In this blog post, we review how Wazuh can deliver some of the capabilities expected of a Security Operations Center (SOC).
First and foremost, Wazuh is an open-source security platform that combines XDR and SIEM protection for endpoints and cloud workloads. In practice it supplies the SIEM capability that sits at the heart of a SOC, together with Endpoint Detection and Response (EDR) for the hosts on which its agents run.
A SOC is expected to monitor, detect and alert on security events and incidents. It is also expected to give analysts real-time correlation and context from the endpoints on which agents are installed, which in turn enables Active Response on those endpoints and remediation. Wazuh provides these capabilities alongside other functions a SOC requires, such as File Integrity Monitoring, regulatory compliance reporting, vulnerability detection and security configuration assessment.
Understanding the Wazuh architecture gives a clear picture of how security information and events arrive at the SOC, and how relevant data can be retrieved from every network environment in the enterprise. The architecture is based on agents, running on the monitored endpoints, that forward security data to a central server. Agentless devices such as firewalls, switches, routers and access points are also supported: they can submit log data via syslog, or be monitored over SSH or through their API.
Three components (the Wazuh indexer, server and dashboard) work together to deliver this. They can be installed on separate hosts or using the all-in-one (AIO) setup, which is also distributed as an OVA virtual machine. The documentation describes which installation method fits which environment.
In this scenario we use the latest version of the Wazuh dashboard, which provides the user interface for visualising and analysing the data coming from the agents installed on endpoints. Through its modules, analysts can access the data that supports each of the capabilities the SOC is expected to provide, as shown below.
Wazuh can also be integrated with other open-source tools such as TheHive, Cortex and VirusTotal to make analysts more efficient in meeting SOC expectations for the constituents they support. All of these use cases have been tested and implemented to make it easier to deal with security incidents that need to be investigated and acted upon swiftly.
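To make the TheHive integration concrete, here is an added example of a custom Wazuh integration script; it is written for this post and is not code from the original article or from the Wazuh or TheHive projects. It follows Wazuh's custom-integration convention (a script in /var/ossec/integrations whose name starts with "custom-", invoked with the alert file path, the API key and the hook URL as positional arguments) and assumes TheHive's API v1 alert endpoint (POST <hook_url>/api/v1/alert with a Bearer token). The script name custom-thehive, the severity mapping and the sample alert are all constructed for the example.

```python
"""Hypothetical custom Wazuh integration that forwards alerts to TheHive.

Wazuh runs scripts in /var/ossec/integrations named custom-* with three
positional arguments: <alert_file> <api_key> <hook_url>. This example maps
the Wazuh alert JSON to a TheHive API v1 alert (assumed endpoint) and POSTs it.
"""
import json
import sys
import urllib.request

# Constructed alert, shaped like the JSON Wazuh writes for integration scripts
# (rule 554 is Wazuh's built-in "File added to the system." syscheck rule).
SAMPLE_ALERT = {
    "id": "1700000000.123456",
    "timestamp": "2023-11-14T22:13:20.000+0000",
    "rule": {"id": "554", "level": 7, "description": "File added to the system.",
             "groups": ["ossec", "syscheck", "syscheck_entry_added"]},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
    "syscheck": {"path": "/var/www/html/upload.php",
                 "md5_after": "d41d8cd98f00b204e9800998ecf8427e",
                 "sha256_after": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "full_log": "File '/var/www/html/upload.php' added",
}


def thehive_severity(level: int) -> int:
    """Map a Wazuh rule level (0-15) to TheHive severity (1 low .. 4 critical)."""
    if level >= 12:
        return 4
    if level >= 7:
        return 3
    if level >= 4:
        return 2
    return 1


def extract_observables(alert: dict) -> list:
    """Collect indicators analysts (or Cortex analysers) can pivot on."""
    observables = []
    data = alert.get("data", {})
    if "srcip" in data:
        observables.append({"dataType": "ip", "data": data["srcip"]})
    syscheck = alert.get("syscheck", {})
    if "path" in syscheck:
        observables.append({"dataType": "filename", "data": syscheck["path"]})
    for key in ("md5_after", "sha1_after", "sha256_after"):
        if key in syscheck:
            observables.append({"dataType": "hash", "data": syscheck[key]})
    agent = alert.get("agent", {})
    if "ip" in agent:
        observables.append({"dataType": "ip", "data": agent["ip"], "tags": ["wazuh:agent"]})
    return observables


def build_thehive_alert(alert: dict) -> dict:
    """Build the TheHive alert body; sourceRef must be unique, Wazuh's alert id is."""
    rule = alert["rule"]
    agent = alert.get("agent", {})
    return {
        "type": "wazuh",
        "source": "wazuh",
        "sourceRef": alert["id"],
        "title": f"[{agent.get('name', 'manager')}] {rule['description']}",
        "description": (f"Wazuh rule {rule['id']} (level {rule['level']}) fired at "
                        f"{alert.get('timestamp')} on agent {agent.get('id', 'N/A')}. "
                        f"Log: {alert.get('full_log', '')}"),
        "severity": thehive_severity(rule["level"]),
        "tags": [f"wazuh-rule:{rule['id']}"] + [f"wazuh-group:{g}" for g in rule.get("groups", [])],
        "observables": extract_observables(alert),
    }


def send_to_thehive(payload: dict, api_key: str, hook_url: str) -> int:
    """POST the alert to TheHive (API v1 path and Bearer auth are assumptions)."""
    req = urllib.request.Request(
        hook_url.rstrip("/") + "/api/v1/alert",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(argv: list) -> int:
    if len(argv) < 4:
        print("usage: custom-thehive <alert_file> <api_key> <hook_url>", file=sys.stderr)
        return 2
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)
    status = send_to_thehive(build_thehive_alert(alert), api_key, hook_url)
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, the manager's ossec.conf needs an `<integration>` block naming the script (`<name>custom-thehive</name>`), the TheHive base URL in `<hook_url>`, the API key in `<api_key>`, `<alert_format>json</alert_format>`, and a `<level>` or `<rule_id>` filter so only alerts worth a case reach the platform. VirusTotal, by contrast, needs no script: Wazuh ships a built-in `virustotal` integration that looks up syscheck file hashes.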
By Augustine Ani and Mustapha Kasim