Wazuh EDR (Endpoint detection and response)

Wazuh EDR (Endpoint Detection and Response) is the endpoint protection use of the Wazuh platform: agents on the endpoints feed a central manager that detects and responds to threats in near real time.

Detection combines signature-based rules (the ruleset applied to the collected logs) with behavioral checks such as file integrity monitoring, rootkit detection and security configuration assessment. Wazuh can be configured to monitor file, process and network activity, system logs and system configuration on each endpoint.

It can also respond to detected threats through active response scripts, for example dropping traffic from an attacking IP address with a host firewall rule or disabling an account; custom scripts can quarantine files or take any other action you define.

Wazuh EDR aims to give a single view of endpoint security and to help organizations respond quickly to security incidents.

Wazuh structure

The structure of Wazuh consists of the following main components:

  • Wazuh Manager: the central component of the platform. It receives events from agents and syslog sources, decodes and analyzes them against the ruleset, and raises alerts. It also hosts the security modules for threat detection and incident response (active response, vulnerability detection, agent and cluster management).
  • Elasticsearch: the search engine that indexes, stores and lets you query the alerts. It scales horizontally to large volumes of data.
  • Kibana: the visualization layer. The Wazuh plugin for Kibana adds the Wazuh dashboards and agent management screens on top of the data stored in Elasticsearch.
  • Agents: lightweight programs installed on servers, workstations and other devices. They collect logs, file integrity, inventory and configuration data and send it to the Wazuh Manager over an encrypted, authenticated channel.

Overall, the structure is designed to provide a single platform for detecting and responding to security threats, as well as for compliance and reporting, by combining the Elastic Stack with a set of specialized security tools. This guide targets Wazuh 4.2 with Elastic Stack 7.x; later Wazuh releases ship their own indexer and dashboard (OpenSearch-based) instead of Elasticsearch and Kibana, so check the documentation for your version before mixing components.

Wazuh Server System Requirements

The system requirements for a Wazuh server depend on the size of your environment and the volume of events you collect. General guidelines:

  • CPU: a modern CPU with multiple cores.
  • Memory: at least 8 GB of RAM; more if you collect and process large volumes of data.
  • Disk space: at least 50 GB free, depending on environment size and retention. Alerts are indexed in Elasticsearch, which can consume a significant amount of disk space over time.
  • Operating system: the Wazuh server (manager) runs on Linux (Debian, Ubuntu, CentOS, Red Hat, Amazon Linux). Windows and macOS are supported by the Wazuh agent, not by the server.

Use a dedicated server for the Wazuh components: the manager and Elasticsearch consume significant resources and would degrade other applications sharing the host.

| Server Role | System Requirements | Network Requirements | More Details |
|---|---|---|---|
| Wazuh Master Node | 8 GB memory, 4 cores, 100 GB disk | SSH (management) | Cluster management, rule creation, agent management and worker node management |
| Wazuh Worker Node | 8 GB memory, 4 cores, 100 GB disk | 9200 (Elasticsearch requests), 9300 (Elasticsearch cluster), SSH (management) | Agent management, forwarding alerts to the SIEM |

Ports 9200 and 9300 in the table are Elasticsearch ports: Filebeat on each Wazuh node ships alerts to 9200, and 9300 is used between Elasticsearch nodes. The ports the Wazuh nodes themselves listen on (1514, 1515, 1516 and 55000) are covered in the firewall section below.

Installing Ubuntu server for Wazuh EDR

During the Ubuntu Server installation, set the following on each Wazuh node:

  • a static IP address (agents and cluster nodes are configured by address, so it must not change)
  • DNS server address
  • server information (hostname)
  • user information (the administrative account you will use over SSH)

Firewall requirements

Allow the management port before enabling ufw; enabling the firewall first over an SSH session cuts that session off:

sudo ufw allow ssh comment "Management port"
sudo ufw enable

Open the ports for agent traffic, cluster communication and the API:

sudo ufw allow 1514 comment "Agents connection service"
sudo ufw allow 1515 comment "Agents registration service"
sudo ufw allow 1516 comment "Wazuh cluster daemon"
sudo ufw allow 55000 comment "Wazuh RESTful API"

Only agents need 1514 (events) and 1515 (enrollment). Port 1516 is used only between cluster nodes and 55000 only by the Kibana plugin and administrators, so on a production host restrict both to those source addresses (ufw accepts rules of the form "allow from <address> to any port <port> proto tcp") rather than opening them to every network.

Software requirements

Network tool installation

apt install net-tools

net-tools provides ifconfig and netstat, which you can use to confirm the address and listening ports of each server. Once the static address is confirmed you can administer all servers remotely with an SSH client such as PuTTY.

Prerequisites for Wazuh on all servers:

Installing software packages

apt install curl apt-transport-https lsb-release gnupg

Add the GPG key for Wazuh

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

Add the Wazuh source to apt

echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

apt-key is deprecated on Ubuntu 22.04 and later; there, import the key into a file under /usr/share/keyrings and reference it with a signed-by option in the sources entry, as the current Wazuh documentation shows. Either way, apt verifies the packages against the Wazuh key before installing them.

Installing Wazuh using apt

apt-get install wazuh-manager

The master and the workers use the same wazuh-manager package; repeat these steps on every node of the cluster.

Defining Master and Workers

To join the servers into a cluster, edit the <cluster> section of ossec.conf on each one. Exactly one node is the master; all others are workers.

Edit the configuration file on Wazuh01 (the master):

Set the cluster name, this node's name and role, the shared key and the master's address. The key must be 32 characters long and identical on every node; generate your own with "openssl rand -hex 16" rather than reusing the one shown here, since the key protects the cluster traffic and anyone holding it can talk to your cluster daemon. <nodes> holds the master's address on every node, including the master itself, and <bind_addr> 0.0.0.0 listens on all interfaces; bind to the cluster interface if the host has more than one.

nano /var/ossec/etc/ossec.conf
<cluster>
    <name>wazuh</name>
    <node_name>wazuh01</node_name>
    <node_type>master</node_type>
    <key>c98b62a9b61222c5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>192.168.0.186</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>

Edit the configuration file on Wazuh02 (a worker)

Change the node name and role; the cluster name, key and master address stay the same as on the master:

nano /var/ossec/etc/ossec.conf
<cluster>
    <name>wazuh</name>
    <node_name>wazuh02</node_name>
    <node_type>worker</node_type>
    <key>c98b62a9b61222c5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>192.168.0.186</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>

Setting up Wazuh as a system service

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Checking the cluster status: both servers, the master and the worker, should be listed as connected

systemctl status wazuh-manager
/var/ossec/bin/cluster_control -l
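A worker whose <cluster> block disagrees with the master (a different key, cluster name or port) simply never appears in the cluster_control listing, and the cause has to be dug out of ossec.log. The Python script below is an added example, not part of the original article or of Wazuh's own tooling: it parses the <cluster> section of each node's ossec.conf and reports the mismatches directly. The embedded configurations are constructed to mirror the master and worker blocks above; the key in them is a placeholder, and reading the real files from each node is left to the caller.

```python
import xml.etree.ElementTree as ET

# Constructed example configurations mirroring the master and worker <cluster>
# blocks in the text. The key is a placeholder for this example: generate your
# own with `openssl rand -hex 16` and use the same value on every node.
MASTER_CONF = """
<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh01</node_name>
    <node_type>master</node_type>
    <key>0123456789abcdef0123456789abcdef</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>192.168.0.186</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
"""

# The worker differs only in node name and role (assumed second node).
WORKER_CONF = MASTER_CONF.replace("wazuh01", "wazuh02").replace("master", "worker")


def parse_cluster(conf_text):
    """Return the <cluster> settings of one ossec.conf as a dict.

    A real ossec.conf contains several top-level <ossec_config> elements, which
    is not well-formed XML, so the whole text is wrapped in one root element
    before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    cluster = root.find(".//cluster")
    if cluster is None:
        raise ValueError("no <cluster> block found")
    settings = {child.tag: (child.text or "").strip()
                for child in cluster if child.tag != "nodes"}
    settings["nodes"] = sorted((n.text or "").strip()
                               for n in cluster.findall("nodes/node"))
    return settings


def validate_cluster(confs):
    """confs maps a host label to its ossec.conf text; returns a list of problems.

    Checks: exactly one master, unique node names, the same <name>, <key>,
    <port> and <nodes> on every node, a 32-character key, nothing disabled,
    and every worker pointing at a master address.
    """
    problems = []
    parsed = {host: parse_cluster(text) for host, text in confs.items()}

    masters = [h for h, c in parsed.items() if c.get("node_type") == "master"]
    if len(masters) != 1:
        problems.append(f"expected exactly one master, found {len(masters)}")

    for attr in ("name", "key", "port", "nodes"):
        values = {str(c.get(attr)) for c in parsed.values()}
        if len(values) != 1:
            problems.append(f"<{attr}> differs between nodes: {sorted(values)}")

    names = [c.get("node_name") for c in parsed.values()]
    if len(set(names)) != len(names):
        problems.append(f"duplicate node_name: {names}")

    for host, c in parsed.items():
        if c.get("node_type") not in ("master", "worker"):
            problems.append(f"{host}: invalid node_type {c.get('node_type')!r}")
        if len(c.get("key", "")) != 32:
            problems.append(f"{host}: key must be 32 characters long (openssl rand -hex 16)")
        if c.get("disabled", "no") != "no":
            problems.append(f"{host}: cluster is disabled")
        if c.get("node_type") == "worker" and not c["nodes"]:
            problems.append(f"{host}: worker has no master address in <nodes>")
    return problems


if __name__ == "__main__":
    result = validate_cluster({"wazuh01": MASTER_CONF, "wazuh02": WORKER_CONF})
    for line in result or ["cluster configuration is consistent"]:
        print(line)
```

In practice, copy /var/ossec/etc/ossec.conf from each node (for example with scp) and pass the file contents to validate_cluster keyed by hostname; an empty list means the blocks agree and the worker should show up in cluster_control once the service is running.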

Filebeat

Filebeat runs on each Wazuh node and ships the manager's alerts (/var/ossec/logs/alerts/alerts.json) directly to Elasticsearch, with no Logstash in between.

Filebeat software requirements

Import the Elastic PGP key

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Add the Elastic apt source

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

Install Filebeat 7.14.2 with apt. Pin this exact version: it matches the Kibana plugin used later (wazuh_kibana-4.2.5_7.14.2) and each Wazuh release supports specific Elastic Stack versions, so an unpinned install would pull a newer 7.x. After installing, mark the package held (apt-mark hold) so routine upgrades do not move it.

sudo apt-get update && sudo apt-get install filebeat=7.14.2

Save the password in the keystore

Rather than writing the Elasticsearch password into filebeat.yml in clear text, create a keystore if one does not exist:

filebeat keystore create

and store the password of the Elasticsearch user Filebeat will authenticate as (the key name ES_PWD is then referenced from filebeat.yml as ${ES_PWD}):

filebeat keystore add ES_PWD

Change Filebeat settings

Download the Wazuh Filebeat configuration and adjust it to your Elasticsearch cluster on each Wazuh node:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_elastic_cluster.yml

Download the Wazuh index template for Elasticsearch

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Edit /etc/filebeat/filebeat.yml

Set output.elasticsearch.hosts to your Elasticsearch node addresses, the username to the account whose password you stored, and the password to ${ES_PWD} so it is read from the keystore rather than the file; point the ssl settings at the CA and node certificates of your Elasticsearch cluster.

Check the Filebeat settings

filebeat test output

This connects to every configured Elasticsearch host and reports TLS and authentication results, so a wrong certificate path or keystore entry shows up here rather than as silently missing alerts in Kibana.

Setting up Kibana for Wazuh

Install and configure the Kibana server, then add the Wazuh plugin to it; the plugin talks to the Wazuh API on the master (port 55000) and reads alerts from Elasticsearch.

apt install curl libcap2-bin

Add Wazuh's GPG key

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

Add the apt source for Wazuh

echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the package lists

apt-get update

Create the Kibana data folder and grant permissions

sudo mkdir /usr/share/kibana/data
sudo chown -R kibana:kibana /usr/share/kibana/data

Installing the Wazuh plugin for Kibana

cd /usr/share/kibana

The plugin file name encodes both versions it is built for: Wazuh 4.2.5 and Kibana 7.14.2. It must match the installed manager and Kibana versions, so check the Wazuh compatibility matrix before choosing a different file. Run the install as the kibana user so the plugin files are not left owned by root:

sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.14.2-1.zip

Enable the connection to the Wazuh API

nano /usr/share/kibana/data/wazuh/config/wazuh.yml

Change the default host entry to the address of the master server:

url: https://192.168.0.186
port: 55000
username: wazuh-wui
password: wazuh-wui
run_as: false

wazuh-wui / wazuh-wui are the API's default credentials and are public knowledge; change that password through the API's /security/users endpoint and put the new value here before exposing the dashboard to anyone.

Restart Kibana; if all goes well, Wazuh is reachable at http://192.168.0.183:5601/app/wazuh. Kibana is served over plain HTTP here, so put TLS in front of it before using it outside the lab.

The Wazuh app offers security options, compliance views, API integrations, agent management and many more tools to manage and protect systems (macOS, Linux, Windows) and cloud environments such as Azure and AWS.

Wazuh Agent

The Wazuh agent runs on Linux, Windows, macOS, Solaris, AIX and other operating systems, on laptops, desktops, servers, cloud instances, containers and virtual machines. It provides threat detection and prevention and collects system and application data, which it sends to the Wazuh server over an encrypted, authenticated channel (enrollment on port 1515, events on port 1514).

Modules and security components

The agent has a large number of modules and options (log collection, file integrity monitoring, security configuration assessment, rootkit detection, system inventory and active response, among others), each of which can be configured per agent or per group of agents from the manager.

Wazuh EDR common use cases

Here are some common use cases for Wazuh EDR:

  • Detection of malware and other security threats: Wazuh EDR detects and alerts on threats such as malware, viruses and ransomware on endpoint devices, combining signature-based rules with behavioral detection to identify anomalies.
  • File integrity monitoring: Wazuh EDR monitors changes to files on endpoints and alerts on suspicious or unauthorized changes, which helps identify tampering or malicious activity.
  • Network activity monitoring: Wazuh EDR monitors network activity on endpoints and alerts on suspicious or unauthorized communication, which helps identify network-based attacks or data exfiltration.
  • System log analysis: Wazuh EDR analyzes system logs from endpoints and alerts on suspicious or unusual activity, such as repeated authentication failures, which can reveal security threats or system issues.
  • Compliance monitoring: Wazuh EDR can check endpoints against security policies and regulations and alert on non-compliant activity or configuration changes.
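Every use case above ends in alerts that the manager writes, one JSON object per line, to /var/ossec/logs/alerts/alerts.json. The Python script below is an added example, not part of the original article or of Wazuh's own tooling: it runs three of the use cases (file integrity monitoring on sensitive paths, system log analysis for SSH brute force, and severity triage) over a handful of constructed alert lines in that format. The sample alerts, the sensitive-path prefixes and the failure threshold are assumptions chosen for the example; the rule ids are stock Wazuh ruleset ids, but the alert contents are made up.

```python
import json
from collections import Counter

# Constructed sample alerts in the shape of /var/ossec/logs/alerts/alerts.json
# (one JSON object per line). Written for this example; rule ids 550, 554,
# 5710 and 5712 exist in the stock ruleset, the hosts and IPs are invented.
SAMPLE_ALERTS = """
{"timestamp":"2023-01-10T08:00:01+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/etc/passwd","event":"modified"}}
{"timestamp":"2023-01-10T08:00:05+0000","rule":{"level":5,"id":"554","description":"File added to the system.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/var/www/html/up.php","event":"added"}}
{"timestamp":"2023-01-10T08:00:09+0000","rule":{"level":5,"id":"554","description":"File added to the system.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/tmp/build.log","event":"added"}}
{"timestamp":"2023-01-10T08:01:00+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db01"},"data":{"srcip":"203.0.113.7","srcuser":"admin"}}
{"timestamp":"2023-01-10T08:01:02+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db01"},"data":{"srcip":"203.0.113.7","srcuser":"oracle"}}
{"timestamp":"2023-01-10T08:01:04+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db01"},"data":{"srcip":"203.0.113.7","srcuser":"test"}}
{"timestamp":"2023-01-10T08:01:30+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db01"},"data":{"srcip":"198.51.100.9","srcuser":"bob"}}
{"timestamp":"2023-01-10T08:01:05+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"]},"agent":{"id":"002","name":"db01"},"data":{"srcip":"203.0.113.7"}}
"""

# Assumed list of paths where any FIM change deserves a look.
SENSITIVE_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/", "/var/www/")


def load_alerts(text):
    """Parse alerts.json content; blank and malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def groups(alert):
    return alert.get("rule", {}).get("groups", [])


def fim_changes(alerts, prefixes=SENSITIVE_PREFIXES):
    """File integrity monitoring: (agent, event, path) for changes under sensitive paths."""
    hits = []
    for a in alerts:
        if "syscheck" not in groups(a):
            continue
        path = a.get("syscheck", {}).get("path", "")
        if path.startswith(prefixes):
            hits.append((a["agent"]["name"], a["syscheck"].get("event", "?"), path))
    return hits


def failed_logins_by_source(alerts, threshold=3):
    """System log analysis: source IPs with at least `threshold` authentication failures."""
    counts = Counter()
    for a in alerts:
        if "authentication_failed" in groups(a):
            src = a.get("data", {}).get("srcip")
            if src:
                counts[src] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def high_severity(alerts, min_level=10):
    """Severity triage: (level, rule id, agent, description) at or above min_level."""
    return sorted(
        (a["rule"]["level"], a["rule"]["id"], a["agent"]["name"], a["rule"]["description"])
        for a in alerts
        if a.get("rule", {}).get("level", 0) >= min_level
    )


def summarize(text):
    """Run all three checks over raw alerts.json text and return one report dict."""
    alerts = load_alerts(text)
    return {
        "total": len(alerts),
        "fim_sensitive": fim_changes(alerts),
        "brute_force_sources": failed_logins_by_source(alerts),
        "high_severity": high_severity(alerts),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ALERTS), indent=2))
```

On a manager, the same functions can be pointed at the real file (summarize(open("/var/ossec/logs/alerts/alerts.json").read())); note that the addition under /tmp is deliberately not reported, which is the kind of path filtering you would otherwise express as a Wazuh rule or a syscheck ignore entry.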

Summary

This guide covered how to set up Wazuh as an EDR platform: the system requirements for the Wazuh server, the components of the platform (Wazuh Manager, Elasticsearch and Kibana), installing the manager on master and worker nodes and joining them into a cluster, running Wazuh as a system service, using Filebeat to ship the manager's alerts to Elasticsearch, and setting up Kibana with the Wazuh plugin to visualize them. It also outlined the Wazuh agent and the common use cases for Wazuh EDR.
