Wazuh EDR (Endpoint Detection and Response) is a security feature of the Wazuh platform that provides real-time detection and response capabilities for endpoint devices.
It uses a combination of signature-based and behavioral-based detection techniques to identify and alert on potential security threats or anomalies on endpoint devices. Wazuh EDR can be configured to monitor a variety of endpoint activity, such as file and network activity, system logs, and system configurations.
It can also be configured to perform specific actions in response to detected threats, such as quarantining a file or blocking network access.
Wazuh EDR is designed to provide a comprehensive view of endpoint security and to help organizations respond quickly to security incidents.
Wazuh structure
The structure of Wazuh consists of the following main components:
- Wazuh Manager: the central component of the platform. It receives events from the agents (and from agentless sources such as syslog), decodes them and matches them against its rule set to raise alerts, and runs the security modules used for threat detection and response (vulnerability detection, security configuration assessment, active response and the rest). In a cluster the master node also distributes rules, decoders, shared configuration and agent keys to the worker nodes.
- Elasticsearch: the search engine used to index, store and query Wazuh alerts and events. It provides a scalable and flexible platform for storing and searching large volumes of data.
- Kibana: the visualization layer. The Wazuh plugin for Kibana adds the Wazuh app, with dashboards and agent management built on the data indexed in Elasticsearch.
- Agents: lightweight programs installed on the monitored servers and endpoints. They collect logs, file integrity and inventory data and send it to the Wazuh Manager over an encrypted, authenticated channel (port 1514).
Overall, the structure of Wazuh is designed to provide a comprehensive platform for detecting and responding to security threats, as well as for compliance and reporting. It combines the power of Elasticsearch and the Elastic Stack with a set of specialized security tools to provide a flexible and scalable solution for cybersecurity.
Wazuh Server System Requirements
The system requirements for a Wazuh server depend on the size of your environment and the amount of data you are collecting. Here are some general guidelines for a Wazuh server:
CPU: a modern multi-core CPU (4 cores is a reasonable starting point) is recommended for optimal performance.
Memory: at least 8 GB of RAM. More is needed if you collect and process large volumes of events.
Disk space: at least 50 GB free, depending on the size of your environment and the amount of data collected. The Wazuh manager keeps its own alert archive under /var/ossec/logs, but the bulk of the storage is consumed by the Elasticsearch indices that Filebeat feeds, so size the Elasticsearch nodes separately.
Operating system: the Wazuh server (manager) runs on Linux (Debian, Ubuntu, CentOS, Red Hat, Amazon Linux). Windows and macOS are supported for the Wazuh agent only, not for the server.
It is also recommended to use a dedicated server for the Wazuh platform, as its components can consume significant resources and may impact the performance of other applications on the same host.
Server Roles | System Requirements | Network Requirements | More Details |
---|---|---|---|
Wazuh Master Node | 8 GB memory, 4 cores, 100 GB disk | SSH (management); 1514/tcp agent connection; 1515/tcp agent registration; 1516/tcp cluster (from worker nodes only); 55000/tcp API (from the Kibana host only) | Cluster management, rule creation, agent management and management of the worker nodes |
Wazuh Worker Node | 8 GB memory, 4 cores, 100 GB disk | SSH (management); 1514/tcp agent connection; 1515/tcp agent registration; 1516/tcp cluster; outbound 9200/tcp to Elasticsearch (Filebeat) | Agent management, forwarding alerts to the SIEM |
Installing Ubuntu server for Wazuh EDR
During the Ubuntu Server installation, configure the following on each node (master and workers):
- a static IP address (the cluster nodes and the agents address the server by IP, so it must not change)
- the DNS server address
- server information (the hostname; using the same name as the cluster node name configured later avoids confusion)
- user information (the administrative account you will SSH in with)
Firewall requirements
Allow the management port before enabling ufw; enabling it first on a remote box closes your own SSH session.
sudo ufw allow ssh comment "Management port"
sudo ufw enable
Open the agent, cluster and API ports
sudo ufw allow 1514 comment "Agents connection service"
sudo ufw allow 1515 comment "Agents registration service"
sudo ufw allow 1516 comment "Wazuh cluster daemon"
sudo ufw allow 55000 comment "Wazuh RESTful API"
Ports 1514 and 1515 must be reachable from every agent. Port 1516 is only used between cluster nodes and 55000 only by the Kibana host, so on a production install restrict those two rules to the peer addresses with ufw's from-address form rather than opening them to every host on the network.
Software requirements
Network tool installation
apt install net-tools
net-tools provides ifconfig and netstat, which are useful for checking the static IP and the listening ports. Remote access from PuTTY or another SSH client requires the OpenSSH server, which the Ubuntu Server installer offers to install; it is not provided by net-tools.
Prerequisites for Wazuh on all servers:
Installing software packages
apt install curl apt-transport-https lsb-release gnupg
Add the Wazuh GPG key
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
(apt-key is deprecated on Ubuntu 22.04 and later, where repository keys are kept under /etc/apt/keyrings and referenced from the source entry instead; the command above is what the Wazuh 4.2 documentation uses and works on Ubuntu 20.04.)
Add the Wazuh source to apt
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
Installing the Wazuh manager using apt
apt-get install wazuh-manager
The master and the worker servers use the same wazuh-manager package; repeat the installation steps on each worker in the Wazuh cluster.
Defining Master and Workers
To add servers to the Wazuh cluster, edit the cluster section of the configuration on each server. Exactly one server is set as the master node; all other nodes are workers. The key must be the same on every node and must be 32 characters long. It authenticates the nodes to each other and encrypts the cluster traffic on port 1516, so generate your own rather than reusing the one printed in this guide, and treat it as a secret.
Editing the configuration file for the Wazuh01 (master) server,
In the configuration file, enter the node name, role, key and master server address:
nano /var/ossec/etc/ossec.conf
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh01</node_name>
    <node_type>master</node_type>
    <key>c98b62a9b61222c5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>192.168.0.186</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
Edit the configuration file for the Wazuh02 (worker) server
Change the node name and the role; the key stays the same as on the master and the nodes list still points at the master's address:
nano /var/ossec/etc/ossec.conf
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh02</node_name>
    <node_type>worker</node_type>
    <key>c98b62a9b61222c5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>192.168.0.186</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
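As an added example (not code from the Wazuh project or from this guide), the shell functions below generate a fresh 32-character cluster key and render the cluster block for either a master or a worker node, so both sections above can be produced from one place with a key that was never published. The cluster name wazuh, port 1516 and the master address 192.168.0.186 are the values used on this page; the function and variable names are the example's own.

```shell
# Added example for this page, not part of Wazuh. Generates a cluster key and
# renders the <cluster> block for /var/ossec/etc/ossec.conf.
# Assumptions: cluster name "wazuh", cluster port 1516, bind on all interfaces,
# master address passed in by the caller (192.168.0.186 on this page).

# 16 random bytes as 32 hex characters: the key length wazuh-manager expects.
gen_cluster_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# validate_cluster_key KEY: 0 if KEY is exactly 32 hex characters, 1 otherwise.
validate_cluster_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;   # non-hex character present
    esac
    [ "${#1}" -eq 32 ]
}

# render_cluster_block NODE_NAME NODE_TYPE KEY MASTER_IP
# Prints the <cluster> section; NODE_TYPE is "master" or "worker".
# The same KEY must be used on every node of the cluster.
render_cluster_block() {
    node_name=$1; node_type=$2; key=$3; master_ip=$4
    case "$node_type" in
        master|worker) ;;
        *) echo "node_type must be master or worker" >&2; return 1 ;;
    esac
    validate_cluster_key "$key" || { echo "key must be 32 hex characters" >&2; return 1; }
    cat <<EOF
  <cluster>
    <name>wazuh</name>
    <node_name>${node_name}</node_name>
    <node_type>${node_type}</node_type>
    <key>${key}</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>${master_ip}</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
EOF
}

# Usage: generate the key once, on the master, and reuse it for every worker:
#   KEY=$(gen_cluster_key)
#   render_cluster_block wazuh01 master "$KEY" 192.168.0.186   # into the master's ossec.conf
#   render_cluster_block wazuh02 worker "$KEY" 192.168.0.186   # into wazuh02's ossec.conf
```

Paste the rendered block over the existing cluster section of each node's ossec.conf and restart wazuh-manager. The key is read from /dev/urandom on the master and copied to the workers by hand (or over your configuration management channel); it never appears in the guide, in a ticket or in a screenshot.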
Setting up Wazuh as a system service
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Checking the cluster status. With the configuration above there are two nodes, the master and one worker:
service wazuh-manager status
/var/ossec/bin/cluster_control -l
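To turn the cluster_control listing into a pass/fail check, for instance at the end of a post-install script, here is an added example that is not Wazuh's own tooling. It assumes the four-column layout NAME TYPE VERSION ADDRESS that cluster_control -l prints, which you should verify against your own output; the sample table is constructed for this page and mirrors the two nodes configured above, with the worker at an assumed address of 192.168.0.187.

```shell
# Added example (not part of Wazuh): sanity checks over the table printed by
#   /var/ossec/bin/cluster_control -l
# Assumed columns: NAME TYPE VERSION ADDRESS (check against your own output).

# Constructed sample of the listing for the two nodes configured on this page;
# the worker address is an assumption.
SAMPLE_CLUSTER_LIST='NAME     TYPE    VERSION  ADDRESS
wazuh01  master  4.2.5    192.168.0.186
wazuh02  worker  4.2.5    192.168.0.187'

# check_cluster_list < listing
# Returns 0 when the listing has exactly one master, at least one node, every
# row has all four columns, and all nodes run the same wazuh-manager version
# (mixed versions break cluster synchronisation). Returns 1 otherwise.
check_cluster_list() {
    awk '
        NR == 1 { next }                      # header row
        NF < 4  { bad = 1; next }             # truncated / unexpected row
        $2 == "master" { masters++ }
        { versions[$3] = 1; nodes++ }
        END {
            nv = 0
            for (v in versions) nv++
            if (bad || nodes < 1 || masters != 1 || nv != 1) exit 1
            exit 0
        }'
}

# count_workers < listing : prints the number of worker nodes in the listing.
count_workers() {
    awk 'NR > 1 && $2 == "worker" { n++ } END { print n + 0 }'
}

# Usage on a live node:
#   /var/ossec/bin/cluster_control -l | check_cluster_list && echo "cluster OK"
#   /var/ossec/bin/cluster_control -l | count_workers
# Or against the constructed sample:
#   printf '%s\n' "$SAMPLE_CLUSTER_LIST" | check_cluster_list
```

A worker that is missing from the listing is usually a wrong key, a firewall still blocking 1516 between the nodes, or a node_name that collides with another node; a version mismatch means one node was upgraded and the others were not.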
Filebeat
Filebeat runs on each Wazuh node and ships the manager's alerts directly to the Elasticsearch servers, without Logstash in between.
Filebeat software requirements
Import the Elastic PGP key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Add the Elastic 7.x apt source
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
Install Filebeat 7.14.2 with apt, the latest Filebeat version supported by Wazuh 4.2. The version pin is written filebeat=7.14.2 with no space around the equals sign; otherwise apt looks for a package called "=7.14.2".
sudo apt-get update && sudo apt-get install filebeat=7.14.2
Save the password in the keystore
To keep the Elasticsearch password out of filebeat.yml, create a keystore if one does not exist:
filebeat keystore create
Then store the elastic user's password under the name ES_PWD (you are prompted for the value, so it never lands in the shell history):
filebeat keystore add ES_PWD
Change Filebeat settings
Download the Wazuh Filebeat configuration for an Elasticsearch cluster and adjust it to your Elasticsearch nodes on each server
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_elastic_cluster.yml
Download the Wazuh index template for Elasticsearch
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Edit /etc/filebeat/filebeat.yml: set output.elasticsearch.hosts to your Elasticsearch nodes, set the username, and reference the keystore entry for the password as ${ES_PWD} instead of writing the password in clear text. Keep TLS verification against your CA enabled; switching verification off to make the connection "work" means any host on the network can impersonate Elasticsearch and receive your alerts.
Check the Filebeat settings and the connection to Elasticsearch
filebeat test output
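The Wazuh template for filebeat.yml leaves the Elasticsearch password as a plain value to fill in. As an added example (not from Wazuh or Elastic), the functions below render the output.elasticsearch section so that the password is taken from the keystore entry ES_PWD created above, and lint a filebeat.yml so a plaintext password does not slip back in during a later edit. The Elasticsearch node addresses, the CA path /etc/filebeat/certs/root-ca.pem and the username elastic are assumptions; the rest of filebeat.yml (the Wazuh module and template settings) stays as downloaded.

```shell
# Added example for this page, not Wazuh's or Elastic's own code.
# Renders the output.elasticsearch section of /etc/filebeat/filebeat.yml with
# the password resolved from the Filebeat keystore, and lints a filebeat.yml for
# plaintext passwords. Host list, CA path and username are assumptions.

# render_filebeat_output "https://es1:9200,https://es2:9200" [CA_PATH] [USERNAME]
render_filebeat_output() {
    hosts=$1
    ca=${2:-/etc/filebeat/certs/root-ca.pem}
    user=${3:-elastic}
    # Turn the comma-separated host list into a quoted YAML flow sequence.
    list=$(
        IFS=,
        for h in $hosts; do
            printf '%s' "${first:+, }\"$h\""
            first=1
        done
    )
    cat <<EOF
output.elasticsearch:
  hosts: [${list}]
  protocol: https
  username: "${user}"
  # Resolved at runtime from the keystore entry created with: filebeat keystore add ES_PWD
  password: "\${ES_PWD}"
  # Verify the Elasticsearch certificate against our CA; never set verification_mode: none.
  ssl.certificate_authorities:
    - ${ca}
  ssl.verification_mode: full
EOF
}

# lint_filebeat_yml FILE
# Returns 0 if every "password:" line (comments stripped) references a keystore
# variable such as ${ES_PWD}; returns 1 if a plaintext password is present.
lint_filebeat_yml() {
    bad=$(sed 's/#.*$//' "$1" \
          | grep -E '^[[:space:]]*password:' \
          | grep -vE 'password:[[:space:]]*"?\$\{[A-Za-z_][A-Za-z0-9_]*\}"?[[:space:]]*$' \
          || true)
    [ -z "$bad" ]
}

# Usage (on each manager node, after the keystore step):
#   render_filebeat_output "https://10.0.0.11:9200,https://10.0.0.12:9200" > /tmp/es-output.yml
#   -> paste over the existing output.elasticsearch section of /etc/filebeat/filebeat.yml
#      (the Wazuh template already contains one; do not leave two).
#   lint_filebeat_yml /etc/filebeat/filebeat.yml && filebeat test output
```

Run the lint before every restart of Filebeat, and hold the package afterwards (apt-mark hold filebeat) so an unattended upgrade does not replace 7.14.2 with a version Wazuh 4.2 does not support.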
Setting up Kibana for Wazuh
Install and configure the Kibana server step by step. To connect Wazuh with Kibana, the Wazuh plugin must be installed on the Kibana server.
apt install curl libcap2-bin
Add the Wazuh GPG key
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Add the apt source for Wazuh
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package lists
apt-get update
Create the Kibana data folder and hand it to the kibana user
sudo mkdir /usr/share/kibana/data
sudo chown -R kibana:kibana /usr/share/kibana/data
Installing the Wazuh plugin for Kibana
cd /usr/share/kibana
The plugin version must match both the Wazuh version (4.2.5) and the Kibana version (7.14.2); the file name encodes both, and a mismatched pair fails to load. Run the install as the kibana user so the plugin files are not left owned by root:
sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.14.2-1.zip
Enable the connection to the Wazuh API
nano /usr/share/kibana/data/wazuh/config/wazuh.yml
Change the default host entry so that it points at the master server's API (the API listens on HTTPS, port 55000):
hosts:
  - default:
      url: https://192.168.0.186
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
wazuh-wui / wazuh-wui is the default API user shipped with Wazuh. Change that password through the API's security endpoints and put the new one here before exposing the server; a default credential on a port open to the network is the first thing an attacker tries.
Restart Kibana. If all goes well, you can access the Wazuh app at http://192.168.0.183:5601/app/wazuh
The Wazuh app offers numerous security options: compliance dashboards, API integrations, agent management and many more tools to manage and protect multiple systems (macOS, Linux, Windows) as well as cloud environments such as Azure and AWS.
Wazuh agent
The Wazuh agent runs on Linux, Windows, macOS, Solaris, AIX and other operating systems. It can be deployed on laptops, desktops, servers, cloud instances, containers and virtual machines. It provides threat detection and prevention, and it collects system and application data which it transmits to the Wazuh server through an encrypted and authenticated channel.
Modules and security components
The Wazuh agent has a large number of modules and options. Below is a list of the components that can be configured per agent or per agent group (locally in the agent's ossec.conf, or centrally through the group's shared agent.conf pushed from the manager):
- Log data collection
- File integrity monitoring
- Auditing who-data
- Anomaly and malware detection
- Security Configuration Assessment
- Monitoring security policies
- Monitoring system calls
- Command monitoring
- Active response
- Agentless monitoring
- Anti-flooding mechanism
- Agent labels
- System inventory
- Vulnerability detection
- VirusTotal integration
- Osquery
- Agent key polling
- Fluentd forwarder
- Wazuh-Logtest
Wazuh EDR common use cases
Here are some common use cases for Wazuh EDR:
Detection of malware and other security threats
- Wazuh EDR can detect and alert on potential security threats, such as malware, viruses and ransomware, on endpoint devices. It uses a combination of signature-based and behavioral-based detection techniques to identify anomalies and potential threats.
File integrity monitoring
- Wazuh EDR can monitor changes to files on endpoint devices and alert on any suspicious or unauthorized changes. This can help identify potential tampering or malicious activity on the endpoint.
Network activity monitoring
- Wazuh EDR can monitor network activity on endpoint devices and alert on any suspicious or unauthorized network communication. This can help identify potential network-based attacks or data exfiltration.
System log analysis
- Wazuh EDR can monitor system logs on endpoint devices and alert on any suspicious or unusual activity. This can help identify potential security threats or system issues.
Compliance monitoring
- Wazuh EDR can be configured to monitor endpoint devices for compliance with security policies and regulations. It can alert on any non-compliant activity or configuration changes.
Summary
This guide has shown how to set up and configure the Wazuh Endpoint Detection and Response (EDR) platform. You have seen the system requirements for the Wazuh server, the components of the Wazuh platform (the Wazuh Manager, Elasticsearch and Kibana), and how to install the manager on a master and a worker node, join them into a cluster and run them as a system service. You have also seen how Filebeat forwards the manager's alerts to Elasticsearch with the password kept in its keystore, how to install the Wazuh plugin in Kibana for visualizing the data, which modules the Wazuh agent offers, and common use cases for Wazuh EDR.