aashishrbhandari/WaZuh-Security-Insights

WaZuh Security Insights and Enhancements

Welcome to WaZuh Security Insights and Enhancements.

This project serves as a comprehensive resource for anyone interested in leveraging WaZuh for Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). Here you'll find a collection of valuable enhancements, custom dashboards, and personal learnings.

  1. Comprehensive Overview: Instantly access a complete overview of all security events detected by WaZuh, providing a clear and concise snapshot of the current security landscape.
  2. Insightful Dashboards: Utilize these dashboards to thoroughly review and analyze security insights identified by WaZuh, enabling a deeper understanding of potential threats and vulnerabilities.
  3. Periodic Reviews: Leverage these dashboards for regular reviews of security events, helping to systematically narrow down findings and focus on critical issues.
  4. Advanced Filtering: Each field within the dashboard offers powerful filtering capabilities, allowing for detailed insights and the ability to drill down into specific events for more granular analysis.

What's Inside:

  1. Custom Dashboards: Dive into Custom dashboards that visualize critical security metrics and insights.

  2. Enhancements: Explore various improvements and tweaks to optimize WaZuh's functionality.

  3. Learnings: Benefit from my experiences and key takeaways while working with WaZuh XDR and SIEM.

  4. Resources: Access documentation and guides to help you get started and make the most out of WaZuh.


Custom Dashboards

1. Overview of the Dashboards:        [Full View ↗]

  - CISO Dashboard | Security Anomaly Detection
  - CISO Dashboard | AWS Security
  - CISO Dashboard | System Anomaly Detection

Dashboard Exports

  - CISO Dashboard | Security Anomaly Detection: Download
  - CISO Dashboard | AWS Security: Download
  - CISO Dashboard | System Anomaly Detection: Download

Note: The dashboards above are exported in ndjson format. Download the file, then follow the steps below.


2. How to Integrate:

  1. In the WaZuh dashboard, go to Stack Management ➔ Saved Objects ➔ Import and select the downloaded ndjson file.

Enhancements:

A) WaZuh External API Integrations

1. Monitoring Email Overview        [Full View ↗]

  - FIM Email Alert
  - GuardDuty Email Alert

2. How to Integrate:

Step 1: Download the Custom Integration Script

  - Custom Alerts Email PY (custom-alerts-email.py): Go to Download

Step 2: Setup the Script File

Place the script in /var/ossec/integrations/

Set ownership and permissions. The manager's integrator daemon runs as the wazuh user, so the script must be readable and executable by that group:

chown root:wazuh /var/ossec/integrations/custom-alerts-email.py
chmod 750 /var/ossec/integrations/custom-alerts-email.py

Step 3: Integration in WaZuh

Add the <integration> blocks below to the WaZuh manager's ossec.conf (inside <ossec_config>), then restart the manager so the integrator picks them up. The <api_key> value is passed to the script and is used here only as a formatter selector, not as a credential.

<!-- For GuardDuty: Custom GuardDuty Formatter -->
<integration>
    <name>custom-alerts-email.py</name>
    <hook_url>[email protected]</hook_url>
    <group>aws_guardduty</group>
    <api_key>Guardduty</api_key>
    <alert_format>json</alert_format>
</integration>

<!-- For FIM: Custom FIM Formatter -->
<integration>
    <name>custom-alerts-email.py</name>
    <hook_url>[email protected]</hook_url>
    <group>syscheck</group>
    <api_key>FIM</api_key>
    <alert_format>json</alert_format>
</integration>

<!-- For SG: Custom SecurityGroups Formatter -->
<integration>
    <name>custom-alerts-email.py</name>
    <hook_url>[email protected]</hook_url>
    <group>aws_cloudtrail_securitygroups</group> <!-- A custom rule group must be created that contains all SG-related events -->
    <api_key>SecurityGroups</api_key>
    <alert_format>json</alert_format>
</integration>

<!-- For Any: Custom for Any - Set blank for api_key -->
<integration>
    <name>custom-alerts-email.py</name>
    <hook_url>[email protected]</hook_url>
    <group>ossec</group>
    <api_key></api_key>
    <alert_format>json</alert_format>
</integration>
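To show how the four <integration> blocks above map onto a script, here is an added example of a minimal custom email integration. It is not the repository's custom-alerts-email.py; it assumes the invocation contract Wazuh's own integration scripts use (alert file path, api_key, hook_url as the three positional arguments), uses the <api_key> value to choose a formatter and the <hook_url> value as the recipient, and ships with constructed sample alerts (the FIM field layout under `syscheck` and the AWS fields under `data.aws` are assumptions based on the usual Wazuh alert shape) so it can be exercised offline:

```python
#!/usr/bin/env python3
"""Hypothetical custom email integration for the Wazuh manager (added example).

Assumed invocation contract, the same one Wazuh's own integration scripts use:
  argv[1]  path of a temporary file holding ONE alert as JSON
  argv[2]  the <api_key> value from ossec.conf (used here to pick a formatter)
  argv[3]  the <hook_url> value from ossec.conf (used here as the recipient)
"""
import json
import smtplib
import sys
from email.message import EmailMessage

def format_fim(alert):
    """Subject/body for a syscheck (FIM) alert; fields read from the top-level 'syscheck' object."""
    rule = alert.get("rule", {})
    sc = alert.get("syscheck", {})
    agent = alert.get("agent", {}).get("name", "unknown")
    subject = f"[Wazuh FIM] {sc.get('event', 'changed')}: {sc.get('path', '?')} on {agent}"
    body = "\n".join([
        f"Rule {rule.get('id')} (level {rule.get('level')}): {rule.get('description')}",
        f"Agent: {agent}",
        f"Path: {sc.get('path')}",
        f"Event: {sc.get('event')}",
        f"SHA256 after: {sc.get('sha256_after', 'n/a')}",
        f"Time: {alert.get('timestamp')}",
    ])
    return subject, body

def format_guardduty(alert):
    """Subject/body for a GuardDuty finding ingested by the AWS module (fields under data.aws)."""
    aws = alert.get("data", {}).get("aws", {})
    subject = (f"[Wazuh GuardDuty] {aws.get('type', 'finding')} "
               f"(severity {aws.get('severity', '?')}) in {aws.get('region', '?')}")
    body = "\n".join([
        f"Title: {aws.get('title')}",
        f"Account: {aws.get('accountId')}",
        f"Region: {aws.get('region')}",
        f"Time: {alert.get('timestamp')}",
    ])
    return subject, body

def format_securitygroups(alert):
    """Subject/body for a CloudTrail security-group change (fields under data.aws)."""
    aws = alert.get("data", {}).get("aws", {})
    who = aws.get("userIdentity", {}).get("arn", "unknown")
    subject = f"[Wazuh SG] {aws.get('eventName', 'change')} by {who}"
    body = "\n".join([
        f"Event source: {aws.get('eventSource')}",
        f"Request: {json.dumps(aws.get('requestParameters', {}), sort_keys=True)}",
        f"Time: {alert.get('timestamp')}",
    ])
    return subject, body

def format_generic(alert):
    """Fallback used when <api_key> is blank or unknown: rule summary plus the raw alert."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {}).get("name", "unknown")
    subject = f"[Wazuh] level {rule.get('level', '?')}: {rule.get('description', 'alert')} on {agent}"
    return subject, json.dumps(alert, indent=2, sort_keys=True)

# The <api_key> values from the ossec.conf blocks select the formatter; anything else is generic.
FORMATTERS = {"Guardduty": format_guardduty, "FIM": format_fim, "SecurityGroups": format_securitygroups}

def build_email(alert, api_key):
    """Return {'subject', 'body'} for an alert dict; unknown or blank api_key falls back to generic."""
    subject, body = FORMATTERS.get(api_key, format_generic)(alert)
    return {"subject": subject, "body": body}

def load_alert(path):
    """Read the single-alert JSON file the integrator hands to the script."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def send_email(mail, recipient, sender="wazuh@localhost", smtp_host="localhost"):
    """Deliver via a local MTA; the sender and SMTP host are assumptions for this example."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = mail["subject"], sender, recipient
    msg.set_content(mail["body"])
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)

# Constructed sample alerts (not captured from a real manager) for offline testing.
SAMPLE_FIM = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
    "agent": {"name": "web-01"},
    "syscheck": {"path": "/etc/passwd", "event": "modified", "sha256_after": "0" * 64},
}
SAMPLE_GUARDDUTY = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"id": "000001", "level": 10, "description": "GuardDuty finding (constructed)"},
    "agent": {"name": "aws-collector"},
    "data": {"aws": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5,
                     "region": "us-east-1", "title": "Unprotected port is being probed.",
                     "accountId": "123456789012"}},
}

if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: custom-alerts-email.py <alert_file> <api_key> <hook_url>")
    send_email(build_email(load_alert(sys.argv[1]), sys.argv[2]), sys.argv[3])
```

Keeping the formatting in pure functions that return the subject and body, separate from the SMTP call, is what makes the script testable without a mail server; the same split also lets you add a formatter for a new <group> by adding one entry to FORMATTERS rather than another <integration> script.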

Learnings:

Note: To be added soon, work in progress.

Resources:

A quick overview of WaZuh components

(Figure: WaZuh architecture)

Resources:

  - WaZuh Docs: Go to Link
  - WaZuh Docker Installation: Go to Link
  - AWS XDR Integrations: Go to Link
  - Proof of Concepts: Go to Link
