Elastic Stack Wazuh Manager SIEM
Pro and Cons

What will wait for you when you put Elastic Stack Wazuh Manager to work in a production environment?

The Open Source Security Platform Wazuh Manager is based on Elasticsearch and is an open-source industry-proven software stack, providing a complete SIEM, log manager, and threat hunting tool.

 

Its agent was previously called OSSEC, is now renamed to Wazuh agent, and can be installed on Windows, Linux, and macOS.

Pros

 

1- Centralized Security Log Management for all Endpoints logs (servers, network appliances, Clients, and applications). Since its underlying text search engine is Elasticsearch and Kibana, there is an endless amount of options on how you can search inside your logs and how you require to visualize them.

2- It has a proprietary agent, which can be installed on Linux or Windows endpoints to gather security logs and shipped them formatted to the Wazuh manager for log analyses.
Also in the case of Windows, the agent can be rolled out via a Domain GPO, yet the agent will be authenticated, and traffics between the agent and the manager will be encrypted.

 

3- The agent scans the monitored system for rootkits, malware, suspicious anomalies, and so on, providing a complete HIDS (Host-based intrusion detection) and it does this very effectively.

4- The agent pulls the software inventory data on endpoints and sends this information to the manager, where it is assessed against open-source CVE databases such as NVD, which are continuously being updated. It provides a full agent-based Vulnerability Detection across your monitored systems.

5- File Integrity Monitoring (FIM) is another cool aspect of Wazuh. Here you can define some specific files or paths, even with their recursion level, and let their content be monitored. As soon as a change on them happens, you will see in the manager, who, when, changed what and how (which command)

6- Even more interesting than FIM is the syscall-based monitoring if the monitored system is Linux. Here you can define your required paths in the rule file of the Auditd tool on Linux and Wazuh will trigger an alarm if your important files are touched, edited, or deleted. Literally, every single file activity will be watched and logged centrally. A common use case for this would be if there is very highly sensitive information in your system whose file activity must be monitored.


7- System hardening monitoring is one of those lovely features of Wazuh. You can assess your monitored systems against CIS Benchmarks (the official organization that provides system hardening standards) and get informed how many passes and how many fail your systems are identified with.

8-Based on pre-defined rules in Wazuh, security events will also be categorized in different industry standards and information security regulations such as GDPR for Europe or PCI DSS (Payment Card Industry Data Security Standard), NIST, and so on. You can also define your own custom rules for events specific to your company and make them shown (if any) under these categories for your compliance reports.

9- It does not cost a penny! Due to its open-source and crowd-sourced nature of the underlying technologies (Linux, Opendistro Elastic Stack Wazuh, Open Source online databases…), you will not have to be worried about licenses and the number of your monitored systems and data volume and such.
Scalability is another very important feature. Since it is Elasticsearch, you can add your nodes and build up your cluster as your endpoints grow.


Cons


Although Wazuh provides out-of-the-box active responses to perform various countermeasures to address active threats, such as blocking access to a system from the threat source when certain criteria are met, this area is still new in Wazuh and it is not yet mature enough to activate it in a real production environment.

10- Lack of enough training materials for the entire stack. For example, in many cases, one should go on and define his own decoders (RegEx-based matches to extract required fields) and rules for those decodes, and trust me it is not that easy! However, it is worth learning.


Bottom line


Elastic Stack Wazuh Manager will give you a complete security platform to manage your cybersecurity events and standard compliance on thousands of endpoints across your network. Its learning curve is a bit time-consuming, but once learned, it saves a lot of money in the company, will bring a great impact on business security. There might be better tools out there with much more features especially when it comes to incident response and ticket assignments to analysts, but one should not forget that licensing schema and pricing of such commercial tools are sometimes insane! So there is a clear trade-off here to be decided by all stakeholders.

Applied Ethical Hacking and Rules of Engagement

# +40 hours hands-on

# +5h Live Hacking on HTB

# +15 hours Ethical hacking

# 4 Courses in 1

# +5 hours Red Teaming

# +5 hours SIEM using Elastic Stack Wazuh

# +4.5 Udemy Rating

Applied Linux Command Line and Shell Scripting Zero to Elite

# +9 hours hands-on

# Learning +200 Linux tools

# Project-based shell scripting

# Terminal productivity

# Dive in Linux Firewall

# Mastery on Linux networking, security, system visibility

# +4.5 Udemy Rating