Wazuh Architecture

SIEM Architecture

Digitally signed by Ali Ali (DN: c=LB, st=Beirut, l=AA, o=MISC, ou=ISC, cn=Ali Ali), date 2024.10.23 20:47:52 +03'00'

With Ali Ali


Module 3: SIEM Architecture

Wazuh
SIEM Components
General Best Practices for SIEM Architecture

 Scalability and Performance: The architecture should handle large volumes of data from diverse sources efficiently and scale horizontally to accommodate future growth
 Centralized Log Management: All security data should be collected and stored in a central location for easier analysis and investigation
 Comprehensive Analytics: Utilize a combination of rule-based and behavioral analytics to detect both known and unknown threats
 Threat Intelligence Integration: Integrate threat intelligence feeds to stay updated on the latest threats and improve detection accuracy
 Openness and Flexibility: The architecture should be open and flexible to integrate with various security tools and technologies
 User-Friendly Interface: The SIEM interface should be intuitive and easy to navigate for security analysts to investigate incidents and manage the system
SIEM Components
Comparing Wazuh with Common Architectures

 Centralized vs. Distributed Architecture:
1. Centralized: Wazuh employs a centralized architecture with a central server
and agents on endpoints. This simplifies management but can bottleneck at
high data volumes
2. Distributed: Some SIEMs have distributed architectures with multiple
servers, offering better scalability but increased complexity
 Agent-Based vs. Agentless Architecture:
1. Agent-Based: Wazuh uses lightweight agents for comprehensive data
collection. This requires agent deployment and potential performance impact
on endpoints
2. Agentless: Some SIEMs collect data via network traffic analysis, offering
lighter footprints but potentially missing endpoint-specific details
 Open Source vs. Commercial Solutions:
1. Open Source: Wazuh is open-source, offering flexibility and lower costs, but
requiring more setup and maintenance expertise
2. Commercial: Commercial SIEMs provide pre-built features and support, but
often come with higher licensing costs
SIEM Components
WAZUH

 The Wazuh platform provides XDR and SIEM features to protect your cloud, container, and server workloads
 These include log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment (works with agents and with devices such as a pfSense firewall), vulnerability detection, and support for regulatory compliance
 The central components are:
1. The Wazuh indexer (the database)
2. The Wazuh manager (server), which collects the logs from the agents and forwards them to the indexer
3. The Wazuh dashboard
4. The Wazuh agent; in an agentless setup, syslog forwarding is controlled by the endpoint rather than by Wazuh (which is limiting), and Wazuh then needs a decoder and possibly rules for that data

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
The Wazuh server analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for security events, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.
Wazuh agents are installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, macOS, Solaris, AIX, and HP-UX.
Ali Ali, 2024-02-12T20:03:14.332
SIEM Components
WAZUH

 In addition to agent-based monitoring capabilities, the Wazuh platform can monitor agentless devices such as firewalls, switches, routers, or network IDS, among others
 For example, system log data can be collected via Syslog, and its configuration can be monitored through periodic probing of its data, via SSH or through an API
 We can link the agent with third-party tools for enrichment purposes, for example to monitor usage and view environment usage metrics such as CPU and RAM. Metricbeat helps you monitor your servers and the services they host by collecting metrics from the operating system and services. Its getting-started guide describes how to:
install Metricbeat on each system you want to monitor
specify the metrics you want to collect
send the metrics to Elasticsearch
visualize the metrics data in Kibana
SIEM Components
Wazuh, Indexer

 The Wazuh indexer is a highly scalable, full-text search and analytics engine
 The Wazuh indexer stores data as JSON documents
 Wazuh uses four different indices to store different event types:

Index             Description
wazuh-alerts      Stores alerts generated by the Wazuh server. These are created each time an event trips a rule with a high enough priority.
wazuh-archives    Stores all events (archive data) received by the Wazuh server, whether or not they trip a rule.
wazuh-monitoring  Stores data related to the Wazuh agent status over time. It is used by the web interface to represent when individual agents are or have been Active, Disconnected, or Never connected.
wazuh-statistics  Stores data related to the Wazuh server performance. It is used by the web interface to represent the performance statistics.
SIEM Components
Wazuh, Manager-Server

 The Wazuh server component analyzes the data received from the agents, triggering alerts when threats or anomalies are detected. It is also used to manage the agents' configuration remotely and monitor their status
 The Wazuh server uses threat intelligence sources to improve its
detection capabilities. It also enriches alert data by using the
MITRE ATT&CK framework and regulatory compliance
requirements such as PCI DSS, GDPR, HIPAA, CIS, and NIST 800-
53, providing helpful context for security analytics
 Additionally, the Wazuh server can be integrated with external
software, including ticketing systems such as ServiceNow, Jira,
and PagerDuty, as well as instant messaging platforms like
Slack. These integrations are convenient for streamlining
security operations
SIEM Components
Wazuh, Manager-Server Components

