
Setting up a SIEM [wip]

🚧 This post is a work in progress 🚧

Table of contents
Setup overview
Endpoint detection
Network Traffic Monitoring and intrusion prevention
SIEM
Sysmon
What is Sysmon ?
Deploying Sysmon
Osquery
Deploying Osquery
Wazuh
Deploying Wazuh
Zeek

Motivation and objectives #

The goal of this project is to set up a SIEM (Security Information and Event Management) system.

Explain what a SIEM is

I'll send logs from two devices to a central SIEM.
This setup will help me gain hands-on experience with both endpoint detection and network traffic monitoring, which are crucial for a SOC (Security Operations Center) role.

Setup overview #

For now, I'll monitor two devices: a Linux server and a Windows 10 client.

First, I’ll install and configure all the tools manually on a single host. This way, I can troubleshoot any issues before moving on to automation.

Once everything is working manually, I’ll write Ansible playbooks to automate the installation and configuration process. This will allow me to deploy the setup across multiple hosts quickly and consistently.

Endpoint detection #

What is endpoint detection?

For Endpoint Detection, I'll use

Network Traffic Monitoring and intrusion prevention #

I'll use Zeek and Snort and/or Suricata.

SIEM #

All those logs will be sent to Wazuh. I'll try to implement this with other SIEM solutions such as Splunk and ELK later.

Sysmon #

What is Sysmon #

Explanation + a few resources or link to my learning post

Sysmon tracks and logs system activity such as process creation, network connections, and file changes. Its configuration is crucial because it determines which of these events Sysmon actually logs.

Sysmon configuration is done in an XML file.

Installing Sysmon #

On Windows #

  1. Download Sysmon from the Windows Sysinternals page: Download Sysmon
  2. Extract it.
  3. Download the XML configuration file (Download the xml Configuration File) and save it in Sysmon's folder.
  4. Run PowerShell as administrator and use this command to install Sysmon with the configuration I downloaded:
     sysmon.exe -accepteula -i YOURFILE.xml

Sysmon installation

Sysmon is now running.

To see the events logged, we can go to Event viewer.

In the Event Viewer, Sysmon logs are stored in: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

There are only 20 events right now, so we can go through them.

The first (oldest) one is Event ID 16. It makes sense because it i

Event ID 16: ServiceConfigurationChange

Then Event ID 4: Sysmon service state changed

The service state change event reports the state of the Sysmon service (started or stopped).

1 13 22

Check configuration a bit more

Check MITRE TTP number used in configuration

On Linux #

Sysmon Configuration for Linux

I’ll install Sysmon for Linux. Next, I’ll choose a suitable Sysmon configuration file.

I spent a bit of time trying to understand how the configuration file works. But I'm not yet at the point where I can write one myself, so I'll use this well-known configuration.

It can be better to write your own, because I guess if everybody uses a very well-known one, it's easier for attackers to circumvent it.

Adding Sysmon configuration #

sysmon -i sysmon/mstic_sysmon_main.xml
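Before loading a downloaded configuration, it helps to see what it actually turns on and which MITRE ATT&CK techniques its rules are tagged with (the SwiftOnSecurity-style `technique_id=` and MSTIC-style `TechniqueID=` name attributes). This is an added Python audit script, not code from the post or from the mstic project; the embedded config is a constructed minimal sample, not the contents of mstic_sysmon_main.xml, and the script takes a real config path as its first argument.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed minimal config for the example; not the contents of the mstic file.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine name="technique_id=T1059.004,technique_name=Unix Shell" condition="contains">bash -c</CommandLine>
        <Image condition="end with">/usr/bin/nc</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Matches both "technique_id=T1059" (SwiftOnSecurity style) and "TechniqueID=T1059.004" (MSTIC style).
TECHNIQUE_RE = re.compile(r"technique_?id=(T\d{4}(?:\.\d{3})?)", re.IGNORECASE)

def audit_config(xml_text):
    """Return {event_type: {"onmatch", "rules", "untagged", "techniques"}} per event filter."""
    filtering = ET.fromstring(xml_text).find("EventFiltering")
    filters = []
    for child in filtering:  # filters may sit directly under EventFiltering or inside a RuleGroup
        filters.extend(list(child) if child.tag == "RuleGroup" else [child])
    report = {}
    for flt in filters:  # ProcessCreate, NetworkConnect, FileCreate, ...
        entry = report.setdefault(flt.tag, {"onmatch": flt.get("onmatch", "include"),
                                            "rules": 0, "untagged": 0, "techniques": set()})
        for rule in flt:  # one filter condition (or compound <Rule>) per child element
            entry["rules"] += 1
            m = TECHNIQUE_RE.search(rule.get("name", ""))
            if m:
                entry["techniques"].add(m.group(1).upper())
            else:
                entry["untagged"] += 1  # rule fires but carries no ATT&CK tag
    for entry in report.values():
        entry["techniques"] = sorted(entry["techniques"])
    return report

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for event_type, info in audit_config(text).items():
        print(f"{event_type:16} onmatch={info['onmatch']:8} rules={info['rules']} "
              f"untagged={info['untagged']} techniques={','.join(info['techniques']) or '-'}")
```

An `exclude` filter with no rules logs every event of that type, while an `include` filter with no rules logs nothing, so the onmatch column is the first thing to read.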

Testing that the Sysmon logging works #

Use script to run a few events and check logging work
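Sysmon for Linux writes each event as XML into syslog, so verifying that logging works means pulling the EventID and EventData fields back out of those lines and checking that the event types you triggered (for example a ProcessCreate after running a command) actually appeared. This is an added Python checker, not code from the post; the sample syslog lines are constructed in the shape Sysmon for Linux produces, with fields trimmed for readability.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 4: "ServiceStateChange", 5: "ProcessTerminate",
               11: "FileCreate", 16: "ServiceConfigurationChange", 22: "DnsQuery"}
EVENT_RE = re.compile(r"<Event[ >].*</Event>")

def _local(tag):
    """Strip an XML namespace prefix so the parser also copes with <Event xmlns=...>."""
    return tag.rsplit("}", 1)[-1]

def parse_sysmon_line(line):
    """Return (event_id, {field: value}) for one syslog line, or None when the
    line carries no Sysmon event (ordinary syslog traffic is interleaved)."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    root = ET.fromstring(m.group(0))
    event_id = next(int(e.text) for e in root.iter() if _local(e.tag) == "EventID")
    data = {d.get("Name"): (d.text or "") for d in root.iter() if _local(d.tag) == "Data"}
    return event_id, data

def verify_logging(lines, expected_ids):
    """Count events per ID and list the expected event types that never appeared."""
    counts = Counter()
    for line in lines:
        parsed = parse_sysmon_line(line)
        if parsed:
            counts[parsed[0]] += 1
    missing = [EVENT_NAMES.get(i, str(i)) for i in expected_ids if counts[i] == 0]
    return dict(counts), missing

# Constructed sample lines in the shape Sysmon for Linux writes to syslog (the event
# XML follows the "sysmon:" tag); fields are trimmed for readability.
SAMPLE_LINES = [
    'Sep  4 12:13:24 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>16</EventID>'
    '<Channel>Linux-Sysmon/Operational</Channel></System><EventData>'
    '<Data Name="Configuration">sysmon/mstic_sysmon_main.xml</Data></EventData></Event>',
    'Sep  4 12:13:25 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID>'
    '</System><EventData><Data Name="Image">/usr/bin/bash</Data><Data Name="CommandLine">bash -c id</Data>'
    '<Data Name="User">lab</Data></EventData></Event>',
    'Sep  4 12:13:25 lab systemd[1]: Started Session 7 of user lab.',
]

if __name__ == "__main__":
    counts, missing = verify_logging(SAMPLE_LINES, expected_ids=[1, 3, 16])
    print("events seen:", {EVENT_NAMES.get(k, k): v for k, v in counts.items()})
    print("expected but missing:", missing or "none")
```

Feed it the real lines (for example `grep sysmon: /var/log/syslog`) after running a few commands and making a network connection; an expected type showing up as missing points at the configuration's filters rather than at Sysmon itself.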

Osquery #

Installing Osquery #

I’ll install Osquery on both Windows and Linux. Osquery lets me query the system as if it were a database, which is super handy for endpoint monitoring. The plan is to send Osquery logs to Wazuh, which has built-in SIEM capabilities. Osquery and Wazuh are a common combination because Wazuh can efficiently manage Osquery logs.

I chose to install it with the binary from the downloads page.

At this point, osqueryi did not work globally, but only from its installation directory, so I added the installation directory to the PATH environment variable.

Osquery is installed

Wazuh #

Finally, I’ll configure Wazuh to act as the central SIEM. Wazuh will collect logs from both endpoint detection tools (Sysmon and Osquery) and network monitoring tools (Zeek and Snort). This centralized setup will help me correlate different types of security data, giving me a better understanding of potential threats.

I’ll also explore the Endpoint Detection and Response (EDR) features in Wazuh to see how they can enhance security monitoring.

Wazuh server installation #

I'll install Wazuh with Docker. We have a choice between a single-node and a multi-node installation.

A single-node that deploys one Wazuh manager, indexer, and dashboard node will be more than sufficient for this project.

Wazuh instructions for Docker installation
Wazuh instructions for installation

  1. Clone the Wazuh repository:
     git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.2
  2. Provide certificates for each node in the stack to secure communication between the nodes. We'll generate self-signed certificates for each cluster node. Wazuh provides a Docker image to automate certificate generation using the Wazuh certs gen tool:
     docker-compose -f generate-indexer-certs.yml run --rm generator
     Certificates are saved into the config/wazuh_indexer_ssl_certs directory.
  3. Start the Wazuh single-node deployment using docker-compose:
     docker-compose up


After installing, go to https://localhost and enter the Wazuh credentials. The default credentials for the Wazuh dashboard are admin and SecretPassword.

Because we use a self-signed certificate, the browser will warn that it cannot verify its authenticity.

But then we have access to the Wazuh dashboard.

Now we need to add agents to monitor.

Wazuh agent installation #

See Wazuh installation notes

Collect logs #

Check my notes Wazuh agent configuration

From Osquery #

  1. Configure Wazuh to collect data from Osquery and create rules and alerts.
  2. Configure Osquery to log events in a structured format. Modify the Osquery configuration file to include useful tables (e.g., processes, listening ports, scheduled tasks).
  3. Configure Wazuh to read Osquery logs. Ensure the Wazuh agent is correctly parsing Osquery logs and forwarding them to the Wazuh manager.
  4. Create custom decoders in Wazuh for Osquery logs if necessary.
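The two halves of that plan, in code: an osquery.conf schedule covering the processes, listening ports and scheduled-task (crontab) tables, and a parser for the differential results osqueryd appends to osqueryd.results.log, the file the Wazuh agent's osquery integration reads. This is an added Python example, not code from the post or from the osquery or Wazuh projects; the result lines are constructed samples in osqueryd's JSON-per-line format, and the logger path is the one the config sets.

```python
import json

# Scheduled queries for the tables named in the plan: processes, listening ports
# and scheduled tasks (the crontab table on Linux). Intervals are in seconds.
SCHEDULE = {
    "processes": {"query": "SELECT pid, name, path, cmdline, uid FROM processes;", "interval": 300},
    "listening_ports": {"query": "SELECT p.pid, p.name, l.port, l.address, l.protocol "
                                 "FROM listening_ports l JOIN processes p USING (pid);", "interval": 60},
    "crontab": {"query": "SELECT command, path, minute, hour FROM crontab;", "interval": 600},
}

def render_config():
    """osquery.conf text: filesystem logger, so results land in /var/log/osquery/osqueryd.results.log."""
    return json.dumps({"options": {"logger_plugin": "filesystem", "logger_path": "/var/log/osquery"},
                       "schedule": SCHEDULE}, indent=2)

def parse_results(lines):
    """Parse osqueryd.results.log lines, skipping anything that is not JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def new_external_listeners(events):
    """Rows the listening_ports query reported as 'added' on a non-loopback
    address: the differential events worth turning into a Wazuh alert."""
    hits = []
    for ev in events:
        if ev.get("name") != "listening_ports" or ev.get("action") != "added":
            continue
        col = ev["columns"]  # osquery emits every column value as a string
        if col["address"] not in ("127.0.0.1", "::1"):
            hits.append((col["name"], int(col["port"]), col["address"]))
    return hits

# Constructed sample lines in osqueryd's differential result format.
SAMPLE_RESULTS = [
    '{"name":"listening_ports","hostIdentifier":"lab","unixTime":1725451200,"action":"added",'
    '"columns":{"pid":"4242","name":"python3","port":"8000","address":"0.0.0.0","protocol":"6"}}',
    '{"name":"listening_ports","hostIdentifier":"lab","unixTime":1725451200,"action":"added",'
    '"columns":{"pid":"812","name":"cupsd","port":"631","address":"127.0.0.1","protocol":"6"}}',
    '{"name":"listening_ports","hostIdentifier":"lab","unixTime":1725451260,"action":"removed",'
    '"columns":{"pid":"4242","name":"python3","port":"8000","address":"0.0.0.0","protocol":"6"}}',
    "not json, e.g. a truncated line at log rotation",
]

if __name__ == "__main__":
    print(render_config())
    print(new_external_listeners(parse_results(SAMPLE_RESULTS)))
```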

From Sysmon #

Network Traffic Monitoring #

I’ll install Zeek and Suricata to monitor network traffic.

Intrusion Detection/Prevention System #

Snort and/or Suricata

I can send the logs from Zeek and Suricata directly to Wazuh. This will centralize all the logs, making it easier to correlate data between network traffic and endpoint activities.