Posts

Showing posts from December, 2024

Wazuh Server Detecting unauthorized processes

By
  Wazuh Server Detecting unauthorized processes Ubuntu endpoint Take the following steps to configure command monitoring and query a list of all running processes on the Ubuntu endpoint. Add the following configuration block to the Wazuh agent  nano/var/ossec/etc/ossec.conf file. This allows to periodically get a list of running processes: <ossec_config>   <localfile>     <log_format>full_command</log_format>     <alias>process list</alias>     <command>ps -e -o pid,uname,command</command>     <frequency>30</frequency>   </localfile> </ossec_config> Restart the Wazuh agent to apply the changes: $ sudo systemctl restart wazuh-agent Install Netcat and the required dependencies: $ sudo apt install ncat nmap -y   Wazuh server Add the following rules to the /var/ossec/etc/rules/local_rules....
Post a Comment
Read more

Remove agents using the CLI Wazuh Server

By
  Remove agents using the CLI Wazuh Server The  /var/ossec/bin/manage_agents  tool can also remove Wazuh agents using the command line interface (CLI). Run the following command on the Wazuh server: Sudo   /var/ossec/bin/manage_agents   You can run the following command on the Wazuh server and specifiy the Wazuh agent ID by using the -r option. Replace <WAZUH_AGENT_ID> with the agent ID of the Wazuh agent: /var/ossec/bin/manage_agents -r <WAZUH_AGENT_ID> (agent id)
Post a Comment
Read more

Wazuh File integrity monitoring

By
  Wazuh File integrity monitoring:- Edit the Wazuh agent /var/ossec/etc/ossec.conf   <directories check_all="yes" report_changes="yes" realtime="yes">/root</directories>     <directories check_all="yes" report_changes="yes" realtime="yes">/code/config</directories>     <directories check_all="yes" report_changes="yes" realtime="yes">/usr/</directories>     <directories check_all="yes" report_changes="yes" realtime="yes">/home/ubuntu</directories>   sudo systemctl restart wazuh-agent     https://documentation.wazuh.com/current/proof-of-concept-guide/poc-file-integrity-monitoring.html      
Post a Comment
Read more

Slack Integration Wazuh Server : Alerts in Critical, High, and Medium Slack Channels

By
  Slack Integration Wazuh Server : Alerts in Critical, High, and Medium Slack Channels 1. Set Up a Slack App: Go to the Slack API website and log in to your workspace. Navigate to “Your Apps” and click on “Create New App.” Enter a name for your app (e.g., “Wazuh Alerts”) and select the workspace where you want to install the app. Create three channels named “Critical”, “High” and “Medium”. In the app settings, go to “Incoming Webhooks” and enable it. Click on “Add New Webhook to Workspace” to generate a webhook URL. Note down this URL for the three channels, as you’ll need it later. https://api.slack.com/apps   Edit Wazuh Configuration File: Edit /var/ossec/etc/ossec.conf in the Wazuh server and include a configuration block such as the following. <integration> <name>slack</name> <hook_url>https://hooks.slack.c...
Post a Comment
Read more