How to deploy a SIEM and add Agents

May 22, 2025

How to deploy a SIEM (Security Information and Event Management) using Wazuh


Wazuh is an open source SIEM that can perform many different cybersecurity functions. Here are some of the things it covers: endpoint security, threat intelligence, security operations and cloud security. It is a great way to practice in a home lab environment, configure your own SIEM at home and protect your home network.

Here's what you'll see

  • Installing a SIEM using a virtual machine.
  • Configuring your network to use the right parameters to interact with the SIEM.
  • Adding an agent on an endpoint, which will allow you to monitor specific hosts on your network.

The Wazuh website and the OVA deployment guide are linked in the Notes at the end of this post.
This install of Wazuh uses VirtualBox and an OVA (Open Virtual Appliance), a file that ships with the packages your SIEM needs already installed. Go ahead and download the OVA file and import it into VirtualBox. If you have not used VirtualBox before, the original post links a separate guide on installing and using it.

Starting your Amazon Linux 2023 virtual machine (OVA)


Once you've imported your OVA file into VirtualBox, make sure your settings are good and click start. Below is an image of the login screen. This virtual machine will be called the manager or the server. This is where all the information will be processed and then shown in the UI. Follow the prompts and enter your username and password. To find the IP of your server or manager, enter "ip a" or "ip add" and it will output your IPv4 address.

Once you've logged in and your server/OVA is running, open a browser and navigate to your Wazuh Dashboard, where all your information will be shown in the UI.
In the URL bar type https:// followed by the IP address your server is on, for example https://<your manager IP>.
The username and password are admin and admin.
This will show your Wazuh Dashboard!

Deploying an Agent

Once you log in to the UI, you have to set up an agent, which will reside on an endpoint (a VM, a server, an IoT device, etc.). An agent is basically software that runs on the endpoint and sends security-related information from it to the manager; threats will then display in the Wazuh Dashboard.

Once you click on the "deploy new agent" button, you will be asked to provide information about your endpoint, and this will help install the proper packages or files to deploy your agent.
1. Selecting your endpoint architecture is important.
2. If you're selecting the server address, be careful when selecting the IP; in my case, I had to select the hypervisor's IP and not the endpoint IP.

Copy the command (with the download link) it generated into your terminal and it will install the agent software; in this case, it's my Linux machine.
See below.


Copy and paste these commands into the terminal to start the agent service on your endpoint, then go back to your Dashboard and you should see your endpoint "active".
Below shows the active agent.
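The two things that most often go wrong in the steps above are the manager address (the one you type into the browser and into the "deploy new agent" form) and the agent never reaching the manager. The script below is an added example for this post, not Wazuh's own tooling: it pulls the non-loopback IPv4 address out of "ip a" output, validates it, builds the dashboard URL, probes the manager ports an agent needs (1514 for agent events and 1515 for enrollment, Wazuh's defaults), and checks agent log text for the connection message. The "ip a" sample and the log line are constructed for the example; the log line format is an assumption about what /var/ossec/logs/ossec.log prints.

```shell
#!/bin/sh
# Added helper for the Wazuh OVA walkthrough; not part of Wazuh or the original post.

# Print every non-loopback IPv4 address found in "ip a"-style text on stdin.
# On the manager VM: ip -4 a | extract_ipv4_addrs
extract_ipv4_addrs() {
    sed -n 's|^ *inet \([0-9.]*\)/[0-9]*.*|\1|p' | grep -v '^127\.'
}

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# The dashboard address from the post: https://<manager IP>
dashboard_url() {
    valid_ipv4 "$1" || return 1
    printf 'https://%s\n' "$1"
}

# Probe the manager ports an agent needs (1514 events, 1515 enrollment).
# Run on the endpoint before deploying; needs the nc (netcat) binary.
check_manager_ports() {
    for port in 1514 1515; do
        if nc -z -w 3 "$1" "$port" 2>/dev/null; then
            echo "manager $1 port $port reachable"
        else
            echo "manager $1 port $port NOT reachable (check the IP and firewall)" >&2
            return 1
        fi
    done
}

# Return 0 if agent log text on stdin contains the manager-connection message.
# On the endpoint: agent_connected < /var/ossec/logs/ossec.log
agent_connected() {
    grep -q 'Connected to the server'
}

# Constructed sample of "ip a" output (loopback plus one LAN interface).
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 192.168.56.10/24 brd 192.168.56.255 scope global eth0'

# Constructed sample agent log line (assumed format of ossec.log).
SAMPLE_LOG='2025/05/22 10:00:00 wazuh-agentd: INFO: (4102): Connected to the server (192.168.56.10:1514/tcp).'

# Stand-alone demo over the constructed samples.
MANAGER_IP=$(printf '%s\n' "$SAMPLE_IP_A" | extract_ipv4_addrs | head -n 1)
echo "manager IP from ip a: $MANAGER_IP"
echo "dashboard: $(dashboard_url "$MANAGER_IP")"
if printf '%s\n' "$SAMPLE_LOG" | agent_connected; then
    echo "agent log shows a connection to the manager"
fi
```

To use it on a real lab, source the file on the endpoint and run check_manager_ports with the manager IP you entered in the deploy form; if port 1514 or 1515 is not reachable, the agent will stay "disconnected" in the dashboard no matter how many times you restart the service.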

Playing with your SIEM

This post is an initial gathering of information; future posts will cover different ways to configure your SIEM, find vulnerabilities and harden your endpoints and network. Look out for more in this SIEM series.

Notes:

https://wazuh.com/
https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html