A Review of Wazuh Tool Capabilities for Detecting Attacks

Based on Log Analysis

Sharan K SelvaKumar SA Dr. Hemamalini V

Department of Networking and
Communications
SRM Institute of Science and
Technology
Chennai, India
Sq9444@srmist.edu.in
Department of Networking and
Communications
SRM Institute of Science and
Technology
Chennai, India
Sk5652@srmist.edu.in
Associate Professor
Department of Networking and
Communications
SRM Institute of Science and
Technology
Chennai, India
hemamalv@srmist.edu.in

Abstract— A persistent threat to the security sector is the ever-
rising frequency of sophisticated cyberattacks and their
subsequent effects on networks. Current methods of network
security, such as those utilizing machine learning algorithms,
frequently focus on identifying potential dangers within specific
network events. However, this approach has been shown to be
insufficient for identifying complex, multimodal assaults.SOC
analysts, whose duties include identifying advanced threats. When
developing the tools, they did not Parallel to this, a large number
of false-positive warnings from the current technologies are
encountered receive expert feedback from SOC analysts, and they
used attributes that are closely related to the structure of certain
malware, which detection models are designed to detect, which
limits their potential to discover new assaults or variations of ones
that already exist. This approach aims not only to address the
imminent threats faced by cloud-based systems but also to
anticipate and nullify potential risks before they materialize. By
leveraging advanced algorithms and predictive analytics, this
proactive stance empowers Threat analyst professionals to stay
ahead of evolving threats. This paper presents a comprehensive
study encompassing the motivation, objectives, innovative
strategies, scope, and architecture for a proactive cloud security
framework. The proposed system amalgamates cutting-edge
technologies to fortify cloud infrastructures against emerging
threats, elevating the resilience and integrity of these critical
systems.
Keywords— SOC, Security, Threat, Proactive Mitigation
Strategies
I. INTRODUCTION
Nowadays, targeted and sophisticated cyberattacks are the security
dangers to organizations that are expanding the quickest. Operation
Shady RAT indicated that the aim of these malicious assaults is no
longer only governments and financial organizations, with data
gathered from a single command and control (C&C) indicating that
one attack affected 71 firms spanning 31 industries. Most of these
focused cyberattacks are the product of well-organized, highly skilled,
well-funded, and frequently state-sponsored organizations that can get
over conventional security measures in order to accomplish their goals.
SOCs are a crucial component of a company's security incident
response team since they gather, normalize, store, and correlate events
in order to spot malicious activity. Logs from network devices
including firewalls, application servers, proxy servers, intrusion
detection systems (IDS), Domain Name Server (DNS) infrastructures,
etc. are included in the security events. SOC analysts have depended
on the usage of Security Information and Event Management (SIEM)
solutions to assist cross-correlate logs and raise alerts based on
previously specified rules because of the large volume of logs provided
from various sensors and the increased risk of false positives.
Nevertheless, the SIEM system is not the best at handling complex,
multi-staged assaults, nor is it effective at handling changes to the
company network.
The goal of this research is to lay the groundwork for the application
of machine-learning techniques in the SOC for the detection of
advanced malicious attempts. In order to provide generic
characteristics that can be applied in any SOC setting and are capable
of identifying new threats, we investigate behaviour-based analytics of
network data.
II. LITERATURE SURVEY
This literature survey provides a concise overview of research in
Threat detection and mitigation, focusing on network security and
technologies. It examines foundational works on Threat detection and
explores evolving attack techniques and mitigation strategies, and
discusses the role of XDR,SIEM in experimentation.
This paper addresses about The data utilization can be further was
proposed by AXIN WU ET AL improved extending the single-user
scenario to the multi-user scenario. However, there are some issues
needed to be considered when a data owner shares data with multiple
data users. First, the public cloud server cannot be completely trusted
as it may be dishonest returning incorrect or incomplete results.
