Tryhackme - Wazuh

In this walkthrough, we will be going through the Wazuh room from Tryhackme. In this room we will learn about Wazuh, a free, open-source and enterprise-ready security monitoring solution for threat detection and integrity monitoring. So, let’s get started without any delay.

Task 1 – Introduction

Question 1 – When was Wazuh released?

2015

Question 2 – What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats?

Agent

Question 3 – Lastly, what is the term for a device that is responsible for managing these devices?

Manager

Task 2 – Required: Deploy Wazuh Server

Question 1 – Login to the Wazuh management server on HTTPS://10.10.183.190 before proceeding with this room’s tasks.

Done

Screenshot: Open Distro for Elasticsearch

Task 3 – Wazuh Agents

Question 1 – Ensure that you are logged in to the Wazuh management server on HTTPS://10.10.183.190

Done

Question 2 – Navigate to the “Agents” tab by pressing Wazuh -> Agents

Done

Screenshot: Agents tab

Question 3 – How many agents does this Wazuh management server manage?

Screenshot: agents managed by the Wazuh management server

2

Question 4 – What are the status of the agents managed by this Wazuh management server?

Screenshot: Agent status

Disconnected

Task 4 – Wazuh Vulnerability Assessment & Security Events

Question 1 – Ensure that you are logged in to the Wazuh management server on HTTPS://10.10.183.190

Done

Question 2 – Navigate to the Agents tab by pressing Wazuh -> Agents like so

Done

Screenshot: Wazuh Agents

Question 3 – Select the agent named “AGENT-001”

Done

Screenshot: Wazuh Agent

Question 4 – How many “Security Event” alerts have been generated by the agent “AGENT-001”?

Note: You will need to make sure that your time range includes the 11th of March 2022

Screenshot: Wazuh Security events

196

Task 5 – Wazuh Policy Auditing

Question 1 – Ensure that you are logged in to the Wazuh management server on 10.10.183.190

Done

Question 2 – Navigate to the “Modules” tab by pressing Wazuh -> Modules and open the “Policy Management” module like so:

Done

Task 6 – Monitoring Logons with Wazuh

Question 1 – Ensure that you are logged in to the Wazuh management server on 10.10.229.53

Done

Question 2 – Navigate to the “Management” tab by pressing Wazuh -> Management and open the “Rules” module like so:

Done

Screenshot: Wazuh Administration

Screenshot: Wazuh Management

Task 7 – Collecting Windows Logs with Wazuh

Question 1 – What is the name of the tool that we can use to monitor system events?

Sysmon

Question 2 – What standard application on Windows do these system events get recorded to?

Event Viewer

Task 8 – Collecting Linux Logs with Wazuh

Question 1 – What is the full file path to the rules located on a Wazuh management server?

/var/ossec/ruleset/rules

Task 9 – Auditing Commands on Linux with Wazuh

Question 1 – What application do we use on Linux to monitor events such as command execution?

auditd

Question 2 – What is the full path & filename for where the aforementioned application stores rules?

/etc/audit/rules.d/audit.rules
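As an added example for this task (not code from the TryHackMe room or from the Wazuh project), the following Python script reconstructs executed command lines from the SYSCALL/EXECVE record pairs that auditd writes to /var/log/audit/audit.log, which is the raw material Wazuh's audit rules decode once the agent collects that file. The execve rule quoted in the docstring is the kind of line you would place in /etc/audit/rules.d/audit.rules; the key name audit-wazuh-c follows the example in Wazuh's documentation and is an assumption here. The sample log lines are constructed. The parser also handles the edge case of hex-encoded arguments, which auditd emits for values containing spaces.

```python
"""Reconstruct executed commands from auditd SYSCALL/EXECVE record pairs.

Added example for this walkthrough; not code from the TryHackMe room or
from the Wazuh project. The audit rule it assumes (placed in
/etc/audit/rules.d/audit.rules) is of the form used in Wazuh's
documentation for command auditing:

    -a exit,always -F arch=b64 -S execve -k audit-wazuh-c

The key name is an assumption; any key works as long as the rule and the
parser agree on it.
"""
import re
import shlex

# Constructed sample of /var/log/audit/audit.log. Real files carry more
# fields; only the ones the parser uses are kept here.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1646995200.100:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-c"
type=EXECVE msg=audit(1646995200.100:1001): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1646995201.250:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="audit-wazuh-c"
type=EXECVE msg=audit(1646995201.250:1002): argc=3 a0="bash" a1="-c" a2=6563686F2068656C6C6F
type=PATH msg=audit(1646995201.250:1002): item=0 name="/usr/bin/bash" inode=1 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

AUDIT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arg(raw: str) -> str:
    """Turn an EXECVE aN= value into text.

    auditd quotes plain arguments but emits arguments containing spaces or
    control characters as unquoted hex, so both shapes are handled."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # e.g. "(null)"; leave as-is


def parse_audit_line(line: str):
    """Return (record_type, (timestamp, serial), fields) for one line,
    or None for a line that is not an audit record."""
    m = AUDIT_ID_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields.get("type"), (m.group(1), m.group(2)), fields


def reconstruct_commands(lines, key="audit-wazuh-c"):
    """Pair SYSCALL and EXECVE records by audit serial and rebuild each
    command line. Only events tagged with the given rule key are reported."""
    events = {}
    order = []
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        rtype, ident, fields = parsed
        if ident not in events:
            events[ident] = {}
            order.append(ident)
        events[ident][rtype] = fields

    results = []
    for ident in order:
        rec = events[ident]
        sc, ex = rec.get("SYSCALL"), rec.get("EXECVE")
        if sc is None or ex is None:
            continue
        if sc.get("key", "").strip('"') != key:
            continue
        # aN fields are ordered numerically, not lexically (a10 after a9).
        arg_keys = sorted((k for k in ex if re.fullmatch(r"a\d+", k)),
                          key=lambda k: int(k[1:]))
        argv = [decode_arg(ex[k]) for k in arg_keys]
        results.append({
            "serial": ident[1],
            "timestamp": ident[0],
            "auid": sc.get("auid"),   # login uid survives su/sudo
            "uid": sc.get("uid"),     # effective user at exec time
            "exe": sc.get("exe", "").strip('"'),
            "command": shlex.join(argv),
        })
    return results


if __name__ == "__main__":
    for ev in reconstruct_commands(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{ev['timestamp']} auid={ev['auid']} uid={ev['uid']} {ev['command']}")
```

Reporting both auid and uid is deliberate: auid is the original login identity and survives a switch to root, so a root command line with auid=1000 tells you which user actually ran it, which is what a detection rule on this data usually keys on.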

Task 10 – Wazuh API

Question 1 – What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server?

curl

Question 2 – What HTTP method would we use to retrieve information for a Wazuh management server API?

GET

Question 3 – What HTTP method would we use to perform an action on a Wazuh management server API?

PUT

Question 4 – Navigate to Wazuh’s API console.

Done

Question 5 – Use the API console to find the Wazuh server’s version.

Note: You will need to add the “v” prefix to the number for this answer. For example v1.2.3

v4.2.5
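As an added example for this task (not code from the TryHackMe room or from the Wazuh project), here is a small standard-library Python client that does what the room's curl commands do: obtain a JWT with basic auth, then use GET to read information and PUT to perform an action. It assumes a Wazuh 4.2-era API on port 55000 with its default self-signed certificate, the GET /security/user/authenticate?raw=true token endpoint, and the response field names shown in the constructed sample replies (api_version on GET /, affected_items with id and status on GET /agents); MANAGER_IP and the credentials are placeholders. It goes slightly beyond the page by summarising agent status from the /agents reply, which is the same information the Agents tab shows in Task 3.

```python
"""Small Wazuh API client using only the Python standard library.

Added example for this walkthrough; not code from the TryHackMe room or
from the Wazuh project. Assumptions: a Wazuh 4.2-era API on port 55000
with its default self-signed certificate, a JWT obtained from
GET /security/user/authenticate?raw=true (the curl -u ... -k flow the
room's API console wraps), and the response field names shown in the
constructed samples below. MANAGER_IP and the credentials are placeholders.
"""
import base64
import json
import ssl
import urllib.request
from collections import Counter

WAZUH_API = "https://MANAGER_IP:55000"  # placeholder, replace with the lab address


def _lab_tls_context() -> ssl.SSLContext:
    """Skip certificate verification, as curl -k does in the room.
    For a production manager, load the manager's CA instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(base_url: str, user: str, password: str) -> str:
    """Exchange basic-auth credentials for the API's JWT (returned as raw text)."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/security/user/authenticate?raw=true",
        headers={"Authorization": f"Basic {creds}"},
        method="GET",
    )
    with urllib.request.urlopen(req, context=_lab_tls_context()) as resp:
        return resp.read().decode().strip()


def api_call(base_url: str, token: str, path: str, method: str = "GET") -> dict:
    """GET reads information, PUT performs an action (Task 10, Q2/Q3)."""
    req = urllib.request.Request(
        f"{base_url}{path}",
        headers={"Authorization": f"Bearer {token}"},
        method=method,
    )
    with urllib.request.urlopen(req, context=_lab_tls_context()) as resp:
        return json.loads(resp.read().decode())


def extract_version(info: dict) -> str:
    """Version string with the 'v' prefix the room's answer format asks for."""
    version = info["data"]["api_version"]
    return version if version.startswith("v") else "v" + version


def agent_status_summary(agents: dict) -> dict:
    """Count agents by status from a GET /agents reply, excluding id 000
    (the manager itself), which the Agents tab also leaves out."""
    counts = Counter(
        item["status"]
        for item in agents["data"]["affected_items"]
        if item["id"] != "000"
    )
    return dict(counts)


# Constructed sample replies shaped like the API's JSON.
SAMPLE_INFO = {"data": {"title": "Wazuh API REST", "api_version": "4.2.5"}, "error": 0}
SAMPLE_AGENTS = {
    "data": {
        "affected_items": [
            {"id": "000", "name": "wazuh-manager", "status": "active"},
            {"id": "001", "name": "AGENT-001", "status": "disconnected"},
            {"id": "002", "name": "AGENT-002", "status": "disconnected"},
        ],
        "total_affected_items": 3,
    },
    "error": 0,
}

if __name__ == "__main__":
    print(extract_version(SAMPLE_INFO))          # v4.2.5
    print(agent_status_summary(SAMPLE_AGENTS))   # {'disconnected': 2}
    # Against a live manager (replace the placeholders):
    # token = get_token(WAZUH_API, "wazuh", "PASSWORD_PLACEHOLDER")
    # print(extract_version(api_call(WAZUH_API, token, "/")))
    # print(agent_status_summary(api_call(WAZUH_API, token, "/agents")))
    # print(api_call(WAZUH_API, token, "/agents/001/restart", method="PUT"))
```

The token is short-lived, so scripts should fetch a fresh one per run rather than storing it; the basic-auth step is the only place the password is sent, and every later request carries the bearer token instead.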

Task 11 – Generating Reports with Wazuh

Question 1 – Use Wazuh’s “Report” feature to generate a report of an agent.

Done

Screenshot: Wazuh Dashboard

Screenshot: Generate report

Question 2 – Navigate to the Wazuh “Report” dashboard

Done

Screenshot: Wazuh Reporting

Question 3 – Analyse the report. What is the name of the agent that has generated the most alerts?

Screenshot: Top 5 Agents

agent-001

Task 12 – Loading Sample Data

Question 1 – I’ve imported the sample data!

Done

Screenshot: Wazuh Settings, sample data

Screenshot: Sample Data

Question 2 – I have played around with the sample data.

Done

Screenshot: Wazuh Sample data

So that was “Wazuh” for you. In this room, we have learned about the fundamentals of EDR solutions and where an EDR like Wazuh can be used, and then we took a dive into how to access Wazuh. Moving on, we learned how to navigate around Wazuh and create rules and alerts for it. At last, we looked into log ingestion in both Windows and Linux environments with Wazuh and had a peek at the Wazuh API for further extending its capabilities. On that note, I will take your leave and will see you in the next one. Till then, “Hack the Planet”.
