# Intro

I'm not going to talk too much about the install phase, because Wazuh offers [a Quickstart script](https://documentation.wazuh.com/current/quickstart.html). I deployed a fresh Ubuntu 24.04 LTS VM inside my Proxmox cluster, dedicated solely to this project. I made sure to meet the minimum recommended requirements of 4 vCPUs, 8 GB of RAM, and 50 GB of storage. This will also be a fantastic candidate for high availability in the future.

---

# Agent Install

After the quickstart succeeded, I deployed an agent to my daily-driver Windows 11 installation via the dashboard.

![[Pasted image 20250406200716.png]]

This is super cool. I just needed to make sure that the PowerShell command

```
NET START WazuhSvc
```

was run as admin. I had thought that instruction applied only to Step 4.

---

# Dashboard Exploration

At this point the agent took a while to connect to the manager. I didn't set a timer, but let's just say that if it's over 5 minutes, you might need to double-check your configuration. When it is finally registered by the manager, your dashboard will look like this:

![[Pasted image 20250406201125.png]]

Clicking on the endpoint itself gives us another dashboard with an overview of that endpoint.

![[Pasted image 20250406201701.png]]

Nothing crazy here. You'll note there's a ton of compliance flags on the right, and I only pass 26% of the CIS Benchmark with this device. There's a lot here I have no prior knowledge about, but I look forward to learning about the remediations I need to make.

---

# Alert Exploration

If I go back to the main dashboard, I can see I have quite a few alerts. Over 500, in fact. None high, but 350 in the medium category.

![[Pasted image 20250406202106.png]]

Let's see what these are and how to remediate them. There's a ton of alerts after I click on 350, and frankly, I'm not interested in sanitizing all my data before I post it online. Let's follow along by description for a bit.
The default search is `wazuh-alerts-*`, which is completely fine for now with this fresh installation. Earlier, we saw that we don't meet CIS recommendations. Let's filter by "CIS" first.

![[Pasted image 20250406202934.png]]

Quite a few, as expected. But I want to know how to fix this stuff. Let's see if that data is available.

![[Pasted image 20250406203625.png]]

Now we're cooking. 349 hits. Don't we have 350 hits without that filter? That's pretty good! That means there are instructions to help with basically every alert. The only thing that would make this better is if they all have the same remediation steps and I only have to do them once!

![[Pasted image 20250406204135.png]]

The `remediation` field gives me a pretty good idea of what I need to do here. It looks like the `check.title` field also sums it up very nicely, which is good to know. Going through the rest of the alert, this doesn't seem like a necessary change to make at all for a home user, but I can see why it would be needed in a business environment. I'm going to make these changes now and see what happens. I don't expect the alerts to disappear, but maybe we'll get some movement on the endpoint dashboard. (The change itself is a Group Policy edit, which is outside the scope of this post and of what I'm trying to demonstrate.)

---

It doesn't look like the changes will be caught anytime soon. From what I can tell from this quick overview before I sleep, polling is every 86400 seconds by default. That could be wrong. But I don't have much more time tonight, so I'll be wrapping it up here for now.

# Conclusion

This SIEM is going to be a fantastic place for me to play around with what I'm actively learning right now. However, unless I introduce a way to manufacture dummy security events, I don't expect to have very many. So for now, this will be my way to help harden my network as I continue to learn how to be an asset when it comes to active defense techniques.
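Two points in this post call for the same agent-side script: the "if it's over 5 minutes, double-check your configuration" wait in Dashboard Exploration, and the SCA polling interval at the end of Alert Exploration. The PowerShell below is an added example, not code from the original post or from the Wazuh project. It assumes the default Windows agent install directory (`C:\Program Files (x86)\ossec-agent`), a manager address already present in `ossec.conf`, and a 1h SCA interval chosen for this lab (that value is a choice for the example, not Wazuh's shipped default). It must run in an elevated PowerShell, for the same reason `NET START WazuhSvc` had to.

```powershell
# Added example; not from the original post or the Wazuh project.
# Assumptions: default agent install path, manager address already in ossec.conf,
# and a lab-chosen 1h SCA interval.
#Requires -RunAsAdministrator

$AgentDir    = 'C:\Program Files (x86)\ossec-agent'   # default install path; adjust if changed
$Conf        = Join-Path $AgentDir 'ossec.conf'
$Log         = Join-Path $AgentDir 'ossec.log'
$NewInterval = '1h'                                  # Wazuh accepts s/m/h/d suffixes

# --- 1. Is the agent running and enrolled? ----------------------------------
$svc = Get-Service -Name WazuhSvc -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Start-Service -Name WazuhSvc        # equivalent to NET START WazuhSvc, still needs admin
    $svc.WaitForStatus('Running', '00:00:30')
}
# client.keys is written during enrolment; missing or empty means the agent never
# registered with the manager, so waiting longer will not help.
$keys = Join-Path $AgentDir 'client.keys'
if (-not (Test-Path $keys) -or (Get-Item $keys).Length -eq 0) {
    Write-Warning 'client.keys is missing or empty: enrolment (1515/tcp) did not succeed'
}

# --- 2. Can the agent reach the manager? ------------------------------------
$raw     = Get-Content -Raw -Path $Conf
$manager = [regex]::Match($raw, '<address>\s*([^<\s]+)\s*</address>').Groups[1].Value
if (-not $manager) { throw "No <client><server><address> found in $Conf" }
foreach ($port in 1514, 1515) {         # 1514: agent events, 1515: enrolment
    $ok = (Test-NetConnection -ComputerName $manager -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("{0}:{1} reachable: {2}" -f $manager, $port, $ok)
}

# --- 3. Make the next SCA scan happen now instead of at the next interval ---
# Only touch the <interval> inside <sca>; syscheck and rootcheck have their own.
$scaMatch = [regex]::Match($raw, '(?s)<sca>.*?</sca>')
if (-not $scaMatch.Success) { throw "No <sca> block in $Conf" }
$sca = $scaMatch.Value
if ($sca -notmatch '<interval>') { throw '<sca> has no <interval>; add one explicitly rather than guessing' }
$sca = $sca -replace '<interval>[^<]*</interval>', "<interval>$NewInterval</interval>"
$sca = $sca -replace '<scan_on_start>[^<]*</scan_on_start>', '<scan_on_start>yes</scan_on_start>'
$updated = $raw.Substring(0, $scaMatch.Index) + $sca + $raw.Substring($scaMatch.Index + $scaMatch.Length)

Copy-Item -Path $Conf -Destination "$Conf.bak" -Force
# WriteAllText emits UTF-8 without a BOM; Set-Content -Encoding UTF8 on
# Windows PowerShell 5.1 would prepend one to the config file.
[System.IO.File]::WriteAllText($Conf, $updated)

# scan_on_start=yes means a restart triggers a fresh SCA scan immediately.
Restart-Service -Name WazuhSvc
Start-Sleep -Seconds 20

# --- 4. Confirm the reconnect and the scan from the agent's own log ---------
Get-Content -Path $Log -Tail 50 |
    Select-String -Pattern 'Connected to the server|Security Configuration Assessment|ERROR' |
    ForEach-Object { $_.Line }
```

After the restart, the endpoint's Configuration Assessment view in the dashboard reflects the new scan, while the alerts already indexed in `wazuh-alerts-*` stay where they are, which matches the expectation above that the old alerts would not disappear. For more than one endpoint, the same `<sca>` settings belong in the manager's centralized configuration (`/var/ossec/etc/shared/<group>/agent.conf`) rather than in each agent's `ossec.conf`.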