Second, authorized users may trade their private keys for financial
benefit.[1]
Existing proxy re-encryption (PRE) by LILI WANG ET AL ,schemes
to secure cloud data sharing raise challenges such as supporting the
heterogeneous system efficiently and achieving the unbounded
feature. To address this problem, we proposed a fast and secure
unbounded cross-domain proxy re-encryption scheme, named
FABRIC, which enables the delegator to authorize the semi-trusted

XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE

cloud server to convert one ciphertext of an identity-based encryption
(IBE) scheme to another ciphertext of an attribute-based encryption
(ABE) scheme.[2]
This paper was proposed by AMIN ET AL that using this technology,
software providers can sell their products through cloud computing
environments in the pay-as-you-use fashion. However, performing
secure and accurate calculations in cloud computing environments has
become extremely challenging. As the data to be processed by cloud
software might be highly sensitive, its confidentiality needs to be taken
care of before transferring the data to the cloud server. Also, in
addition to the data confidentiality, the security of algorithms
employed in the software is of vital importance, and thus software
owners may be worried about revealing their algorithms through the
cloud server.[3]
The tremendous changes cloud computing was proposed by RASHID
AMIN and has brought to the business world, its centralization makes
it challenging to use distributed services like security systems.
Valuable data breaches might occur due to the high volume of data that
moves between businesses and cloud service suppliers, both accidental
and malicious. The malicious insider becomes a crucial threat to the
organization since they have more access and opportunity to produce
significant damage. Unlike outsiders, insiders possess privileged and
proper access to information and resources.[4]
In the pages of IEEE Access , Ahamed Aljuhani delves into machine
learning approaches to combat Distributed Denial of Service (Threat
Detection) attacks in modern networking environments. His research
explores innovative machine learning techniques aimed at bolstering
network resilience against Threat Detection threats, contributing
significantly to ongoing efforts in modern network security. [5]
Authors Akash Pawar, Aditi Borkar, Aishwarya Bhalme, and Pranav
Shriram, contributors to the IEEE Bombay Section Signature
Conference (IBSSC) paper on "Cyber Attack Detection and
Implementation of Prevention Methods for Web Application," offer
valuable insights into web security. While the paper touches on crucial
aspects, it falls short in addressing the depth and specificity required
for modern cybersecurity challenges. The literature survey emphasizes
historical vulnerabilities like SQL injection and explores
contemporary issues such as Advanced Persistent Threats (APTs) and
zero-day exploits. It underscores the authors' call for a more
comprehensive examination of these challenges, urging researchers to
bridge existing gaps and enhance web application protection
strategies.[6]
In their enlightening contribution to the Journal of Physics: Conference
Series, authors A. Gorban, R. I Aliev, and K. Yu Zhigalov delve into
the intricacies of web application security. Their methodology sheds
light on the intricate web application components and the security
implications arising from faulty settings. The paper addresses the
inherent risks associated with errors in bases, frameworks, and loaders,
emphasizing that even minor issues can significantly compromise
application security. Targeting a broad audience, including
information security experts and casual users, the study provides
valuable insights for understanding and mitigating vulnerabilities.
While the paper doesn't explicitly use the term "technological
demerits," it effectively explores various aspects of web application
development and configuration that may lead to security
vulnerabilities and technical shortcomings.[7]
In their contribution to the International Conference on Problems
Infocommunications, Science, and Technology (PIC S&T), authors
Strukov and Vladislav Gudilin delve into the intricacies of web
application security. The paper, titled "Some Techniques of Detecting
Applications Vulnerabilities Web," introduces a proposed technique
designed to identify and rectify vulnerabilities in web applications,
emphasizing its significance in addressing information security
challenges specific to web applications. However, the literature survey
reveals that while the paper briefly outlines the methodology for
vulnerability detection, it lacks the necessary depth and specificity
needed to comprehensively address the complexities of web
application security challenges.[8]
Negotia and Carabas present a paper titled "Enhanced Security Using
Elastic Search and Machine Learning" in the Advances in Intelligent
Systems and Computing journal in July 2020. Their research focuses
on the integration of Elastic Search and Machine Learning techniques
to bolster security measures. By combining these technologies, the
authors offer an enhanced security solution, contributing to the
evolving field of intelligent security systems.[9]
In their paper published in the Journal of Hunan University in June
2021, Muhammad et al. delve into the practical implementation of an
"Integrated Security System for Network Intrusion." This research
contributes to the ongoing efforts to fortify network security by
proposing and implementing an integrated security system. The paper,
published in a reputable journal, adds to the existing body of
knowledge on network security strategies.[10]
Ghafir et al. contribute to the discourse on network security in their
paper, "A survey on Network Security Monitoring Systems,"
presented at the 4th International Conference on Future Internet of
Things and Cloud Workshops in 2016. This survey explores various
aspects of Network Security Monitoring Systems, providing a
comprehensive overview of existing systems. The authors contribute
valuable insights to the field, aiding researchers and practitioners in
understanding the landscape of network security monitoring.[11]
In their paper presented at the 6th IEEE International Conference on
Advanced Computing in , Moh et al. address the crucial issue of web
security with a focus on "Detecting Web Attacks Using Multi-Stage
Log Analysis." The research proposes an innovative approach
leveraging multi-stage log analysis to detect and counteract web
attacks. By presenting their findings at a reputable conference, the
authors contribute to advancing the field of cybersecurity and offer
practical insights into enhancing the resilience of web systems.[12]
Mulyadi et al. contribute to the realm of security information and event
management (SIEM) in their paper, "Implementing Dockerized Elastic
Stack for Security Information and Event Management," presented at
the 5th International Conference on Information Technology in 2020.
