Welcome to WaZuh Security Insights and Enhancements,
This project serves as a comprehensive resource for anyone interested in leveraging WaZuh for Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). Here you'll find a collection of valuable enhancements, custom dashboards, and personal learnings.
- Comprehensive Overview: Instantly access a complete overview of all security events detected by WaZuh, providing a clear and concise snapshot of the current security landscape.
- Insightful Dashboards: Utilize these dashboards to thoroughly review and analyze security insights identified by WaZuh, enabling a deeper understanding of potential threats and vulnerabilities.
- Periodic Reviews: Leverage these dashboards for regular reviews of security events, helping to systematically narrow down findings and focus on critical issues.
- Advanced Filtering: Each field within the dashboard offers powerful filtering capabilities, allowing for detailed insights and the ability to drill down into specific events for more granular analysis.
- Custom Dashboards: Dive into custom dashboards that visualize critical security metrics and insights.
- Enhancements: Explore various improvements and tweaks to optimize WaZuh's functionality.
- Learnings: Benefit from my experiences and key takeaways while working with WaZuh XDR and SIEM.
- Resources: Access documentation and guides to help you get started and make the most out of WaZuh.
1. Overview of the Dashboards: [Full View ↗]

| Dashboard | Exports |
|---|---|
| CISO Dashboard \| Security Anomaly Detection | Download |
| CISO Dashboard \| AWS Security | Download |
| CISO Dashboard \| System Anomaly Detection | Download |

Note: The dashboards above are exported in ndjson format; download the file and then follow the steps below.
2. How to Integrate:
- Go to WaZuh ➔ Stack Management ➔ Saved Objects ➔ Import
- CISO Dashboard | Security Anomaly Detection Download ➔
- CISO Dashboard | System Anomaly Detection Download ➔
- CISO Dashboard | AWS Security Download ➔
A) WaZuh External API Integrations ↗
1. Monitoring Email Overview
2. How to Integrate:
Step 1: Download the Custom Integration Script
| Resources | Link |
|---|---|
| Custom Alerts Email PY | Go to Download |
Step 2: Set up the Script File

Add this script inside: /var/ossec/integrations/

Set permissions (owned by root, readable and executable by the wazuh group only):

```shell
chown root:wazuh /var/ossec/integrations/custom-alerts-email.py
chmod 750 /var/ossec/integrations/custom-alerts-email.py
```
Step 3: Integration in WaZuh

Use the XML section below inside the WaZuh manager's ossec.conf. Each block routes the alerts of one rule group to the script; api_key is used here only as a label that tells the script which formatter to apply.

```xml
<!-- For GuardDuty: Custom GuardDuty Formatter -->
<integration>
  <name>custom-alerts-email.py</name>
  <hook_url>[email protected]</hook_url>
  <group>aws_guardduty</group>
  <api_key>Guardduty</api_key>
  <alert_format>json</alert_format>
</integration>

<!-- For FIM: Custom FIM Formatter -->
<integration>
  <name>custom-alerts-email.py</name>
  <hook_url>[email protected]</hook_url>
  <group>syscheck</group>
  <api_key>FIM</api_key>
  <alert_format>json</alert_format>
</integration>

<!-- For SG: Custom SecurityGroups Formatter -->
<integration>
  <name>custom-alerts-email.py</name>
  <hook_url>[email protected]</hook_url>
  <group>aws_cloudtrail_securitygroups</group> <!-- A custom rule group containing all Security Group related events needs to be created -->
  <api_key>SecurityGroups</api_key>
  <alert_format>json</alert_format>
</integration>

<!-- For Any: Custom for Any - Set blank for api_key -->
<integration>
  <name>custom-alerts-email.py</name>
  <hook_url>[email protected]</hook_url>
  <group>ossec</group>
  <api_key></api_key>
  <alert_format>json</alert_format>
</integration>
```
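To show how the ossec.conf blocks above reach a script, here is an added example of a minimal custom integration written for this page; it is not the project's own custom-alerts-email.py. It relies on Wazuh's documented calling convention for custom integrations (`<script> <alert_file> <api_key> <hook_url>`), and assumes, as the configuration above implies, that api_key selects the formatter (Guardduty, FIM, SecurityGroups, or blank for a generic message) and hook_url carries the recipient address. The SMTP host, sender address, sample alert and the alert field names used by each formatter are assumptions based on Wazuh's standard alert layout.

```python
#!/usr/bin/env python3
"""Minimal Wazuh custom integration that e-mails alerts (added example).

Wazuh runs integration scripts as:  <script> <alert_file> <api_key> <hook_url>
Assumed here: api_key = formatter label (Guardduty / FIM / SecurityGroups / ""),
hook_url = recipient e-mail address, matching the ossec.conf blocks above.
"""
import json
import smtplib
import sys
from email.message import EmailMessage

SMTP_HOST = "localhost"                # assumption: local MTA relays mail
SENDER = "wazuh@manager.example"       # placeholder sender address

# Constructed sample alert in Wazuh's FIM (syscheck) layout, for a dry run.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
    "agent": {"name": "web-01"},
    "syscheck": {"path": "/etc/passwd", "event": "modified",
                 "sha256_after": "0" * 64},
}


def load_alert(path):
    """Read the single JSON alert Wazuh writes to the temporary alert file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def format_alert(alert, formatter):
    """Return (subject, body); the formatter decides which fields are pulled out."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {}).get("name", "manager")
    desc = rule.get("description", "no description")
    header = f"[Wazuh][L{rule.get('level', 0)}] {desc}"
    lines = [f"Agent: {agent}", f"Rule {rule.get('id', '?')}: {desc}",
             f"Time: {alert.get('timestamp', '?')}"]
    aws = alert.get("data", {}).get("aws", {})   # AWS module places payloads here
    if formatter == "Guardduty":
        lines += [f"Finding type: {aws.get('type', '?')}",
                  f"Severity: {aws.get('severity', '?')}",
                  f"Region: {aws.get('region', '?')}"]
        return f"{header} (GuardDuty)", "\n".join(lines)
    if formatter == "FIM":
        sc = alert.get("syscheck", {})
        lines += [f"Path: {sc.get('path', '?')}", f"Event: {sc.get('event', '?')}",
                  f"SHA256 after: {sc.get('sha256_after', '?')}"]
        return f"{header} (FIM)", "\n".join(lines)
    if formatter == "SecurityGroups":
        lines += [f"API call: {aws.get('eventName', '?')}",
                  f"Caller: {aws.get('userIdentity', {}).get('arn', '?')}",
                  f"Source IP: {aws.get('sourceIPAddress', '?')}"]
        return f"{header} (Security Groups)", "\n".join(lines)
    # Blank api_key: generic message carrying the whole alert for triage.
    lines.append("Full alert:\n" + json.dumps(alert, indent=2, sort_keys=True))
    return header, "\n".join(lines)


def send_email(recipient, subject, body, host=SMTP_HOST):
    """Deliver the formatted alert through the (assumed) local SMTP relay."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)


def main(argv):
    if len(argv) > 1 and argv[1] == "--demo":       # offline dry run, no mail sent
        subject, body = format_alert(SAMPLE_ALERT, "FIM")
        print(subject, body, sep="\n")
        return 0
    if len(argv) < 4:
        sys.stderr.write("usage: custom-alerts-email.py <alert_file> <api_key> <hook_url>\n")
        return 2
    subject, body = format_alert(load_alert(argv[1]), argv[2])
    send_email(argv[3], subject, body)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script with `--demo` prints the FIM rendering of the constructed sample without touching SMTP; under Wazuh it is invoked by the manager with the three positional arguments, so the blank `<api_key></api_key>` block above falls through to the generic formatter.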
Note: To be added soon, work in progress
A quick overview of WaZuh components

| Resources | Link |
|---|---|
| WaZuh Docs | Go to Link |
| WaZuh Docker Installation | Go to Link |
| AWS XDR Integrations | Go to Link |
| Proof of Concepts | Go to Link |