Hi All, Hope you are doing great. Its been a week since I see you all. This week blog is going to be little interesting. Trust Me!!!!. It is not related to red teaming tools, penetration testing strategies or Zero day walkthrough.
content : Technical
Sub category: Overview — Part 1
Proficiency : Beginner
Target audience : Blue teamers and InfoSec analyst who needs exposure in blue team activities
Today we are going to be on the Blue Side of the information security.
Yes, today we are going to explore a unified SIEM and XDR product, which is open source, rocking the field for many years. As seen in the highlights video, it has been awarded the best SIEM solution by SC for 2023.
Now Lets do what we do. Lets breakdown each components of the open source SIEM solution.
OOPS!! Sorry forgot to mention the name of the unified open source solution for SIEM and XDR. The name is WAZUH
Lets check the resume from wazuh to know him better.
I can understand, lets halt for a minute and first get an idea on SIEM and XDR.
SIEM is known as Security Information and Event Management, which monitors our organization architecture to defend from threats faster before business is disrupted.
XDR is Extended detection and response, which is a Software as a service tool which provides us with the analytics, detection, investigation and response for organization endpoints, cloud applications and more solutions
I know, what your brain is processing. We might have heard SIEM team, when working in an organization where they work on collecting and analyzing the logs for an intrusion or threat factor and act accordingly.
Now what is XDR and how is it different form SIEM? Many of the InfoSec analyst who works as part of blue team will have more idea on what is SIEM, SOAR and XDR. But its my responsibility to cover some basics for the non blue teamers like me.
Hold your breath for few minutes, we gonna deep dive and capture the key features which are needed to identify the difference
Now we are done uncovering the difference between SIEM ad XDR successfully. Now lets start digging in to Wazuh to know about its internal components which helps wazuh to do its work
Below are the four main components which wazuh needs to perform its tasks. The components are as below
· Wazuh Indexer
· Wazuh Server
· Wazuh Dashboard
· Wazuh Agent
Lets separate the four components in to two major division.
1. Wazuh Indexer — Search and analytics engine, responsible for Indexing and storing alerts generated from Wazuh server
2. Wazuh Server — It is the master brain of the wazuh architecture, where it host the rules and decoders to dismantle the logs and detect any anomalies with the rules defined. The data needed for analysis are received from the agents and are processed in server. Wazuh Server can manage upgrades and configuration for all the agents remotely
3. Wazuh Dashboard — It is the Web UI component to visualize the alerts, analytics, critical findings and monitor the status of the agents(active/inactive)
1. Agent — They are installed on the monitored endpoint to collect the logs and relay to the server for analysis.
With the above components, wazuh is capable of performing the below activities.
1. Configuration Assessment
2. Malware detection
3. File Integrity Monitoring (FIM)
4. Threat Hunting
5. Log data analysis
6. Vulnerability detection
If my blog helped you in understanding the basic of WAZUH open source tool for SIEM + XDR solution, don't forget to show your support by following and encouraging by hitting claps :) .