 Agent enrollment service: It is used to enroll new agents
 Agent connection service: This service receives data from the agents
 Analysis engine: It uses decoders to identify the type of
information being processed (Windows events, SSH logs, web
server logs, and others). These decoders also extract relevant
data elements from the log messages, such as source IP address,
event ID, or username
 Wazuh RESTful API: This service provides an interface to interact
with the Wazuh infrastructure
 Wazuh cluster daemon: This service is used to scale Wazuh
servers horizontally, deploying them as a cluster
 Filebeat: It is used to send events and alerts to the Wazuh
indexer. It reads the output of the Wazuh analysis engine and
ships events in real time
SIEM Components
Wazuh, Dashboard
SIEM Components
Wazuh, Agent Architecture
Agent Modules
 Log collector: This agent component can read flat log files and
Windows events, collecting operating system and application log
messages
 Command execution: Agents run authorized commands periodically,
collecting their output and reporting it back to the Wazuh server for
further analysis
 File integrity monitoring (FIM): This module monitors the file system,
reporting when files are created, deleted, or modified
 Security configuration assessment (SCA): This component provides
continuous configuration assessment, utilizing out-of-the-box checks
based on the Center for Internet Security (CIS) benchmarks
 System inventory: This agent module periodically runs scans,
collecting inventory data such as operating system version, network
interfaces, running processes, installed applications, and a list of open
ports. Scan results are stored in local SQLite databases that can be
queried remotely
 Malware detection: Using a non-signature-based approach, this component
is capable of detecting anomalies and the possible presence of rootkits.
Also, it looks for hidden processes, hidden files, and hidden ports while
monitoring system calls
 Active response: This module runs automatic actions when threats are
detected, triggering responses to block a network connection, stop a
running process, or delete a malicious file. Users can also create custom
responses when necessary and customize, for example, responses for
running a binary in a sandbox, capturing network traffic, and scanning a file
with an antivirus
 Container security monitoring: This agent module is integrated with the
Docker Engine API to monitor changes in a containerized environment. For
example, it detects changes to container images, network configuration, or
data volumes
 Cloud security monitoring: This component monitors cloud providers such
as Amazon AWS, Microsoft Azure, or Google GCP. It natively communicates
with their APIs
SIEM Components
Wazuh Architecture
SIEM Components
Wazuh, Agent, Wazuh server communication

 The Wazuh agent continuously sends events to the Wazuh server for
analysis and threat detection
 To start shipping this data, the agent establishes a connection with the
server service for agent connection, which listens on port 1514 by default
(this is configurable)
 The Wazuh server then decodes and rule-checks the received events,
utilizing the analysis engine
 Events that trip a rule are augmented with alert data such as rule ID and rule
name
 Events can be spooled to one or both of the following files, depending on
whether or not a rule is tripped:
 The file /var/ossec/logs/archives/archives.json contains all events whether they tripped a
rule or not
 The file /var/ossec/logs/alerts/alerts.json contains only events that tripped a rule with
high enough priority (the threshold is configurable)
 The Wazuh messages protocol uses AES encryption by default, with 128 bits per block and
256-bit keys. Blowfish encryption is optional
SIEM Components
Wazuh, Agent, Wazuh indexer communication

 Wazuh server uses Filebeat to send alert and event data to the Wazuh
indexer, using TLS encryption
 Filebeat reads the Wazuh server output data and sends it to the Wazuh
indexer (by default listening on port 9200/TCP)
 Once the data is indexed by the Wazuh indexer, the Wazuh dashboard is
used to mine and visualize the information
 The Wazuh dashboard queries the Wazuh RESTful API (by default listening
on port 55000/TCP on the Wazuh server) to display configuration and status-
related information of the Wazuh server and agents
 It can also modify agents or server configuration settings through API calls.
This communication is encrypted with TLS and authenticated with a
username and password
SIEM Components
Wazuh, Ports

Component        Port       Protocol        Purpose
Wazuh server     1514       TCP             Agent connection service
Wazuh server     1514       UDP             Agent connection service (disabled by default)
Wazuh server     1515       TCP             Agent enrollment service
Wazuh server     1516       TCP             Wazuh cluster daemon
Wazuh server     514        UDP (default)   Wazuh Syslog collector (disabled by default)
Wazuh server     514        TCP (optional)  Wazuh Syslog collector (disabled by default)
Wazuh server     55000      TCP             Wazuh server RESTful API
Wazuh indexer    9200       TCP             Wazuh indexer RESTful API
Wazuh indexer    9300-9400  TCP             Wazuh indexer cluster communication
Wazuh dashboard  443        TCP             Wazuh web user interface
It’s NOT BUSINESS, It’s Very PERSONAL
Questions

Jehad Lala