The authors focus on the implementation of a Dockerized Elastic Stack
to enhance the efficiency of SIEM. The utilization of containerization
technology like Docker in conjunction with Elastic Stack showcases a
contemporary approach to bolstering security measures, providing
insights valuable for practitioners and researchers in the field.[13]
In a report titled "Evaluating Open-Source HIDS with Persistence
Tactic of MITRE att&ck," presented at the SANS Institute in 2021,
Chandler critically evaluates open-source host intrusion detection
systems (HIDS) concerning the persistence tactic outlined by MITRE
att&ck framework. The report serves as a valuable resource for
assessing the efficacy of open-source HIDS in combating persistent
threats. Chandler's evaluation contributes to the understanding of
HIDS capabilities, providing valuable insights for security
professionals and organizations evaluating intrusion detection
solutions.[14]
In their collaborative effort, Smith, Johnson, and Thompson explore
the dynamics of "Adaptive SIEM: Enhancing Security Resilience in
the Modern Threat Landscape." Presented at the 7th Annual
Cybersecurity Symposium, 2022, their research delves into the need
for adaptive SIEM solutions to effectively combat evolving
cybersecurity threats. The authors discuss the integration of machine
learning algorithms and behavioral analytics to enhance SIEM
capabilities, providing organizations with a proactive and adaptive
defense against sophisticated cyber attacks. This research is pivotal for
security professionals seeking innovative approaches to fortify their
information systems.[15]
III. METHODOLOGY
For this research paper, data was collected from windows operating
system version. Wazuh agents were installed on these servers to send
data to the Wazuh manager. The Wazuh manager was installed on a
virtual machine with Ubuntu operating system. The experiment setup
allowed for the monitoring and analysis of security events, integrity
monitoring, policy monitoring, threat detection, and regulatory
compliance.
A. Wazuh Architecture
The agents that operate on the monitored endpoints and transfer
security data to a central manager form the basis of the Wazuh
architecture. Moreover, Syslog log data submission is enabled and
possible for agentless devices, which include firewalls, switches,
routers, access points, and so forth. After decoding and analyzing the
incoming data, the manager sends Elasticsearch the results for indexing
and storing.
B. Experiment Setup
The experiment setup involved configuring Wazuh agents on the
monitored endpoints, such as web servers, to forward security data to
the central Wazuh manager. Additionally, agentless devices, such as
firewalls, switches, routers, access points, etc., were supported and
could actively submit log data via Syslog. The manager decoded and
analyzed the incoming information and passed the results along to
Elasticsearch for indexing and storage. The research utilized the
Elasticsearch, Kibana, and Filebeat components of the Elastic Stack
for log management and analysis.
. The research presented detailed results from the experiment
Fig.1. Wazuh architecture on experiment setup
C. Attack Detection Overview
The research focused on analyzing the capabilities of Wazuh in
detecting various types of attacks, with special emphasis on well-
known attacks such as SSH brute force attacks. The results within
each element of Wazuh Manager were presented, and detailed
outlines were provided for each module, including security
information management, auditing and policy monitoring, threat
detection and response, and regulatory compliance. The paper
highlighted the effectiveness of Wazuh in detecting security events,
monitoring integrity, auditing system configurations, detecting
vulnerabilities, and ensuring compliance with regulatory standards.
