Blue Team Training: Threat Detection with Wazuh

Jul 17, 2024

Blue Team Training Series: Threat Detection with Wazuh

Overview

  • Speaker: HackerSploit and Linode
  • Tool: Wazuh
  • Objective: Explore threat detection with Wazuh

Introduction to Wazuh

  • Free and open-source platform
  • Used for threat detection, prevention, and response
  • Protects networks, virtualized environments, containers, and cloud environments
  • SIEM (Security Information and Event Management) tool
    • Collects, analyzes, aggregates, and indexes data
    • Detects intrusions, attacks, vulnerabilities, and malicious activity

How Wazuh Works

  • Components:
    • Agent: Cross-platform endpoint security agent/program
    • Server: Analyzes data from agents and matches it against rule sets
    • Elastic Stack: Indexes and displays alerts
      • Elasticsearch: Search and analytics engine
      • Logstash: Data processing pipeline
      • Kibana: Data visualization
  • Non-agent devices: Devices such as routers and firewalls, which cannot run an agent, send their logs directly to the Wazuh server

Key Features of Wazuh

  • Security analytics
  • Intrusion detection
  • Log data analysis
  • File integrity monitoring
  • Vulnerability detection
  • Incident response
  • Cloud and container security
  • Regulatory compliance

Practical Setup and Deployment

  • Deploying on Linux using cloud images for simplicity
  • Lab Environment:
    • 1 x Windows system
    • 1 x Linux server (Wazuh server deployed)
    • 1 x Attacker system
    • Wazuh agents installed on all devices

Deployment Models

  • All-in-One: Wazuh server and ELK stack on the same system
  • Distributed: Suitable for large environments, components set up on separate servers

Deployment Steps

  1. Set up the server on Linode
     • Use Linode's cloud image for Wazuh
     • Specify system resources
  2. Access the Wazuh interface
     • Log in to Wazuh's web interface
     • Reset the default admin password

Components of the Wazuh Interface

  • Modules Page: Security events, integrity monitoring, threat detection, vulnerability detection
  • Management Tab: Rules, decoders, groups, configurations
  • Agents Tab: Lists all active agents
  • Tools: API console, rule set test
  • Settings: Logs, miscellaneous, modules

Demonstrating Threat Detection and Mitigation

  • Real-time detection of a brute force attack on the Linux server
  • Active Response: Configure Wazuh to block the attacking IPs
    • Example active response rule using firewall-drop
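To make the detection step concrete, here is an added Python example (not Wazuh's code and not from the video) that models the kind of frequency/timeframe rule a SIEM applies to sshd log lines and produces the source-IP list an active response such as firewall-drop would act on. The log lines are constructed, and the thresholds (8 failures within 120 s) and the allowlist behaviour are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (syslog format): a noisy source, an admin typo, one success.
SAMPLE_LOG = """\
Jul 17 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jul 17 10:00:05 web01 sshd[2203]: Failed password for alice from 198.51.100.7 port 51020 ssh2
Jul 17 10:00:06 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 40114 ssh2
Jul 17 10:00:11 web01 sshd[2207]: Failed password for root from 203.0.113.5 port 40116 ssh2
Jul 17 10:00:16 web01 sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 40118 ssh2
Jul 17 10:00:21 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 40120 ssh2
Jul 17 10:00:26 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 40122 ssh2
Jul 17 10:00:31 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jul 17 10:00:36 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jul 17 10:03:00 web01 sshd[2230]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Jul 17 10:06:00 web01 sshd[2240]: Failed password for alice from 198.51.100.7 port 51024 ssh2
Jul 17 10:06:04 web01 sshd[2240]: Accepted password for alice from 198.51.100.7 port 51024 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; 2024 is assumed for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_brute_force(log_text, frequency=8, timeframe=120):
    """Flag an IP the first time `frequency` failures fall within `timeframe` seconds."""
    window = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = {}                  # ip -> time the rule fired
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other lines are not counted
        ip, t = m["ip"], parse_ts(m["ts"])
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > timeframe:
            q.popleft()           # evict failures older than the timeframe
        if len(q) >= frequency and ip not in flagged:
            flagged[ip] = t
    return flagged

def firewall_drop_targets(flagged, allowlist=()):
    """IPs handed to firewall-drop; allowlisted admin addresses are never blocked."""
    return sorted(ip for ip in flagged if ip not in allowlist)
```

With the defaults only 203.0.113.5 is flagged (at its eighth failure, 10:00:36); loosening the rule to 3 failures in 600 s also flags the admin's scattered typos, which is why the allowlist matters before wiring a block action to a rule.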

Specific Features and Usage

  • Security Events: Detailed alerts on security events
  • Integrity Monitoring: Monitors file changes
  • SCA: Security Configuration Assessment
  • Vulnerabilities: Detects system vulnerabilities
  • MITRE ATT&CK: Displays adversary tactics and techniques

Examples

  • Windows Agent: Download and configure agent through GUI
  • Linux Agent: Install and configure via command line

Conclusion

  • Real-life scenario: Detected and responded to an active brute force attack
  • Next video: Intrusion Detection with Suricata

Additional Resources

  • Refer to Wazuh's official documentation for detailed instructions
  • Join HackerSploit's Discord for community support