Md. Rashedul Hasan
E-mail: rashedul.engr@gmail.com
Dhaka, Bangladesh
A plenarily integrated SIEM solution and its Deployment.
SIEM & its Deployment Planning
Why Wazuh SIEM?
Some of the more common use cases of the Wazuh solution:
• Intrusion detection
• Log data analysis
• File integrity monitoring
• Anomaly and Malware detection
• Vulnerability detection
• VirusTotal integration
• Configuration assessment
• Incident response
• Regulatory compliance
• Cloud security
• Containers security
How Wazuh Works
Wazuh Deployment Architecture
• The Wazuh architecture is based on agents, running on the monitored endpoints, that forward security data to a central server. Agentless devices such as firewalls, switches, routers, and access points are supported and can actively submit log data via syslog or using their API.
• The diagram below represents a Wazuh deployment architecture and its components.
Wazuh Deployment Architecture (Cont…)
• The Wazuh server also receives syslog messages from devices that do not support the installation of Wazuh agents, ensuring seamless integration and coverage across your entire network environment.
Deploying WAZUH
Preparing for the Installation
• Operating System:
Wazuh can be installed on various operating systems, including CentOS, Debian, Ubuntu, Windows, and macOS.
• Hardware Specifications:
Hardware requirements depend heavily on the number of protected endpoints and cloud workloads.
• Software Dependencies:
Wazuh requires several software components, including Elastic Stack, Filebeat, and Wazuh Manager.
Elastic Stack is a set of open-source tools for data processing and analysis, including Elasticsearch, Logstash, and Kibana.
Filebeat is a lightweight agent that collects log data from different sources and forwards it to Elasticsearch.
Wazuh Manager is the central component of the Wazuh architecture; it receives data from the Wazuh agents and processes it to generate alerts and notifications.
Step-by-Step Installation
• Step 1: Set Up Wazuh Server
• Install Wazuh
• Install Wazuh Manager
• Install Elasticsearch
• Install Filebeat
• Install Kibana
(Diagram: Wazuh SIEM on a Linux server)
Step-by-Step Installation (Cont.)
• Step 2: Install and Configure Wazuh Agents
• Configure the Wazuh agent on the Windows host
• Configure the Wazuh agent on the Linux host
(Diagram: Linux host and Windows host connected through a switch)
Step-by-Step Installation (Cont.)
Step 3: Install and Configure Syslog Server
• Configure a Linux server as a syslog server
• Configure the Wazuh agent on this syslog server
(Diagram: syslog server running on a Linux server)
Step-by-Step Installation (Cont.)
Step 4: Configure Network Devices to Send the Log to the Syslog Server
• Set the destination address on the devices (router, firewall) so their logs are sent to the syslog server.
• Check the incoming logs on the syslog server.
• Configure the Wazuh server to receive the logs from the syslog server.
• Check the incoming logs from the syslog server on the Wazuh server.
Step 5: Configure Security Event Collection
Step 6: Enable Real-time Monitoring and Alerting
Step 7: Perform Regular Log Analysis and Incident Investigation
Step 8: Continuously Enhance Security Posture
(Diagram: router and firewall sending logs to the syslog server)
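As an added example (not from the original slides), these are the two Wazuh configuration fragments that Steps 3 and 4 imply. Fragment (1) is the <localfile> block for the Wazuh agent installed on the syslog server, so the files that rsyslog writes for the router and firewall are forwarded to the manager; fragment (2) is the direct path the architecture slides mention, a <remote> syslog listener on the Wazuh manager itself. The log directory /var/log/network/ and the device subnet 192.168.1.0/24 are assumptions; each fragment goes into /var/ossec/etc/ossec.conf on the host named in its comment.

```xml
<!-- (1) On the syslog server, in the Wazuh AGENT's ossec.conf.
     Assumes rsyslog writes each device's messages to
     /var/log/network/<hostname>.log (assumed path, set in rsyslog). -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/network/*.log</location>
  </localfile>
</ossec_config>

<!-- (2) Alternative: on the Wazuh MANAGER, accept syslog directly from the
     devices. Plain syslog has no authentication, so the listener is
     restricted to the device subnet; 192.168.1.0/24 is an assumed value.
     Use <protocol>udp</protocol> if a device can only send over UDP. -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
```

After editing, restart wazuh-agent on the syslog server or wazuh-manager on the Wazuh server, and for fragment (2) make sure the host firewall admits port 514 from the device subnet only. Logs arriving through fragment (1) are attributed to the syslog server's agent, which is the trade-off the "Next Plan" slide describes.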
Complete Diagram with Wazuh SIEM
(Diagram: Linux host, Windows host, syslog server, router, firewall and switches connected to the Wazuh SIEM)
Data Flow between Wazuh and connected devices
(Diagram: data flow from the Linux host, Windows host, syslog server, router and firewall to the Wazuh SIEM)
Custom rules and decoders
We can use Wazuh to build decoders that will match on ANYTHING. This flexibility allows us to ingest any type of log into Wazuh, which in turn is written into Elasticsearch and viewable within Kibana.
Customize the Wazuh ruleset to fit your needs and enhance detection capabilities.
To achieve this, we can:
• Modify the default rules and decoders.
• Add new custom rules and decoders.
Adding new decoders and rules
• This example shows how to create new decoders and rules.
The following log corresponds to a program called example:
Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'
Adding a new decoder
• Add a new decoder to /var/ossec/etc/decoders/local_decoder.xml to decode the log information:
<!-- Parent decoder: matches the log on its program name -->
<decoder name="example">
  <program_name>^example</program_name>
</decoder>
<!-- Child decoder: extracts the user and the source IP from the message -->
<decoder name="example">
  <parent>example</parent>
  <regex>User '(\w+)' logged from '(\d+.\d+.\d+.\d+)'</regex>
  <order>user, srcip</order>
</decoder>
Adding a rule
• Add the following rule to /var/ossec/etc/rules/local_rules.xml:
<group name="custom_rules_example,">
  <rule id="100010" level="0">
    <program_name>example</program_name>
    <description>User logged</description>
  </rule>
</group>
• Run /var/ossec/bin/wazuh-logtest and feed it the sample log line to check the decoded fields and the matched rule.
• Restart the Wazuh manager to load the updated rules and decoders:
# systemctl restart wazuh-manager
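As an added example that is not part of the slides, the group below replaces the page's group in /var/ossec/etc/rules/local_rules.xml and builds on the decoder above and on rule 100010 (which is level 0, so by itself it generates no alert): a level-3 alert when the decoded user is the privileged account admin, and a level-8 correlation rule that fires when rule 100010 matches five times within 60 seconds from the same source IP. The field names user and srcip are the ones the decoder's <order> line assigns; the rule ids 100011 and 100012, the levels and the thresholds are my choices, not the project's.

```xml
<group name="custom_rules_example,">

  <!-- The page's base rule, unchanged. Level-0 rules are matched but
       never alerted on; they exist so that child rules can build on them. -->
  <rule id="100010" level="0">
    <program_name>example</program_name>
    <description>User logged</description>
  </rule>

  <!-- Alert when the user extracted by the decoder is the privileged account.
       <field> tests a decoded field with the same regex syntax as <regex>,
       and $(user) / $(srcip) expand to the decoded values in the alert. -->
  <rule id="100011" level="3">
    <if_sid>100010</if_sid>
    <field name="user">^admin$</field>
    <description>Privileged user $(user) logged in from $(srcip)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Correlation: five matches of rule 100010 from the same source IP
       within 60 seconds (assumed thresholds; tune to the environment). -->
  <rule id="100012" level="8" frequency="5" timeframe="60">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Multiple example logins from $(srcip) in a short time</description>
  </rule>

</group>
```

Custom rule ids must stay in the 100000-120000 range reserved for local rules, and each id may appear only once across the ruleset, which is why the block replaces the page's group rather than being appended to it. Verify with wazuh-logtest: pasting the sample line once should report rule 100011, and pasting it five times within a minute should report rule 100012.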
Wazuh SIEM Demo
Agents overview
All configured hosts (agents) are shown in the Agents list with their status: Active, Disconnected, Pending or Never Connected.
Security Events Monitoring (Failed Login Attempts)
Security Events Monitoring (Successful Login Attempts)
File Integrity Monitoring
If the content of a file is changed, intentionally or unintentionally, we can monitor that change from Integrity Monitoring.
Next Plan
• As a specific agent is not available for network devices, I have added the network devices through the syslog server. Now I am working on adding network devices directly into the Wazuh server.
• Configure notifications and policies to get more advantage.
• Detecting and removing malware using the VirusTotal integration.
Resources
• For Installation:
  • https://github.com/wazuh/wazuh
  • https://documentation.wazuh.com/current/deployment-options/elastic-stack/all-in-one-deployment/index.html
• Understanding Wazuh Decoders:
  • https://socfortress.medium.com/understanding-wazuh-decoders-4093e8fc242c
  • https://www.youtube.com/watch?app=desktop&v=2HMo4h7elAA
• Windows Agent Configuration:
  • https://www.songer.pro/install-and-configure-wazuh-agent-windows/
• Linux Agent Configuration:
  • https://thelinuxos.com/
26

More Related Content

What's hot

active-directory-domain-services
active-directory-domain-servicesactive-directory-domain-services
active-directory-domain-services202066
 
Managing your Hadoop Clusters with Apache Ambari
Managing your Hadoop Clusters with Apache AmbariManaging your Hadoop Clusters with Apache Ambari
Managing your Hadoop Clusters with Apache AmbariDataWorks Summit
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsHan Zhou
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
NETWORK FILE SYSTEM
NETWORK FILE SYSTEMNETWORK FILE SYSTEM
NETWORK FILE SYSTEMRoshan Kumar
 
VMware vSphere Networking deep dive
VMware vSphere Networking deep diveVMware vSphere Networking deep dive
VMware vSphere Networking deep diveSanjeev Kumar
 
Nagios, Getting Started.
Nagios, Getting Started.Nagios, Getting Started.
Nagios, Getting Started.Hitesh Bhatia
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX, Inc.
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX, Inc.
 
Gerenciamento de Redes com Zabbix
Gerenciamento de Redes com ZabbixGerenciamento de Redes com Zabbix
Gerenciamento de Redes com ZabbixAndré Déo
 
Zabbix: Uma ferramenta para Gerenciamento de ambientes de T.I
Zabbix: Uma ferramenta para Gerenciamento de ambientes de T.IZabbix: Uma ferramenta para Gerenciamento de ambientes de T.I
Zabbix: Uma ferramenta para Gerenciamento de ambientes de T.IAécio Pires
 
VMware vSphere 6.0 - Troubleshooting Training - Day 5
VMware vSphere 6.0 - Troubleshooting Training - Day 5VMware vSphere 6.0 - Troubleshooting Training - Day 5
VMware vSphere 6.0 - Troubleshooting Training - Day 5Sanjeev Kumar
 
VMware Overview
VMware OverviewVMware Overview
VMware OverviewMadhu Bala
 
High Availability for OpenStack
High Availability for OpenStackHigh Availability for OpenStack
High Availability for OpenStackKamesh Pemmaraju
 
Active directory
Active directory Active directory
Active directory deshvikas
 

What's hot (20)

active-directory-domain-services
active-directory-domain-servicesactive-directory-domain-services
active-directory-domain-services
 
Active directory slides
Active directory slidesActive directory slides
Active directory slides
 
Managing your Hadoop Clusters with Apache Ambari
Managing your Hadoop Clusters with Apache AmbariManaging your Hadoop Clusters with Apache Ambari
Managing your Hadoop Clusters with Apache Ambari
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutions
 
Proxmox for DevOps
Proxmox for DevOpsProxmox for DevOps
Proxmox for DevOps
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
NETWORK FILE SYSTEM
NETWORK FILE SYSTEMNETWORK FILE SYSTEM
NETWORK FILE SYSTEM
 
VMware vSphere Networking deep dive
VMware vSphere Networking deep diveVMware vSphere Networking deep dive
VMware vSphere Networking deep dive
 
Nagios, Getting Started.
Nagios, Getting Started.Nagios, Getting Started.
Nagios, Getting Started.
 
Directory services
Directory servicesDirectory services
Directory services
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best Practices
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA Broadcast
 
Gerenciamento de Redes com Zabbix
Gerenciamento de Redes com ZabbixGerenciamento de Redes com Zabbix
Gerenciamento de Redes com Zabbix
 
Zabbix: Uma ferramenta para Gerenciamento de ambientes de T.I
Zabbix: Uma ferramenta para Gerenciamento de ambientes de T.IZabbix: Uma ferramenta para Gerenciamento de ambientes de T.I
Zabbix: Uma ferramenta para Gerenciamento de ambientes de T.I
 
VMware vSphere 6.0 - Troubleshooting Training - Day 5
VMware vSphere 6.0 - Troubleshooting Training - Day 5VMware vSphere 6.0 - Troubleshooting Training - Day 5
VMware vSphere 6.0 - Troubleshooting Training - Day 5
 
Failover cluster
Failover clusterFailover cluster
Failover cluster
 
VMware Overview
VMware OverviewVMware Overview
VMware Overview
 
High Availability for OpenStack
High Availability for OpenStackHigh Availability for OpenStack
High Availability for OpenStack
 
Active directory
Active directory Active directory
Active directory
 

Similar to A plenarily integrated SIEM solution and it’s Deployment

VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtubeDhruv Sharma
 
Common WSUS Issues in Deployment Operations and Diagnostics
Common WSUS Issues in Deployment Operations and DiagnosticsCommon WSUS Issues in Deployment Operations and Diagnostics
Common WSUS Issues in Deployment Operations and DiagnosticsSolarWinds
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Observability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorObservability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorWSO2
 
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESCENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESNazmul Hossain Rakib
 
Oracle Audit vault
Oracle Audit vaultOracle Audit vault
Oracle Audit vaultuzzal basak
 
Tech Ed 2008 Israel Server Management 360
Tech Ed 2008 Israel   Server Management 360Tech Ed 2008 Israel   Server Management 360
Tech Ed 2008 Israel Server Management 360Amit Gatenyo
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv
 
Sa106 – practical solutions for connections administrators
Sa106 – practical solutions for connections administratorsSa106 – practical solutions for connections administrators
Sa106 – practical solutions for connections administratorsSharon James
 
Log Analytics by VMware Log Insight
Log Analytics by VMware Log InsightLog Analytics by VMware Log Insight
Log Analytics by VMware Log InsightKiss Tibor
 
Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring WSO2
 
Datasheet was pluginforrd
Datasheet was pluginforrdDatasheet was pluginforrd
Datasheet was pluginforrdMidVision
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAmazon Web Services
 
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...xKinAnx
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Miguel Zuniga
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS Amazon Web Services
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 

Similar to A plenarily integrated SIEM solution and it’s Deployment (20)

VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA Firepower
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
Common WSUS Issues in Deployment Operations and Diagnostics
Common WSUS Issues in Deployment Operations and DiagnosticsCommon WSUS Issues in Deployment Operations and Diagnostics
Common WSUS Issues in Deployment Operations and Diagnostics
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Observability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorObservability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise Integrator
 
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESCENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
 
Pvs slide
Pvs slidePvs slide
Pvs slide
 
Oracle Audit vault
Oracle Audit vaultOracle Audit vault
Oracle Audit vault
 
Tech Ed 2008 Israel Server Management 360
Tech Ed 2008 Israel   Server Management 360Tech Ed 2008 Israel   Server Management 360
Tech Ed 2008 Israel Server Management 360
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
 
Sa106 – practical solutions for connections administrators
Sa106 – practical solutions for connections administratorsSa106 – practical solutions for connections administrators
Sa106 – practical solutions for connections administrators
 
Log Analytics by VMware Log Insight
Log Analytics by VMware Log InsightLog Analytics by VMware Log Insight
Log Analytics by VMware Log Insight
 
Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring
 
Datasheet was pluginforrd
Datasheet was pluginforrdDatasheet was pluginforrd
Datasheet was pluginforrd
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
 
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 

More from Bangladesh Network Operators Group

Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unleash Your Potential - Namagunga Girls Coding Club

A plenarily integrated SIEM solution and it’s Deployment

  • 9. Step-by-Step Installation
    Step 1: Set Up the Wazuh Server (Wazuh SIEM on a Linux server)
    • Install Wazuh
    • Install Wazuh Manager
    • Install Elasticsearch
    • Install Filebeat
    • Install Kibana
  • 10. Step-by-Step Installation (Cont.)
    Step 2: Install and Configure Wazuh Agents
    • Configure the Windows agent on the Windows host
    • Configure the Linux agent on the Linux host
    (diagram: Linux host and Windows host connected through a switch)
  • 11. Step-by-Step Installation (Cont.)
    Step 3: Install and Configure a Syslog Server
    • Configure a Linux server as a syslog server
    • Configure a Wazuh agent on this syslog server
    (diagram: syslog server running on a Linux server)
  • 12. Step-by-Step Installation (Cont.)
    Step 4: Configure Network Devices to Send Their Logs to the Syslog Server
    • Set the destination address on the devices so that they send their logs to the syslog server.
    • Check the incoming logs on the syslog server.
    • Configure the Wazuh server to receive the logs from the syslog server.
    • Check the incoming logs from the syslog server on the Wazuh server.
    Step 5: Configure Security Event Collection
    Step 6: Enable Real-time Monitoring and Alerting
    Step 7: Perform Regular Log Analysis and Incident Investigation
    Step 8: Continuously Enhance the Security Posture
    (diagram: router and firewall sending logs to the syslog server)
  • 13. Complete Diagram with Wazuh SIEM
    (diagram: Linux host, Windows host, syslog server, router, switches and firewall, all feeding the Wazuh SIEM)
  • 14. Data Flow between Wazuh and the connected devices
    (diagram: Linux host, Windows host, syslog server, router and firewall exchanging data with the Wazuh SIEM)
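Steps 3 and 4 above put a syslog server between the network devices and Wazuh. The following is an added example, not code from the slides or from the Wazuh project, of the two things that server does: parse the RFC 3164 lines a router or firewall sends (PRI, timestamp, hostname, program, message) and write them to one file per device that a Wazuh agent can then read. The device hostnames, addresses and message text are constructed for the example.

```python
"""Minimal syslog receiver logic for Steps 3 and 4: parse RFC 3164 lines from
network devices and store them in one file per device for a Wazuh agent to read.
Added example; not part of Wazuh."""
import os
import re
import tempfile

# Constructed sample messages, in the form a router and a firewall might send
# to the syslog server. Hostnames, addresses and message text are made up.
SAMPLE_MESSAGES = [
    "<189>Dec 25 20:45:02 core-router 12345: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<132>Dec 25 20:46:10 edge-fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "this line is not syslog at all",
]

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG  (RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def parse_syslog(line):
    """Return a dict of decoded fields, or None if the line is not RFC 3164 syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:              # PRI = facility*8 + severity; the maximum is 23*8 + 7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES.get(facility, f"facility{facility}"),
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "host": m["host"],
        "program": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
        "raw": line,
    }


def store_by_device(records, base_dir):
    """Append each record to <base_dir>/<host>.log; returns {host: path}."""
    written = {}
    for rec in records:
        # A hostname comes from the network: never use it as a path unsanitised.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", rec["host"])
        path = os.path.join(base_dir, safe + ".log")
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(rec["raw"] + "\n")
        written[rec["host"]] = path
    return written


def demo(base_dir=None):
    """Parse the constructed messages and store them; returns (parsed, rejected, paths)."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="syslog-demo-")
    parsed, rejected = [], []
    for line in SAMPLE_MESSAGES:
        rec = parse_syslog(line)
        if rec:
            parsed.append(rec)
        else:
            rejected.append(line)
    return parsed, rejected, store_by_device(parsed, base_dir)


if __name__ == "__main__":
    parsed, rejected, paths = demo()
    for rec in parsed:
        print(f"{rec['host']:12} {rec['facility']}.{rec['severity']:8} {rec['program']}: {rec['message']}")
    print("rejected:", rejected)
    print("files:", paths)
```

In a real deployment rsyslog or syslog-ng plays the receiver role; the per-device files are then declared to the Wazuh agent on the syslog server with a `<localfile>` entry in ossec.conf (`<log_format>syslog</log_format>` and `<location>` pointing at the file), which is the "configure Wazuh to receive the log from the syslog server" step. Lines that do not parse (the third sample) are reported rather than silently dropped, so a misconfigured device is noticed.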
  • 15. Custom rules and decoders
    We can use Wazuh to build decoders that will match on anything. This flexibility allows us to ingest any type of log into Wazuh, which in turn is written into Elasticsearch and viewable within Kibana.
    Customize the Wazuh ruleset to fit your needs and enhance detection capabilities. To achieve this, we can:
    • Modify the default rules and decoders.
    • Add new custom rules and decoders.
  • 16. Adding new decoders and rules
    This example shows how to create new decoders and rules. The following log corresponds to a program called example:
    Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'
  • 17. Adding a new decoder
    Add a new decoder to /var/ossec/etc/decoders/local_decoder.xml to decode the log information:
    <decoder name="example">
      <program_name>^example</program_name>
    </decoder>

    <decoder name="example">
      <parent>example</parent>
      <regex>User '(\w+)' logged from '(\d+.\d+.\d+.\d+)'</regex>
      <order>user, srcip</order>
    </decoder>
  • 18. Adding a rule
    Add the following rule to /var/ossec/etc/rules/local_rules.xml:
    <group name="custom_rules_example,">
      <rule id="100010" level="0">
        <program_name>example</program_name>
        <description>User logged</description>
      </rule>
    </group>
    • Run /var/ossec/bin/wazuh-logtest to check how the sample log is decoded and which rule fires.
    • Restart the Wazuh manager to load the updated rules and decoders:
      # systemctl restart wazuh-manager
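To see what the parent decoder, the child decoder's `<regex>`/`<order>` pair and the rule's `<program_name>` and `level` do to the slide 16 log, here is an added example that emulates the decode-then-rule pipeline in Python. It is not Wazuh's engine (which is written in C) and only covers the OS_Regex subset the slides use. Rule 100010 is the slides' rule; rule 100011, with `if_sid` and `srcip`, is a constructed child rule added to show how a decoded field can raise the alert level, and is an assumption of this example, not something on the slides.

```python
"""Emulation of the decode-then-rule pipeline for the slides' example log, so the
effect of <parent>, <regex>, <order>, <program_name> and level can be checked
offline. Added example; Wazuh's real engine is C, this is a Python sketch."""
import ipaddress
import re

EXAMPLE_LOG = "Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'"

# The two decoders from local_decoder.xml, as dicts.
DECODERS = [
    {"name": "example", "program_name": "^example"},
    {"name": "example", "parent": "example",
     "regex": r"User '(\w+)' logged from '(\d+.\d+.\d+.\d+)'",
     "order": ["user", "srcip"]},
]

# Rule 100010 is the slides' rule. Rule 100011 is a constructed child rule
# (assumption, not on the slides) showing how a decoded field raises the level.
RULES = [
    {"id": 100010, "level": 0, "program_name": "example", "description": "User logged"},
    {"id": 100011, "level": 5, "if_sid": 100010, "srcip": "192.168.1.0/24",
     "description": "User logged from the LAN"},
]

# Wazuh's syslog pre-decoder: timestamp, hostname, program_name[pid]: message
PRE_DECODER_RE = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")


def os_regex_to_python(pattern):
    """Translate the OS_Regex subset used above. In Wazuh, \\w also matches
    '-', '@' and '_', \\d is a digit and '.' is any character."""
    return pattern.replace(r"\w", r"[A-Za-z0-9_@\-]").replace(r"\d", "[0-9]")


def decode(log):
    """Run pre-decoder, parent decoder (by program_name) and child decoder (regex/order)."""
    m = PRE_DECODER_RE.match(log)
    if not m:
        return {"full_log": log, "decoder": None}
    event = {"full_log": log, "hostname": m["host"],
             "program_name": m["prog"], "decoder": None}
    for d in DECODERS:                      # parent decoders match on program_name
        if "parent" not in d and re.search(os_regex_to_python(d["program_name"]),
                                            event["program_name"]):
            event["decoder"] = d["name"]
            break
    if event["decoder"] is None:
        return event
    for d in DECODERS:                      # children extract the fields named in <order>
        if d.get("parent") == event["decoder"]:
            cm = re.search(os_regex_to_python(d["regex"]), m["msg"])
            if cm:
                event.update(zip(d["order"], cm.groups()))
                break
    return event


def match_rules(event):
    """Return the last rule that fired (the most specific one), or None."""
    fired = []
    for r in RULES:
        if "program_name" in r and not re.search(
                os_regex_to_python(r["program_name"]), event.get("program_name", "")):
            continue
        if "if_sid" in r and r["if_sid"] not in [f["id"] for f in fired]:
            continue
        if "srcip" in r:
            try:
                if ipaddress.ip_address(event.get("srcip", "")) not in ipaddress.ip_network(r["srcip"]):
                    continue
            except ValueError:              # missing or malformed srcip: the rule cannot apply
                continue
        fired.append(r)
    return fired[-1] if fired else None


def process(log):
    """Decode a log line and attach the matching rule id, level and description."""
    event = decode(log)
    rule = match_rules(event)
    if rule:
        event.update({"rule_id": rule["id"], "level": rule["level"],
                      "description": rule["description"]})
    return event


if __name__ == "__main__":
    for log in (EXAMPLE_LOG,
                EXAMPLE_LOG.replace("192.168.1.100", "10.9.8.7"),
                "Dec 25 20:45:02 MyHost sshd[99]: Accepted publickey for bob"):
        print(process(log))
```

Running the three sample lines shows the three outcomes a practitioner checks with wazuh-logtest: the slides' log is fully decoded (user, srcip) and the LAN rule fires at level 5; the same log from another network stops at rule 100010, level 0; a log from a different program is pre-decoded but matches neither the decoder nor any rule.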
  • 20. Agents overview
    All configured hosts (agents) are shown in the agents list, grouped as Active, Disconnected, Pending and Never connected.
  • 23. File Integrity Monitoring
    If the content of a file has changed, intentionally or unintentionally, we can see that change in the Integrity Monitoring view.
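To make concrete what the Integrity Monitoring view is reporting, the following is an added example of the mechanism underneath file integrity monitoring: hash every file in a tree into a baseline, re-scan later and classify the differences as added, deleted or modified. This is a stand-alone illustration and not Wazuh's syscheck code; the directory tree, file contents and the three simulated changes are constructed for the example.

```python
"""Added example of what file integrity monitoring does underneath: hash a
directory tree into a baseline, re-scan later and report what changed.
Not Wazuh's syscheck code; a stand-alone illustration with a constructed tree."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its digest, size and mode."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            baseline[rel] = {"sha256": file_digest(path), "size": st.st_size,
                             "mode": oct(st.st_mode & 0o777)}
    return baseline


def compare(baseline, current):
    """Classify the differences between two scans, as a FIM alert would."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo(root=None):
    """Build a constructed sample tree, take a baseline, change it, and return the diff."""
    root = root or tempfile.mkdtemp(prefix="fim-demo-")
    _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
    _write(os.path.join(root, "etc", "ssh", "sshd_config"), "PermitRootLogin no\n")
    _write(os.path.join(root, "etc", "motd"), "welcome\n")
    baseline = build_baseline(root)

    # Simulated changes between the two scans (constructed for the example):
    _write(os.path.join(root, "etc", "ssh", "sshd_config"), "PermitRootLogin yes\n")        # content changed
    _write(os.path.join(root, "etc", "cron.d", "nightly"), "0 2 * * * root /usr/local/bin/backup\n")  # new file
    os.remove(os.path.join(root, "etc", "motd"))                                             # file removed
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

The baseline records mode as well as content, so a permission change on an unchanged file is also reported as modified; that is the same reason a FIM tool is only as trustworthy as the baseline it was given, which should be taken on a known-good system and stored where the monitored host cannot rewrite it.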
  • 24. Next Plan
    • As no specific agent is available for network devices, I have added the network devices through a syslog server. Now I am working on adding network devices directly into the Wazuh server.
    • Configure notifications and policies to get more benefit.
    • Detect and remove malware using the VirusTotal integration.
  • 25. Resources
    • For installation:
      https://github.com/wazuh/wazuh
      https://documentation.wazuh.com/current/deployment-options/elastic-stack/all-in-one-deployment/index.html
    • Understanding Wazuh decoders:
      https://socfortress.medium.com/understanding-wazuh-decoders-4093e8fc242c
      https://www.youtube.com/watch?app=desktop&v=2HMo4h7elAA
    • Windows agent configuration:
      https://www.songer.pro/install-and-configure-wazuh-agent-windows/
    • Linux agent configuration:
      https://thelinuxos.com/