Register to 4Geeks
Wazuh: Installation and Endpoint Configuration to protect your machines with with this endpoint detection and response agent
Before you start...
We need you! These exercises are created and maintained in collaboration with people like you. If you find any errors or typos, please contribute and/or report them.
🌱 How to Start This Project
This exercise comprises three stages:
- Download and install Wazuh from a virtual machine (according to the official documentation).
- Download and install the Wazuh agent on another machine/endpoint (in this case, we will use Kali Linux).
- Evaluate or monitor the EDR (Endpoint Detection and Response) of the Kali machine on the Wazuh dashboard.
📝 Instructions
Install Wazuh on a Machine to Use as a Server
Wazuh can generate real-time alerts based on events collected from endpoints, allowing you to act quickly on security incidents. This is crucial for an effective EDR, as it enables security teams to investigate and respond to threats before they cause damage. Let's start with the installation based on VirtualBox.
- Download the Wazuh OVA image.
- Change the graphics controller in VirtualBox Turn off the virtual machine if it is running and go to the machine's settings in VirtualBox. Navigate to the Display section, and in the
Graphics Controllersection, selectVMSVGA. - Save the changes, reboot the virtual machine, and log in with the credentials provided in the official documentation.
1user: wazuh-user 2password: wazuh
- Run the following commands to update the machine:
1sudo -i
- Find the machine's IP and use the obtained IP to access the Wazuh dashboard from a browser using the following URL:
1https:<IP_DE_TU_MAQUINA>/app/login
💡 You can do this from your host machine.
- Finally, log in to the Wazuh interface with the credentials provided in the documentation.
1user: admin 2password: admin
Configure the Endpoints
To perform a test with Wazuh as an EDR, you can add some endpoints (machines with Wazuh agents) that will simulate network activity.
Agents in Wazuh are software installed on endpoints, such as servers, workstations, or devices, to monitor the security of those systems. These agents collect security data and events from the endpoints and send them to the Wazuh Manager, where they are analyzed to detect threats, vulnerabilities, and anomalies.
Install and configure the Wazuh agent on Linux (in our case, Kali Linux)
- In the server management > endpoints summary option, add a new agent. You will see a view like this.
- Select the operating system of the endpoint you want to add, its architecture, the IP address of the Wazuh server we created earlier, and a label/name for that endpoint. Once done, it will generate a command for you to run on the endpoint (in our case, the Linux machine).
- Once you have pasted the command generated by Wazuh and the installation is complete, run the following commands on the same endpoint machine:
1sudo systemctl daemon-reload 2sudo systemctl enable wazuh-agent 3sudo systemctl start wazuh-agent
If everything goes well, click close and look for the active agents in the panel. You will see a view like this.
Monitor Activity in the Wazuh Dashboard
To monitor changes and events in the Wazuh dashboard using the EDR functionality, you can perform several actions on your Kali system that will generate alerts and events.
Threat Simulation
After performing these actions, you can check the Wazuh dashboard under the Threat Hunting option for the specific endpoint. You will see something like this:
⚠ The Wazuh dashboard updates automatically every 15 minutes. If you don’t see the changes reflected immediately, wait until the next automatic update. If after 15 minutes you still don’t see the changes, check the agent logs to ensure there are no errors in the configuration or in the connection to the server.
You’re all set, you’ve successfully installed Wazuh and used it as an EDR! 😎