WAZUH Stuff

Overview

Wazuh XDR use cases' integrator scripts

Rule ID

• Wazuh Rule [between 0 and 99999]
• Custom Rule between 100000 and 120000
  • Custom Integrator Rule [between 110000 and 119999][::200] by files

• Prerequisites
• Usage
• Wazuh Utils
• Wazuh Capabilities
• Wazuh Integrations
• References

Prerequisites

• Have Wazuh Installed Installation Guide or Wazuh Docker Bundle
• Groups creation on Wazuh Dashobard
  • w1ndows_s0urces for Windows Endpoint
  • l1nux_s0urces for Linux Endpoint
• Configuration - Create the .env file for credentials. Take .env-example as reference

Usage - Deploying

• clone repo into wazuh server(manager) and exec the following command for the utilities

# global configuration
bash ./bin/update_manager_config.sh

# configuration for windows endpoint
bash ./bin/update_windows_sources.sh
bash ./bin/update_windows_rules.sh

# configuration for linux edpoint
bash ./bin/update_linux_sources.sh

Wazuh Utils

• Wazuh Email CSVReporting
• Wazuh Indexer Rollup

Wazuh Capabilities

wc001 - Vulnerability detection

• How it works

wc002 - System inventory

• How it works

wc003 - Security Configuration Assessment (SCA)

• How it works
• SCA - blog

wc004 - File integrity monitoring (FIM)

• How it works

wc005 - Log data collection

• How it works

wc006 - Command monitoring

• How it works

wc007 - Active Response

• Pending

wc008 - Osquery

• How it works

Wazuh Integration

wi000 - Slack Integration

• Alert Notification

wi001 - Sysmon Integration

• Windows Edpoint
• Linux Endpoint - Pending

wi002 - YARA Integration

• Windows/Linux Edpoint

Refences

• Wazuh Server Administration
• Proof of Concept Guide
• Wazuh Blog