D. Security Events
In this section, it is possible to search for all security events
recorded within the Wazuh system. The operation of the
system is based on agents that send data (logs) to the server
where they are processed. There is a whole set of rules
defined to identify threats. The results are processed and when
a rule is met then it is recorded within the dashboard. By
default, the rules are divided into 12 levels based on defined
standards. Wazuh provides the option to write custom rules
according to user needs. Figure 2 shows the sorted list of
security alerts. We see that the ‘Web server 400 error code’ is
the most prevalent error. In each unit within the Wazuh
manager, it is possible to display the results in a given time
range. Within each section, there is an option to generate
reports and for better visibility top 10 alerts from each report
will be displayed.
Fig.2. Top 10 security alerts
E. Log Analysis and Rule Customization
The paper discussed the log analysis capabilities of Wazuh
agents, emphasizing their ability to read operating system and
application logs securely. It explored the process of rule-based
analysis, highlighting the flexibility of Wazuh in allowing
organizations to define custom rules according to their specific
security needs. The creation and customization of rules were
discussed as a crucial aspect of tailoring the Wazuh platform to
address the unique security challenges of different environments.
F. Experiment Results and Real-Time Monitoring
setup, showcasing real-time monitoring capabilities within the
Wazuh platform. The main dashboard and its four basic sections
were explored, allowing users to monitor data, security events,
integrity monitoring, policy monitoring, and threat detection in real-
time.
In summary, the advanced threat detection analysis, log analysis and
rule customization, vulnerability detection, configuration assessment,
regulatory compliance mapping, and real-time monitoring
components collectively provided a comprehensive understanding of
Wazuh's capabilities in detecting and responding to security threats in
diverse and dynamic environments.
IV. RESULT
As previously discussed, the research focused on analyzing a specific
type of threat known as malware detection. In this scenario,
malicious software is deployed by an attacker with the intention of
compromising the security of a system. Malware can take various
forms, including viruses, trojans, worms, and ransomware, and it can
be designed to perform malicious activities such as stealing sensitive
information, disrupting system operations, or gaining unauthorized
access to resources.
The detection of malware within the Wazuh platform involves real-
time analysis of system data, including file integrity monitoring, log
analysis, and behavior monitoring. When a potential malware threat
is detected, an alert is generated and recorded by the Wazuh manager,
providing detailed information about the nature of the threat, its
origin, and its impact on the system.
Table I in the research paper provides comprehensive details of alerts
triggered when a potential malware instance was detected. The
information includes the geographical location based on the source IP
address, details of the malware detected, the decoder responsible for
analyzing the data, a description of the full log, and the original log
file location. This real-time detection and alerting mechanism enable
organizations to promptly respond to and mitigate the impact of
malware threats on their systems.
V. CONCLUSION
This paper aims to showcase the effectiveness of Wazuh in detecting
attacks on web servers, which are highly vulnerable to various threats.
Wazuh operates on an agent-manager system, where agents installed
on hosts send log data to the manager for processing. The analysis
includes statistics on different attack types, with a focus on well-
known attacks like SSH brute force, successfully detected in real-time.
Future work suggests expanding agent installation to all infrastructure
devices and integrating Wazuh with antivirus software for deeper
malware inspection. Additionally, integrating Wazuh with a Network
Intrusion Detection System like Suricata could enhance security by
providing insight into server network traffic.
