Wazuh Install - Worlds Best OpenSource EDR!

Captions
Hey Defenders, welcome back. In this video we are going to cover part three of our series, which will be our log analyzer, and the open source tool that we will be using for analysis will be Wazuh. Now Wazuh is an open source EDR solution made up of a manager and an agent, and it allows us to collect logs from our endpoints at scale, right, because we don't want to have to be logging onto every endpoint to view its, you know, event logs or other system messages. It doesn't scale well, and we need a way to collectively collect all this information, run it through some log analysis and then store it in our backend so our SOC team can review, and Wazuh is the perfect tool for that. Wazuh also includes rule sets, and these rules are what are actually analyzing your raw logs that are coming in, and that allows us to quickly spot potential malicious activity. These rules are also fully customizable, so we can create our own rules to fit our own environment, and there's a lot you can do with the Wazuh rules that we will look at in later videos, but Wazuh really gives us the freedom to kind of build out what works best for our environment, which is really awesome.

So a little bit of what the architecture looks like: we have our monitored endpoints, and Wazuh out of the box supports Windows, Mac, Linux, AWS Linux as well, so it supports pretty much all of the common operating systems of choice, which makes our lives easier. And then it is composed of a Wazuh manager, and this is the guy that the agents will forward all of their logs to. So we'll have an endpoint agent running on, of course, our endpoints, and these guys will send all of their logs. The log analysis is happening here; the agents are doing some other tasks besides collecting logs, like doing file integrity analysis, dumping out listening ports, so it is doing a little more than just log collection, but no analysis is being done on the endpoint. The Wazuh manager, after receiving the logs, will then crunch it through the rules to determine if it wants to actually trigger an alert out of this rule or not, and that's another flexibility that we have too: we can also use Wazuh to discard noisy alerts. So, you know, keep in mind every log we ingest gets stored on our back-end storage, and that is taking up disk space, so for spammy alerts that may not give us much information from a security standpoint, and we don't want to bear the weight of storing those on disk and taking up disk space from other logs, we can use the Wazuh manager to actually drop those and tune those out.

All right, so I also put together a Medium post, which I will detail in the description below, if you would like to follow along with the commands that we will run. This video will cover only the installation of our Wazuh manager; I will cover the agents in our next video. And Wazuh is an EDR agent, and what this will allow us to do... you know, you may be under the misconception that "but I have an antivirus agent running on my endpoint, I should be good, right?" Well, antivirus really can only give you one side of the coin. Let's say, for example, your antivirus stops malware, you get an alert, it says, "hey, we've quarantined this malicious file from running," but you may have the question, how did it even get there in the first place? And that's not something antivirus is going to provide; however, that is something that an EDR like Wazuh will provide for us. So we could watch the whole timeline of, okay, what happened before the file got onto the box, what exactly brought the file onto the box, and what program actually executed the file and attempted to get it to run, right? So our EDR will paint us this full picture and allow us to understand the full chain of attack rather than just our antivirus saying, "hey, we blocked this." With Wazuh we will be able to collect a ton of metadata, and some of the detail that we're able to collect are network connections, commands ran, PowerShell spawns, process spawns, and so much more. We'll get into the depth of all the telemetry that we're collecting in future videos, but this just gives you an idea of how much more insight an EDR agent actually provides.

So why do we pick Wazuh? Well, it doesn't just give us our log analysis; it allows us to do file integrity monitoring, vulnerability detection, helps us meet regulatory compliance standards, and I alluded to how just kind of customizable it is, right? So we're able to create our own integrations, we're able to create our own rule sets, our own decoders; we're pretty much free to add on to the Wazuh stack whatever we want, which makes it really powerful, because now we can fit Wazuh to meet any use case, whether that be integrating with some other third-party APIs, so we'll get into that in later videos as well. Wazuh comes with a Python library built in, so we're actually able to write our own Python code and interact with Wazuh's socket; we're actually sending what our Python scripts are collecting directly to Wazuh's socket, so we're not having to write it to file. We're able to build Wazuh rules to detect off of the data that we're collecting with our integration, and it allows us to interact with just about anything such as Office 365, Rapid7, SentinelOne; any third-party tool that provides an API we'll be able to interact with with Wazuh, so that really opens up the door to really infinite possibilities, to be honest. Wazuh also has a really rich RESTful API that we can use to automate certain actions such as "run a vulnerability scan on this endpoint," "run an active response on this endpoint," so there's a lot of actions that we'll get into in later videos. Another key feature is the active response. So with Wazuh we're actually able to invoke scripts that are sitting on our endpoints to do a certain action: maybe I want to create a local firewall rule on the endpoint to block network connections out to this known malicious IP, maybe I want to sinkhole this particular domain on my endpoints, which we'll get into in later videos as well. We now have the ability to automate some of our responses to stop attacks, you know, maybe right in the middle of the attack, and that's what makes Wazuh super powerful as well; we have the ability to create our own scripts that will do whatever use case we're looking to solve.

All right, so now let's actually get into the installation of Wazuh, and installation is pretty straightforward, it is really not too bad. All right, so here I am on my Wazuh manager. You can deploy the Wazuh manager on just about any Linux operating system; I am on a Debian 11 box in this tutorial. So let's first actually install our prereqs, so I'll go ahead and copy these commands here, and I'm having to just jump onto GitHub because I can't copy from the Medium post yet because I haven't actually posted it. You guys following along will be able to just copy and paste directly from here, so apologies about the bouncing around; it'll just make my editing life that much more fun. All right, and apt-get update. So with our prereqs done, now let's go ahead and actually install Wazuh, and it's as simple as one command, so they make it easy for us, which is nice; we like easy. So this will bring in the Wazuh manager and our Wazuh API. Back in the day these used to be separate services, but they've bundled it all together into just a Wazuh manager now, but I think that happened kind of a while ago, like with their 4.0 release. All right, the Wazuh manager is now installed, so let's go ahead and hit it with a reload, and we'll go ahead and enable this guy so that the box will start it at boot time, and then let's go ahead and start our Wazuh manager. All right, cool, that came back good. If I do a status, okay, everything's active. So the Wazuh service is actually made up of multiple different processes, and I'll just kind of quickly show that to you guys real quick. So if I do a ps and grep for wazuh... oh, and actually this will apply to the Wazuh dashboards and the Wazuh indexer, but you should also see all of these child processes of the Wazuh manager service as well that are handling different tasks throughout Wazuh. So authd will handle our agents registering to our actual Wazuh manager, we have our log collector, so all of these other child processes also make up the Wazuh manager.

So now, with our Wazuh manager installed, we actually need to... because we're using Graylog to actually write the logs to our Wazuh indexer, we're not using Filebeat anymore. So in the past, and if you follow Wazuh's documentation, they implement Filebeat to actually forward the logs from the Wazuh manager to Graylog, sorry, to the Wazuh indexer, but we're actually going to use Graylog because Graylog will allow us to do a lot more with our logs before actually writing them to the Wazuh indexer, and to do that we first need to stand up a listening input within Graylog. So if you haven't watched the last video, which I'll link on the screen right now and link in the description below, please watch that video first before continuing on with this one, because this is an important step we will need to do. So I'm going to go ahead and log on to my Graylog box. So I actually have Graylog running on the same server as my Wazuh manager; in a production environment I would not recommend this, I definitely recommend putting them on their own individual servers. So we need to first tell Graylog, "hey, I want you to accept messages from our Wazuh manager," and in Graylog's terms that is going to be us configuring an input. So I'll go ahead and click my menus, select System and I will go down into Inputs, and on my Inputs page here Graylog supports a ton of these by default, so feel free to kind of play around with these and tinker with these on your own, but in our use case we're going to use the Raw/Plaintext TCP. So I'm going to select that guy, I'm going to select Launch new input, I'll give it a title of just "Wazuh events", fluent-TCP. We then set our bind address here; if you have multiple interfaces on your Graylog box, you know, maybe one's an internal one and one's an external, then you could pick which of these interfaces you want Graylog to actually listen on to receive these logs, so you can customize it there if needed. We're going to select our port, and I'm just going to keep it at 5555 as the default; this of course has to be a free port, so we can't have any other processes consuming this port or we're going to have an error. You can tinker with the buffer size, you can also enable TLS; I'm not going to do that in this demo just because it'll take even more time, but in a production environment I highly recommend setting your encryption. And we will go ahead and select Save, and now our input is running. So if I do my netstat command again, we see Graylog is now listening on 5555, so that's looking good, and you'll see our network: we have no input/output, right? So while this port is listening, nothing is actually sending anything to it, so let's actually go ahead and change that.

So we just configured our Graylog input. We're going to take advantage of a package called Fluent Bit, and what this guy is going to do is very similar to what Filebeat does; there's just some more plugins that you can use, and it interacts with Graylog a lot easier, in my opinion, than Filebeat does, so I like to use Fluent Bit in this use case. And why we are using it is because our manager, after it receives a log, analyzes it against its rule set; if there is a match, it will write it to the alerts.json file. So if I actually copy this value here and run a tail here, we'll see some of our alerts that Wazuh has analyzed. So in this case I don't have any agents connected to this guy, so it's not going to be big; I'm not having any wealth of logs coming in, but if I trigger a login real quick, so if I just trigger an SSH login, we should see a log populate here, and here we go. So I just logged in, we see "login session opened," so every time Wazuh receives a log and says "yep, I want to store this," it will write it to the alerts.json file. So what we need Fluent Bit to do is pick up this file and send it to Graylog, and then Graylog will do our further analysis and then write it to our Wazuh index. Graylog provides a nice and easy install script that we'll use, so I'll just go ahead and copy and run this guy here. That was fast. So we should now have a directory under /etc called fluent-bit; if I ls out, you'll see our fluent-bit.conf, and if I go ahead and open this guy, this will be our configuration file that we will apply our settings to, to send to our Graylog box. So I'm going to go ahead and edit this guy, and I have our default config already built out for you guys. So, as we mentioned, the alerts.json, this will be our input path; this is telling Fluent Bit, "hey, this is what I want you to pick up." We can add tags if you want; this is fully customizable, so if you have, you know, multiple different Wazuh managers that you want to name, you could do that if you wanted. This alerts.json is of course in a JSON format, so we are going to use the JSON parser from Fluent Bit that comes built in, so we don't have to do anything there. We do need to change our output though; I just called it ingest there, and now we will set our port, which was 5555, and I'll go ahead and save that off. And now we should be good to enable and then start Fluent Bit, and then we'll go ahead and check out the logs to make sure that we are connected. We're going to /var/log/td-agent-bit.log, and okay, we see our workers started, so that looks good. If I now go back into Graylog, we see we have still no network I/O, but let's see if we can change that. So I'll go ahead and log on to the box again, and now we should see this guy bump up, and sure enough, now we are at 1.9 kilobytes, which was how much data was sent as part of this SSH login. So we've now verified that our Wazuh manager is actually forwarding its logs to Graylog, and if we go ahead and show extracted messages, we can see our logs here. Really quickly, what we will get into in the next Graylog video is that you notice that this message field is not parsed at all; it's all one blob, and that's stored as message, so we will tell Graylog how to JSON decode this in the next Graylog video, so stay tuned for that one.

So we have now deployed our Wazuh manager and we have connected it to Graylog and have verified that we are sending our JSON file to Graylog. However, the Wazuh installation by default doesn't have all of the configurations that I would recommend enabled, so in this last part of this video I just want to take you through some of the few kind of config tweaks that I always like to do with every manager installation. And the first is going to be creating a registration password. So our Wazuh manager is now listening for agent registrations on port 1515, so an agent will say, "hey, I want to register with you," the manager will say, "okay, I'll allow you, and here is your client key," and it'll generate a client key and pass that to the agent, and that's what will encrypt all of the communication going forward between the two. But at the moment that's just a blind acceptance, so any agent that tries to connect to 1515 on our Wazuh manager will register, and we want to go ahead and change that; we want to add some security around that and actually tell our Wazuh manager that any agent that tries to connect has to provide the correct password. So let's go ahead and enable the password authentication option, and we'll be able to create our own password. So I'm going to go ahead and open up the ossec.conf file, which is the main configuration file that we'll use for anything Wazuh. I'll go ahead and scroll down to the auth block here, and I'll go down to use_password, and instead of "no" I will go ahead and change that to "yes". We'll go ahead and save that out, and now let's go ahead and set our own password by creating this authd.pass. So I'll go ahead and copy this command here, and I will replace "custom password" with my own; I'll just say "please subscribe". All right, so now this file should exist and should contain my password; yep, that looks good. Now let's go ahead and change the file permissions and ownership so that the Wazuh process is actually able to read it. All right, that looks good, so we now have password authentication enabled.

Now let's enable the vulnerability detection. So Wazuh can also do vulnerability analysis for us on our endpoints; that's another benefit of Wazuh, but we need to actually go ahead and enable that first. So I'm going to open up again my ossec.conf file, I'll scroll down to my vulnerability-detector block here, and you'll see that enabled is set to "no", so let's go ahead and revert that to "yes". There are some scan options you can tweak that are provided further in Wazuh's documentation, so you can go ahead and check that out, and then we also need to enable all of the operating systems that we want to run the vulnerability detector on. So Wazuh will be able to enumerate the operating system that the Wazuh agent is running on and will then use that to run its vulnerability detections, but I need to go ahead and set these to "yes" for any of these that I want to enable. And okay, good, so that looks good, so I'll go ahead and save and close that file.

Now the other thing I like to do is configure individual agent group files based on the operating system of my endpoints. So for example, any of my Linux endpoints will get this group config file, and any Windows endpoints will get this group config file, because within these config files will be different file integrity monitoring settings, different paths to log files, so I like to keep these separate, and Wazuh gives us the ability to centrally maintain these. So any time I make a change to a group config file, that will automatically get pushed out to the agent, so it enables us to manage our agents' configs in a scalable fashion, which is really nice. So to do this I actually like to go on to the Wazuh web UI. You will see this error pop up, and this is because Wazuh is expecting this index pattern, which we haven't set yet, so disregard this error message for now; we'll deal with it later. But I'll go ahead and go into settings; we can still interact with Wazuh's web app here even with that error, so we don't really need to worry about it at the moment. I'll go into Management, I'll go into Groups, and then here we have just this default group, which you actually can't delete, so this guy always has to exist, but I'll go ahead and create a new group and I'll just call it Linux. Now I will copy the Linux group, so go ahead and copy, and I'll go ahead and select the pencil on this new group and erase all that and paste that there, save that off, so we got "files successfully added". So Wazuh has now created this new group for us, and so any agents we put in this group will get the configuration that we apply here, and again, any changes that we make, Wazuh will auto restart the agent for us and apply those new settings. We'll also do the same for Windows, and all right, that's looking good.

Now the last thing: we need to restart our Wazuh manager to actually apply all these settings that we did, such as the registration password and enabling the vulnerability detector. So I'll go ahead and restart our Wazuh manager, and then once that restarts and comes back up, we'll then add our advanced custom rules. So if you haven't checked out one of our previous posts, we do have a GitHub repo called Wazuh rules that has some of our custom rules that we've built out and are wanting to share back to the community, as Wazuh by default doesn't have the best default rule sets, and so we've put some work into creating these, what we, you know, call quote-unquote "advanced custom rules" that are categorized to fit whatever integration you're looking to fit. Maybe you want to bring in Office 365 alerts; well, now you have rules that are also enriched with MITRE IDs, so just to kind of give you that extra enrichment, and are actually set to appropriate rule levels. Go ahead and check that out if you like, but I always like to include these as part of my base install of Wazuh, and I have put together a bash script that you can just copy and run, and it'll bring in all of the rules and decoders that are stored within this repo. Oh, word of caution though: this will replace your custom Wazuh rules, so if you've already built some of your own custom rules, I highly recommend taking a backup before running the script, and also be aware of the rule IDs; there can't be any conflicting rule IDs, so just also make sure of that. So just fair warning there. So I'll say yes, I want to continue. Oh, I don't have git installed, so go ahead and install that real quick; you will need to install git. If it hasn't been found, then you'll get a little message that you need to install it, so go ahead and say yes. And so now the script is cloning this repo, bringing these rule files in, and is modifying the file ownership and permissions so that Wazuh is able to load them correctly. So we downloaded it, and now we are restarting the Wazuh manager service and verifying that it comes back in a healthy state, and cool, our Wazuh manager service has come back healthy. If we cd into /var/ossec/etc/rules and ls out, we now see all of our custom rules that we brought in, and these are also viewable within the web UI as well, so if I go into Manage rules, Custom rules, we see all of our custom rules here, so that looks good.

So, all right, we now have our Wazuh manager installed, we've connected it to Graylog, we have made some configuration tweaks, and the Wazuh manager is now in a place for us to proceed to install our Wazuh agents, which we will cover in the next video. So I think that's a wrap for this one. I appreciate you guys hanging out with me, and I will see you in the next one.
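The video walks through three manager-side settings (enabling use_password in the auth block, setting the authd.pass ownership and permissions, and enabling the vulnerability-detector block) plus a Fluent Bit tail-to-TCP config. The script below is an added example, not code from the video, SOCFortress or the Wazuh project: it audits those settings so you can confirm a manager is in the recommended state before adding agents. The ossec.conf element names (auth/use_password, vulnerability-detector/enabled, provider) are the Wazuh 4.x ones the transcript refers to; the expected authd.pass ownership of root:wazuh with mode 0640 is taken from the Wazuh documentation and is an assumption here; the ossec.conf and Fluent Bit fragments are constructed samples, not the video's files.

```python
"""Audit a Wazuh manager for the config tweaks described in the video.

Added example; not the video's or Wazuh's own code. Sample inputs are
constructed inline so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring a stock ossec.conf before the tweaks.
# A real ossec.conf contains several top-level <ossec_config> blocks, so
# audit_ossec_conf wraps the text in one synthetic root before parsing.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <auth>
    <port>1515</port>
    <use_password>no</use_password>
  </auth>
</ossec_config>
<ossec_config>
  <vulnerability-detector>
    <enabled>no</enabled>
    <provider name="debian">
      <enabled>no</enabled>
    </provider>
    <provider name="canonical">
      <enabled>no</enabled>
    </provider>
  </vulnerability-detector>
</ossec_config>
"""

# Constructed Fluent Bit config for the alerts.json -> Graylog TCP flow.
SAMPLE_FLUENT_BIT_CONF = """[INPUT]
    Name   tail
    Path   /var/ossec/logs/alerts/alerts.json
    Parser json

[OUTPUT]
    Name   tcp
    Match  *
    Host   127.0.0.1
    Port   5555
    Format json_lines
"""


def _text(elem, path):
    """Lower-cased, stripped text of a child element, or '' if it is absent."""
    child = elem.find(path)
    return (child.text or "").strip().lower() if child is not None else ""


def audit_ossec_conf(text):
    """Report whether agent-registration passwords and the vulnerability
    detector (plus its OS providers) are switched on in ossec.conf."""
    root = ET.fromstring("<root>" + text + "</root>")  # tolerate multiple roots
    findings = {"auth_use_password": False,
                "vuln_detector_enabled": False,
                "vuln_providers_enabled": []}
    for cfg in root.findall("ossec_config"):
        auth = cfg.find("auth")
        if auth is not None and _text(auth, "use_password") == "yes":
            findings["auth_use_password"] = True
        vd = cfg.find("vulnerability-detector")
        if vd is not None:
            if _text(vd, "enabled") == "yes":
                findings["vuln_detector_enabled"] = True
            for prov in vd.findall("provider"):
                if _text(prov, "enabled") == "yes":
                    findings["vuln_providers_enabled"].append(prov.get("name"))
    return findings


def audit_authd_pass(mode, owner, group):
    """Check authd.pass ownership/mode against root:wazuh 0640 (assumed from
    the Wazuh docs). Pass in values from os.stat() on a real manager."""
    issues = []
    if owner != "root":
        issues.append(f"owner is {owner}, expected root")
    if group != "wazuh":
        issues.append(f"group is {group}, expected wazuh")
    if mode & 0o027:  # group-writable or any world access
        issues.append(f"mode {oct(mode & 0o777)} too permissive, expected 0o640")
    return issues


def parse_fluent_bit(text):
    """Parse Fluent Bit's INI-like config into a list of (SECTION, {key: value})."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = (m.group(1).upper(), {})
            sections.append(current)
        elif current is not None:
            key, _, value = line.partition(" ")
            current[1][key.strip().lower()] = value.strip()
    return sections


def audit_fluent_bit(text, expected_port="5555"):
    """Confirm alerts.json is tailed with the json parser and shipped over TCP
    to the port the Graylog input listens on."""
    findings = {"tails_alerts_json": False, "json_parser": False,
                "tcp_output_port_ok": False}
    for name, kv in parse_fluent_bit(text):
        if name == "INPUT" and kv.get("name") == "tail" \
                and kv.get("path", "").endswith("alerts.json"):
            findings["tails_alerts_json"] = True
            findings["json_parser"] = kv.get("parser") == "json"
        if name == "OUTPUT" and kv.get("name") == "tcp" \
                and kv.get("port") == expected_port:
            findings["tcp_output_port_ok"] = True
    return findings


if __name__ == "__main__":
    print("ossec.conf:", audit_ossec_conf(SAMPLE_OSSEC_CONF))
    print("authd.pass:", audit_authd_pass(0o644, "root", "root"))  # constructed bad perms
    print("fluent-bit:", audit_fluent_bit(SAMPLE_FLUENT_BIT_CONF))
```

On a real manager, read /var/ossec/etc/ossec.conf and /etc/fluent-bit/fluent-bit.conf into the two audit functions and feed `os.stat("/var/ossec/etc/authd.pass")` (st_mode, owner and group names) into audit_authd_pass; the stock sample above reports both ossec.conf settings as still off, which is exactly the state the video changes.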
Info
Channel: Taylor Walton
Views: 27,954
Keywords: wazuh, opensource, infosec, edr, siem, soc, elasticsearch, wazuh-indexer, socfortress, opensecure
Id: nM-h-R293tk
Length: 26min 23sec (1583 seconds)
Published: Fri Oct 14 2022