Unveiling the beast of SIEM + XDR — PART 1

ja1ir4m
4 min read · Oct 22


Hi all, hope you are doing great. It's been a week since I last saw you all. This week's blog is going to be a little interesting. Trust me!!!! It is not related to red teaming tools, penetration testing strategies or zero-day walkthroughs.

Blog Index:

Content: Technical

Sub category: Overview — Part 1

Proficiency: Beginner

Target audience: Blue teamers and InfoSec analysts who need exposure to blue team activities

Today we are going to be on the blue side of information security.

I mean……………..

Yes, today we are going to explore a unified SIEM and XDR product that is open source and has been rocking the field for many years. As seen in the highlights video, it has been awarded the best SIEM solution by SC for 2023.

Now let's do what we do: let's break down each component of this open source SIEM solution.

OOPS!! Sorry, I forgot to mention the name of the unified open source solution for SIEM and XDR. The name is WAZUH.

https://wazuh.com/

Let's check Wazuh's resume to get to know it better.

[Image: capabilities of Wazuh]

I can understand; let's halt for a minute and first get an idea of what SIEM and XDR are.

SIEM stands for Security Information and Event Management: it monitors our organization's architecture so that threats can be defended against faster, before business is disrupted.

XDR is Extended Detection and Response, a Software-as-a-Service tool that provides analytics, detection, investigation and response for an organization's endpoints, cloud applications and more.

I know what your brain is processing. We may have heard of the SIEM team when working in an organization: they collect and analyze the logs for an intrusion or threat factor and act accordingly.

Now what is XDR and how is it different from SIEM? Many InfoSec analysts who work as part of a blue team will have a better idea of what SIEM, SOAR and XDR are. But it's my responsibility to cover some basics for the non blue teamers like me.

Hold your breath for a few minutes; we are going to deep dive and capture the key features needed to identify the difference.

[Image: SIEM vs XDR comparison]

Now that we are done uncovering the difference between SIEM and XDR, let's start digging into Wazuh to learn about the internal components that help Wazuh do its work.

[Image: Wazuh architecture]

Below are the four main components Wazuh needs to perform its tasks:

· Wazuh Indexer

· Wazuh Server

· Wazuh Dashboard

· Wazuh Agent

Let's separate the four components into two major divisions.

Central Components:

1. Wazuh Indexer — search and analytics engine, responsible for indexing and storing the alerts generated by the Wazuh server

2. Wazuh Server — the master brain of the Wazuh architecture. It hosts the rules and decoders that dismantle the logs and detect anomalies against the rules defined. The data needed for analysis is received from the agents and processed on the server. The Wazuh server can also manage upgrades and configuration for all the agents remotely.

3. Wazuh Dashboard — the web UI component used to visualize alerts, analytics and critical findings, and to monitor the status of the agents (active/inactive)

Agent component:

1. Agent — installed on the monitored endpoint to collect logs and relay them to the server for analysis.
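To make the agent → server → indexer flow concrete, here is a small added example (my own illustration, not Wazuh code). It mimics what the server does with a line an agent forwards: a decoder turns the raw text into named fields, rules are matched against those fields, and the resulting alerts are handed to an "indexer" (here just a list). Wazuh's real decoders and rules are XML files with far richer matching and correlation; the regex, rule ids, the "three failures from one source" correlation and the sample log lines below are all constructed for this illustration. One thing Wazuh does share with the toy: every rule carries a severity level from 0 to 15.

```python
"""Toy agent -> server -> indexer pipeline (added illustration, not Wazuh code)."""
import re
from dataclasses import dataclass

# Constructed sample log lines, as an agent would forward them to the server.
SAMPLE_LOGS = [
    "Oct 22 10:01:02 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Oct 22 10:01:05 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "Oct 22 10:01:07 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2",
    "Oct 22 10:02:00 web01 sshd[1300]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2",
    "Oct 22 10:02:30 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Decoder: "dismantles" a raw sshd line into named fields (hypothetical regex, not a Wazuh decoder).
SSHD_DECODER = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>[\d.]+) port \d+"
)


def decode(line):
    """Return a dict of fields, or None when no decoder understands the line."""
    m = SSHD_DECODER.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["program"] = "sshd"
    return fields


@dataclass(frozen=True)
class Rule:
    rule_id: int        # constructed ids
    level: int          # severity 0-15, as in Wazuh
    description: str
    status: str         # value the decoded "status" field must have
    frequency: int = 1  # how many hits from the same srcip are needed to fire


RULES = [
    Rule(100001, 5, "sshd: authentication failed", "Failed"),
    Rule(100002, 10, "sshd: repeated authentication failures from one source", "Failed", frequency=3),
    Rule(100003, 3, "sshd: successful login", "Accepted"),
]


def evaluate(fields, counters):
    """Apply every rule to one decoded event; counters tracks per-(rule, srcip) hits."""
    alerts = []
    for rule in RULES:
        if fields.get("status") != rule.status:
            continue
        if rule.frequency > 1:
            key = (rule.rule_id, fields["srcip"])
            counters[key] = counters.get(key, 0) + 1
            if counters[key] < rule.frequency:
                continue  # not enough hits yet for the correlation rule
        alerts.append({
            "rule_id": rule.rule_id,
            "level": rule.level,
            "description": rule.description,
            "srcip": fields["srcip"],
            "user": fields["user"],
        })
    return alerts


def process_logs(lines):
    """Server side: decode each line, run the rules, store alerts in the 'indexer' (a list)."""
    index = []
    counters = {}
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue  # no decoder, no fields, so no rule can match
        index.extend(evaluate(fields, counters))
    return index


if __name__ == "__main__":
    for alert in process_logs(SAMPLE_LOGS):
        print(alert)
```

Running it shows three level-5 alerts for the individual failures, one level-10 alert once the third failure from 203.0.113.7 arrives, and a level-3 alert for the successful login; the cron line produces nothing because no decoder claims it, which is exactly why decoder coverage matters as much as the rules themselves.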

With the above components, Wazuh is capable of performing the activities below:

1. Configuration Assessment

2. Malware detection

3. File Integrity Monitoring (FIM)

4. Threat Hunting

5. Log data analysis

6. Vulnerability detection
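Of the capabilities above, File Integrity Monitoring (item 3) is the easiest to show end to end, so here is an added miniature of it (my own illustration, not Wazuh's FIM module, which runs inside the agent and also tracks ownership, permissions and real-time events). It builds a baseline of SHA-256 hashes and sizes for every file under a directory, rescans later, and reports what was added, modified or deleted. The directory, file names and contents are constructed inside a temporary folder so the script runs offline.

```python
"""Minimal File Integrity Monitoring: baseline, rescan, diff (added illustration)."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Map relative path -> (sha256, size) for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (file_digest(path), path.stat().st_size)
    return baseline


def diff(old, new):
    """Compare two scans and return the paths that were added, modified or deleted."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: one file edited, one added, one removed between scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        before = scan(root)  # the baseline an agent would record at install time

        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001::/home/alice:/bin/bash\n"
        )
        (root / "etc" / "rc.local").write_text("#!/bin/sh\nexit 0\n")
        (root / "etc" / "motd").unlink()
        after = scan(root)   # a later scheduled scan
        return diff(before, after)


if __name__ == "__main__":
    print(demo())
```

In a real deployment each entry in the `modified` list would become an alert like the ones the server produces for log events, so FIM findings end up in the same indexer and dashboard as everything else. Note that the hash alone is not enough: a file whose content is unchanged but whose permissions changed would be missed here, which is why the real module also records metadata.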

If my blog helped you understand the basics of the Wazuh open source SIEM + XDR solution, don't forget to show your support by following and hitting clap :) .


I am Jayaraman M, a passionate information security analyst / penetration tester / red teamer who strives hard to achieve greater heights in cyber security.