Wazuh SIEM

Set Up and Run Wazuh as a SIEM and Windows Endpoint Security

Directions:

1. Go to Wazuh.com

   • Click Install Wazuh

   • Notice that there are 4 main components listed

     • List the components of Wazuh and briefly describe what each does

       • Answer 1:

       • Answer 2:

       • Answer 3:

       • Answer 4:

2. Click Installation Guide

   • In the Navigation pane on the left, select Installation Alternatives

   • Choose Virtual Machine (OVA)

     • Review the System Requirements and make sure your machine has adequate resources available

   • Download the OVA file

3. Open the Downloads folder

   • Right click on the Wazuh OVA file

   • Open the file using VirtualBox

4. In VirtualBox, set the display settings for the Wazuh VM to VMSVGA graphic controller

   • Start the Wazuh VM – This will be your Wazuh Server

   • Enter your default credentials:

     • Username: wazuh-user

     • Password: wazuh

   • To gain root privileges, enter sudo -i

   • Update the VM sudo yum update

   • Look up the IP on the Wazuh Server terminal with ip a or ifconfig

**This may freeze at any time where you don’t see a cursor anymore and can’t seem to get one back. THIS IS OK. It happens with programs and we just need to select the X to exit the window, and select “Send Shutdown Signal”. Then brush yourself off and take a breath or two and try again. If you have updated and everything is in good standing. Try the next step. Just know that the server must be running in order to use Wazuh.**

5. Now access the Wazuh Dashboard

   • Open Google Chrome or Firefox and enter Using the IP address to the Wazuh server

     • http:// [Wazuh. Server IP Address ]

     • This will not be a secure connection according to the browser. Proceed to the address.

   • A page with Wazuh logo will appear and there will be a logon screen with the following fields

     • User: admin

     • Password: admin

6. Open the Wazuh dropdown menu by clicking the logo or the downward arrow

   • Select Agents

   • Select Deploy new agent

7. Now we fill out this little worksheet

   • Choose Windows or the endpoint type you need to set up

   • Fill in the Wazuh Server IP Address (found earlier using ifconfig on the terminal)

   • Select a Name for the Agent

   • Select Default

   • You will use this text generated shortly

8. Open PowerShell with Administrative Privileges

   • Do this by right clicking the PowerShell icon and selecting to Run as Administrator

   • Copy and Paste the Generated text from step 7 and press Enter

   • After this Finishes, Enter NET START WazuhSvc

   • Enter Get-NetTCPConnection -RemotePort 1514

9. Go back to your Dashboard, refresh if necessary

   • Your Endpoint agent should be showing in the dashboard

10. Take a SCREENSHOT that includes your Endpoint Name

    • • Edit out any IP information

      • Using the Snippet Tool in Windows is quite an effective solution, Check it out!

11. Now create a document and add the 4 Answers and Screenshot to the document

12. Submit it as a PDF file with the file name as [YOURLASTNAME]Wazuh_Lab[Year]

13. Congratulations! You have completed this lab and have the ability to set up Wazuh via OVA file!

STAY TUNED AS THERE IS MORE TO CONFIGURE!!!!