Wazuh SIEM
Running Your Own XDR and SIEM
*WARNING THIS is only a lab and not complete for use*
Set Up and Run Wazuh as a SIEM and Windows Endpoint Security
Directions:
Go to Wazuh.com
Click Install Wazuh
Notice that there are 4 main components listed
List the components of Wazuh and briefly describe what each does
Answer 1:
Answer 2:
Answer 3:
Answer 4:
Click Installation Guide
In the Navigation pane on the left, select Installation Alternatives
Choose Virtual Machine (OVA)
Review the System Requirements and make sure your machine has adequate resources available
Download the OVA file
Open the Downloads folder
Right click on the Wazuh OVA file
Open the file using VirtualBox
In VirtualBox, set the display settings for the Wazuh VM to the VMSVGA graphics controller
Start the Wazuh VM – This will be your Wazuh Server
Enter your default credentials:
Username: wazuh-user
Password: wazuh
To gain root privileges, enter sudo -i
Update the VM with sudo yum update
Look up the IP address on the Wazuh Server terminal with ip a or ifconfig
**This may freeze at any time, where you don’t see a cursor anymore and can’t seem to get one back. THIS IS OK. It happens with programs; we just need to select the X to exit the window and select “Send Shutdown Signal”. Then brush yourself off, take a breath or two, and try again. If you have updated and everything is in good standing, try the next step. Just know that the server must be running in order to use Wazuh.**
Now access the Wazuh Dashboard
Open Google Chrome or Firefox and enter the IP address of the Wazuh server in the address bar:
http://[Wazuh Server IP Address]
The browser will report that this is not a secure connection. Proceed to the address anyway.
A page with the Wazuh logo will appear, showing a logon screen with the following fields:
User: admin
Password: admin
Open the Wazuh dropdown menu by clicking the logo or the downward arrow
Select Agents
Select Deploy new agent
Now we fill out this little worksheet
Choose Windows or the endpoint type you need to set up
Fill in the Wazuh Server IP address (found earlier with ip a or ifconfig on the server terminal)
Select a Name for the Agent
Select Default
You will use the generated text shortly
Open PowerShell with Administrative Privileges
Do this by right clicking the PowerShell icon and selecting to Run as Administrator
Copy and paste the text generated on the Deploy new agent page and press Enter
After this finishes, enter NET START WazuhSvc
Enter Get-NetTCPConnection -RemotePort 1514 to confirm the agent has a connection to the Wazuh server on port 1514
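A short verification script for the Windows endpoint, added here as an example and not part of the lab or of Wazuh's own tooling: it checks that the service the lab starts is running, reads the manager address the generated installer wrote into the agent configuration, and confirms an established connection on port 1514. The configuration path is the default agent install location and is an assumption; adjust it for a non-default install.

```powershell
# Added verification script for the Windows agent step; not part of the lab.
# Assumptions: service name WazuhSvc and port 1514 come from the lab above;
# the ossec.conf path is the default install location (assumption).
$ServiceName = 'WazuhSvc'
$ManagerPort = 1514
$ConfigPath  = 'C:\Program Files (x86)\ossec-agent\ossec.conf'   # assumed default path

# 1. Is the agent service installed and running?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "FAIL: service '$ServiceName' not found; the installer did not complete."
} elseif ($svc.Status -ne 'Running') {
    Write-Output "FAIL: service '$ServiceName' is $($svc.Status); run 'NET START $ServiceName'."
} else {
    Write-Output "OK:   service '$ServiceName' is running."
}

# 2. Which manager address did the generated installer write into ossec.conf?
$addr = $null
if (Test-Path $ConfigPath) {
    $addr = Select-String -Path $ConfigPath -Pattern '<address>(.*)</address>' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1
    Write-Output "INFO: agent is configured to report to manager '$addr'."
} else {
    Write-Output "WARN: $ConfigPath not found; set `$ConfigPath for a non-default install."
}

# 3. Is there an established TCP connection to the manager port?
$conn = Get-NetTCPConnection -RemotePort $ManagerPort -State Established -ErrorAction SilentlyContinue
if ($conn) {
    $conn | ForEach-Object { Write-Output "OK:   connected to $($_.RemoteAddress):$($_.RemotePort)" }
    if ($addr -and ($conn.RemoteAddress -notcontains $addr)) {
        Write-Output "WARN: connected address differs from the configured manager '$addr'."
    }
} else {
    Write-Output "FAIL: no established connection to port $ManagerPort."
    Write-Output "      Check the server IP entered on the Deploy new agent page, that the"
    Write-Output "      server VM is running, and that TCP $ManagerPort is reachable from here."
}
```

Run it in the same elevated PowerShell window used for the install; a FAIL on the connection check with an OK on the service usually means the server VM is down or the wrong IP was entered on the worksheet.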
Go back to your Dashboard, refresh if necessary
Your Endpoint agent should be showing in the dashboard
Take a SCREENSHOT that includes your Endpoint Name
Edit out any IP information
Using the Snipping Tool in Windows is quite an effective solution. Check it out!
Now create a document and add the 4 Answers and Screenshot to the document
Submit it as a PDF file with the file name as [YOURLASTNAME]Wazuh_Lab[Year]
Congratulations! You have completed this lab and have the ability to set up Wazuh via OVA file!