazuh indexer cluster communication
Wazuh dashboard   443         TCP                              Wazuh web user interface
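A practitioner usually wants to confirm these ports after the playbook finishes, before moving on to the browser. The following script is an added example, not part of the page or of the OpsTree roles; it encodes the table above and probes each TCP service with a plain connect. Services that are disabled by default (514) or only needed in cluster mode (1516, 9300-9400) are marked optional so a standalone install is not flagged for them; the host addresses are placeholders.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class RequiredPort:
    component: str
    port: int               # lowest port of the range
    protocol: str
    purpose: str
    optional: bool = False  # disabled by default or only needed in cluster mode


# The ports from the table above (cluster-only and disabled-by-default services marked optional).
REQUIRED_PORTS = [
    RequiredPort("Wazuh server", 1514, "TCP/UDP", "Agent connection service"),
    RequiredPort("Wazuh server", 1515, "TCP", "Agent enrollment service"),
    RequiredPort("Wazuh server", 1516, "TCP", "Wazuh cluster daemon", optional=True),
    RequiredPort("Wazuh server", 514, "UDP (default) / TCP (optional)",
                 "Wazuh syslog collector (disabled by default)", optional=True),
    RequiredPort("Wazuh server", 55000, "TCP", "Wazuh server RESTful API"),
    RequiredPort("Wazuh indexer", 9200, "TCP", "Wazuh indexer RESTful API"),
    RequiredPort("Wazuh indexer", 9300, "TCP", "Wazuh indexer cluster communication (9300-9400)",
                 optional=True),
    RequiredPort("Wazuh dashboard", 443, "TCP", "Wazuh web user interface"),
]


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(hosts, ports=REQUIRED_PORTS, probe=tcp_reachable):
    """hosts maps a component name to the address to probe.

    Only TCP-capable services are probed: UDP has no handshake, so a bare UDP
    probe cannot tell "open" from "filtered" without a protocol exchange.
    """
    results = []
    for rp in ports:
        host = hosts.get(rp.component)
        if host is None or "TCP" not in rp.protocol:
            continue
        results.append({"component": rp.component, "host": host, "port": rp.port,
                        "purpose": rp.purpose, "optional": rp.optional,
                        "reachable": probe(host, rp.port)})
    return results


def missing(results):
    """Required (non-optional) services that did not answer."""
    return [r for r in results if not r["reachable"] and not r["optional"]]


if __name__ == "__main__":
    # Single-node layout: every component on one host (placeholder address).
    layout = {c: "127.0.0.1" for c in ("Wazuh server", "Wazuh indexer", "Wazuh dashboard")}
    results = check_ports(layout)
    for r in results:
        print(f"{r['component']:<16} {r['port']:>5}  {'open' if r['reachable'] else 'CLOSED':<6} {r['purpose']}")
    if missing(results):
        print("some required ports are not reachable")
```

Pass a different address per component for a distributed layout; the `probe` parameter exists so the logic can be exercised without a live manager.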

Step 6:

Open the server's public IP in a browser.

Default username: admin, password: admin

Wazuh Agent:

Note:
Ansible role to set up and manage the Wazuh agent.

Some of the highlighted features are:

Setup of the Wazuh agent
Enabling File Integrity Monitoring (FIM) on the server
Enabling user audit information gathering on the node
Enabling system checks over the server's home directory
Configuring any number of applications in the Wazuh agent for log aggregation


Supported OS

Ubuntu 18
Ubuntu 20
Ubuntu 22


Requirements
The UDP port used for the agent connection must be open on the manager.

Step 1:

Navigate to https://galaxy.ansible.com/opstree_devops/wazuh_agent

Installation: ansible-galaxy install opstree_devops.wazuh_agent

Step 2:

Usage
The inventory for the wazuh_agent role should look like this:-

[wazuh]
node-1 ansible_host=13.213.39.180
[wazuh:vars]
ansible_ssh_user=ubuntu

Step 3:

An example playbook should look like this:-

- name: wazuh
  hosts: all
  become: true          # become_user only takes effect when privilege escalation is enabled
  become_user: root
  roles:
    - { role: opstree_devops.wazuh_agent }   # the name the role is installed under in Step 1

Step 4:

To run the Ansible role, use the Ansible CLI:

ansible-playbook -i tests/inventory tests/test.yml

Wazuh modules:

Log collector:

Log data collection is the real-time process of making sense of the records generated by servers or devices. This component can receive logs from text files or from Windows event logs.

Here you can manually add the path of each file that you want to monitor.
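As an added example (not code from the page or from the Wazuh project), the script below renders the per-application monitoring entries for an agent: one localfile block per application, each with a log_format and a location, validated before anything is written. The accepted log_format values are those documented for the Wazuh localfile block; the application list is constructed for the example, and the per-file label key "app" is an assumed name.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# log_format values accepted by the Wazuh <localfile> block (per the Wazuh documentation).
LOG_FORMATS = {
    "syslog", "json", "snort-full", "snort-fast", "squid", "iis", "eventlog",
    "eventchannel", "mysql_log", "postgresql_log", "nmapg", "apache", "command",
    "full_command", "djb-multilog", "multi-line", "audit",
}

# Constructed example set: three applications whose logs the agent should ship.
APPLICATIONS = [
    {"name": "apache", "location": "/var/log/apache2/access.log", "log_format": "apache"},
    {"name": "payments-api", "location": "/var/log/payments/*.json", "log_format": "json"},
    {"name": "auth", "location": "/var/log/auth.log", "log_format": "syslog"},
]


def localfile_config(apps):
    """Render an <ossec_config> fragment with one <localfile> entry per application."""
    root = ET.Element("ossec_config")
    seen = set()
    for app in apps:
        fmt, loc = app["log_format"], app["location"]
        if fmt not in LOG_FORMATS:
            raise ValueError(f"{app['name']}: unknown log_format {fmt!r}")
        if not PurePosixPath(loc).is_absolute():
            raise ValueError(f"{app['name']}: location must be an absolute path: {loc!r}")
        if loc in seen:
            raise ValueError(f"{app['name']}: {loc!r} is already monitored")
        seen.add(loc)
        lf = ET.SubElement(root, "localfile")
        ET.SubElement(lf, "log_format").text = fmt
        ET.SubElement(lf, "location").text = loc
        # The label travels with every event from this file so the manager can
        # tell application sources apart ("app" is an assumed label key).
        ET.SubElement(lf, "label", key="app").text = app["name"]
    ET.indent(root)  # pretty-print; available in Python 3.9+
    return ET.tostring(root, encoding="unicode")


def monitored_locations(xml_text):
    """Read back (log_format, location) pairs from a rendered fragment."""
    root = ET.fromstring(xml_text)
    return [(lf.findtext("log_format"), lf.findtext("location")) for lf in root.iter("localfile")]


if __name__ == "__main__":
    print(localfile_config(APPLICATIONS))
```

The same function can be fed the application list from an Ansible variable, so the "N applications" feature of the agent role reduces to a loop over one validated template.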

File integrity monitoring (FIM):

Monitors the file system, reporting when files are created, deleted, or modified, and keeps a record of those changes.
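The mechanism behind that sentence is a baseline-and-compare loop. This added example (not the page's or Wazuh's code) snapshots every regular file under a directory as a SHA-256 hash plus size and permission bits, persists the snapshot, and on the next run classifies each path as created, deleted, or modified. The demo() scenario builds its own temporary directory with constructed file contents so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path):
    """Attributes a FIM scan records per file: content hash plus metadata."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def snapshot(root):
    """Map each regular file under root (POSIX relative path) to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff(baseline, current):
    """Classify changes between two snapshots the way FIM alerts are categorised."""
    events = {"created": [], "deleted": [], "modified": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            events["created"].append(name)
        elif name not in current:
            events["deleted"].append(name)
        elif baseline[name] != current[name]:
            events["modified"].append(name)
    return events


def scan(root, baseline_file):
    """Compare root against the stored baseline, then persist the new snapshot."""
    baseline_file = Path(baseline_file)
    current = snapshot(root)
    # First run: there is nothing to compare against, so the baseline is the current state.
    baseline = json.loads(baseline_file.read_text()) if baseline_file.exists() else current
    baseline_file.write_text(json.dumps(current, indent=2))
    return diff(baseline, current)


def demo():
    """Constructed scenario in a temporary directory: modify, delete, and create a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "fim-baseline.json"
        first = scan(root, baseline_file)
        (root / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 updates.example\n")
        (root / "passwd").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/backup\n")
        second = scan(root, baseline_file)
        return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first scan:", first)
    print("second scan:", second)
```

The mode bits are part of the fingerprint deliberately: a permission change on an unchanged file is still an integrity event worth an alert.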

Security configuration assessment:

The SCA component reports on regulatory compliance on the basis of Center for Internet Security (CIS) benchmarks. Wazuh ships default compliance mappings such as PCI DSS, NIST, GDPR, TSC, and HIPAA.
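A configuration assessment is a set of checks, each of which passes or fails against a file's content, summarised as a score. The snippet below is an added example, not Wazuh's SCA engine or one of its shipped policies: it evaluates four constructed checks in the style of an SSH hardening benchmark against a constructed sshd_config and reports the pass percentage. Check IDs and titles are invented for the example.

```python
import re

# Constructed sshd_config content (not a real host's file).
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
#MaxAuthTries 6
"""

# Constructed checks in the spirit of an SCA policy: a check passes when its regex
# matches (expect=True) or does not match (expect=False) the configuration text.
CHECKS = [
    {"id": 1, "title": "Ensure root login over SSH is disabled",
     "pattern": r"^\s*PermitRootLogin\s+no\b", "expect": True},
    {"id": 2, "title": "Ensure password authentication is disabled",
     "pattern": r"^\s*PasswordAuthentication\s+no\b", "expect": True},
    {"id": 3, "title": "Ensure X11 forwarding is not enabled",
     "pattern": r"^\s*X11Forwarding\s+yes\b", "expect": False},
    {"id": 4, "title": "Ensure MaxAuthTries is set to 4 or less",
     "pattern": r"^\s*MaxAuthTries\s+[1-4]\s*$", "expect": True},
]


def evaluate(config_text, checks=CHECKS):
    """Run every check; commented-out directives do not satisfy a check because
    the patterns anchor at the start of the line with only whitespace allowed."""
    results = []
    for c in checks:
        found = re.search(c["pattern"], config_text, re.MULTILINE) is not None
        results.append({"id": c["id"], "title": c["title"],
                        "result": "passed" if found == c["expect"] else "failed"})
    return results


def score(results):
    """Percentage of passed checks, rounded to an integer like an SCA policy score."""
    passed = sum(r["result"] == "passed" for r in results)
    return round(100 * passed / len(results)) if results else 0


if __name__ == "__main__":
    results = evaluate(SSHD_CONFIG)
    for r in results:
        print(f"[{r['result']:>6}] {r['id']}: {r['title']}")
    print(f"score: {score(results)}%")
```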

System Auditing:

Monitors audit events such as write, read, and execute access, attribute changes, or system-call rules, using Wazuh decoders and rules.

MITRE ATT&CK:

The MITRE ATT&CK matrix catalogs known adversary tactics and techniques together with guidance on how to detect and mitigate them.

Docker Listener:

Protects container workloads at two different levels: the infrastructure level and the container level.

Osquery:

Collects the information generated by Osquery and sends it to the manager, where incidents are detected.

The system_info, high_load_average, and low_free_memory queries are executed every hour; additional query packs such as osquery-monitoring, hardware-monitoring, or ossec-rootkit can also be enabled.

Vulnerabilities:

Detects vulnerabilities based on the applications installed on the endpoint.

It uses vulnerability feeds such as the CVE tracker for Ubuntu Linux distributions and the National Vulnerability Database, among others.

Conclusion

Each PoC represents a real-world scenario that users can deploy using specific configurations. In addition, further information is provided to verify the feasibility of the product: how to generate and query the alerts, and the endpoints affected by each PoC.

Blog Pundits: Naveen Verma and Sandeep Rawat
