Read on Twitter
Day 1️⃣0️⃣ - Becoming a SOC analyst 💙
How to install SIEM agents on WIN & LINUX in your HomeLab:
How to install SIEM agents on WIN & LINUX in your HomeLab:
In the last thread you installed a SIEM in your HomeLab:
But a SIEM in itself is not really useful without one magic ingredient 🪄
Log files 🗃️
But a SIEM in itself is not really useful without one magic ingredient 🪄
Log files 🗃️
https://twitter.com/2477324742/status/1733968803120247087
Whats a log file? 🪵
What does wood have to do with CyberSecurity? 🤔
Why do we need logs inside containers 📦?
Let us answer these questions now 👀
dive into 🤿 logging & monitoring
What does wood have to do with CyberSecurity? 🤔
Why do we need logs inside containers 📦?
Let us answer these questions now 👀
dive into 🤿 logging & monitoring
Organizations have a looooot of services
Be it web applications, databases or HR tools
Those typically run on servers and sometimes (😅🤣 “sometimes”, sure) these services break 💔
But how do you know if a service is not working 🚧?!
Be it web applications, databases or HR tools
Those typically run on servers and sometimes (😅🤣 “sometimes”, sure) these services break 💔
But how do you know if a service is not working 🚧?!
Great question! 🚀🤓
You would need something 🤖 that collects:
system information
meta data
potential errors
and alerts you if something is wrong 🚨‼️
You would need something 🤖 that collects:
system information
meta data
potential errors
and alerts you if something is wrong 🚨‼️
This whole process is called monitoring
the collected information (e.g. ▶️ started, ⏹️ stopped, 🤬 error) is usually stored in text files (also called log files / logs)
they are forwarded to your SIEM by programs that we call “agents”
the collected information (e.g. ▶️ started, ⏹️ stopped, 🤬 error) is usually stored in text files (also called log files / logs)
they are forwarded to your SIEM by programs that we call “agents”
Enough theory let’s get some of those beautiful agents shall we?!
Prerequisites:
1x SIEM VM/container (@wazuh)
1x Windows VM
1x Linux VM/container
Prerequisites:
1x SIEM VM/container (@wazuh)
1x Windows VM
1x Linux VM/container
@wazuh You will now install a wazuh agent on the windows machine first
Start the Windows VM and open the following url in your browser
documentation.wazuh.com/current/instal…
Start the Windows VM and open the following url in your browser
documentation.wazuh.com/current/instal…
@wazuh We will use the Graphical User Interface (GUI) of the wazuh agent to set everything up
You can get the installer here:
You need administrative privileges to set everything up - keep that in mindpackages.wazuh.com/4.x/windows/wa…
You can get the installer here:
You need administrative privileges to set everything up - keep that in mindpackages.wazuh.com/4.x/windows/wa…
@wazuh Download & Double click that bad boy as if there is no tomorrow
and then do the following…
and then do the following…
@wazuh You can change the location of the install via the “advanced” button
but generally the “Install” button should be your best friend, so click that one
but generally the “Install” button should be your best friend, so click that one
@wazuh When the install is finished there is a checkbox that you can try to click on
“Run Agent configuration interface”
For me that sometimes work and sometimes does not
Here is a trick that always works:
“Run Agent configuration interface”
For me that sometimes work and sometimes does not
Here is a trick that always works:
@wazuh open C:\Program Files\ossec-agent
and double click on win32ui.exe
That will spawn a management window where you enter the IP of your SIEM server, click on Save and pray that you get an Authentication Key back
IF not…
and double click on win32ui.exe
That will spawn a management window where you enter the IP of your SIEM server, click on Save and pray that you get an Authentication Key back
IF not…
@wazuh You need to make sure that the wazuh-server is running
that the machines are on the same subnet / have a working connection
You should see the agent in your wazuh dashboard if all went well 🥳🎊
that the machines are on the same subnet / have a working connection
You should see the agent in your wazuh dashboard if all went well 🥳🎊
@wazuh 🥳 1 down, 1 to go for today.
