Deployment (HIDS)

Pituphong Yavirach, CPTE


Founder – Debug Consulting
Agenda

01 Introduction

02 Installation

03 Wazuh Agent Deployment

04 Configuration

05 Function Test

06 Conclusion
Introduction
HIDS – Host-Based Intrusion Detection System
• A Host-Based Intrusion Detection System (HIDS) collects, analyzes and
pre-correlates a client's logs and alerts on an attack, fraudulent
(policy-violating) use, or a detected error.
• It verifies the integrity of local system files, detects rootkits, and
identifies hidden actions of attackers: Trojan horses, malware, etc.
• HIDS provides real-time alerts and active response.
• HIDS integrates easily with SIEMs.
• Centralized policy deployment is performed for all HIDS agents to
monitor server compliance.

Ref. Anglia Ruskin University, OWASP Cambridge Chapter


image ref. https://www.decipherzone.com/blog-detail/web-application-architecture
OSSEC
• OSSEC is an open source HIDS.
• Its purpose is to detect abnormal behavior on a machine.
• It collects the information sent to it by the monitored equipment and
uses signatures or behavior to detect an anomaly.
• An OSSEC agent is installed on each machine.



WAZUH
• Wazuh is an open source platform for intrusion detection, security
monitoring, incident response and compliance checking.
• It builds on OSSEC.
• It can be used to monitor endpoints, cloud services and containers, and
to aggregate and analyze data from external sources.



WAZUH
• The Wazuh solution consists of an endpoint security agent, deployed on
the monitored systems, and a management server, which collects and
analyzes the data gathered by the agents.
• Additionally, Wazuh is fully integrated with the Elastic Stack, providing
a search engine and a visualization tool for the data, which lets users
navigate their security alerts.
WAZUH Abilities
• A brief overview of some of the most popular current use cases of the
Wazuh solution:
• Log analysis
• File integrity monitoring
• Rootkit detection
• Active response
• Configuration assessment
• System inventory
• Vulnerability detection
• Cloud security
• Container security
• Regulatory compliance
WAZUH Architecture
• The Wazuh architecture is based on agents, running on the monitored
endpoints, which transmit security data to a central server.
• Agentless devices such as firewalls, switches, routers and access points
are also supported; they can actively submit log data via Syslog, SSH or
their API.
• The central server decodes and analyzes the incoming information and
forwards the results to the Wazuh indexer for indexing and storage.
• The Wazuh indexer cluster is a set of one or more nodes that communicate
with each other to perform read and write operations on the indexes.
WAZUH Component
WAZUH Indexer
• The Wazuh indexer is a highly scalable full-text search and analytics
engine.
• The Wazuh indexer stores data as JSON documents. Each document
correlates a set of keys (field names or properties) with their
corresponding values.
• An index is a collection of related documents.
• Wazuh uses four different indexes to store different types of events:
wazuh-alerts, wazuh-archives, wazuh-monitoring and wazuh-statistics.
WAZUH Server
• The Wazuh server component analyzes the data received from the agents,
triggering alerts when threats or anomalies are detected.
• It is also used to manage agent configuration remotely and to monitor
agent status.
• The Wazuh server uses threat intelligence sources to improve its
detection capabilities.
• It also enriches alert data using the MITRE ATT&CK framework and
regulatory compliance requirements such as PCI DSS, GDPR, HIPAA, CIS and
NIST 800-53, providing useful context for security analysis.
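The indexer and server slides above describe alerts as JSON documents that land in a wazuh-alerts index and carry MITRE ATT&CK and compliance enrichment. The added example below (not Wazuh's own code) reads one such document and pulls out the context an analyst would want; the sample alert is constructed, the field names follow the Wazuh alert format as the author understands it, and the daily index naming is an assumption:

```python
import json
from datetime import datetime

# Constructed sample shaped like a Wazuh alert document; the field names follow
# the Wazuh alert JSON format as the author understands it (assumption), so check
# them against alerts from your own deployment before relying on this.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2024-05-01T10:15:30.000+0000",
    "rule": {
        "id": "5712", "level": 10,
        "description": "sshd: brute force trying to get access to the system.",
        "groups": ["syslog", "sshd", "authentication_failures"],
        "mitre": {"id": ["T1110"], "tactic": ["Credential Access"],
                  "technique": ["Brute Force"]},
        "pci_dss": ["11.4", "10.2.4", "10.2.5"],
        "gdpr": ["IV_35.7.d", "IV_32.2"],
        "hipaa": ["164.312.b"],
        "nist_800_53": ["SI.4", "AU.14", "AC.7"],
    },
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "location": "/var/log/auth.log",
})

COMPLIANCE_KEYS = ("pci_dss", "gdpr", "hipaa", "nist_800_53")

def index_for(alert, version="4.x"):
    """Daily alerts index name, wazuh-alerts-<version>-YYYY.MM.DD (naming assumed)."""
    day = datetime.strptime(alert["timestamp"][:10], "%Y-%m-%d")
    return f"wazuh-alerts-{version}-{day:%Y.%m.%d}"

def triage(raw, min_level=7):
    """Return the analyst-facing context for one alert, or None below min_level."""
    alert = json.loads(raw)
    rule = alert["rule"]
    if rule["level"] < min_level:
        return None
    mitre = rule.get("mitre", {})
    return {
        "index": index_for(alert),
        "agent": alert["agent"]["name"],
        "level": rule["level"],
        "description": rule["description"],
        # pair each ATT&CK technique id with its name for the analyst
        "mitre": list(zip(mitre.get("id", []), mitre.get("technique", []))),
        # only the compliance frameworks the rule is actually mapped to
        "compliance": {k: rule[k] for k in COMPLIANCE_KEYS if rule.get(k)},
    }
```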
WAZUH Dashboard
• The Wazuh dashboard is a flexible and intuitive web-based user interface
for exploring, analyzing and visualizing security events and alert data.
• It is also used for management and monitoring of the Wazuh platform.
• Additionally, it provides role-based access control (RBAC), Single
Sign-On (SSO), data visualization and analysis, agent monitoring and
configuration, platform management and developer tools.
WAZUH Data visualization and analysis
WAZUH Agent Monitoring
WAZUH Platform Management
WAZUH Status and Reports
WAZUH Ruleset test
WAZUH API Console
WAZUH Security rules
WAZUH Agent
• The Wazuh agent is cross-platform and runs on the hosts that the user
wants to monitor.
• It is also used for management and monitoring of the Wazuh platform.
• The Wazuh agent provides key functionality to improve the security of
your system:
• Log collector
• Command execution
• File integrity monitoring (FIM)
• Security configuration assessment (SCA)
• System inventory
• Malware detection
• Active response
• Container security monitoring
• Cloud security monitoring
Questions?
THANK YOU