Created in 2015, Wazuh is an open-source, freely available and extensive EDR solution that can be used in environments of any scale. Wazuh operates on a manager and agent model: a dedicated device runs the Wazuh manager, which is responsible for managing the agents installed on the devices you'd like to monitor. Let's look at this model in the diagram below:

[Diagram: Wazuh manager and agent model (image not reproduced)]

Wazuh monitors the following:

  1. Policy violations - monitors Group Policy (on Windows). This works on the basis of rules.
  2. Auditing - performs auditing on the workstations and reports best practices, security issues and security events. This also relies on rules. It also audits for compliance with frameworks such as NIST, PCI DSS and MITRE.
  3. Vulnerabilities - performs vulnerability scans based on a database of CVEs.

How it works:

  1. We install Wazuh on a central server (the Wazuh manager).
  2. On each host, we install the Wazuh agent. The agent sends its logs to the Wazuh manager.

Wazuh config:

Alerts are stored in a specific file on the Wazuh management server: /var/ossec/logs/alerts/alerts.log. We can use a command such as grep, or an editor such as nano, to search through this file on the management server manually.
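As an added example (not part of the original notes), a small Python parser that turns alerts.log records into structured objects so they can be filtered by rule level or rule group instead of being grepped by hand. The sample records below are constructed to follow the alerts.log layout; the hostnames, IPs and rule IDs are made up.

```python
import re

# Constructed sample of alerts.log records (made-up agents, IPs and rule IDs).
SAMPLE_ALERTS = """\
** Alert 1700000000.1001: - windows,sysmon,
2023 Nov 14 22:13:20 (WS01) 10.0.0.15->EventChannel
Rule: 61603 (level 3) -> 'Sysmon - Event 1: Process creation notepad.exe'
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"1"}}}

** Alert 1700000060.1002: - windows,sysmon,
2023 Nov 14 22:14:20 (WS01) 10.0.0.15->EventChannel
Rule: 92000 (level 12) -> 'Sysmon - Suspicious PowerShell encoded command'
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"1"}}}

** Alert 1700000120.1003: - authentication_failed,
2023 Nov 14 22:15:20 (WS02) 10.0.0.16->WinEvtLog
Rule: 60122 (level 5) -> 'Logon failure - Unknown user or bad password'
"""

# Record header: "** Alert <epoch>.<seq>: [mail] - <group1>,<group2>,"
HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): (mail\s+)?- (.*?),?$")
# Source line: "<date> (<agent>) <ip>-><location>"; the "(agent)" part is absent for the manager itself
SOURCE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((.*?)\) )?(\S+)->(\S+)$")
# Rule line: "Rule: <id> (level <n>) -> '<description>'"
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split alerts.log text into one dict per alert record."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new record starts; keep the rule groups as a list
            current = {"epoch": int(m.group(1)), "groups": [g for g in m.group(4).split(",") if g],
                       "agent": None, "location": None, "rule_id": None, "level": None,
                       "description": "", "payload": []}
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = SOURCE.match(line)
        if m:
            current["timestamp"], current["location"] = m.group(1), m.group(4)
            current["agent"] = m.group(2) or m.group(3)
            continue
        m = RULE.match(line)
        if m:
            current["rule_id"], current["level"], current["description"] = int(m.group(1)), int(m.group(2)), m.group(3)
            continue
        current["payload"].append(line)  # everything else is the decoded event body
    return alerts


def select_alerts(alerts, min_level=0, group=None):
    """Keep alerts at or above min_level and, if given, belonging to a rule group."""
    return [a for a in alerts if a["level"] is not None and a["level"] >= min_level
            and (group is None or group in a["groups"])]
```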

All sorts of actions and events are captured and recorded on a Windows operating system. This includes authentication attempts, network connections, files that were accessed, and the behaviour of applications and services. A tool called Sysmon records this information into the Windows event log.

We can use the Wazuh agent to collect these events recorded by Sysmon and forward them to the Wazuh manager for processing. To do so, we will need to configure both the Wazuh agent and the Sysmon application. Sysmon's rules, which decide when an event is recorded, are written in XML.