Next up is linux
go to
and click on the cute little 🐧 penguin 🐧 documentation.wazuh.com/current/instal…
Next up is linux
go to
and click on the cute little 🐧 penguin 🐧 documentation.wazuh.com/current/instal…
@wazuh You should be forwarded to this url:
Here you need to select your package manager
Hint:
Amazon Linux / CentOS → Yum
Debian-based (e.g. ubuntu/kali) → APT
Container (Alpine) → APK documentation.wazuh.com/current/instal…
Here you need to select your package manager
Hint:
Amazon Linux / CentOS → Yum
Debian-based (e.g. ubuntu/kali) → APT
Container (Alpine) → APK documentation.wazuh.com/current/instal…
@wazuh Now we need to follow the steps for APT in my case (ubuntu/debian)
copy the first command and paste it into your terminal inside the linux VM
then the 2nd
and so on
Don’t forget to press Enter in between 🤓
copy the first command and paste it into your terminal inside the linux VM
then the 2nd
and so on
Don’t forget to press Enter in between 🤓
@wazuh But what do the commands do?!
First you add the public encryption key to your linux key store (keyring)
Then you add 2 new repositories to your linux source list
The 3rd step updates your local package cache so that you can now use
apt-get install wazuh-agent
to install it
First you add the public encryption key to your linux key store (keyring)
Then you add 2 new repositories to your linux source list
The 3rd step updates your local package cache so that you can now use
apt-get install wazuh-agent
to install it
@wazuh There is a teeny-tiny BUT though…
In order to properly connect your SIEM and the agent you need to feed a variable called WAZUH_MANAGER with the SIEM IP into the command
In order to properly connect your SIEM and the agent you need to feed a variable called WAZUH_MANAGER with the SIEM IP into the command
@wazuh EXCUSE ME - WHAT ARE YOU TALKING ABOUT MR MAIKRO?!
There is some black magic going on behind the scenes that automagically connects your wazuh agent with the SIEM server 🪄
BUT only if you provide the IP address of the server
WAZUH_MANAGER= apt-get install wazuh-agent
There is some black magic going on behind the scenes that automagically connects your wazuh agent with the SIEM server 🪄
BUT only if you provide the IP address of the server
WAZUH_MANAGER= apt-get install wazuh-agent
@wazuh You can however also register the agent after installing by editing
/var/ossec/etc/ossec.conf
& adding the Manager_IP between the address tags:
<client> <server> <address>MANAGER_IP</address> ...
Source: documentation.wazuh.com/current/user-m…
/var/ossec/etc/ossec.conf
& adding the Manager_IP between the address tags:
<client> <server> <address>MANAGER_IP</address> ...
Source: documentation.wazuh.com/current/user-m…
@wazuh If all went well you can now add the agent service to the auto start services by running three commands:
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
@wazuh Once that is done you should see the agent appear in your wazuh dashboard
🔥 CONGRATULATIONS 💙
You installed two @wazuh agents in your HomeLab 🎉
In the next thread 🧵 we will write custom detections for the malware IOCs we found earlier
Stay tuned & curious 🤓
🔥 CONGRATULATIONS 💙
You installed two @wazuh agents in your HomeLab 🎉
In the next thread 🧵 we will write custom detections for the malware IOCs we found earlier
Stay tuned & curious 🤓
@wazuh If you liked this thread
→ follow me @maikroservice for more 30 days to SOC Analyst content
if you LOVED this thread:
→ follow me @maikroservice for more 30 days to SOC Analyst content
if you LOVED this thread:
@wazuh You have ONLY 20 days left to preorder my course
the Practical SOC Analyst 101
for the low price of $50
On January 1st the course is released and the price will go up to $150 for the self-paced version and $400 for the bootcamp
the Practical SOC Analyst 101
for the low price of $50
On January 1st the course is released and the price will go up to $150 for the self-paced version and $400 for the bootcamp
@wazuh Secret-Time: All the preorder people will get a FREE bootcamp spot plus early access to any content updates
GREAT - WHERE CAN I GET IT?
Glad you asked -
academy.maikroservice.com/l/soc101
GREAT - WHERE CAN I GET IT?
Glad you asked -
academy.maikroservice.com/l/soc101
@wazuh @threadreaderapp unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
