Wazuh
Description
The open-source EDR Wazuh can be deployed within the simulation. Currently, the agent can communicate with the Wazuh Dashboard embedded in the simulation.
Configuration
The configuration of Wazuh in M&NTIS contains the default alert rules.
How to enable
To enable Wazuh, you only need to activate both:
- Wazuh agent
- Wazuh manager
Usage
Once the simulation is running, you can access the Wazuh manager by clicking on the Topology tab. Then, you need to copy the IP address of the node wazuhmanager. This IP can differ from one run to another.

Once the IP is copied, navigate to the Interactive view tab. You have to connect and log in to a client machine as a regular user.
Then, you can open a web browser and connect to the remote Wazuh manager using the HTTPS protocol. You can fetch the IP of the Wazuh manager from the Topology tab. You have to accept the security alert about the certificate. Wazuh should now be loading:

You can log in to the Wazuh manager using the credentials :code:`admin:admin`.

On the landing page, you can check which Wazuh EDR agents are registered against the manager. In order to view the security events, click on the home tab:

and click on Security events in the left block of the page:

The Security events are then listed:
