Wazuh SIEM & XDR Agent Installation - Virtual Lab Building Series: Ep9

Captions
In this part of the series we are going to explore security information and event management platforms, abbreviated as SIEM, and I'm going to show you how to install Wazuh, a well-known open source SIEM, to use in your cybersecurity lab. Let's get started.

Hey guys, I'm Lal and welcome back to my channel. In this episode of our cybersecurity lab building series we're going to start building our security operations center, or SOC, by installing Wazuh as our SIEM.

So what is a SIEM? A SIEM is the abbreviation for security information and event management, which is a software platform that collects data such as logs, configurations and events from endpoints via agent, API call, syslog or even a stream like SNMP, which is Simple Network Management Protocol, or NetFlow or IPFIX. Once the SIEM ingests all this data it aggregates, organizes and indexes it, and through various rules and methods begins to analyze the data for any anomalies, threats, trends, patterns, compliance issues and so on. Should the SIEM detect something of concern it alerts on the issues and can remediate these issues if it's been configured to do so. Finally, all the alerts, compliance issues and so on are presented to the cybersecurity analyst, usually through an intuitive web-based dashboard where further investigation can be carried out and remediation steps can be actioned if deemed necessary.

So what is Wazuh? Wazuh is an open source security platform that uses an extended detection and response agent, or XDR for short, that feeds data back from the endpoints and has the ability to respond to events if configured to do so. Wazuh's core components consist of an indexer service that searches and analyzes the data; a server cluster that manages all the agents reporting back to the SIEM, as well as worker nodes that process the data against rules, filters and decoders looking for any anomalies; and finally a dashboard component, which is where we as analysts will be spending most of our time analyzing the information Wazuh alerted us to, as well as using it to configure and fine-tune the SIEM. Wazuh is highly scalable and can be installed in both single-node, which is the case of this lab, or multi-node configurations depending on the number of agents you have in your environment. They also have a cloud-hosted SaaS solution should you not want to install and maintain the server cluster yourself.

So what is Wazuh capable of? This is just a quick summary of all the features and capabilities that Wazuh has to offer: cloud security threat detection, compliance and monitoring via its API; configuration assessment to detect vulnerable, unpatched or insecurely configured applications; vulnerability detection to help find weaknesses before they're exploited; container security and Docker integration; file integrity monitoring; incident response, where we can use it to restrict and block malicious activities; intrusion detection, where Wazuh can detect malware, rootkits, network anomalies etc.; log data analysis, where all endpoint logs are made available for us to analyze; security analytics, the processing of collected data through rules and decoders used in threat intelligence to look out for any issues; and finally regulatory compliance, so it can be used to help you meet any technical compliance requirements for PCI DSS, GDPR etc. You should now have a better understanding of what a SIEM is and how Wazuh is an ideal low-cost starting point to get some hands-on experience using a SIEM.

Let's jump straight into the installation process. There are many installation options you could consider depending on the size of your environment and unique requirements, ranging from hosting single-node configurations, to containerization, to ready-to-use options such as Amazon Machine Images or AMIs, which can be deployed directly into the cloud. For large-scale deployments a multi-node cluster configuration is recommended; however, for this lab we're going to go with the single-node option, which we're going to spin up using the pre-built virtual machine or OVA, which is an open virtualization format, which we'll download and deploy into either VirtualBox, VMware or, like in my case, with a quick conversion into Hyper-V. A few things to keep in mind regarding your hardware requirements: we generally want to set up our virtual machine to have four virtual CPUs, eight gigs of RAM and at least 50 gigs of storage for a single node configured like this, which will be enough to manage 1 to 25 agents and have enough storage to query up to 90 days of historical data, which is more than enough for our lab environment. I will link the complete installation guide in the description for you to check out all the deployment options.

So the first step is you're going to head over to the Wazuh download page, I'll put the link in the description, and then you're going to come over to this hyperlink where it says download the virtual appliance, or OVA. If you are using VirtualBox you'll open up VirtualBox and click on the import button, and then you'll come over to this icon on the right and it will give you a file dialog box. From there you can just navigate to wherever you downloaded your OVA file and simply follow the prompts, and it will configure Wazuh for your environment automatically, and you should be able to get up and running fairly quickly with that. If you are using VMware it's a similar process; I have put a link in the description below with the VMware equivalent of importing that OVA.

If you are using Hyper-V you first have to extract the .vmdk file using 7-Zip, so that's the file there. Then once you've extracted the file you need to use VirtualBox's command line tools by firstly opening PowerShell or Command Prompt and then navigating to C:\Program Files\Oracle\VirtualBox like I have, and then the command that you're going to be running is VBoxManage.exe clonemedium, and then we're going to be formatting this VMDK file as a VHD like I've done over here. The input file is going to be the directory and the name of the VMDK file, which you will have to put in there, and then the output file is going to be whatever you want to call that output file .vhd. You can hit enter, it's going to take a couple of minutes, and it's going to convert to the VHD file for you.

The final step of the process is we're going to have to create the virtual machine within Hyper-V. So you're going to come over to your Hyper-V Manager and you're going to say, on the right-hand side, New and Virtual Machine, and this is just the prompt that you'll have to follow. So we can just click next, and we're going to give the virtual machine a name. The next step is it's going to ask us to specify the generation of our virtual machine; because this is a VHD file we're just going to leave it as generation 1 for now and you'll click next. We're then going to allocate our memory to it; as I mentioned earlier I suggest at least eight gigs of memory to make this work, and you don't have to use dynamic memory allocation for this, you can just uncheck that if you wish, if you just want to give it a static amount of eight gigs of memory. The next step is we'll configure the network, so in this case I've set up a LabNet virtual switch and we'll assign it to that. And then the final part of the step is mounting the virtual hard drive. So what we'll do in this case is we're not going to create a new virtual hard drive, we're going to use an existing hard drive, and over here we will then select or browse to where you've created the VHD file in the previous step. You will then mount that to this particular virtual machine and you'll click finish, and then Hyper-V will complete the installation for you and you'll be able to then run the machine and see it present under all your other virtual machines in this part of the GUI.

So once you have Wazuh configured in whichever virtual machine environment you're going to be using, we're going to then start up Wazuh. So in this case I'm just going to right click and then say start, click connect, and you'll see that in a couple of seconds Wazuh has booted up. The default username and password for this virtual machine is wazuh-user as the username and the password is just wazuh, and we'll be logged into our server. This particular virtual machine is based on CentOS, and by default the network interface that has been configured is set up to be running as DHCP in bridge mode, so we need to make sure that we update our settings to reflect how we wish to join this machine into our lab environment. If you look at my previous OPNsense firewall installation videos I showed you how to configure VirtualBox network settings, so similar methods can be followed here in order to get Wazuh linked up to our network. I recommend that for your lab you create an internal virtual network and then you configure a static IP address.

So to do this in CentOS you need to firstly find your network adapter name, so we'll just run ip a, and if we look at the output we'll see that ethernet 0, or eth0, is the name of our particular interface. In order to configure a static IP address on our network interface we need to head over and change the following network config. So we'll use sudo vi, and the file we're looking for is in /etc/sysconfig/network-scripts, and then we're going to use ifcfg- and whatever the name of your interface is that we discovered earlier, so in this case it would be eth0. We're going to hit enter, we're then going to supply our password and hit enter, and then you'll see that we have this configuration file. Initially this will look slightly different: you will see that it'll have the type set as Ethernet and the device set as Ethernet, and on boot and so forth, but there won't be any IP address configured, or netmask or gateway or anything like that; it will just have DHCP configured. So then we would need to go into this file and insert everything like I've done, where you need to give it a name, an IP address, whatever IP address your lab network uses; mine runs on 10.200.200.x so I've configured this as five, and it's running on a class C network, and the gateway I've supplied is that of my OPNsense firewall, and I'm just using Google's DNS 8.8.8.8. Once you've inserted the new information into this file you will then hit Shift+colon and you will then follow by typing wq, which basically just says write and quit. For those of you that aren't familiar with vi, to be able to insert data into this file you'll hit Shift+I and then you can navigate to the line where you need to insert the data and type it in as normal. Now we'll be back in our command line.

The next step is we need to completely restart the network service on our server, so to do this we will type in sudo systemctl restart network and hit enter, and then the network service will restart. If you go back and check your IP address you'll see that it's been configured, and if you like you can also reboot your virtual machine; it'll have the same result.

We're then going to head back to our Windows 10 desktop that's connected to the same lab network, and we're going to open up our browser and we're going to head across to 10.200.200.5, which was the IP address of our Wazuh machine, and we're going to hit enter. Initially you'll have a certificate warning that will pop up; this is just because the certificate has been self-signed. Then you'll be presented with the default Wazuh login page. The default credentials for this particular virtual machine are just admin, and the password is admin. We're going to click login, and then Wazuh will do some checks and it will log us directly into this dashboard. Because this is a fresh installation of Wazuh there's going to be no real information for us to see here yet, so the next step of the installation is to configure some agents, which we're going to be installing on this Windows 10 machine as well as a Linux version on one of the Ubuntu 20.04 servers that I've set up.

So to do this we're going to click on add agent, and it's a four-step process. In this case we're going to select the operating system we want to deploy to, so in this case we're going to use Windows, or start with Windows first, and then the Wazuh server address. So this can be an IP address or a fully qualified domain name; in this case my server address is 10.200.200.5. We're not going to assign this to any agent group yet, we haven't created any of those, there's just a default group, but this could come in handy if you ever are in a situation where you want to separate your agents based on your device or your operating system, or whether it's a desktop endpoint or a server endpoint and so on. The next part of the process is the install and enrollment phase. So if you scroll down you'll see that Wazuh just gives us a few warnings here; it just says that you'll need administrator privileges to perform the installation and PowerShell 3.0 and up. Then what it does is it creates an installation script for us which will run in PowerShell, and you'll see that it's pre-populated some of the information in there, like the Wazuh manager, which points back to our IP address, and the registration server, which also points back to Wazuh's server IP address. We'll then just click on copy the command. We're then going to open up PowerShell as an administrator, so we'll just right click on it and say run as administrator, say yes, and then we will paste that command into PowerShell and we'll hit enter, and we'll give it a few minutes. It's then going to download the agent and configure the agent for us automatically. We're then going to need to start the agent. So to do this we can go back to the configuration page, and then there's a command here, NET START WazuhSvc, which will then start the service. So we'll come back to PowerShell, pop that in and hit enter, and then you'll see the Wazuh service is starting and it has successfully started. Just to confirm that it is actually running, we can always go and check it out in the services, so if you search for Services and you just type in Wazuh you'll see that the Wazuh service is actually running.

Now we can head back to our Wazuh dashboard, and you'll see that we have at the top left total agents one and active agents, so we've successfully managed to enroll the one Windows agent onto our system. If we click on it then we can see there's a whole lot of information that it gives us about this particular machine, so the registered agent's name, how many times it's connected and disconnected, and various other information here that we'll look at in later videos.

So for the next part of the installation we're going to add another agent for our Ubuntu 20.04 server, as I mentioned earlier. So in order to do this we are going to come over to this bit where it says deploy a new agent. We are then going to select our operating system, so in this case it's an Ubuntu operating system, our architecture is x86_64, we're once again going to be pointing it to our Wazuh server, which is 10.200.200.5, we're not going to worry about any groups, and then, similar to how it worked with the Windows installation, it's just given us a script here which we will then click copy. We're then going to open PowerShell again and we're going to SSH into our Ubuntu server, so it would be ssh and then the user on that machine is lab at and the IP address is 10.200.200.21. We'll hit enter, password, and then we're logged into that machine, and then we're just going to give it some sudo rights, and we're going to then copy the script that we created with the Wazuh agent deployment wizard and we're going to hit enter, and then the system will go and download all of the things that it needs to make that work. And then what we need to do is we need to come to the section where we need to start the agent, so we're going to copy all these commands directly from the wizard, we'll then hit enter again, and the Wazuh agent will then start. We can then head back to our Wazuh dashboard, let's just refresh the page, and you'll now see that we have two agents appearing and configured. So if you click on total agents you can now see that we have a Windows 10 machine which we set up earlier and then the newly configured Ubuntu 20.04 server.

In later videos we're going to dive into more detail regarding this particular Wazuh dashboard; we're going to play around with it, play around with some of the settings, see what it's capable of. For now the main goal of this video was just to get us set up and running, and for the future videos that will be coming up after this I intend to follow the same idea, where we will be configuring all of our SOC stack infrastructure first, and then once we're up and running and have all of it integrated we'll then dive into the actual dashboards and labs and start configuring and playing and testing various things. So to wrap this part of the lab up, we've now successfully configured Wazuh and deployed two different agents into our lab. If you guys have enjoyed this video please don't forget to give me a thumbs up, to like and subscribe, and keep a lookout over the next couple of weeks; I will be adding more videos into the series. The next video coming up is going to be a configuration where we're going to look at TheHive and MISP and Cortex, and we're going to look at how we can build that into our SOC environment. Thanks again for watching and I'll see you guys soon. Cheers for now.
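The static-address step described in the captions, as an added example that is not part of the video: a POSIX shell script that renders the CentOS ifcfg file for the Wazuh VM and sanity-checks the values before they are written, so a typo does not leave the SIEM unreachable after the network restart. It assumes the interface is eth0, the lab network is 10.200.200.0/24 as in the video, and the OPNsense gateway address 10.200.200.1 is a placeholder for your own.

```shell
#!/bin/sh
# Added example (not from the video): build the ifcfg-eth0 contents for the
# Wazuh VM's static address and validate them first.
# Assumptions: interface eth0, lab net 10.200.200.0/24 as in the video,
# OPNsense gateway 10.200.200.1 (placeholder), Google DNS 8.8.8.8.

WAZUH_IP="10.200.200.5"
NETMASK="255.255.255.0"     # class C network, as in the video
GATEWAY="10.200.200.1"      # placeholder: your OPNsense firewall address
DNS1="8.8.8.8"
IFACE="eth0"

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 when the address ($1) and gateway ($2) share the same /24 prefix.
same_subnet24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Print the ifcfg file the video builds by hand in vi: BOOTPROTO=none
# replaces the default DHCP setting, and the static values are added.
# Args: ip netmask gateway dns interface. Fails on invalid or mismatched input.
render_ifcfg() {
    valid_ipv4 "$1" && valid_ipv4 "$3" && valid_ipv4 "$4" || return 1
    same_subnet24 "$1" "$3" || return 1
    cat <<EOF
TYPE=Ethernet
BOOTPROTO=none
NAME=$5
DEVICE=$5
ONBOOT=yes
IPADDR=$1
NETMASK=$2
GATEWAY=$3
DNS1=$4
EOF
}

# Show the rendered file. On the VM, pipe it into
# /etc/sysconfig/network-scripts/ifcfg-$IFACE with sudo tee, then run
# "sudo systemctl restart network" as the video does.
render_ifcfg "$WAZUH_IP" "$NETMASK" "$GATEWAY" "$DNS1" "$IFACE"
```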
Info
Channel: LS111 Cyber Security Education
Views: 28,312
Keywords: wazuh, siem, wazuh agent, wazuh cloud, security information and event management, cybersecurity, xdr agent, edr, edr agent, endpoint detection and response, endpoint detection & response, what is soc, soc, soc analyst, security operations center, soc analyst training, blue team cyber security, incident response, cybersecurity lab, how to build a cybersecurity lab, threat hunting, threat intelligence plaform, misp
Id: OG8V2O-j9FE
Length: 24min 41sec (1481 seconds)
Published: Thu Jun 09 2022