
IMPLEMENTING SECURITY MEASURES USING MANAGED DETECTION AND RESPONSE (MDR)

A PROJECT REPORT

Submitted by

SELVAKUMAR SA [RA2011030010027]

SHARAN K [RA2011030010062]

Under the Guidance of

Dr. HEMAMALINI V.

Associate Professor, Department of Networking and Communications

in partial fulfillment of the requirements for the degree of

BACHELOR OF TECHNOLOGY
in
COMPUTER SCIENCE AND ENGINEERING
with specialization in CYBER SECURITY

DEPARTMENT OF NETWORKING AND COMMUNICATIONS


COLLEGE OF ENGINEERING AND TECHNOLOGY
SRM INSTITUTE OF SCIENCE AND TECHNOLOGY
KATTANKULATHUR- 603 203

MAY 2024

ACKNOWLEDGEMENT

We express our humble gratitude to Dr. C. Muthamizhchelvan, Vice-Chancellor, SRM Institute of
Science and Technology, for the facilities extended for the project work and his continued support.

We extend our sincere thanks to Dean-CET, SRM Institute of Science and Technology, Dr. T. V.
Gopal, for his invaluable support. We wish to thank Dr. Revathi Venkataraman, Professor &
Chairperson, School of Computing, SRM Institute of Science and Technology, for her support
throughout the project work.
We are incredibly grateful to our Head of the Department, Dr. Annapurani K, Professor and Head,
Department of Networking and Communications, School of Computing, SRM Institute of Science
and Technology, for her suggestions and encouragement at all the stages of the project work.

We want to convey our thanks to our Project Coordinator, Dr. G. Suseela, Associate Professor;
Panel Head, Dr. N. Prasath, Associate Professor; and members Dr. V. Hemamalini, Associate
Professor, Dr. V. Joseph Raymond, Assistant Professor, and Dr. A. Arokiaraj Jovith, Associate
Professor, Department of Networking and Communications, School of Computing, SRM Institute of
Science and Technology, for their inputs during the project reviews and their support.

We register our immeasurable thanks to our Faculty Advisors, Dr. S. Thanga Revathi, Associate
Professor, and Dr. J. Godwin Ponsam, Associate Professor, Department of Networking and
Communications, SRM Institute of Science and Technology, for leading and helping us to complete
our course.
Our inexpressible respect and thanks to our guide, Dr. Hemamalini V, Associate Professor,
Department of Networking and Communications, SRM Institute of Science and Technology, for
providing us with an opportunity to pursue our project under his mentorship. He provided us with
the freedom and support to explore the research topics of our interest. His passion for solving
problems and making a difference in the world has always been inspiring.

We sincerely thank the staff and students of the Department of Networking and Communications, SRM
Institute of Science and Technology, for their help during our project. Finally, we would like to
thank our parents, family members, and friends for their unconditional love, constant support, and
encouragement.

Selvakumar SA [RA2011030010027]

Sharan K [RA2011030010062]

TABLE OF CONTENTS

S.NO TITLE PAGE.NO

ABSTRACT vii
LIST OF FIGURES viii
LIST OF ABBREVIATIONS ix

1 INTRODUCTION 1
1.1 Introduction To Security Operations Center 3
1.1.1 Key Functions Of A Soc 3
1.2 Soc Structure 4
1.3 Advanced Capabilities Of A Soc 4
1.4 Soc Operations Models 5
1.5 Key Challenges And Considerations 5
1.6 Future Trends And Emerging Technologies 5

2 LITERATURE REVIEW 6
2.1 Introduction 6
2.2 Algorithmic Approaches 6
2.3 Prospects of our Project 10

3 LOG BASED DETECTION 12
3.1 Working Overview 12
3.1.1 Data Collection Layer 14
3.1.2 Wazuh Manager 15
3.1.3 Elastic Search Cluster 15
3.1.4 Kibana Dashboard 16
3.1.5 Integration with External Systems 16

4 IMPLEMENTATION OF WAZUH 17
4.1 Requirement Analysis 17
4.1.1 Hardware And Software Requirements 17
4.1.2 Deployment Flexibility 18
4.1.3 Installation Alternatives 18
4.2 Infrastructure Planning And Deployment 18
4.3 Agent Configuration And Integration 18
4.4 Ruleset Customization And Tuning 19
4.4.1 Understanding Rules 19
4.4.2 Customization 19
4.4.3 Tuning For Accuracy 19
4.4.4 Testing And monitoring 20

4.5 Monitoring And Incident Response 20
4.5.1 Incident Response with Wazuh 20
4.5.2 Automating Incident response 20
4.6 Performance Evaluation And Optimization 20
4.6.1 Performing Evaluation And Benchmarks 21
4.6.2 Performance Evaluation Of Wazuh 21
4.6.3 Optimization Techniques 21
4.6.4 Experimental Results And Comparative Analysis 21

5 ENDPOINT SECURITY TESTING WITH WAZUH 22

6 RESULTS AND DISCUSSIONS 25

7 CONCLUSION AND FUTURE ENHANCEMENT 37
7.1 Conclusions 37
7.2 Future Enhancements 38

REFERENCES 39

APPENDIX 41
A CODING 41
B CONFERENCE PUBLICATION 55
C JOURNAL PUBLICATION 56
D PLAGIARISM REPORT 57

ABSTRACT

This report examines the comprehensive capabilities of the Wazuh tool for log-based attack
detection across various stages of the cybersecurity landscape. Wazuh, an open-source security
platform, offers a wide spectrum of functionalities aimed at enhancing threat detection and response
within organizational environments. Through an examination of its features, including log
analysis, intrusion detection, file integrity monitoring, and threat intelligence integration,
this study aims to provide a detailed understanding of how Wazuh can be leveraged to
fortify defenses against a multitude of cyber threats. By delving into real-world scenarios
and use cases, this exploration sheds light on the effectiveness of Wazuh in identifying and
mitigating security incidents, ultimately contributing to the enhancement of overall
cybersecurity posture. By deploying Wazuh agents across diverse IT environments, organizations
can effectively detect, analyze, and respond to security incidents in real time. These agents
provide continuous monitoring and log analysis, enabling proactive threat hunting and
vulnerability assessment. Wazuh's centralized management console offers comprehensive visibility
and control, facilitating the orchestration of security measures across the entire infrastructure.
Through its integration with threat intelligence feeds and correlation rules, Wazuh
empowers organizations to stay ahead of emerging threats and compliance requirements.
With its scalable architecture and robust features, Wazuh serves as a vital component in
modern cybersecurity strategies, helping enterprises fortify their defenses and mitigate
risks effectively. Furthermore, the report discusses challenges, best practices, and future
directions for optimizing the utilization of Wazuh in diverse operational contexts.

LIST OF FIGURES

3.1 Architecture diagram of Wazuh server 21
5.1 Top security alerts 30
6.1 Ransomware detection with Wazuh 32
6.2 SSH brute-force detection with Wazuh 33
6.3 The list of top modified files detected by Wazuh 34
6.4 SSH failed login overview 35
6.5 SELinux permission checklist 38
6.6 The list of detected anomalies 38

LIST OF ABBREVIATIONS

AES Advanced Encryption Standard

DB Database

GCP Google Cloud Platform

HAM Human Against Machine

MNIST Modified National Institute of Standards and Technology

PWA Progressive Web App

ROC Receiver Operating Characteristic

DDOS Distributed Denial-Of-Service

HIPAA Health Insurance Portability and Accountability Act

SIEM Security Information and Event Management



CHAPTER 1
INTRODUCTION

In today's dynamic cybersecurity landscape, organizations globally grapple with the formidable task
of detecting and mitigating malicious activities. Network monitoring systems, whether deployed
internally or externally, play a pivotal role in identifying risk factors and preempting system failures.
These systems are designed to pinpoint vulnerabilities, generate comprehensive reports, and ideally,
rectify issues proactively. However, with the burgeoning challenges in cybersecurity and the
exponential rise in global data generation, network and security administrators encounter mounting
hurdles. Predominantly, engineers rely on Host Intrusion Detection Systems for attack detection and
Intrusion Prevention Systems for preemptive measures [1]. A cornerstone of any application and an
indispensable component of data centers, web servers serve as the nexus for hosting websites
accessible to end-users. Given their exposure to the Internet, web servers are prime targets for a
barrage of potential attacks, emanating from both human adversaries and automated bots.

Identifying attacks on web servers is a basic task of any administrator who maintains them because if
protection is breached, the application may be inaccessible to a large number of users or permanently
destroyed. There are many network security monitoring solutions used worldwide [2]. One of the
tools that helps identify and detect attacks on web servers is Wazuh. Wazuh is an open-source, free
platform that has been painstakingly created for security monitoring and threat detection. Its main
job is to examine logs and identify any risks by using pre-established security rules. Whether you're
keeping an eye on network equipment like firewalls and routers or endpoints like PCs, laptops, and
servers, Wazuh offers a strong framework for gathering, analysing, and reacting to security events
instantly.
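To make the "examine logs and identify risks using pre-established rules" idea concrete, here is an added, constructed example (not Wazuh's own code, decoders or ruleset): a small Python pipeline that decodes syslog-style sshd lines from a constructed log sample and applies a frequency rule that raises an alert when one source address produces five failed logins inside a two-minute window, tagging the alert with the MITRE ATT&CK technique ID for brute force. The regular expression, thresholds and severity level are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log sample (not captured from a real host):
# one source hammers root/admin, one legitimate key login, one lone failure.
SAMPLE_LOG = """\
Mar 10 12:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 12:00:03 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar 10 12:00:04 web01 sshd[1205]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Mar 10 12:00:06 web01 sshd[1207]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar 10 12:00:09 web01 sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 51052 ssh2
Mar 10 12:00:12 web01 sshd[1211]: Failed password for root from 203.0.113.5 port 51060 ssh2
Mar 10 12:05:00 web01 sshd[1300]: Failed password for root from 198.51.100.9 port 42000 ssh2
"""

# Decoder pattern for the syslog-style sshd lines above (hypothetical, written for this example).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def decode(line, year=2024):
    """Decoder step: turn one raw sshd line into structured fields, or None if it does not match."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies one (constructed assumption)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "failed": m["outcome"] == "Failed password"}


class BruteForceRule:
    """Frequency rule: alert when `threshold` failed logins from one source fall within `window` seconds."""

    def __init__(self, threshold=5, window=120):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.failures = defaultdict(deque)   # src address -> timestamps of recent failures
        self.users = defaultdict(set)        # src address -> usernames tried in the current burst

    def evaluate(self, event):
        if not event["failed"]:
            return None                      # successful logins never count toward the rule
        q = self.failures[event["src"]]
        q.append(event["ts"])
        self.users[event["src"]].add(event["user"])
        while q and event["ts"] - q[0] > self.window:
            q.popleft()                      # slide the window: drop failures that are too old
        if len(q) < self.threshold:
            return None
        alert = {
            "rule": "sshd_brute_force",
            "level": 10,                     # severity level, constructed for this example
            "mitre": "T1110",                # MITRE ATT&CK technique: Brute Force
            "host": event["host"],
            "src": event["src"],
            "count": len(q),
            "users": sorted(self.users[event["src"]]),
            "last_seen": event["ts"].isoformat(),
        }
        q.clear()                            # one alert per burst, then start counting again
        self.users[event["src"]].clear()
        return alert


def run_detection(raw_log, rule=None):
    """Pipeline: decode each line, feed it to the rule, collect the alerts it raises."""
    rule = rule or BruteForceRule()
    alerts = []
    for line in raw_log.splitlines():
        event = decode(line)
        if event is None:
            continue                         # unparseable lines are skipped, not treated as failures
        alert = rule.evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG):
        print(a)
```

Lowering the threshold or widening the window shows the trade-off the later tuning chapter deals with: a tighter rule fires on a single noisy host, a looser one misses slow, distributed attempts.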

Wazuh, being an open-source project, has the support of a thriving community of users, contributors,
and security experts that work together to enhance the platform's features and exchange information
and skills. By means of community forums, mailing lists, and cooperative development initiatives,
users may obtain an abundance of resources and assistance to tackle obstacles, share concepts, and
stimulate creativity in the cybersecurity domain.

This report's goal is to examine every facet of Wazuh's log-based attack detection capabilities. We
hope to give a complete knowledge of how Wazuh may strengthen an organization's security posture
by going over its features, architecture, and deployment choices in detail [3]. In addition, this paper
will explore the practical elements of setting up and implementing Wazuh in various scenarios, from
distributed infrastructures to small-scale deployments. Through the provision of real-world use cases
and best practices insights, our goal is to provide readers with the information required to effectively
utilize Wazuh within their own businesses. We will explore several facets of Wazuh in this paper,
including its capacity to gather, examine, and correlate log data from a variety of sources, including
operating systems, applications, and network devices. We will also look at the sophisticated methods
Wazuh uses to detect and handle security events in advance, including anomaly detection, threat
intelligence integration, and real-time alerting. The advantage of this work is that it can serve
network and security engineers very well in network and host security monitoring. This work
demonstrates Wazuh tools when collecting data exclusively from web servers. Wazuh enables
enterprises to establish a unified security ecosystem through its smooth interaction with pre-existing
security products and infrastructure elements [4]. By improving the visibility and correlation of
security events, integration with well-known SIEM (Security Information and Event Management)
systems like Elastic Stack (previously known as ELK Stack) and Splunk streamlines incident
response workflows.

Wazuh does more than detect: it links events to the MITRE ATT&CK framework's tactics,
techniques, and procedures (TTPs). By aligning alerts with the TTPs of known threat groups, Wazuh
streamlines threat-hunting investigations and allows pre-emptive reactions to possible threats. In
short, Wazuh acts as a watchful sentinel, continuously monitoring logs, looking for irregularities,
and keeping the digital ecosystem safe, and it serves as a reliable ally in the fight against
cybercriminals. Wazuh is continually evolving to keep pace with the latest developments in
technology and cybersecurity concerns. Regular upgrades, feature additions, and bug fixes increase
organizations' resistance to developing cyber threats by guaranteeing access to the newest tools and
methodologies for efficient threat detection and response.

The amalgamation of conflict detection techniques with Wazuh's capabilities allows for the swift
adaptation to new log alteration methods, such as those based on advanced analytics. Traditional
detection methods may struggle with the ability to create synthetic logs that closely resemble
authentic ones. However, by employing conflict detection techniques, which scrutinize the distinct
structural properties of logs, indications of manipulation or tampering can be discerned.

Moreover, adversaries rapidly adopt emerging technologies, underscoring the critical necessity for
continuous advancement in detection techniques. By leveraging the complementary strengths of
Wazuh and conflict detection, security systems can stay ahead of evolving threats and adapt to the
ever-changing tactics employed by malicious actors. Given the complexity of structures, textures,
and patterns often present in logs, accurately identifying abnormalities can be challenging.
Nevertheless, by integrating sophisticated conflict detection techniques with Wazuh-powered log
analysis, the intricate structural characteristics and patterns of logs can be more effectively analyzed,
thereby reducing the likelihood of false positives or negatives and enabling the detection of subtle
irregularities indicative of manipulation or tampering.

1.1 INTRODUCTION TO SECURITY OPERATIONS CENTER (SOC)

An organization's cybersecurity operations are coordinated from a Security Operations Center
(SOC). It is a specialized facility or team whose responsibility is to continuously monitor, identify,
investigate, and address cybersecurity problems.

1.1.1 KEY FUNCTIONS OF A SOC

a) MONITORING: SOC teams keep a close eye on the company's networks, systems, and apps
for any indications of unusual activity or possible security breaches. To collect and examine
data from several sources, they employ a range of instruments and technologies, including
SIEM (Security Information and Event Management) systems.

b) DETECTION AND ANALYSIS: SOC analysts look into any security events further to
ascertain the type and gravity of the threat. This entails determining the extent of the incident
by examining network traffic, logs, and other pertinent data.

c) INCIDENT RESPONSE: SOC teams are in charge of reacting quickly and efficiently to
security events. They adhere to established protocols and practices in order to immediately
contain the issue, lessen its effects, and resume regular operations.

d) THREAT INTELLIGENCE: Through cooperation with other companies, industry
publications, and threat intelligence feeds, SOC analysts remain up to date on the most recent
cybersecurity threats and trends. They may more effectively assess possible dangers and take
pre-emptive measures to thwart new attacks thanks to this knowledge.

e) VULNERABILITY MANAGEMENT: SOC teams are also involved in locating and fixing
security holes in the company's software and hardware. They could prioritize remediation
efforts, carry out vulnerability assessments, and collaborate with IT teams to deploy fixes and
upgrades.

1.2 SOC STRUCTURE

Depending on the size, sector, and cybersecurity requirements of the company, SOCs can have
different sizes and structures. Still, they usually include the following elements:

a) SOC ANALYSTS: These are the first responders to security risks; they keep an eye on
alarms, look into situations, and take action.

b) SOC MANAGERS: In charge of establishing strategic goals, managing SOC activities, and
making sure they are in line with the organization's overarching security plan.

c) SECURITY TOOLS AND TECHNOLOGIES: Including threat intelligence feeds,
endpoint detection and response (EDR) systems, SIEM platforms, and intrusion detection
systems (IDS), together with protocols and guidebooks: response playbooks and documented
protocols that help SOC analysts deal with various kinds of security issues.

d) COLLABORATION CHANNELS: Lines of communication for collaborating with
executive leadership, outside partners, and law enforcement agencies, in addition to other
teams inside the company, including IT, legal, and senior leadership.

1.3 ADVANCED CAPABILITIES OF A SOC

a) THREAT HUNTING: Proactive threat hunting is another activity that many SOCs do in
addition to reactive incident response. This entails keeping an eye out for any indications of
hostile behaviour or penetration that could have escaped automated detection systems.

b) FORENSIC ANALYSIS: To get information and identify the underlying cause of security
issues, SOC teams may carry out forensic analysis. Understanding how attackers obtained
access, what data may have been exposed, and how to stop such occurrences in the future all
depend on this knowledge.

c) SECURITY AWARENESS TRAINING: SOCs frequently work in tandem with the
company's training and awareness initiatives to instruct staff members on cybersecurity best
practices, such as spotting phishing scams, safeguarding private data, and reporting questionable
activity.

1.4 SOC OPERATIONS MODELS

a) IN-HOUSE SOC: Some businesses decide to develop and run their SOC in-house,
employing cybersecurity experts to staff it. Although this method gives complete control and
flexibility, it necessitates a large infrastructure, technological, and staff investment.
b) MANAGED SOC (SOC-AS-A-SERVICE): As an alternative, businesses can contract with
a third-party supplier to handle SOC functions. Scalability, knowledge, and round-the-clock
coverage are provided by managed SOC services without the burden of overseeing an
internal staff. To make sure they fulfil their security and compliance criteria, businesses must
thoroughly assess service providers.

1.5 KEY CHALLENGES AND CONSIDERATIONS

a) SKILLS GAP: Organizations find it difficult to attract and retain competent SOC analysts
due to the scarcity of trained individuals in the cybersecurity field. A qualified SOC team
must be assembled and maintained, which requires training and professional development
initiatives.

b) TOOL INTEGRATION AND OPTIMIZATION: SOCs rely on a range of technologies
and security tools, but it can be difficult to integrate these tools and maximize their
effectiveness. Effective threat detection and response depend on proper configuration,
tweaking, and orchestration.

c) COMPLIANCE AND REGULATORY REQUIREMENTS: Strict regulatory standards
for cybersecurity and data protection apply to many businesses. GDPR, HIPAA, PCI DSS,
and other standards and laws must be complied with by SOC operations in order to maintain
legal compliance and avert fines.

1.6 FUTURE TRENDS AND EMERGING TECHNOLOGIES

a) AI AND MACHINE LEARNING: The application of AI and machine learning
technologies to improve SOC capabilities such as automated threat detection, looking for
abnormalities in huge datasets, and risk-based warning prioritization is growing.

CHAPTER 2
LITERATURE SURVEY

2.1 INTRODUCTION

A literature review serves as a pivotal stage in the research process, facilitating the expansion of prior
knowledge, refinement of research inquiries, and augmentation of the existing body of knowledge in
a domain by addressing knowledge gaps and enhancing comprehension. Integrating conflict
detection with innovative techniques marks a significant stride in mitigating challenges encountered
by modern log analysis technologies. The capacity to generate synthetic data with striking realism
can pose difficulties for traditional detection methods. Conversely, the intricate structures and
diverse patterns within logs sometimes present hurdles for conflict detection techniques. By
amalgamating conflict detection methods with Wazuh-powered log analysis, more resilient systems
capable of identifying and flagging suspicious activities or anomalies can be developed. In
conclusion, the fusion of conflict detection technology with Wazuh offers a potent solution to the
challenges faced by each method individually. In the dynamic landscape of digital security, the
integration of these technologies into a unified framework holds the promise of constructing more
robust.

2.2 ALGORITHMIC APPROACHES

In the realm of Secure Encryption (SE), the dynamics of keyword search and document updates pose
challenges regarding the confidentiality of information divulged to public cloud servers. Fully Secure
Searchable Encryption (FSSE) emerges as a promising solution, ensuring the privacy of keywords
associated with newly inserted documents. This paper delineates a concrete application scheme for
FSSE within multi-user contexts, affording users granular control over data access and enabling
seamless revocation of access permissions. Notably, the proposed scheme empowers data users to
verify the integrity of data retrieved from public cloud servers, offering a safeguard against incorrect
or incomplete data returns. Through rigorous theoretical and experimental analysis, the performance
of the scheme is scrutinized, demonstrating its capacity to meet stringent security requirements while
minimizing additional computational overhead. [1]

In the realm of cloud data sharing, existing Proxy Re-Encryption (PRE) schemes encounter
challenges in efficiently supporting heterogeneous systems and achieving unbounded capabilities. To
tackle this issue head-on, we introduce FABRIC: a novel, fast, and secure unbounded cross-domain
Proxy Re-Encryption scheme. FABRIC empowers delegators to authorize semi-trusted cloud servers
to seamlessly convert ciphertexts from one identity-based encryption (IBE) scheme to another

ciphertext of an attribute-based encryption (ABE) scheme. To sum up, it is a major contribution to
the area: a methodical and effective training technique that produces performance and quality gains
that are noticeable in a variety of applications [2].

This work surveys the diverse landscape of research efforts aimed at addressing challenges in secure
data sharing, encryption, and mining within distributed and cloud computing environments. Existing
studies explored various techniques, including Proxy Re-Encryption (PRE) schemes and
homomorphic encryption. Notably, recent advancements have focused on achieving unbounded
cross-domain encryption schemes, such as FABRIC, which facilitate secure data sharing across
heterogeneous systems while ensuring efficiency and scalability [3].

In the IoT domain, new security issues are emerging, while traditional security issues are becoming
more difficult. Therefore, the need for entity authentication of end devices, which is considered an
essential aspect of IoT system security today, is growing. Because traditional ID mechanisms are
infeasible in IoT devices due to the constrained runtime environment of the edge devices and the
additional costs and deployment issues they introduce, alternative solutions for securing IoT
components are required. In light of this, we propose JULIET-PUF, a novel PUF-based unique ID
generation method that relies on SRAM content retrieval after power glitches of various durations.
Our evaluation on a data set of traces from multiple units of a popular commercial off-the-shelf IoT
device shows that JULIET-PUF offers a considerable security advantage over standard SRAM-PUF
in the counterfeiting threat model, all without requiring any additional hardware costs. [4]

The malicious insider becomes a crucial threat to the organization since they have more access and
opportunity to produce significant damage. Unlike outsiders, insiders possess privileged and proper
access to information and resources. This paper proposed machine learning algorithms for detecting
and classifying an insider attack. A customized dataset from multiple files of the CERT dataset is
used in this work. Four machine learning algorithms were applied to that dataset and gave better
results. These algorithms are Random Forest, AdaBoost, XGBoost, and LightGBM.[5]

Organizations are facing an increasing number of insider threats. As insiders have privileged access
to the assets of an organization, preventing insider threats is a challenging problem. In this article, the
authors reviewed the techniques and countermeasures that have been proposed to prevent insider
attacks; in particular, they focused on approaches that are validated with empirical results. They
proposed a classification model that categorizes the existing approaches into two main classes:
biometric-based and asset-based. The biometric-based approaches are further classified into
physiological, behavioral, and physical, while the asset-based approaches are classified into host,
network, and combined. Such a classification provides a better understanding of the existing works
and highlights some gaps that need to be bridged to institute more holistic solutions [6].

This work introduces a novel cryptographic primitive, ID-based PDP with compressed cloud storage,
and then investigates a concrete protocol consisting of only basic algebraic operations. In comparison to the
existing protocols, the proposed protocol can greatly lower storage, communication, and computation
costs. We give strict proof to show that our solution realizes the property of correctness, privacy,
unforgeability, and detectability. We also give an illustrative example to show that the proposed
protocol can be easily extended to support the other practical functions by using the primitive
replacement technique. [7]

Ciphertext-policy attribute-based keyword search (CP-ABKS) schemes facilitate the fine-grained
keyword search over encrypted data, such as those sensed/collected from Industrial Internet of
Things (IIoT) devices and stored in the cloud. However, existing CP-ABKS schemes generally have
significant computation and storage requirements, which are beyond those of resource-constrained
IIoT devices. Therefore, in this paper, we design a secure online/offline Data Sharing Framework
(DSF), which supports online/offline encryption and outsourced decryption. [8]

This work presents a novel method for image classification that seamlessly integrates accuracy and data privacy by
utilizing encrypted image chunks and an adjusted Convolutional Neural Network (CNN). Our
method demonstrated significant time advantages, especially on large datasets, and maintained high
classification accuracy. The emphasis on encrypting only the feature-rich chunks not only ensures
data privacy but also offers computational benefits. The flexibility of the CNN model in
accommodating encrypted data structures underscores its potential in evolving data privacy
landscapes. Future research directions include further optimization of the CNN model, exploration of
alternative encryption schemes, and application to diverse datasets.[9]

Public Key Cryptography plays a significant role in securing the cloud applications, particularly,
Elliptic Curve Cryptography, as its small key size nature is the most suitable aspect in the Cloud.
Although many contributions have been made in recent years to enhance the security aspect of
Elliptic Curve approaches in Cloud services through modifications to the algorithm or to its various
phases, a review that integrates recent studies and provides research directions is
missing from the literature. In this paper, we reviewed recent studies along with the various phases of
Elliptic Curve Cryptography.[10]

"A Survey on AWS Cloud Computing Security Challenges & Solutions" delves into the multifaceted
landscape of security concerns within Amazon Web Services (AWS) cloud computing environments.
The paper systematically reviews and analyses various security challenges encountered in AWS
deployments, ranging from data breaches and identity management issues to network vulnerabilities
and compliance complexities. Furthermore, the survey comprehensively explores existing solutions
and mitigation strategies proposed by researchers and industry practitioners to address these
challenges effectively. [11]

As a communication architecture, mobile edge computing (MEC) not only satisfies customers' needs in
real-time data processing and analysis, but also alleviates the inherent limitations of cloud computing.
However, MEC inherits some security and privacy challenges from cloud computing, and most of the
existing security solutions in the literature cannot meet the requirements of an increasingly demanding
user experience. To address these issues, in this article, an efficient identity
authenticated protocol with provable security and anonymity is created for MEC. [12]

This work presents a federated classification between cloud, edge, and fog, together with a comprehensive
research roadmap on offloading for different federated scenarios. We survey the relevant literature on the
various optimization approaches used to solve this offloading problem and compare their salient features. We
then provide a comprehensive survey on offloading in federated systems with machine learning
approaches and the lessons learned as a result of these surveys. [13]

The digital transformation is characterized by the convergence of technologies, from the Internet of
Things (IoT) to edge-fog-cloud computing, artificial intelligence (AI), and Blockchain, in multiple
dimensions, blurring the lines between the physical and digital worlds. With more adaptation,
embracement, and development, we are witnessing a steady convergence and fusion of these
technologies, resulting in an unprecedented paradigm shift that is expected to disrupt and reshape the
next-generation systems in vertical domains in a way that the capabilities of the technologies are
aligned in the best possible way to complement each other. [14]

The proposed mechanism is adaptable to a maximum number of incoming requests along with
optimizing the utilization of limited resources at the edge node. Critical comparisons were made
against closely related algorithms and techniques, i.e., the novel bioinspired hybrid algorithm and the
CORA-GT. The simulation results from the proposed scheme show that it
performed better in terms of resources utilization, average response time, task execution time, and
energy consumption. [15]

For large-scale software-intensive systems, high availability and reliability are critical. Given that
these systems offer numerous services to users, even a minor issue with them could cause user
annoyance and possibly severe financial losses. As these systems become more complex, manual
analysis of log data becomes more challenging. Several critical seem to have been overlooked by the
existing work. [16]

This work focuses on mitigating the intervening external vulnerabilities in the sequential task processing
intervals. The process controller is administered using the blockchain system based on the
classification output. The harmonized process of blockchain and outcome factor-based classification
improves the job delivery rate under controlled time. [17]

This work compares a number of supervised techniques, including standard and ensemble methods. According
to the evaluation of the results, ensemble supervised methods have the capability to outperform conventional
supervised methods. The fine-tuned classification models BERT (Bidirectional Encoder
Representations from Transformers) and Multilingual BERT, which are based on Transformers, are used
for cyberbullying detection, and machine learning algorithms including Gaussian Naive Bayes
and Logistic Regression have been used for spam detection. [18]

2.3 PROSPECTS OF OUR PROJECT

The primary aim of this research is to leverage the discriminator component of Wazuh-powered
systems to address various challenges encountered in the realms of cyber security and data integrity.
The central objective is to enhance the security and effectiveness of data processing workflows by
identifying discrepancies in images, thereby ensuring the accuracy and reliability of processed data.
To elaborate on the methodology, the study involves developing novel methods and algorithms that
enable the discriminator to detect and highlight areas in images where discrepancies occur. These
discrepancies may manifest as anomalies indicative of tampering or manipulation attempts,
inconsistencies in data, or irregularities in visual content. By training the discriminator to recognize
and flag such discrepancies within the image processing pipeline, the system can automatically
identify and mitigate potential security threats in real time.

The study explores how integrating conflict detection techniques into existing data processing
workflows can significantly enhance the overall security posture of systems. Organizations can
mitigate the risk of data breaches, unauthorized access, or dissemination of compromised
information by proactively identifying and addressing potential risks at the image level. The study
also underscores the importance of efficiency in data processing workflows, particularly in scenarios
requiring high throughput or real-time processing. The proposed approach aims to optimize data
processing pipelines by leveraging the conflict detection capabilities of the discriminator, enabling
faster decision-making and more efficient utilization of computing resources. Additionally, the study
discusses real-world applications and scenarios where the proposed conflict detection system can be
utilized. These applications may include secure image authentication, cross-platform content
verification, digital forensics fraud detection, or ensuring compliance with privacy and data integrity
regulations.

In addition to identifying discrepancies within images, the research also delves into the potential
applications of conflict detection techniques in network security and intrusion detection. By
extending the capabilities of Wazuh to detect anomalies and inconsistencies in network traffic and
system logs, organizations can bolster their defenses against cyber threats such as malware
infections, unauthorized access attempts, and data exfiltration. The incorporation of conflict
detection algorithms into network security protocols can provide early warning signs of potential
security breaches, allowing security teams to take proactive measures to mitigate risks and protect
sensitive information.

Furthermore, the research investigates the role of conflict detection techniques in enhancing
compliance with regulatory requirements and industry standards. By accurately identifying and
documenting discrepancies in data processing workflows, organizations can demonstrate compliance
with privacy regulations, data protection laws, and industry-specific security mandates. The ability to
automatically detect and address potential security risks can help organizations avoid costly fines,
legal penalties, and reputational damage associated with non-compliance.

Overall, the integration of conflict detection capabilities into Wazuh-powered cyber security
technologies represents a significant advancement in the field of digital security. By leveraging the
discriminative abilities of Wazuh to identify discrepancies and anomalies in data processing
pipelines, organizations can enhance their ability to detect, respond to, and mitigate cyber threats
effectively. This research lays the groundwork for developing more resilient and adaptive cyber
security solutions that can keep pace with evolving threats and protect critical assets from
unauthorized access, data breaches, and other security risks.

CHAPTER 3
LOG BASED ATTACK DETECTION

This chapter examines the capabilities of Wazuh for log-based attack detection across the stages of
an attack. Wazuh, an open-source security platform, offers a wide spectrum of functionality aimed at
enhancing threat detection and response within organizational environments. Through an examination
of its features, including log analysis, intrusion detection, file integrity monitoring, and threat
intelligence integration, this chapter provides a detailed understanding of how Wazuh can be leveraged
to fortify defenses against a multitude of cyber threats.

3.1 WORKING OVERVIEW


Wazuh agents are lightweight programs that run on monitored endpoints (servers, desktops, laptops and
cloud instances); they collect security data and forward it to the Wazuh server. Network devices that
cannot run an agent send syslog to the server instead. The server is the central hub where events are
decoded, analyzed and checked against the ruleset; events that match a rule are augmented with alert
information. The Wazuh indexer indexes and stores the processed data and can be configured as a
single node or as a multi-node cluster for scalability and high availability. Agents continuously
send events to the server for analysis and threat detection: the agent connects to the server's
remote service (port 1514 by default) to ship data, and agent enrollment uses port 1515. The Wazuh
message protocol encrypts agent traffic with AES by default (128-bit blocks, 256-bit keys), which
keeps the data confidential in transit; on the manager, /var/ossec/bin/agent_control -l lists the
registered agents and their connection status, which is the first check after enrolling an agent.
Filebeat bridges the server and the indexer: it sends the alert and event data to the indexer over
TLS. Once indexed, the Wazuh dashboard visualizes this information, aiding threat hunters and security
teams. Because its architecture scales, is flexible and supports several platforms, Wazuh is a
valuable tool in the continuous fight against cyber threats.

Fig 3.1 Wazuh Server

Figure 3.1 above shows the working overview of the Wazuh server described in this section.

The Wazuh manager also distributes alerts, enabling rapid incident response and mitigation across the
organization. It examines incoming data for a variety of security-related events, including file
changes, configuration anomalies, intrusion attempts and possible rootkit activity, using a rule-based
approach: when an event matches a rule, the manager acts, for example by raising an alert when an
unauthorised access attempt is made or when a monitored file is altered unexpectedly. The security
configuration assessment (SCA) module checks system settings against defined security policies and
flags deviations so that administrators can act on them. Rootkits are stealthy malware that can
compromise system integrity; the rootcheck module regularly scans for signs of a rootkit, protecting
against tampering and unauthorised access.

3.1.1 DATA COLLECTION LAYER

Fig 3.2 Overview of Data gathering and functioning

Figure 3.2 above shows data gathering and processing. At the front of the architecture lies the data
collection layer, where Wazuh agents are deployed across endpoints and servers in the organizational
network. These lightweight agents act as sentinels, monitoring system activity and collecting log
data, system events, inventory data and network information. Through integration with various
operating systems and applications, the agents provide comprehensive coverage across the
infrastructure, enabling a holistic approach to threat detection and response.

Wazuh can forward alerts to external alerting systems: its integration module supports Slack,
PagerDuty, VirusTotal and Shuffle out of the box, email alerts and syslog output are configured in
ossec.conf, and any other webhook or ticketing system (for example JIRA or ServiceNow) can be reached
through a custom integration script that receives each alert as JSON. Such integrations let Wazuh
open tickets or incidents when specific conditions are met, which supports incident response and
tracking. Wazuh can also use threat intelligence: CDB lists of known indicators of compromise (IOCs),
such as malicious IP addresses or file hashes, are matched against observed events in rules, and the
VirusTotal integration checks files flagged by file integrity monitoring. Finally, users can define
custom scripts or actions triggered by specific events, for example an active response script that
runs when a certain type of alert occurs.

3.1.2 WAZUH MANAGER

Situated as the nerve center of the Wazuh ecosystem, the Wazuh manager (the analysis engine of the
Wazuh server) orchestrates the entire security operation. It receives, aggregates and analyzes the
data from the deployed agents in real time, decoding each event and checking it against the
customizable ruleset to identify anomalous behavior, security incidents and potential threats. The
alert distribution, configuration assessment and rootkit checks summarised in the working overview
above are all driven by this component.

3.1.3 ELASTIC SEARCH CLUSTER

Elasticsearch is the search and analytics engine of the Elastic Stack, often referred to as the ELK
Stack alongside Logstash and Kibana; together these tools cover data ingestion, enrichment, storage,
analysis and visualization. Wazuh releases up to 4.2 stored alerts directly in Elasticsearch and used
a Kibana plugin as the front end; since Wazuh 4.3 the platform ships its own Wazuh indexer (a fork of
OpenSearch) and Wazuh dashboard, and Elasticsearch is supported as an optional third-party
integration. In either layout the indexing cluster is the repository for large volumes of log data:
with its distributed and scalable architecture it indexes and stores the alerts and events that the
Wazuh manager produces, and its search capabilities let security analysts rapidly query historical
data to find past incidents, trends and patterns for proactive threat mitigation.

For the Elasticsearch integration, Logstash forwards data from the Wazuh indexer to Elasticsearch
indices. Logstash is installed on a dedicated server or on the server hosting the third-party
indexer, and all components of the ELK stack (Elasticsearch, Logstash and Kibana) should be on the
same version to avoid compatibility issues. The logstash-input-opensearch plugin lets the Logstash
pipeline read from the Wazuh indexer; the Wazuh indexer and Elasticsearch root certificates must be
copied to the Logstash server so that both connections use TLS; and the index template provided by
Wazuh is loaded into Elasticsearch so that alert fields are mapped to the correct types. An
Elasticsearch cluster can be used together with a Wazuh cluster: the Wazuh cluster provides higher
availability on the manager side and supports a larger agent load, while the Elasticsearch cluster
scales storage and search.

3.1.4 KIBANA DASHBOARD

The Wazuh dashboard is the web interface of the platform. In releases up to 4.2 it was delivered as a
Kibana plugin on top of the Elastic Stack; since 4.3 it is a fork of OpenSearch Dashboards, and a
Kibana plugin remains available for deployments that keep Elasticsearch. Either way, the dashboard
exposes the security data stored in the indexing cluster: with customizable visualizations and
interactive dashboards, it lets security practitioners gain actionable insight into the
organization's security posture, from trend analysis and anomaly detection to forensic investigation
and compliance reporting (PCI DSS, GDPR, HIPAA and NIST 800-53 views are built in).

3.1.5 INTEGRATION WITH EXTERNAL SYSTEMS

An integral part of any reliable program or tool is its integration with external systems. Let's
investigate Wazuh's integration with external parts. Recognizing the importance of collaboration and
interoperability within the broader cybersecurity landscape, Wazuh facilitates seamless integration
with a myriad of external systems and services. From threat intelligence feeds and Security
Information and Event Management (SIEM) platforms to incident response tools and orchestration
frameworks, this interoperability enhances the efficacy and agility of the security operations. By
enriching log data with contextual information, automating response actions, and streamlining
incident management workflows, Wazuh ensures a holistic and adaptive approach to cyber defense
in an ever-evolving threat landscape.

CHAPTER 4
IMPLEMENTATION OF WAZUH

4.1 REQUIREMENT ANALYSIS


This section describes the prerequisites for deploying Wazuh, a security platform that combines XDR
(Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities
for endpoints and cloud workloads. Its central components are the Wazuh server, the Wazuh indexer and
the Wazuh dashboard, together with the agents installed on monitored hosts. The methodology commences
with a comprehensive requirement analysis in which the organization's specific security needs and
operational objectives are evaluated. This stage involves close collaboration with key stakeholders,
including security teams, system administrators, and other relevant personnel, to ascertain the
desired functionality, deployment scope, and performance criteria for the Wazuh implementation.

Here are the key aspects to consider when planning to install and configure Wazuh:

4.1.1 HARDWARE AND SOFTWARE REQUIREMENTS


WAZUH SERVER
a) The Wazuh server is a key element: it manages agents, processes security events against
the ruleset, and forwards alerts to the Wazuh indexer (or to Elasticsearch when the Elastic
integration is used).
b) Operating system: a 64-bit Linux distribution covered by the installation packages, such
as Ubuntu, Amazon Linux, CentOS or RHEL.
c) Resources: for an all-in-one deployment the documented minimum is 4 GB of RAM and 2 CPU
cores, with 16 GB of RAM and 8 CPU cores recommended; a distributed deployment sizes the
server and indexer nodes separately according to the number of agents and the alert rate.
d) Root or sudo access: administrative privileges are needed to install and configure Wazuh.
e) Internet connection: needed to download and install packages (an offline installation
method exists for isolated networks).
f) Network: agents must reach the server on TCP port 1514 (events) and 1515 (enrollment);
the dashboard is served on TCP 443 and the indexer API on TCP 9200.

WAZUH AGENTS
a) Wazuh agents are lightweight monitoring programs deployed on endpoints (laptops, servers,
cloud instances, etc.).
b) They collect system and application logs and inventory data, monitor file integrity, run
security configuration checks, and ship the results to the server.
c) Agents are available for Linux, Windows, macOS, Solaris, AIX and HP-UX, and run in
containers and virtual machines.

INDEXER AND DASHBOARD (ELASTIC STACK COMPONENTS)
a) Wazuh 4.3 and later ship the Wazuh indexer and Wazuh dashboard (OpenSearch-based); older
releases, and the optional Elastic integration, use Elasticsearch, Logstash and Kibana
instead.

4.1.2 DEPLOYMENT FLEXIBILITY


a) Choose between a more tailored deployment with separate servers for each
component or an all-in-one installation where the Wazuh server and indexer are on
the same host.
b) The Wazuh indexer and Wazuh server can be installed on a single host or distributed
in cluster configurations.

4.1.3 INSTALLATION ALTERNATIVES


a) Wazuh offers installation methods beyond the package-based installation described in this
report:
b) Ready-to-use Machines: Deploy Wazuh using pre-configured virtual machines or
cloud images.
c) Containers: Use Docker containers for easy deployment.
d) Orchestration Tools: Integrate Wazuh into your existing orchestration workflows.
e) Offline Installation: Install Wazuh without an internet connection.
f) Commercial Options: Explore commercial offerings for specific use cases.

4.2 INFRASTRUCTURE PLANNING AND DEPLOYMENT


Following the requirement analysis, the next phase entails meticulous planning and deployment
of the Wazuh infrastructure. This involves determining the optimal placement of Wazuh agents
across the organization's network, ensuring sufficient coverage of endpoints, servers, and critical
assets. Additionally, careful consideration is given to the sizing and configuration of the Wazuh
Manager and Elasticsearch Cluster to accommodate the anticipated volume of log data and
ensure scalability and performance.

4.3 AGENT CONFIGURATION AND INTEGRATION


With the infrastructure in place, the focus shifts to configuring and integrating the Wazuh agents
with the target systems and applications. This involves customizing agent settings to align with
the organization's security policies, defining log collection rules, and configuring log forwarding
mechanisms to relay data to the centralized Wazuh Manager. Furthermore, integration with third-
party systems and services, such as SIEM platforms and threat intelligence feeds, is established to
enrich the collected data.

4.4 RULESET CUSTOMIZATION AND TUNING


A critical aspect of the methodology involves the customization and tuning of the rulesets used by
the Wazuh Manager for log analysis and threat detection. This process entails fine-tuning existing
rules, creating new rules tailored to the organization's specific environment and threat landscape,
and adjusting rule priorities to optimize detection accuracy while minimizing false positives.
Continuous refinement and validation of the rulesets are conducted to ensure their effectiveness
in capturing relevant security events and anomalies.
Adjusting and fine-tuning its rules lets Wazuh detect security events more accurately while reducing
false positives. The steps are as follows:

4.4.1 UNDERSTANDING RULES


a) Wazuh rules are written in XML and define the conditions under which a decoded event
generates an alert.
b) Each rule has an id, a level (0 to 16; level 0 silences the event), a description, and
conditions such as match, regex, srcip or decoded_as; parent/child relations are expressed
with if_sid (refine a rule that matched the same event) and if_matched_sid together with
frequency and timeframe (correlate repeated matches).
c) The default ruleset lives in /var/ossec/ruleset/rules/ and is overwritten on upgrade, so it
must not be edited in place.
4.4.2 CUSTOMIZATION
a) Rule Overrides: custom rules go in /var/ossec/etc/rules/local_rules.xml (or another file
in that directory), and custom decoders in /var/ossec/etc/decoders/local_decoder.xml.
Custom rule IDs must be in the 100000 to 120000 range, and a default rule is changed by
redeclaring it with the same id and overwrite="yes" rather than by editing the ruleset.
b) Rule Variables: adapt rules to the environment by adjusting thresholds (frequency and
timeframe), IP addresses, or file paths.
c) Rule Groups: the group attribute and <group> tag classify rules (e.g. local, sshd,
authentication_failed) so alerts can be filtered and prioritized.
4.4.3 TUNING FOR ACCURACY
a) Tune Thresholds: raise frequency or narrow timeframe on correlation rules, for example
the failed-login brute-force rules, so they do not fire on ordinary typos.
b) Silencing known-benign events: Wazuh has no generic whitelist rule option. Instead, write
a child rule with if_sid pointing at the noisy rule, level="0", and a narrowing condition
(srcip, user, hostname, or a match against a CDB list) so that those events are ignored;
the white_list setting in ossec.conf only exempts addresses from active response blocking.
c) Customize Alerts: edit the description (and group tags) so that the alert carries the
context an analyst needs.

4.4.4 TESTING AND MONITORING


a) Test Changes: feed representative log lines to /var/ossec/bin/wazuh-logtest on the manager
and confirm that the intended rule, and only that rule, fires; then restart the manager
(systemctl restart wazuh-manager) to load the new ruleset and re-test against real-world
scenarios.
b) Monitor Alerts: regularly review alerts and adjust rules as needed.
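To show how the rule attributes above interact, the Python below is a small model of rule evaluation. It is an added example written for this report, not code from Wazuh: it parses a constructed local_rules.xml with a base sshd rule, a frequency/timeframe correlation child and a level-0 child that silences an authorised scanner, then runs constructed sshd log lines through it. The rule IDs (100010 to 100012), log lines and IP addresses are assumptions, and the real analysis engine's counting semantics differ in detail, so a real ruleset is still validated with wazuh-logtest.

```python
"""Offline model of how a custom Wazuh ruleset is evaluated.

Added example, not from the report and not Wazuh's own engine. It models only the
semantics used in section 4.4 (match/srcip/decoded_as, if_sid children, a level-0
child that silences a known source, frequency/timeframe with same_source_ip). Rules,
log lines and addresses are constructed; the real engine's counting differs in detail.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed rules; on a manager they belong in /var/ossec/etc/rules/local_rules.xml.
LOCAL_RULES = """
<group name="local,sshd,">
  <rule id="100010" level="5">
    <decoded_as>sshd</decoded_as>
    <match>Failed password</match>
    <description>sshd: failed password (custom).</description>
  </rule>
  <rule id="100011" level="10" frequency="4" timeframe="60">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip/>
    <description>sshd: 4 failed passwords in 60 s from one source.</description>
  </rule>
  <rule id="100012" level="0">
    <if_sid>100010</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>Ignore failed logins from the authorised scanner.</description>
  </rule>
</group>
"""

# Constructed sshd events as (seconds since start, raw syslog line).
SAMPLE_LOG = [
    (0, "Apr 10 10:00:00 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 5011 ssh2"),
    (10, "Apr 10 10:00:10 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 5012 ssh2"),
    (20, "Apr 10 10:00:20 web01 sshd[2215]: Failed password for admin from 203.0.113.7 port 5013 ssh2"),
    (30, "Apr 10 10:00:30 web01 sshd[2217]: Failed password for admin from 203.0.113.7 port 5014 ssh2"),
    (40, "Apr 10 10:00:40 web01 sshd[2219]: Failed password for svc from 10.0.0.5 port 5015 ssh2"),
    (45, "Apr 10 10:00:45 web01 sshd[2220]: Accepted publickey for deploy from 198.51.100.9 port 5016 ssh2"),
    (5000, "Apr 10 11:23:20 web01 sshd[2301]: Failed password for root from 203.0.113.7 port 5017 ssh2"),
]

def decode(ts, line):  # stand-in for the sshd decoder: the fields a rule can test
    m = re.search(r"sshd\[\d+\]: (.*)$", line)
    if not m:
        return None
    ip = re.search(r"\bfrom (\d+(?:\.\d+){3})\b", m.group(1))
    return {"ts": ts, "decoder": "sshd", "log": m.group(1), "srcip": ip.group(1) if ip else None}

def load_rules(xml_text):
    """Parse the rule XML into plain dicts keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rule = {k: r.findtext(k) for k in ("decoded_as", "match", "srcip", "if_sid", "if_matched_sid", "description")}
        rule.update(id=r.get("id"), level=int(r.get("level")), frequency=int(r.get("frequency", "0")),
                    timeframe=int(r.get("timeframe", "0")), same_source_ip=r.find("same_source_ip") is not None)
        rules[rule["id"]] = rule
    return rules

def static_match(rule, ev):  # conditions that depend only on the current event
    return ((not rule["decoded_as"] or rule["decoded_as"] == ev["decoder"])
            and (not rule["match"] or rule["match"] in ev["log"])
            and (not rule["srcip"] or rule["srcip"] == ev["srcip"]))

class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        self.seen = defaultdict(deque)  # (sid, srcip) -> timestamps of earlier matches

    def evaluate(self, ev):
        """Alert dict for one decoded event, or None if nothing fires."""
        fired = next((r for r in self.rules.values()
                      if not r["if_sid"] and not r["if_matched_sid"] and static_match(r, ev)), None)
        if fired is None:
            return None
        child = True  # descend through if_sid children; the deepest match wins
        while child:
            child = next((r for r in self.rules.values()
                          if r["if_sid"] == fired["id"] and static_match(r, ev)), None)
            fired = child or fired
        if fired["level"] == 0:
            return None  # level 0 silences the event and keeps it out of correlation
        key = (fired["id"], ev["srcip"])
        self.seen[key].append(ev["ts"])
        for r in self.rules.values():  # correlation children (if_matched_sid)
            if r["if_matched_sid"] != fired["id"]:
                continue
            keys = [key] if r["same_source_ip"] else [k for k in self.seen if k[0] == fired["id"]]
            recent = [t for k in keys for t in self.seen[k] if ev["ts"] - t <= r["timeframe"]]
            if len(recent) >= r["frequency"]:
                for k in keys:
                    self.seen[k].clear()  # one alert per burst, then start counting again
                fired = r
                break
        return {"rule": fired["id"], "level": fired["level"], "srcip": ev["srcip"],
                "ts": ev["ts"], "description": fired["description"]}

def run(log=SAMPLE_LOG, rules_xml=LOCAL_RULES):
    """Evaluate every line in order; one alert (or None) per input line."""
    engine = RuleEngine(load_rules(rules_xml))
    return [engine.evaluate(ev) if ev else None for ev in (decode(ts, line) for ts, line in log)]
```

Calling run() on the sample gives one result per line: the first three failures from 203.0.113.7 raise the level-5 base rule, the fourth raises the level-10 correlation rule instead, the scanner's failure is silenced by the level-0 child, the successful login matches nothing, and a failure long after the window starts a fresh count. The same three cases (base alert, correlated alert, silenced event) are what to feed wazuh-logtest after editing local_rules.xml.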

4.5 MONITORING AND INCIDENT RESPONSE

Once the Wazuh infrastructure is operational, ongoing monitoring and incident response activities
form a core component of the methodology. Security analysts closely monitor the alerts and
notifications generated by the Wazuh manager, investigating suspicious activities and security
incidents in real time. Prompt response actions are initiated to contain and mitigate identified
threats, leveraging predefined response mechanisms and playbooks to streamline incident
resolution workflows.

4.5.1 INCIDENT RESPONSE WITH WAZUH


a) Wazuh offers centralized administration for alerting, monitoring, and log analysis in
real-time, empowering businesses to effectively look into and handle events.
b) By providing a common platform for issue triage, investigation, and remediation, this
cooperative setting expedites incident response.

4.5.2 AUTOMATING INCIDENT RESPONSE

a) The Wazuh Active Response module allows users to run automated actions
when incidents are detected on endpoints.
b) Configure actions to be carried out when specific events occur on monitored
endpoints.
c) Default active response scripts shipped with the agent include firewall-drop (blocks a
source address with the host firewall), host-deny (adds it to /etc/hosts.deny),
disable-account, route-null and restart-wazuh; each is bound to rule IDs, levels or groups
in the <active-response> block of ossec.conf, optionally with a timeout after which the
action is reverted.
d) Wazuh also allows custom active response scripts in any programming language, placed in
the active-response/bin directory and registered with a <command> block, so that responses
can be tailored to organizational needs.
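The following Python script is an added example of a custom active response, not a script shipped with Wazuh and not part of the original report. It implements the stdin/stdout JSON exchange that wazuh-execd uses with custom scripts in Wazuh 4.x (a request carrying the alert, a check_keys reply from the script, and a continue or abort verdict from execd) and maintains a deny-list file for the alert's source address. The script name, the deny-list path, the choice of the source IP as the key and the sample request are assumptions made for the example; a production script would hand the address to a firewall instead of writing a file.

```python
#!/usr/bin/env python3
"""Custom Wazuh active response script that maintains a deny list.

Added example, not a script shipped with Wazuh and not from the original report.
It follows the JSON exchange wazuh-execd uses with custom active response scripts
in Wazuh 4.x: read an "add" or "delete" request carrying the alert from stdin,
answer with "check_keys" naming the keys the script intends to act on, and act only
if execd replies "continue". Path, script name and the sample request are assumed.
"""
import json
import sys

DENY_LIST = "/tmp/wazuh-custom-deny.list"  # assumed location for the example
SCRIPT_NAME = "custom-deny.py"             # assumed name, reported in the origin field

# Constructed request in the shape execd sends (alert fields abbreviated).
SAMPLE_ADD_REQUEST = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add",
    "parameters": {"extra_args": [], "program": "/var/ossec/active-response/bin/custom-deny.py",
                   "alert": {"timestamp": "2024-04-10T10:00:30.000+0000",
                             "rule": {"id": "100011", "level": 10,
                                      "description": "sshd: 4 failed passwords in 60 s from one source."},
                             "agent": {"id": "001", "name": "web01"},
                             "data": {"srcip": "203.0.113.7", "dstuser": "root"}}}})
SAMPLE_CONTINUE = json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                              "command": "continue", "parameters": {}})
SAMPLE_ABORT = SAMPLE_CONTINUE.replace('"continue"', '"abort"')


def parse_request(line):
    """Validate an execd request; returns (command, srcip) or raises ValueError."""
    data = json.loads(line)
    command = data.get("command")
    if command not in ("add", "delete"):
        raise ValueError("unsupported command: %r" % (command,))
    srcip = data.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    if not srcip:
        raise ValueError("alert carries no data.srcip; refusing to act")
    return command, srcip


def check_keys_message(keys, script_name=SCRIPT_NAME):
    """Reply sent before acting, so execd can de-duplicate and enforce timeouts per key."""
    return json.dumps({"version": 1, "origin": {"name": script_name, "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": list(keys)}})


def may_continue(line):
    """True only for an explicit 'continue'; abort or malformed input means do nothing."""
    try:
        return json.loads(line).get("command") == "continue"
    except (ValueError, AttributeError):
        return False


def apply_action(command, srcip, entries):
    """Pure update of the deny list: returns the new set of blocked addresses."""
    entries = set(entries)
    if command == "add":
        entries.add(srcip)
    else:
        entries.discard(srcip)
    return frozenset(entries)


def handle(request_line, reply, entries=frozenset()):
    """Run one exchange. reply(msg) sends a line to execd and returns its answer line.
    Returns (acted, entries); acted is False when execd aborted the response."""
    command, srcip = parse_request(request_line)
    if command == "add" and not may_continue(reply(check_keys_message([srcip]))):
        return False, frozenset(entries)
    return True, apply_action(command, srcip, entries)


def load_list(path=DENY_LIST):
    try:
        with open(path) as f:
            return frozenset(l.strip() for l in f if l.strip())
    except FileNotFoundError:
        return frozenset()


def main():
    def reply(msg):
        print(msg, flush=True)       # execd reads our stdout ...
        return sys.stdin.readline()  # ... and answers on our stdin
    try:
        acted, entries = handle(sys.stdin.readline(), reply, load_list())
    except ValueError as exc:
        sys.exit("%s: %s" % (SCRIPT_NAME, exc))
    if acted:
        with open(DENY_LIST, "w") as f:
            f.write("".join(ip + "\n" for ip in sorted(entries)))


if __name__ == "__main__":
    main()
```

To register it, copy the script to /var/ossec/active-response/bin/ on the hosts that should run it, make it executable, declare it in ossec.conf with a <command> block whose <executable> is the file name, and bind it with an <active-response> block to the rule IDs that should trigger it (for example the custom brute-force rule) together with a <timeout>, so that execd later sends the matching delete request. The check_keys round trip is what lets execd refuse a second response for the same key while a timed response is still active, which is why the script must not act before reading the verdict.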

4.6 PERFORMANCE EVALUATION AND OPTIMIZATION


The methodology concludes with a thorough evaluation of the Wazuh deployment's performance
and efficacy in meeting the organization's security objectives. Key performance indicators (KPIs)
such as detection rate, response time, and false positive rate are assessed to gauge the
effectiveness of the solution. Based on the findings, iterative optimization efforts are undertaken
to fine-tune the configuration, rulesets, and overall operational processes, ensuring continuous
improvement and alignment with evolving security requirements.

4.6.1 PERFORMANCE METRICS AND BENCHMARKS


a) Explanation of performance indicators that are often utilized, including throughput,
latency, scalability, and resource use.
b) Examining benchmarking techniques to compare cybersecurity tool performance.
c) Overview of pertinent principles and criteria for cybersecurity performance assessment.

4.6.2 PERFORMANCE EVALUATION OF WAZUH


a) An explanation of the experimental setting, system specs, network configuration, and
dataset used to assess Wazuh's performance.
b) Display of performance data for several parameters, including resource use, alert creation
times, and event processing rates.
c) analysis of how different configuration options, network traffic, and data amount affect
Wazuh's performance.

4.6.3 OPTIMIZATION TECHNIQUES

a) An overview of optimization methods to enhance the functionality of cybersecurity


instruments such as Wazuh.
b) Examining various optimization techniques, such as algorithmic optimizations, software
configuration adjustment, and hardware optimization.
c) An explanation of certain optimization methods that are relevant to Wazuh, including data
pretreatment, rule optimization, and indexing optimization.

4.6.4 EXPERIMENTAL RESULTS AND COMPARATIVE ANALYSIS

a) Presentation of the experimental findings both before and after Wazuh was optimized.
b) Comparative analysis of performance improvements achieved through optimization.
c) Discussion of trade-offs between performance gains and potential drawbacks, such as
increased complexity or resource requirements.

CHAPTER 5

ENDPOINT SECURITY TESTING WITH WAZUH

The testing phase of the Wazuh platform is a meticulous process designed to validate every aspect of its
functionality, performance, and security. Functional testing involves ensuring that all features, from log data
collection to rule-based alerting, perform accurately and reliably. Performance testing delves into the
platform's ability to handle various loads, assessing factors such as scalability, response times, and resource
utilization to optimize performance under real-world conditions. Security testing is paramount, involving
penetration testing, vulnerability assessments, and threat emulation to identify and address potential
weaknesses in the platform's defenses. Integration testing ensures seamless compatibility with external
systems and services, guaranteeing smooth data exchange and interoperability with other security tools and
platforms. Usability testing focuses on the user experience, assessing the platform's interface, navigation, and
workflow to ensure intuitive operation for security analysts and administrators.

Fig 5.1 Top 10 security alerts

Figure 5.1 above shows the top 10 security alerts raised during testing. Regression testing is essential for maintaining
stability across updates and releases, verifying that new features or changes do not introduce unexpected issues
or regressions. Additionally, compliance testing may be conducted to ensure adherence to industry regulations
and standards, providing assurance that the Wazuh platform meets necessary security and compliance
requirements. Through comprehensive testing across these dimensions, organizations can instill confidence in
the Wazuh platform's reliability, effectiveness, and ability to bolster their overall cybersecurity posture.
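As an added example, not part of the original report, the Python below reproduces the kind of summary behind figure 5.1 directly from the server's alerts.json, which the Wazuh server writes as one JSON object per line to /var/ossec/logs/alerts/alerts.json. It counts alerts per rule, per agent and per source address and reports how much of the volume sits below level 7, which is the first number to look at when tuning the ruleset as in section 4.4. The alerts embedded in the block are constructed for the example, including a cut-off last line of the kind seen while the file is being written.

```python
"""Offline triage summary over Wazuh alerts.json.

Added example, not from the original report. The Wazuh server writes every alert
as one JSON object per line to /var/ossec/logs/alerts/alerts.json; this block
counts alerts per rule, per agent and per source address, the view behind a
"top 10 alerts" panel. The sample alerts are constructed, and only the fields
used here (rule.id/level/description, agent.name, data.srcip) are relied upon.
"""
import json
from collections import Counter


def _alert(ts, rid, level, desc,groups, agent, srcip=None):
    """Build one constructed alert line in the alerts.json shape."""
    a = {"timestamp": ts, "rule": {"id": rid, "level": level, "description": desc, "groups": groups},
         "agent": {"id": "001" if agent == "web01" else "002", "name": agent}, "location": "/var/log/auth.log"}
    if srcip:
        a["data"] = {"srcip": srcip}
    return json.dumps(a)


SSH_FAIL = ("5716", 5, "sshd: authentication failed.", ["syslog", "sshd", "authentication_failed"])
PAM_OPEN = ("5501", 3, "PAM: Login session opened.", ["pam", "syslog", "authentication_success"])
SAMPLE_ALERTS = "\n".join([
    _alert("2024-04-10T10:00:00+0000", *SSH_FAIL, "web01", "203.0.113.7"),
    _alert("2024-04-10T10:00:10+0000", *SSH_FAIL, "web01", "203.0.113.7"),
    _alert("2024-04-10T10:00:20+0000", *SSH_FAIL, "web01", "203.0.113.7"),
    _alert("2024-04-10T10:00:30+0000", *SSH_FAIL, "web01", "203.0.113.7"),
    _alert("2024-04-10T10:00:30+0000", "5712", 10, "sshd: brute force trying to get access to the system.",
           ["syslog", "sshd", "authentication_failures"], "web01", "203.0.113.7"),
    _alert("2024-04-10T10:01:00+0000", *PAM_OPEN, "web01"),
    _alert("2024-04-10T10:02:00+0000", *PAM_OPEN, "web01"),
    _alert("2024-04-10T10:03:00+0000", "31151", 10, "Multiple web server 400 error codes from same source ip.",
           ["web", "accesslog", "web_scan", "recon"], "web01", "198.51.100.9"),
    _alert("2024-04-10T10:04:00+0000", "550", 7, "Integrity checksum changed.", ["ossec", "syscheck"], "db01"),
    _alert("2024-04-10T10:05:00+0000", "5402", 3, "Successful sudo to ROOT executed.", ["syslog", "sudo"], "db01"),
    _alert("2024-04-10T10:06:00+0000", *SSH_FAIL, "db01", "198.51.100.9"),
    _alert("2024-04-10T10:07:00+0000", *PAM_OPEN, "db01"),
]) + '\n{"timestamp": "2024-04-10T10:08'  # constructed partial last line, as seen mid-write


def parse_alerts(text):
    """Yield alert dicts from newline-delimited JSON, skipping blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # the server appends live, so a cut-off last line is normal


def summarise(text, top=10, min_level=0):
    """Counts per rule, agent and source for alerts at or above min_level."""
    by_rule, by_agent, by_src = Counter(), Counter(), Counter()
    highest, total, low = {}, 0, 0
    for a in parse_alerts(text):
        rule = a.get("rule", {})
        level = int(rule.get("level", 0))
        if level < min_level:
            continue
        total += 1
        if level < 7:  # levels below 7 are the usual noise candidates when tuning
            low += 1
        by_rule[(rule.get("id"), rule.get("description"))] += 1
        agent = a.get("agent", {}).get("name", "?")
        by_agent[agent] += 1
        highest[agent] = max(highest.get(agent, 0), level)
        srcip = a.get("data", {}).get("srcip")
        if srcip:
            by_src[srcip] += 1
    return {"total": total, "low_level_share": low / total if total else 0.0,
            "top_rules": by_rule.most_common(top), "by_agent": dict(by_agent),
            "highest_level": highest, "top_sources": by_src.most_common(top)}


if __name__ == "__main__":
    s = summarise(SAMPLE_ALERTS)
    for (rid, desc), n in s["top_rules"]:
        print("%5d  rule %-6s %s" % (n, rid, desc))
    print("%.0f%% of alerts are below level 7" % (100 * s["low_level_share"]))
```

On a real deployment, replace SAMPLE_ALERTS with the contents of alerts.json (or a day's rotated file under /var/ossec/logs/alerts/) and run summarise with min_level=7 to see only the alerts an analyst is expected to act on; a high low_level_share on the unfiltered run points at the rules that need the level-0 children or threshold changes described in section 4.4.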

Testing Wazuh SIEM (Security Information and Event Management) in industry deployments is a crucial step to ensure robust
cybersecurity measures. Through rigorous testing protocols, including simulated attacks, anomaly detection
scenarios, and stress tests, Wazuh SIEM's effectiveness in identifying, analyzing, and responding to security
incidents can be thoroughly evaluated. Industries such as finance, healthcare, and government rely on Wazuh
SIEM to protect sensitive data and infrastructure from cyber threats. By subjecting the system to diverse
testing environments representative of industry-specific challenges, organizations can validate its ability to
detect and mitigate security breaches effectively. Additionally, testing allows for fine-tuning configurations
and optimizing performance, enhancing the overall security posture of the organization.

In addition to functional, performance, security, integration, usability, regression, and compliance testing, the
thorough testing phase of the Wazuh platform may also encompass several specialized testing approaches.
These include stress testing to assess the platform's resilience under extreme conditions, such as high traffic
volumes or denial-of-service attacks, ensuring that it can withstand adverse scenarios without compromising
performance or stability.

In education institutions and healthcare industries, Wazuh SIEM plays a pivotal role in safeguarding sensitive
data and ensuring regulatory compliance. In educational settings, where student records and research data are
paramount, Wazuh SIEM provides comprehensive monitoring and threat detection capabilities, helping to
mitigate risks associated with data breaches and cyberattacks. By continuously monitoring network activity,
detecting anomalies, and providing real-time alerts, Wazuh helps educational institutions maintain the integrity
and confidentiality of their data. Similarly, in healthcare industries, where patient confidentiality and data
security are paramount, Wazuh SIEM offers robust security solutions to protect electronic health records
(EHRs) and other sensitive information. It helps healthcare organizations comply with regulations such as
HIPAA (Health Insurance Portability and Accountability Act) by providing centralized monitoring, threat
detection, and incident response capabilities. Wazuh SIEM serves as a critical tool in both educational and
healthcare settings, ensuring the protection of sensitive data and the integrity of digital infrastructure.

Disaster recovery testing evaluates the platform's ability to recover and resume normal operations in the event
of system failures or catastrophic incidents, validating the effectiveness of backup and recovery mechanisms.
Interoperability testing focuses on verifying seamless communication and data exchange between the Wazuh
platform and various hardware devices, software applications, and network protocols, ensuring compatibility
across heterogeneous environments.

Testing Wazuh SIEM is a multifaceted endeavor that demands meticulous planning and execution. At its core,
effective testing aims to scrutinize Wazuh's capabilities across various dimensions, ensuring its readiness to
defend against evolving cyber threats. Before embarking on the testing journey, it's imperative to grasp the
intricate nuances of Wazuh's architecture and functionalities. Wazuh SIEM comprises a constellation of
components, including agents deployed on endpoints, a centralized manager for log aggregation and analysis,
and integrations with complementary security tools. These components work in concert to form a robust
defense mechanism, capable of detecting anomalies, identifying potential security breaches, and orchestrating
timely responses. By delineating clear testing objectives and establishing comprehensive criteria,
organizations can methodically assess Wazuh's performance, scalability, reliability, and efficacy. This
strategic approach not only fortifies the organization's security posture but also fosters a culture of continuous
improvement and adaptation in the face of emerging threats.

In educational settings, where student records and research data are paramount, Wazuh SIEM provides
comprehensive monitoring and threat detection capabilities, helping to mitigate risks associated with data
breaches and cyberattacks. By continuously monitoring network activity, detecting anomalies, and providing
real-time alerts, Wazuh helps educational institutions maintain the integrity and confidentiality of their data.
Similarly, in healthcare industries, where patient confidentiality and data security are paramount, Wazuh
SIEM offers robust security solutions to protect electronic health records (EHRs) and other sensitive
information. It helps healthcare organizations comply with regulations such as HIPAA (Health Insurance
Portability and Accountability Act) by providing centralized monitoring, threat detection, and incident
response capabilities. Wazuh SIEM serves as a critical tool in both educational and healthcare settings,
ensuring the protection of sensitive data and the integrity of digital infrastructure.


CHAPTER 6

RESULTS AND DISCUSSION

This chapter presents the comprehensive capabilities of the Wazuh tool for log-based attack detection across
various stages of the cybersecurity landscape. Wazuh, an open-source security platform, offers a wide spectrum
of functionalities aimed at enhancing threat detection and response within organizational environments.
Through an examination of its features, including log analysis, intrusion detection, file integrity
monitoring, and threat intelligence integration, this study aims to provide a detailed understanding of how
Wazuh can be leveraged to fortify defenses against a multitude of cyber threats.

Wazuh exhibited a high degree of efficacy in detecting malware across various stages of the attack
lifecycle. Through its comprehensive log analysis and threat detection capabilities, Wazuh promptly
identified suspicious patterns and behaviours indicative of malware infections. By leveraging signature-
based detection techniques, Wazuh successfully flagged known malware variants, enabling swift response
and mitigation actions. Furthermore, its behaviour-based detection mechanisms proved invaluable in
identifying novel and evasive malware strains that evade traditional signature-based detection methods.
Through real-time correlation of system events and anomaly detection algorithms, Wazuh effectively
pinpointed malicious activities indicative of malware compromise, enabling timely remediation and
containment efforts.

Fig 6.1 Ransomware detection with Wazuh

Figure 6.1 above shows ransomware detection with Wazuh. Wazuh ships with a preset set of rules created
specifically to identify typical malware-related activity. These rules cover a wide range of indicators of
compromise (IoCs), including network connections to known malicious domains or IP addresses, unauthorized
processes, and suspicious file alterations. Wazuh does not rely on signature-based detection alone; it also
emphasizes behavioural analysis, watching for unusual activity such as programs attempting to alter important
system files, unauthorized registry modifications, or suspicious network connections.

Ransomware detection stands as a critical pillar in modern cybersecurity defenses, given the ever-looming
threat posed by ransomware attacks. Detecting ransomware requires a multi-layered approach that
encompasses both preventative measures and proactive detection mechanisms. At its core, ransomware
detection involves the continuous monitoring and analysis of various system activities and behaviors to
identify anomalous patterns indicative of ransomware activity. This encompasses scrutinizing file system
changes, network traffic anomalies, and unusual process behaviors that may signal the presence of
ransomware encryption or propagation attempts. Moreover, leveraging advanced threat intelligence feeds,
behavioral analytics, and machine learning algorithms can enhance the detection capabilities by
identifying previously unseen ransomware variants and evolving attack techniques. Additionally,
implementing data backup solutions and conducting regular backup integrity checks serve as essential
preventative measures, enabling organizations to mitigate the impact of ransomware attacks and facilitate
timely recovery. By combining proactive detection strategies with robust incident response protocols,
organizations can bolster their resilience against ransomware threats and safeguard critical assets from
extortion attempts.

Fig 6.2 SSH brute-force detection with Wazuh

Figure 6.2 above shows SSH brute-force detection with Wazuh. In assessing Wazuh's performance in detecting
SSH brute-force attacks, we observed robust detection capabilities that proved instrumental in thwarting
unauthorized access attempts. Wazuh effectively monitored SSH login attempts and scrutinized authentication
logs for patterns indicative of brute-force attacks, such as repeated login failures from the same IP address
or unusual login patterns. Through real-time alerting and correlation of authentication events, Wazuh swiftly
identified and alerted security teams to ongoing brute-force attacks, enabling proactive response actions such
as IP blocking or account lockdown. Furthermore, Wazuh's integration with threat intelligence feeds enriched
its detection capabilities, allowing it to identify known malicious IP addresses associated with SSH
brute-force campaigns and proactively block access from these sources. Wazuh can be used for SSH brute-force
attack detection. Brute-force attacks against SSH are automated attempts to guess legitimate usernames and
passwords in order to obtain unauthorized access to a system. The following paragraphs outline techniques for
spotting and preventing these kinds of attacks.

Detecting SSH brute force attacks is paramount in safeguarding network security, particularly in
environments where Secure Shell (SSH) is a primary method of remote access. A comprehensive
approach to SSH brute force detection involves a blend of proactive measures, sophisticated algorithms,
and real-time monitoring capabilities. At its essence, SSH brute force detection revolves around
scrutinizing authentication attempts to identify patterns indicative of malicious activity. This entails
analyzing login attempts, monitoring failed authentication events, and correlating this data with contextual
information such as IP addresses, time stamps, and user accounts. Furthermore, leveraging machine
learning algorithms and anomaly detection techniques can enhance the efficacy of SSH brute force
detection by discerning deviations from normal behavior. In addition to automated detection mechanisms,
employing manual review and threat intelligence feeds can provide invaluable insights into emerging
threats and attack trends. By integrating robust detection mechanisms into the broader security
infrastructure and fostering a culture of vigilance, organizations can effectively thwart SSH brute force
attacks and fortify their defenses against malicious actors.

Network-based detection is a foundational component of modern cybersecurity strategies, enabling
organizations to identify and mitigate a wide range of threats traversing their network infrastructure. At its
core, network-based detection involves the continuous monitoring and analysis of network traffic to
pinpoint suspicious or malicious activities. This proactive approach is essential for detecting threats such
as malware infections, command-and-control communications, data exfiltration attempts, and lateral
movement by adversaries within the network.

One of the primary methods employed in network-based detection is the use of Intrusion Detection
Systems (IDS) and Intrusion Prevention Systems (IPS). These systems analyze network packets in real-
time, comparing them against predefined signatures or behavioral patterns indicative of known threats. By
inspecting inbound and outbound traffic, IDS/IPS solutions can swiftly detect and alert security teams to
potential security incidents, enabling timely response and mitigation actions.

In addition to signature-based detection, network-based detection also encompasses anomaly detection
techniques. Anomaly detection relies on establishing a baseline of normal network behavior and
identifying deviations from this baseline that may indicate suspicious or unauthorized activities. Machine
learning algorithms play a crucial role in anomaly detection, as they can adapt to evolving network
environments and discern subtle deviations that may evade traditional detection methods.

Furthermore, leveraging threat intelligence feeds and integrating with security information and event
management (SIEM) platforms enhances the efficacy of network-based detection. By correlating network
events with threat intelligence data and contextual information from other security tools, organizations can
gain deeper insights into potential threats and prioritize response efforts effectively.

Ultimately, network-based detection serves as a critical line of defense in protecting against a myriad of
cyber threats, providing organizations with the visibility and situational awareness needed to safeguard
their network assets and sensitive data. By deploying robust network monitoring solutions, organizations
can strengthen their cybersecurity posture and effectively mitigate the risks posed by malicious actors
targeting their network infrastructure.

To customize the Wazuh ruleset effectively, start by understanding its structure and organization,
distinguishing between various rule types, and grasping the roles of rule groups, decoders, and directives.
Conduct a thorough risk assessment to identify specific security threats and compliance requirements
relevant to your environment. Consider factors like network architecture, system configurations, and
industry regulations when defining customization objectives. Next, prioritize ruleset modifications based
on the criticality of identified risks and alignment with organizational security policies. Develop a clear
plan for rule customization, including the creation of new rules, modification of existing ones, or the
removal of obsolete rules. Test customized rules in a controlled environment to ensure they accurately
detect and respond to security events without generating false positives. Finally, implement the
customized ruleset into your Wazuh deployment and regularly review and update it to address evolving
threats and compliance mandates.
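The SSH brute-force detection discussed with Figure 6.2 and the rule-customization steps above reduce to one check: count failed logins per source address inside a time window and fire when a threshold is reached. The following Python script is an added example (not code from this report or from the Wazuh project) that implements that correlation over constructed sshd log lines; its `frequency`/`timeframe` parameters mirror the Wazuh rule attributes of the same name, and the default of 8 failures within 120 seconds is an assumed tuning value, not one taken from the report.

```python
"""Per-source-IP correlation of sshd authentication failures.

Added example, not code from the report or from Wazuh. The log lines below are
constructed; the default threshold (8 failures within 120 s) is an assumed
tuning value, chosen only to mirror the frequency/timeframe attribute pair
that a custom Wazuh rule carries.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd failure line, e.g.
# "May 10 12:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one noisy client cycling through usernames, and one
# legitimate user (alice) who mistypes her password once and then succeeds.
SAMPLE_LOG = """\
May 10 12:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
May 10 12:00:03 srv1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
May 10 12:00:05 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 50213 ssh2
May 10 12:00:07 srv1 sshd[2104]: Failed password for root from 203.0.113.7 port 50214 ssh2
May 10 12:00:09 srv1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 50215 ssh2
May 10 12:00:10 srv1 sshd[2106]: Failed password for alice from 198.51.100.22 port 41022 ssh2
May 10 12:00:11 srv1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 50216 ssh2
May 10 12:00:13 srv1 sshd[2108]: Failed password for invalid user ubuntu from 203.0.113.7 port 50217 ssh2
May 10 12:00:15 srv1 sshd[2106]: Accepted password for alice from 198.51.100.22 port 41022 ssh2
May 10 12:00:16 srv1 sshd[2109]: Failed password for root from 203.0.113.7 port 50218 ssh2
May 10 12:00:18 srv1 sshd[2110]: Failed password for root from 203.0.113.7 port 50219 ssh2
"""


def parse_failures(lines, year=2024):
    """Yield (timestamp, source_ip, username) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2024 here).
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, other daemons: ignored
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(lines, frequency=8, timeframe=120, year=2024):
    """Sliding-window correlation: alert when one source IP accumulates
    `frequency` failures inside `timeframe` seconds (the semantics a Wazuh
    rule expresses with frequency="..." timeframe="..." and <same_source_ip/>).

    Returns a list of alert dicts. After an alert the window is cleared, so a
    sustained campaign yields one alert per `frequency` failures rather than
    one alert per extra log line.
    """
    windows = defaultdict(deque)  # source ip -> deque of (timestamp, user)
    alerts = []
    for ts, ip, user in parse_failures(lines, year):
        win = windows[ip]
        win.append((ts, user))
        while (ts - win[0][0]).total_seconds() > timeframe:
            win.popleft()  # expire failures older than the timeframe
        if len(win) >= frequency:
            alerts.append({
                "ip": ip,
                "count": len(win),
                "users": sorted({u for _, u in win}),
                "first": win[0][0].strftime("%H:%M:%S"),
                "last": ts.strftime("%H:%M:%S"),
            })
            win.clear()
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in detect_bruteforce(lines):
        print(f"ALERT ssh brute force from {a['ip']}: {a['count']} failures "
              f"{a['first']}-{a['last']}, users tried: {', '.join(a['users'])}")
    # Tuning check: a timeframe too short for this burst produces no alert.
    # Running candidate thresholds against captured logs like this is the
    # "test in a controlled environment" step before deploying a custom rule.
    print("alerts with timeframe=10:", detect_bruteforce(lines, timeframe=10))
```

Running the script alerts once on 203.0.113.7 (eight failures in 15 seconds, five usernames tried) while alice's single failure stays below threshold; the second call shows that a 10-second timeframe would miss the same burst.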

Behavioral analysis plays a pivotal role in modern cybersecurity defenses, offering a proactive approach
to threat detection by scrutinizing patterns of behavior across various endpoints, networks, and user
activities. This method focuses on identifying anomalies and deviations from established baselines of
normal behavior, rather than relying solely on known signatures or patterns of known threats. By
leveraging machine learning algorithms and advanced analytics, behavioral analysis can detect
sophisticated and previously unseen threats, including insider threats, zero-day attacks, and advanced
persistent threats (APTs). Furthermore, behavioral analysis extends beyond traditional perimeter defenses,
providing organizations with insights into user behavior, application usage, and system interactions to
identify potential security risks and anomalies. Incorporating behavioral analysis into a comprehensive
security strategy enables organizations to enhance their threat detection capabilities, mitigate risks more
effectively, and respond to incidents in a timely manner, ultimately strengthening their overall
cybersecurity posture.

File integrity monitoring (FIM) is a critical security measure that involves monitoring and detecting
unauthorized changes to files and directories within an organization's IT infrastructure. By continuously
analyzing the cryptographic hashes or attributes of files and comparing them against baseline values, FIM
solutions can identify alterations, deletions, or additions to critical system files, configuration files, and
application binaries. This proactive approach helps organizations detect unauthorized modifications that
may result from malware infections, insider threats, or unauthorized access attempts. FIM also plays a
vital role in compliance adherence by providing evidence of data integrity and regulatory compliance.
Moreover, integrating FIM with security information and event management (SIEM) systems enables
organizations to correlate file integrity events with other security events, enhancing threat detection and
incident response capabilities. Overall, FIM serves as an essential component of a layered security
strategy, helping organizations maintain the integrity and security of their critical assets and sensitive data.
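As an added example of the hash-baseline approach this paragraph describes (not code from the report or from Wazuh's own syscheck module), the following Python script builds a SHA-256 baseline of a directory, rescans it after constructed tampering, and reports additions, deletions and modifications. The directory tree is constructed inline in a temporary folder; the same-size edit to backup.sh shows why the comparison must rely on the hash rather than on size alone.

```python
"""Hash-baseline file integrity monitoring.

Added example, not code from the report or from Wazuh's syscheck module. The
directory tree and the tampering performed in demo_fim_scenario() are
constructed here so the example runs offline in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile

WATCHED_FIELDS = ("sha256", "size", "mode")


def file_fingerprint(path):
    """Content hash plus the attributes a FIM baseline typically records."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map every file under root (relative, '/'-separated path) to its fingerprint."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_fingerprint(full)
    return baseline


def compare(baseline, current):
    """Diff two scans: which paths appeared, vanished, or changed (and in what field)."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [f for f in WATCHED_FIELDS if baseline[rel][f] != current[rel][f]]
        if changed:
            modified[rel] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel, creating dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo_fim_scenario():
    """Constructed scenario: baseline a small tree, tamper with it, rescan, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", b"PermitRootLogin no\nPasswordAuthentication yes\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/backup.sh", b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n")
        baseline = build_baseline(root)

        # Tampering (constructed): a hardening setting flipped, a script edited
        # without changing its size, a new file dropped, and a file removed.
        _write(root, "etc/sshd_config", b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        _write(root, "bin/backup.sh", b"#!/bin/sh\ntar czf /tmp/backup.tgz /srv/data\n")
        _write(root, "bin/helper.sh", b"#!/bin/sh\necho placeholder\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo_fim_scenario()
    for rel in report["added"]:
        print(f"ADDED     {rel}")
    for rel in report["deleted"]:
        print(f"DELETED   {rel}")
    for rel, fields in report["modified"].items():
        print(f"MODIFIED  {rel} ({', '.join(fields)})")
```

Feeding such a diff into a SIEM as one event per path is what lets a burst of MODIFIED entries across user documents, the pattern the ransomware discussion above refers to, be correlated with other alerts.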

While not part of Wazuh itself, tools such as xHydra (a graphical version of Hydra) can be used to automate
SSH brute-force attacks. Figures 6.3 and 6.4 below show the list of modified files and the SSH failed-login
overview reported by Wazuh, respectively.

Fig 6.3 The list of top modified files detected by Wazuh

System auditing within the framework of Wazuh SIEM is a cornerstone of cybersecurity operations,
offering organizations a comprehensive suite of tools and functionalities to ensure the integrity,
availability, and confidentiality of their digital assets. At its core, Wazuh SIEM facilitates system auditing
through robust log management capabilities, enabling the collection, normalization, and analysis of logs
from diverse sources across the IT infrastructure. Leveraging the Elastic Stack, Wazuh SIEM provides a
scalable and flexible platform for storing and querying log data, empowering security teams to identify
anomalous activities, investigate security incidents, and mitigate potential threats effectively.

Fig 6.4 SSH failed-login overview

In addition to log management, Wazuh SIEM offers real-time monitoring capabilities that enable
continuous visibility into system activities and network traffic. Through the use of agents deployed on
endpoints and network sensors strategically placed throughout the environment, Wazuh SIEM monitors
for suspicious behavior, unauthorized access attempts, malware infections, and other security events in
real-time. By correlating and analyzing security events in context, Wazuh SIEM helps security analysts
identify indicators of compromise (IOCs) and respond to security incidents promptly, minimizing the
impact of breaches and preventing future attacks.

Moreover, Wazuh SIEM excels in compliance auditing, providing organizations with the tools and
resources necessary to adhere to industry regulations and standards. With built-in compliance templates
and reporting capabilities, Wazuh SIEM simplifies the process of auditing and documenting compliance
with frameworks such as PCI DSS, HIPAA, GDPR, and CIS benchmarks. By automating compliance
checks and generating audit reports, Wazuh SIEM helps organizations demonstrate regulatory compliance
to auditors and stakeholders, mitigating the risk of non-compliance penalties and fines.

Despite its strengths, effective system auditing with Wazuh SIEM presents certain challenges that
organizations must address. These challenges include the configuration and tuning of detection rules to
reduce false positives and false negatives, the management of alert fatigue resulting from the high volume
of security alerts generated, and the integration of Wazuh SIEM with existing security infrastructure and
workflows. However, with proper planning, training, and support, organizations can overcome these
challenges and leverage the full potential of Wazuh SIEM to enhance their cybersecurity posture and
achieve their business objectives.

Looking ahead, the future of system auditing with Wazuh SIEM holds promise for further innovation and
advancement. As cyber threats continue to evolve and become more sophisticated, Wazuh SIEM is
expected to incorporate cutting-edge technologies such as machine learning, artificial intelligence, and
behavioral analytics to improve threat detection accuracy and efficiency. Moreover, with the rise of cloud
computing and hybrid IT environments, Wazuh SIEM is likely to expand its capabilities to provide
seamless visibility and control across on-premises, cloud, and hybrid infrastructures, enabling
organizations to secure their digital assets wherever they reside.

System auditing with Wazuh SIEM represents a powerful approach to cybersecurity that empowers
organizations to proactively identify and mitigate security risks, maintain regulatory compliance, and
safeguard their digital assets from cyber threats. By leveraging the comprehensive auditing capabilities of
Wazuh SIEM and staying abreast of emerging trends and technologies, organizations can stay one step
ahead of cyber adversaries and ensure the security and resilience of their IT infrastructure.

Expanding on the intricacies of system auditing within the realm of Wazuh SIEM involves delving deeper
into its features, functionalities, and practical applications in real-world scenarios. Wazuh SIEM's system
auditing capabilities extend beyond traditional log management and real-time monitoring to encompass
advanced threat detection, incident response automation, and compliance assurance.

One notable aspect of Wazuh SIEM is its extensive rule set, which comprises predefined rules for
detecting known threats, as well as the flexibility to create custom rules tailored to specific organizational
requirements. These rules cover a wide range of security events, including malware infections, brute force
attacks, suspicious file modifications, and unauthorized access attempts. By continuously analyzing log
data and network traffic against these rules, Wazuh SIEM can identify indicators of compromise and
generate actionable alerts for security analysts to investigate further.

Furthermore, Wazuh SIEM's incident response capabilities streamline the process of responding to
security incidents, enabling security teams to automate response actions based on predefined playbooks
and workflows. For example, in the event of a detected intrusion attempt, Wazuh SIEM can automatically
block the source IP address, quarantine the affected endpoint, and alert designated personnel for further
investigation. By automating response actions, Wazuh SIEM helps organizations mitigate the impact of
security incidents and reduce the time to remediation, enhancing overall cybersecurity resilience.

In the realm of compliance auditing, Wazuh SIEM shines as a comprehensive solution for meeting
regulatory requirements and industry standards. Its built-in compliance templates cover a wide range of
regulations and frameworks, providing organizations with a roadmap for implementing security controls
and demonstrating compliance with auditors and regulators. Wazuh SIEM's compliance reports offer
granular insights into security posture, vulnerabilities, and policy violations, enabling organizations to
address gaps and prioritize remediation efforts effectively.

Moreover, Wazuh SIEM's integration capabilities allow organizations to leverage existing security
investments and extend the functionality of their cybersecurity ecosystem. Through integrations with
threat intelligence feeds, ticketing systems, endpoint protection platforms, and security orchestration tools,
Wazuh SIEM enriches security data, enhances threat detection capabilities, and streamlines incident
response workflows. By centralizing security operations and fostering interoperability between disparate
security tools, Wazuh SIEM empowers organizations to build a cohesive and agile cybersecurity
infrastructure capable of defending against modern cyber threats.

System auditing with Wazuh SIEM represents a holistic approach to cybersecurity that combines
advanced threat detection, incident response automation, compliance assurance, and seamless integration
with existing security infrastructure. By harnessing the full potential of Wazuh SIEM's auditing
capabilities and staying proactive in adapting to evolving cyber threats, organizations can fortify their
defenses, mitigate risks, and maintain regulatory compliance in an increasingly complex and dynamic
threat landscape. Figures 6.5 and 6.6 below show the SELinux permission checklist and the anomalies detected
by Wazuh.

Fig 6.5 SELinux permission checklist

The results of our evaluation underscore the effectiveness of the Wazuh platform in detecting and
mitigating malware and SSH brute-force attacks, highlighting its value as a critical component of
organizational cybersecurity defenses. Wazuh's robust log analysis and threat detection capabilities enable
timely identification of malicious activities, facilitating swift response actions to mitigate risks and
minimize the impact of security incidents.

Fig 6.6 The list of detected anomalies

By leveraging a combination of signature-based detection, behaviour-based analysis, and real-time
correlation of security events, Wazuh provides comprehensive coverage against a wide range of cyber
threats, including both known and emerging malware variants and brute-force attacks.

Furthermore, Wazuh's flexibility and extensibility allow for seamless integration with existing security
infrastructure, enhancing its overall effectiveness in detecting and responding to security threats. Its
ability to integrate with threat intelligence feeds and external systems enables organizations to leverage
actionable insights and automate response actions, streamlining incident response workflows and
bolstering cybersecurity resilience.

Overall, our evaluation demonstrates that the Wazuh platform is a valuable asset in detecting and
mitigating malware and SSH brute-force attacks, providing organizations with the capabilities needed to
effectively protect their digital assets and mitigate cybersecurity risks. Continued research and
development efforts aimed at further enhancing Wazuh's detection capabilities and expanding its
functionality will contribute to its ongoing relevance and effectiveness in addressing evolving cyber
threats.

Interpreting findings in cybersecurity is a multifaceted process crucial for understanding the security
posture of an organization and mitigating potential risks effectively. It involves analyzing data collected
from various sources, such as logs and network traffic, to identify patterns or anomalies indicative of
security incidents. By recognizing indicators of compromise and understanding the context surrounding
these findings, security teams can assess the severity of potential threats and prioritize response efforts
accordingly. Additionally, contextualization enables organizations to discern between benign events and
genuine security incidents, facilitating more informed decision-making. Ultimately, the interpretation of
findings serves as the foundation for developing proactive security measures, strengthening defenses, and
safeguarding against emerging cyber threats.

Interpreting findings in cybersecurity carries significant implications for the continuous improvement of
cyber security practices within organizations. By meticulously analyzing collected data and deriving
actionable insights, security teams can bolster their defenses and response capabilities. Through the
identification of patterns or anomalies, organizations can enhance their ability to detect and thwart
potential security threats, including sophisticated attacks and insider risks. Furthermore, understanding the
context surrounding security findings enables more informed decision-making in incident response,
allowing for prompt and effective mitigation measures. This proactive approach not only minimizes the
impact of security incidents but also informs risk management strategies, helping organizations allocate
resources more effectively to mitigate risks. Additionally, insights derived from interpreting findings
facilitate the development and implementation of preventive measures, strengthening overall cyber
resilience and enabling organizations to adapt to evolving cyber threats more adeptly. Ultimately, the
implications of interpreting findings in cybersecurity extend beyond incident response, serving as a
catalyst for continuous improvement and ensuring the protection of critical assets and sensitive data
against emerging threats.

Based on the interpretation of findings in cybersecurity, several recommendations can be proposed to
improve organizational security practices. Firstly, investing in advanced threat detection technologies,
such as machine learning-based anomaly detection and behavioral analytics, can enhance the
organization's ability to detect and respond to sophisticated threats effectively. Additionally, regular
security awareness training for employees can help mitigate risks associated with insider threats and
human error, fostering a culture of security throughout the organization. Furthermore, implementing a
robust incident response plan, which includes clear escalation procedures and predefined response actions,
is essential for minimizing the impact of security incidents and facilitating swift recovery. Additionally,
continuous monitoring and auditing of security controls and configurations can help identify and
remediate vulnerabilities before they are exploited by attackers. Lastly, fostering collaboration with
industry peers and sharing threat intelligence can provide valuable insights into emerging threats and best
practices for enhancing cyber resilience. By adopting these recommendations, organizations can
strengthen their security posture and better protect against evolving cyber threats.

When evaluating cybersecurity practices, comparing them with industry standards provides valuable
insights into areas of strength and areas for improvement. Aligning cybersecurity practices with
recognized standards such as ISO/IEC 27001, NIST Cybersecurity Framework, or CIS Controls ensures
that organizations adhere to established best practices and guidelines. By conducting a comparison,
organizations can identify gaps between their current practices and industry standards, enabling them to
prioritize efforts for improvement effectively. Furthermore, compliance with industry standards enhances
credibility and demonstrates a commitment to security to stakeholders, customers, and regulatory bodies.
Additionally, leveraging industry standards can facilitate benchmarking against peer organizations and
gaining insights into emerging trends and evolving threats. Ultimately, comparing cybersecurity practices
with industry standards serves as a roadmap for continuous improvement, helping organizations enhance
their security posture and mitigate risks effectively in an ever-changing threat landscape.

When addressing limitations and potential bias in cybersecurity practices, organizations must adopt a
transparent and proactive approach to ensure the integrity and effectiveness of their security measures.
Firstly, acknowledging the inherent limitations of security technologies and methodologies is essential.
For example, while machine learning algorithms can enhance threat detection, they may also introduce
biases or false positives based on the data they are trained on. It's crucial to continuously evaluate and
validate the performance of these technologies to mitigate such biases.

Additionally, organizations must be cognizant of potential biases in threat intelligence feeds or security
assessments. Biases can arise from various sources, including the geographical region of the data source,
the industry focus of the threat intelligence provider, or the methodology used in security assessments. To
address this, organizations should diversify their sources of threat intelligence and regularly review and
cross-reference findings to minimize bias and ensure comprehensive threat coverage.

Moreover, organizations should conduct thorough risk assessments to identify and mitigate potential
biases in security decision-making processes. This involves considering factors such as organizational
culture, biases in risk perception, and the influence of stakeholders on security priorities. Implementing
governance mechanisms, such as independent oversight committees or peer reviews, can help mitigate
biases and ensure that security decisions are based on objective risk assessments.

Furthermore, fostering a culture of diversity and inclusivity within the cybersecurity workforce can help
mitigate biases in security practices. By promoting diverse perspectives and experiences, organizations
can enhance their ability to identify and address potential blind spots or biases in security strategies.

Overall, addressing limitations and potential bias in cybersecurity practices requires a multifaceted
approach, encompassing transparency, continuous evaluation, diversification of data sources, and
fostering a culture of diversity and inclusivity. By adopting these measures, organizations can enhance the
integrity and effectiveness of their security measures and better protect against evolving cyber threats.

Exploring new research directions in cybersecurity is crucial for staying ahead of emerging threats and
technological advancements. Promising avenues for future research include leveraging artificial
intelligence and machine learning for more effective threat detection, delving into the implementation and
scalability of the Zero Trust security model, addressing the security challenges posed by the Internet of
Things, advancing quantum cryptography to counter the threat of quantum computing, enhancing cyber
threat intelligence capabilities, investigating human-centric security approaches, and researching
blockchain security. By investing in these areas, researchers can contribute to the development of
innovative solutions to mitigate cyber risks and enhance the resilience of digital systems and networks
against evolving threats.

CHAPTER 7

CONCLUSION AND FUTURE ENHANCEMENTS

7.1 CONCLUSION

In conclusion, the rigorous testing phase underscores the Wazuh platform's effectiveness in fortifying
cybersecurity defenses through comprehensive log-based attack detection and response capabilities.
Functional, performance, security, integration, usability, regression, and compliance testing collectively
validate the platform's reliability, efficacy, and resilience in identifying and mitigating evolving cyber
threats. This thorough validation process instills confidence in the platform's ability to safeguard
organizational assets and respond effectively to security incidents. Looking ahead, future work could
involve exploring advanced testing methodologies, developing automated testing frameworks, and
expanding testing efforts to encompass emerging technologies. By continuously refining testing
methodologies and adapting to evolving threat landscapes, the Wazuh platform can remain at the forefront
of cybersecurity innovation, effectively mitigating risks and protecting critical assets in an ever-changing
digital environment. Looking towards future work, there are several avenues for further enhancing the
capabilities of the Wazuh platform through advanced testing methodologies and innovative approaches.
This includes exploring the integration of emerging technologies such as machine learning and artificial
intelligence to enhance threat detection capabilities and improve response automation.

Additionally, research efforts could focus on developing more sophisticated testing frameworks and tools
to streamline the testing process and provide deeper insights into the platform's performance under diverse
scenarios. Furthermore, there is potential for expanding testing efforts to encompass new use cases and
deployment environments, such as cloud-native architectures and Internet of Things (IoT) ecosystems, to
ensure the platform's relevance and effectiveness in addressing evolving cybersecurity challenges. By
continually advancing testing methodologies and adapting to emerging trends, the Wazuh platform can
remain a vital component of organizations' cybersecurity strategies, effectively protecting against cyber
threats and mitigating risks in an increasingly complex digital landscape.

7.2 FUTURE ENHANCEMENTS

Future improvements and advancements in Wazuh are likely to focus on several key areas to enhance its
capabilities and effectiveness in addressing evolving cybersecurity challenges. One potential area of
improvement is the integration of advanced artificial intelligence and machine learning algorithms. By
leveraging AI and ML technologies, Wazuh can improve its ability to detect and respond to sophisticated
cyber threats with greater accuracy and efficiency, reducing false positives and enhancing overall threat
intelligence. Another area for advancement is the expansion of Wazuh's support for cloud-native
environments and technologies. As organizations increasingly migrate their infrastructure and applications
to the cloud, Wazuh will need to adapt to provide seamless monitoring and protection across hybrid and
multi-cloud environments. This could involve developing native integrations with leading cloud platforms
and services, as well as enhancing support for containerized environments such as Kubernetes.
Furthermore, enhancing automation and orchestration capabilities within Wazuh can streamline incident
response workflows and enable faster mitigation of security incidents. By integrating with existing
security tools and frameworks through standardized APIs, Wazuh can automate repetitive tasks, facilitate
information sharing, and improve overall security posture. Additionally, as regulatory requirements
continue to evolve and become more stringent, future versions of Wazuh may incorporate enhanced
compliance management features to help organizations maintain compliance with industry-specific
regulations and standards.

Overall, the future of Wazuh will likely involve a combination of technological advancements, expanded
platform support, and improved usability to meet the ever-changing demands of the cybersecurity
landscape.


APPENDIX A
CODING

The project encompassed the integration of agents. These agents collect system and application data such
as logs, configuration details, file integrity status, and system metrics, and the manager uses a set of
rules to analyze the collected data and identify security threats. Wazuh can integrate with other security
tools and services to extend its capabilities: for example, with antivirus solutions to leverage their
malware detection, and with SIEM (Security Information and Event Management) systems for centralized
log management and correlation. Wazuh includes file integrity monitoring, which detects unauthorized
changes to critical system files, directories, and configuration settings and so helps identify potential
malware infections or system compromises. Wazuh generates real-time alerts and notifications when
suspicious or malicious activity is detected; these can be sent by email, SMS, or other communication
channels to notify security personnel of potential threats, and the platform also provides dashboards and
reporting capabilities.

A.1 SAMPLE CONFIGURATION

<!--
  Wazuh - Manager - Default configuration.
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wazuh@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="cve-debian-oval.xml"/>
  </wodle>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>
    <!-- Don't ignore files that change more than 3 times -->
    <auto_ignore>no</auto_ignore>
    <!-- Directories to check (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>
    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>
    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>
    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>
    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>
    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.0.0.2</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <!-- Configuration for wazuh-authd
       To enable this service, run:
       wazuh-control enable auth
  -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>
</ossec_config>
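The <auth> block above keeps agent enrollment at its defaults: use_password is no and ssl_agent_ca is commented out, so any host that can reach port 1515 can register as an agent. The script below, added for this report and not part of Wazuh, parses an ossec.conf excerpt constructed from the sample and reports those settings (and a non-secure <remote> listener) beside a hardened variant; the CA path /var/ossec/etc/rootCA.pem is a placeholder.

```python
# Added audit script (not Wazuh code): parse a manager ossec.conf and flag
# enrollment and transport settings that are weak when left at the values
# shown in the sample configuration. Standard library only.
import xml.etree.ElementTree as ET

# Constructed excerpt mirroring the sample's <remote> and <auth> sections.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_password>no</use_password>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
  </auth>
</ossec_config>
"""

# The same excerpt with enrollment hardened: a shared enrollment password and
# agent certificates checked against a CA (the CA path is a placeholder).
HARDENED_CONF = SAMPLE_CONF.replace(
    "<use_password>no</use_password>", "<use_password>yes</use_password>").replace(
    "<!-- <ssl_agent_ca></ssl_agent_ca> -->",
    "<ssl_agent_ca>/var/ossec/etc/rootCA.pem</ssl_agent_ca>").replace(
    "<ssl_verify_host>no</ssl_verify_host>", "<ssl_verify_host>yes</ssl_verify_host>")

def parse_ossec_conf(text):
    """ossec.conf may hold several <ossec_config> roots; wrap them in one."""
    return ET.fromstring("<root>" + text + "</root>")

def setting(node, name, default=None):
    """Stripped text of the first child element called name, or default."""
    el = node.find(name)
    return default if el is None or el.text is None else el.text.strip()

def audit(text):
    """Return a list of (severity, setting, finding) for weak settings."""
    root = parse_ossec_conf(text)
    findings = []
    for auth in root.iter("auth"):
        if setting(auth, "disabled", "no") != "no":
            continue                    # authd not running: nothing to enrol
        if setting(auth, "use_password", "no") != "yes":
            findings.append(("high", "auth/use_password",
                "any host reaching port %s can enrol an agent; set use_password "
                "to yes and provision authd.pass" % setting(auth, "port", "1515")))
        if setting(auth, "ssl_agent_ca") is None:
            findings.append(("medium", "auth/ssl_agent_ca",
                "no CA configured, so agent certificates are never verified"))
        elif setting(auth, "ssl_verify_host", "no") != "yes":
            findings.append(("low", "auth/ssl_verify_host",
                "agent certificate is checked but not tied to the source host"))
    for remote in root.iter("remote"):
        if setting(remote, "connection", "secure") != "secure":
            findings.append(("high", "remote/connection",
                "syslog listener on port %s takes plaintext events with no agent "
                "authentication; restrict it with allowed-ips" % setting(remote, "port", "514")))
    return findings
```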

SAMPLE RULESETS

1. DETECTING SUSPICIOUS PROCESS EXECUTION

<group name="syslog,">
  <rule id="100001" level="7">
    <decoded_as>json</decoded_as>
    <field name="process.name">/usr/bin/malicious_process</field>
    <match>Process execution detected</match>
    <description>Suspicious process execution</description>
  </rule>
</group>

2. DETECTING MALICIOUS FILE CREATION

<group name="syslog,">
  <rule id="100002" level="8">
    <decoded_as>json</decoded_as>
    <field name="file.path">/var/tmp/malicious_file</field>
    <match>File creation detected</match>
    <description>Malicious file creation</description>
  </rule>
</group>

3. DETECTING BRUTE-FORCE SSH LOGIN ATTEMPTS

<group name="syslog,">
  <rule id="100003" level="6">
    <decoded_as>json</decoded_as>
    <field name="log_name">auth</field>
    <field name="syslog.programname">sshd</field>
    <!-- match is a plain substring test, and a bare SrcIP tag is not valid XML;
         regex with \S+ and \d+ matches the whole failed-login line instead -->
    <regex>Failed password for \S+ from \S+ port \d+ ssh2</regex>
    <options>alert_by_email</options>
    <description>SSH brute-force attempt</description>
  </rule>
</group>

4. DETECTING BRUTE-FORCE LOGIN ATTEMPTS VIA FTP

<group name="syslog,">
  <rule id="100004" level="6">
    <decoded_as>json</decoded_as>
    <field name="log_name">auth</field>
    <field name="syslog.programname">proftpd</field>
    <match>maximum authentication attempts</match>
    <options>alert_by_email</options>
    <description>FTP brute-force attempt</description>
  </rule>
</group>

5. DETECTING WEB APPLICATION FIREWALL (WAF) EVENTS

<group name="syslog,">
  <rule id="100005" level="6">
    <decoded_as>json</decoded_as>
    <field name="log_name">waf</field>
    <match>WAF detected suspicious request</match>
    <options>alert_by_email</options>
    <description>WAF alert: suspicious request</description>
  </rule>
</group>

<group name="syslog,">
  <rule id="100006" level="7">
    <decoded_as>json</decoded_as>
    <field name="log_name">dns</field>
    <match>DNS tunneling detected</match>
    <options>alert_by_email</options>
    <description>DNS tunneling activity detected</description>
  </rule>
</group>

6. DETECTING MALICIOUS REGISTRY MODIFICATIONS

<group name="registry,">
  <rule id="100007" level="7">
    <decoded_as>json</decoded_as>
    <field name="registry.key">HKLM\System\CurrentControlSet\Services\malicious_service</field>
    <match>Registry modification detected</match>
    <description>Malicious registry modification</description>
  </rule>
</group>

7. DETECTING SUSPICIOUS NETWORK TRAFFIC

<group name="network_traffic,">
  <rule id="100008" level="7">
    <decoded_as>json</decoded_as>
    <field name="source.ip">192.168.1.100</field>
    <match>High volume of outbound traffic detected</match>
    <description>Suspicious network traffic</description>
  </rule>
</group>

8. DETECTING ANOMALOUS USER ACCOUNT ACTIVITY

<group name="syslog,">
  <rule id="100009" level="6">
    <decoded_as>json</decoded_as>
    <field name="user.name">admin</field>
    <match>Unusual login time detected</match>
    <description>Anomalous user account activity</description>
  </rule>
</group>

9. DETECTING ACCESS TO SENSITIVE FILES

<group name="syslog,">
  <rule id="100010" level="7">
    <decoded_as>json</decoded_as>
    <field name="file.path">/etc/shadow</field>
    <match>File access detected</match>
    <description>Access to sensitive file</description>
  </rule>
</group>
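Sample rule 100003 above fires on every single failed SSH password, so on its own it reports one attempt rather than brute force. The Python below, added here as an illustration and not Wazuh code, evaluates a rule of that shape over constructed JSON events and adds the parent/child correlation that Wazuh expresses with <if_matched_sid>, <frequency> and <timeframe>; the child rule id 100011, the thresholds and the addresses are constructed.

```python
# Added illustration, not Wazuh code: the <if_matched_sid>/<frequency>/<timeframe>
# correlation a brute-force rule needs, applied to a rule shaped like sample 100003.
import json
import re
from collections import defaultdict, deque

# Constructed rules: a parent in the shape of sample rule 100003 (exact field
# values plus a regex on the message, using \S+ and \d+ as the regex tokens)
# and a child that fires after 5 parent hits from one source within 120 seconds.
PARENT = {"id": 100003, "level": 6,
          "fields": {"log_name": "auth", "syslog.programname": "sshd"},
          "regex": r"Failed password for \S+ from (\S+) port \d+ ssh2",
          "description": "SSH authentication failure"}
CHILD = {"id": 100011, "level": 10, "if_matched_sid": 100003,
         "frequency": 5, "timeframe": 120, "description": "SSH brute-force attempt"}

class RuleEngine:
    def __init__(self, parent, child):
        self.parent, self.child = parent, child
        self.history = defaultdict(deque)   # source -> timestamps of parent hits

    def match_parent(self, event):
        """Return the source address if the parent rule matches, else None."""
        for name, want in self.parent["fields"].items():
            if event.get(name) != want:
                return None
        m = re.search(self.parent["regex"], event.get("message", ""))
        return m.group(1) if m else None

    def process(self, line, now):
        """Return the alerts raised by one JSON log line seen at time now."""
        src = self.match_parent(json.loads(line))
        if src is None:
            return []
        alerts = [self._alert(self.parent, src)]
        window = self.history[src]
        window.append(now)
        while now - window[0] > self.child["timeframe"]:   # drop stale hits
            window.popleft()
        if len(window) >= self.child["frequency"]:
            alerts.append(self._alert(self.child, src))
            window.clear()            # start a fresh count after alerting
        return alerts

    @staticmethod
    def _alert(rule, src):
        return {"id": rule["id"], "level": rule["level"],
                "description": rule["description"], "src": src}

def ssh_failure(user, ip, port):
    """Constructed JSON event in the shape the sample rule expects."""
    return json.dumps({"log_name": "auth", "syslog.programname": "sshd",
        "message": "Failed password for %s from %s port %d ssh2" % (user, ip, port)})

# Constructed sample: six failures from one address ten seconds apart, one
# successful login that must not match, then a single failure from elsewhere.
SAMPLE = [(10 * i, ssh_failure("root", "203.0.113.7", 50000 + i)) for i in range(1, 7)]
SAMPLE.append((65, json.dumps({"log_name": "auth", "syslog.programname": "sshd",
    "message": "Accepted publickey for ops from 203.0.113.7 port 50100 ssh2"})))
SAMPLE.append((70, ssh_failure("admin", "198.51.100.9", 60000)))

def run(sample=SAMPLE):
    """Feed the sample through a fresh engine and return all alerts in order."""
    engine = RuleEngine(PARENT, CHILD)
    alerts = []
    for ts, line in sample:
        alerts += engine.process(line, ts)
    return alerts
```

Running it yields eight alerts: six level-6 failures plus one level-10 brute-force alert for 203.0.113.7 after the fifth failure, and a single failure for 198.51.100.9.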

A.2 IMPLEMENTATION SCREENSHOTS

Fig A2.1: Wazuh Dashboard

Fig A2.2: Ransomware Detection

Figures A2.1 and A2.2 above show the Wazuh dashboard and ransomware detection by Wazuh,
respectively.

APPENDIX B

CONFERENCE PUBLICATION

Our paper "EXPLORING THE FULL SPECTRUM OF WAZUH TOOL FOR LOG BASED ATTACK
DETECTION" has been accepted at COMSIA-2024, to be held on the 10th and 11th of May 2024 at
Shaheed Rajguru College of Applied Sciences, University of Delhi.

Figure B.1 COMSIA-2024 Acceptance



APPENDIX C

JOURNAL PUBLICATION

Figure C.1 Journal details.

After presentation at the conference, our paper will be published in the Elsevier SSRN series journals.

APPENDIX D

PLAGIARISM REPORT

Format - I
SRM INSTITUTE OF SCIENCE AND TECHNOLOGY
(Deemed to be University u/s 3 of UGC Act, 1956)

Office of Controller of Examinations

REPORT FOR PLAGIARISM CHECK ON THE DISSERTATION/PROJECT REPORTS FOR UG/PG PROGRAMMES
(To be attached in the dissertation/project report)

1. Name of the Candidate (IN BLOCK LETTERS): SELVAKUMAR SA, SHARAN K
2. Address of the Candidate: SRM INSTITUTE OF SCIENCE AND TECHNOLOGY
3. Registration Number: RA2011030010027, RA2011030010062
4. Date of Birth: 26/05/2003, 18/11/2002
5. Department: NETWORKING AND COMMUNICATIONS
6. Faculty: FACULTY OF ENGINEERING AND TECHNOLOGY
7. Title of the Dissertation/Project: IMPLEMENTING SECURITY MEASURES USING MANAGED DETECTION AND RESPONSE (MDR)
8. Whether the above project/dissertation is done by (strike whichever is not applicable): Individual or group: GROUP
   a) If the project/dissertation is done in group, then how many students together completed the project: 2
   b) Mention the Name & Register number of other candidates: SELVAKUMAR SA [RA2011030010027], SHARAN K [RA2011030010062]
9. Name and address of the Supervisor/Guide: Dr. V. Hemamalini, Associate Professor, NWC, SRM Institute of Science and Technology; Mail ID: hemamalv@srmist.edu.in; Mobile Number: 9626611060
10. Name and address of Co-Supervisor/Co-Guide (if any): N/A