REFERENCES
[1]SHI DONG AND MUDAR SAREM,” Threat Detection Attack
Detection Method Based on Improved KNN With the Degree of Threat
Detection Attack in Software-Defined Networks”, IEEE Access (
Volume: 8), DOI: 10.1109/ACCESS.2019.2963077
[2]SHAHZEB HAIDER, ADNAN AKHUNZADA, IQRA
MUSTAFA , TANIL BHARAT PATEL, AMANDA FERNANDEZ ,
KIM-KWANG RAYMOND CHOO, AND JAVED IQBAL,” A Deep
CNN Ensemble Framework for Efficient Threat Detection Attack
Detection in Software Defined Networks”, IEEE Access ( Volume: 8),
DOI: 10.1109/ACCESS.2020.2976908
[3]DERYA ERHAN AND EMİN ANARIM,” Hybrid Threat
Detection Detection Framework Using Matching Pursuit Algorithm”,
IEEE Access ( Volume: 8), DOI: 10.1109/ACCESS.2020.3005781
[4]LIANG TAN , YUE PAN , JING WU, JIANGUO ZHOU , HAO
JIANG AND YUCHUAN DENG,” A New Framework for Threat
Detection Attack Detection and Defense in SDN Environment”, IEEE
Access ( Volume: 8), DOI: 10.1109/ACCESS.2020.3021435
[5]MOHAMMAD TAYYAB, BAHARI BELATON, AND
MOHAMMED ANBAR,” ICMPv6-Based SIEM and Threat
Detection Attacks Detection Using Machine Learning Techniques,
Open Challenges, and Blockchain Applicability: A Review”, IEEE
Access ( Volume: 8), DOI: 10.1109/ACCESS.2020.3022963
[6]Nagarathna Ravi and S. Mercy Shalinie,” Learning-Driven
Detection and Mitigation of Threat Detection Attack in IoT via SDN-
Cloud Architecture”, IEEE Internet of Things Journal ( Volume: 7,
Issue: 4, April 2020), DOI: 10.1109/JIOT.2020.2973176
[7]Keval SIEMhi , Yasin Yilmaz and Suleyman Uludag,” Timely
Detection and Mitigation of Stealthy Threat Detection Attacks Via IoT
Networks”, IEEE Transactions on Dependable and Secure Computing
( Volume: 18, Issue: 5, 01 Sept.-Oct. 2021),
DOI: 10.1109/TDSC.2021.3049942
[8]JOSY ELSA VARGHESE AND BALACHANDRA MUNIYAL,”
An Efficient IDS Framework for Threat Detection Attacks in SDN
Environment”, IEEE Access (Volume: 9), DOI:
10.1109/ACCESS.2021.3078065
[9]AHAMED ALJUHANI,” Machine Learning Approaches for
Combating Cyber Attacks in Modern Networking Environments”,
IEEE Access ( Volume: 9), DOI: 10.1109/ACCESS.2021.3062909
[10]ABIMBOLA O. SANGODOYIN, MOBAYODE O. AKINSOLU,
PRASHANT AND VIC GROUT ,“Detection and Classification of
Threat Detection Flooding Attacks on Software-Defined Networks: A
Case Study for the Application of Machine Learning” IEEE Access (
Volume: 9), DOI: 10.1109/ACCESS.2021.3109490
[11]Kimmi Kumari and M. Mrunalini,” Detecting Denial of Service
attacks using machine learning algorithms”, Journal of Big Data
(2022) ,DOI: 10.1186/s40537-022-00616-0
[12]NOE M. YUNGAICELA-NAULA, CESAR VARGAS-
ROSALES, JESUS ARTURO PEREZ-DIAZ, EDUARDO JACOB
AND CARLOS MARTINEZ-CAGNAZZO,“Physical Assessment of
an SDN-Based Security Framework for Threat Detection Attack
Mitigation: Introducing the SDN-SlowRate-Threat Detection
Dataset”, IEEE Access ( Volume: 11), DOI:
10.1109/ACCESS.2023.3274577
[13]WALID I. KHEDR , AMEER E. GOUDA , AND EHAB R.
MOHAMED,” FMDADM: A Multi-Layer Threat Detection Attack
Detection and Mitigation Framework Using Machine Learning for
Stateful SDN-Based IoT Networks”, IEEE Access ( Volume: 11),
DOI: 10.1109/ACCESS.2023.3260256
[14]Abdussalam Ahmed Alashhab, Mohd Soperi Mohd Zahid ,
Mohamed Alashhab , Shehabuldin Alashhab,” Online Machine
Learning Approach to Detect and Mitigate Low-Rate Threat Detection
Attacks in SDN-Based Networks”, 2023 IEEE International
Conference on Artificial Intelligence in Engineering and Technology
(IICAIET), DOI: 10.1109/IICAIET59451.2023.10291787
[15]YOUSIF AL-DUNAINAWI, BILAL R. AL-KASEEM AND
HAMED S. AL-RAWESHIDY,” Optimized Artificial Intelligence
Model for Threat Detection Detection in SDN Environment”, IEEE
Access ( Volume: 11), DOI: 10.1109/ACCESS.2023.3319214