As an intern for Total Cyber Security, one of my tasks is to provide a quick overview of Wazuh through a blog post. Wazuh is a tool that provides free, open-source security monitoring with different types of threat detection. Today, I’ll be going over how to access Wazuh, as well as how to navigate through its many features such as adding new agents and viewing security assessments.
Getting Started
To begin, you will need to go to the IP associated with Wazuh. You’ll be prompted with entering your account information which must be created in Elasticsearch. If you haven’t done so yet, you can log in with the default credentials for the admin account that was created when Wazuh was first installed. If you’ve already done so, skip ahead to the next section.
On the left side of the screen, click on the hamburger menu and scroll down until you find Security. Once selected, head to Internal users and choose the blue Create internal user button.
Here, you can enter new user credentials where you can personalize who can log onto Wazuh and what they can access. For example, if you wanted to create a new admin account you would add the backend role “admin,” but this is optional.
Once you’ve typed in all the information you desire, you can save the account by clicking the blue Create button on the bottom right.
Adding New Agents
Back on the main page of Wazuh, head to the next tab called Agents.
There will be an option to add new agents on the right side of the page that says + Deploy new agent.
Depending on your operating system, choose the one that applies to you. For the server address, you want to be sure you put your server IP into that box otherwise it defaults to localhost. Next, pick whichever group you want to assign the agent to, then copy the command that is generated at the bottom.
Load up Windows PowerShell as an administrator and paste the command into the prompt. You want to be sure that the computer name matches up with that of the agent being added.
Security Configuration Assessment
To view the SCA policies of added agents, head back to the Wazuh main page of modules. Under Auditing and Policy Monitoring, select Security configuration assessment.
You will have to pick a specific agent to view the SCA policies, so click on select agent to continue.
On the next page, you will have a view of different widgets. One displays a simple circle chart with three different results: pass, fail and not applicable. To view more details on each policy, select the box below the chart.
Information describing each policy is shown, such as the location of the registry, why it is failing (for those policies that don’t pass) and a fix to make it pass (if applicable). It also displays an overall score for each passing policy. This feature from Wazuh is a great way to keep track of anything out of place or things that need updating to ensure the security of your computer system.
That’s all there is too it! Wazuh has even more features that can be explored, but this was a simple way to start off your navigation with Wazuh to get an idea of the different features it’s capable of and what you can expect to see about the agents you’ve added so far. Go ahead and click back to the modules page and click around on the different sections to see more. Good luck and have fun on your Wazuh journey!