Security Monitoring with Wazuh

By: Rajneesh Gupta

Overview of this book

Explore the holistic solution that Wazuh offers to improve your organization’s cybersecurity posture with this insightful guide. Security Monitoring with Wazuh is a comprehensive resource, covering use cases, tool integration, and compliance monitoring to equip you with the skills you need to build an enterprise-level defense system. The book begins by setting up an Intrusion Detection System (IDS), integrating the open-source tool Suricata with the Wazuh platform, and then explores topics such as network and host-based intrusion detection, monitoring for known vulnerabilities, exploits, and detecting anomalous behavior. As you progress, you’ll learn how to leverage Wazuh’s capabilities to set up Security Orchestration, Automation, and Response (SOAR). The chapters will lead you through the process of implementing security monitoring practices aligned with industry standards and regulations. You’ll also master monitoring and enforcing compliance with frameworks such as PCI DSS, GDPR, and MITRE ATT&CK, ensuring that your organization maintains a strong security posture while adhering to legal and regulatory requirements. By the end of this book, you’ll be proficient in harnessing the power of Wazuh and have a deeper understanding of effective security monitoring strategies.
Table of Contents (15 chapters)

Part 1: Threat Detection
Part 2: Threat Intelligence, Automation, Incident Response, and Threat Hunting
Part 3: Compliance Management
Chapter 9: Glossary

What is an IDS?

An IDS works by monitoring network traffic, system logs, and other relevant information to identify and analyze patterns and signatures associated with known threats or abnormal behavior. The primary goal of an IDS is to detect and alert security administrators about potential threats or breaches. When an IDS identifies suspicious behavior or patterns, it generates an alert, notifying the security team to take appropriate action.

Types of IDS

There are two main types of IDS: network-based IDS (NIDS) and host-based IDS (HIDS). The main difference between a NIDS and a HIDS is the monitoring scope and the types of activity they detect. The following table summarizes the differences:

Scope
  NIDS: Works at the network level, monitoring the data going to and from different devices to look for abnormal behaviors or events that might indicate an intrusion.
  HIDS: Installed directly on the host; monitors log files, system calls, file integrity, and other host-specific files for any unusual activity.

Location
  NIDS: Functions at one or more central places in a network's infrastructure to monitor and analyze the traffic going through those points.
  HIDS: Operates locally on individual hosts or devices, keeping an eye on actions that are unique to that machine.

Detection focus
  NIDS: Detects network attacks and anomalies: port scans, DoS attacks, intrusion attempts, and other threats to the network infrastructure.
  HIDS: Monitors host activity: unauthorized access, file system changes, critical system file modifications, and suspicious processes or behaviors that may indicate a compromised host.

Popular tools
  NIDS: Suricata, Snort
  HIDS: Wazuh, OSSEC

Table 1.1 – NIDS versus HIDS
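The two ideas the chapter has introduced so far, an IDS matching log lines against known patterns and raising an alert (the "What is an IDS?" paragraph) and the HIDS detection focus on log activity and file-integrity changes (the table above), can be seen together in one small script. The following Python program is an added example written for this page; it is not code from the book, from Wazuh or from OSSEC. The rule names, alert levels, the five-failure threshold and the syslog-style log lines are all constructed for illustration. A production HIDS such as Wazuh expresses the same two mechanisms as XML decoders and rules for log analysis and as a file-integrity (syscheck) configuration.

```python
"""Toy host-based IDS: signature/threshold matching over log lines plus a
file-integrity baseline check.  Added example, not code from the book or
from Wazuh; rule names, levels, threshold and log lines are constructed."""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample auth log (syslog style); no real host is represented.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 web01 sshd[2001]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
Jan 10 10:00:07 web01 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 10 10:00:09 web01 sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 10:00:11 web01 sshd[2004]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 10 10:00:13 web01 sshd[2005]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 10 10:00:15 web01 sshd[2006]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jan 10 10:01:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# Signatures: a regex that decodes the interesting fields out of a log line.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_COMMAND = re.compile(r"sudo:\s+(\S+) : .* COMMAND=(.+)$")
# Constructed threshold: repeated failures from one source become ONE alert,
# which is how an IDS turns many raw events into a meaningful notification.
FAILED_THRESHOLD = 5


def analyze_auth_log(log_text):
    """Run the signature rules over each line and return the alerts raised."""
    alerts = []
    failures_by_source = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            user, source = m.groups()
            failures_by_source[source] += 1
            if failures_by_source[source] == FAILED_THRESHOLD:
                alerts.append({"rule": "ssh_bruteforce", "level": 10,
                               "source": source, "last_user": user})
            continue
        m = SUDO_COMMAND.search(line)
        if m:
            user, command = m.groups()
            alerts.append({"rule": "sudo_command", "level": 3,
                           "user": user, "command": command})
    return alerts


def build_baseline(paths):
    """Hash every monitored file; the result is the trusted baseline."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def check_integrity(baseline):
    """Compare each baselined file with its current state and return one
    alert per modified or deleted file (an empty list means no change)."""
    alerts = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append({"rule": "file_deleted", "level": 7, "path": path})
            continue
        if hashlib.sha256(p.read_bytes()).hexdigest() != expected:
            alerts.append({"rule": "file_modified", "level": 7, "path": path})
    return alerts


def demo_integrity():
    """Self-contained FIM demo in a temporary directory: baseline two files,
    then tamper with one and delete the other.  Returns the sorted rule names."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "sshd_config")
        shadow = Path(tmp, "shadow")
        cfg.write_text("PermitRootLogin no\n")            # constructed content
        shadow.write_text("root:*:19000:0:99999:7:::\n")  # constructed content
        baseline = build_baseline([cfg, shadow])
        assert check_integrity(baseline) == []            # nothing changed yet
        cfg.write_text("PermitRootLogin yes\n")           # constructed tampering
        shadow.unlink()
        return sorted(a["rule"] for a in check_integrity(baseline))


if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_AUTH_LOG):
        print("ALERT", alert)
    print("FIM", demo_integrity())
```

The log side is the signature model from the definition above: each line is decoded with a regex, and a stateful counter converts five failures from one source into a single high-level alert instead of five noisy ones. The file side is the HIDS focus from the table: a hash baseline is the only state needed to detect a modified or deleted critical file.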

In the following diagram, you can see that a NIDS is installed to monitor network traffic while a HIDS monitors individual devices.

Figure 1.1 – NIDS versus HIDS
