{"id":481,"date":"2023-08-30T21:20:49","date_gmt":"2023-08-30T21:20:49","guid":{"rendered":"https:\/\/victorcoil.tech\/?page_id=481"},"modified":"2026-04-19T15:33:10","modified_gmt":"2026-04-19T15:33:10","slug":"wazuh-siem-lab","status":"publish","type":"page","link":"https:\/\/victorcoil.tech\/?page_id=481","title":{"rendered":"Wazuh SIEM Lab"},"content":{"rendered":"\n<div class=\"wp-block-group is-layout-constrained wp-block-group-is-layout-constrained wp-container-1 is-position-sticky\"><div id=\"guten-qLkEcH\" class=\"guten-element guten-nav-menu nav-menu break-point-tablet submenu-click-title \" data-item-indicator=\"fas fa-angle-down\" data-item-indicator-type=\"icon\" data-item-indicator-svg=\"\" data-close-on-click=\"1\" aria-label=\"\">\n\t\t\t<div class=\"gutenverse-hamburger-wrapper\">\n\t\t\t\t<button class=\"gutenverse-hamburger-menu\" aria-label=\"\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-bars\"><\/i>\n\t\t\t\t<\/button>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t<div class=\"gutenverse-menu-wrapper\"><div class=\"gutenverse-menu-container\"><ul id=\"menu-wazuh-lab-menu\" class=\"gutenverse-menu\"><li id=\"menu-item-550\" class=\"menu-item-550  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=481\/#WazuhDeployment\" aria-label=\"Wazuh Deployment\">Wazuh Deployment<\/a><\/li>\n<li id=\"menu-item-551\" class=\"menu-item-551  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=481\/#AddingAgents\" aria-label=\"Adding Agents\">Adding Agents<\/a><\/li>\n<li id=\"menu-item-552\" class=\"menu-item-552  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=481\/#ComplianceSupport\" aria-label=\"Compliance Support\">Compliance Support<\/a><\/li>\n<li id=\"menu-item-553\" class=\"menu-item-553  menu-item 
menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=481\/#FileIntegrity\" aria-label=\"File Integrity Module\">File Integrity Module<\/a><\/li>\n<li id=\"menu-item-554\" class=\"menu-item-554  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=481\/#VulnerabilityModule\" aria-label=\"Vulnerability Module\">Vulnerability Module<\/a><\/li>\n<\/ul><\/div>\n\t\t\t\t<div>\n\t\t\t\t\t<div class=\"gutenverse-nav-identity-panel\">\n\t\t\t\t\t\t<div class=\"gutenverse-nav-site-title\">\n\t\t\t\t\t\t\t<a aria-label=\"\" href=\"https:\/\/victorcoil.tech\" class=\"gutenverse-nav-logo\"><\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<button class=\"gutenverse-close-menu\" aria-label=\"\"><i aria-hidden=\"true\" class=\"fas fa-times\"><\/i><\/button>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div><\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\" id=\"WazuhDeployment\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Deployment<\/h2>\n\n\n\n<h2 
class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Deploying Wazuh onto Active Directory<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-1 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Heavy Resources<\/h2>\n\n\n\n<p class=\"has-text-align-left has-zeever-bodytext-color has-text-color\">The DC VM, Client1, and the Wazuh server will be using 10-12 vCPU, 12 GB of RAM, and 110 GB of storage. I will make a separate document that covers Wazuh using Linode so that the lab environment isn\u2019t too resource-heavy.<\/p>\n\n\n\n<p>If you have 20+ Logical Processors and 32 GB of RAM, this lab can be easily done without Linode. 
<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-3 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Lab Brief Summary<\/h2>\n\n\n\n<p class=\"has-text-align-left has-zeever-bodytext-color has-text-color\">This lab will cover the deployment of a Wazuh Server onto Active Directory. It will guide you through adding agents to Wazuh, using the CIS Benchmark tool to ensure compliance, and configuring the File Integrity monitor to detect integrity violations on user desktops. Additionally, the configuration of the vulnerability module will be covered at the end.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-5 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Wazuh OVA Download<\/h2>\n\n\n\n<p class=\"has-text-align-left has-zeever-bodytext-color has-text-color\"><a href=\"https:\/\/documentation.wazuh.com\/current\/deployment-options\/virtual-machine\/virtual-machine.html \">https:\/\/documentation.wazuh.com\/current\/deployment-options\/virtual-machine\/virtual-machine.html <\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>Now, to get started with this lab, we need to get the Wazuh OVA.<\/p>\n\n\n\n<p>We can obtain it either by searching for \u201cwazuh ova\u201d on Google (or your preferred 
browser) and clicking the first result, as shown below, or by following the link provided above.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"865\" height=\"469\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC1.png\" alt=\"\" class=\"wp-image-486\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC1.png 865w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC1-300x163.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC1-768x416.png 768w\" sizes=\"(max-width: 865px) 100vw, 865px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Once there, click on the \u201cvirtual appliance (OVA)\u201d link as shown below.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"729\" height=\"381\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC2.png\" alt=\"\" class=\"wp-image-487\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC2.png 729w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC2-300x157.png 300w\" sizes=\"(max-width: 729px) 100vw, 729px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Save the OVA file in a location that you can easily recall. Then, open VirtualBox and go to the \u201cFile\u201d menu at the top left corner. 
From there, select \u201cImport Appliance\u201d.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"460\" height=\"368\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC3.png\" alt=\"\" class=\"wp-image-488\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC3.png 460w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC3-300x240.png 300w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Click on the little folder with the green arrow to browse to the location where you saved the OVA file and select \u201cOpen\u201d.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"620\" height=\"360\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC4.png\" alt=\"\" class=\"wp-image-489\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC4.png 620w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC4-300x174.png 300w\" sizes=\"(max-width: 620px) 100vw, 620px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>In the appliance settings, leave everything at the defaults, then click \u201cFinish\u201d. After importing the OVA, make sure the Wazuh VM is selected in VirtualBox, then click \u201cSettings\u201d at the top.<\/p>\n\n\n\n<p>Inside the newly popped-up settings window, click on \u201cDisplay\u201d on the left-hand side, and change the Graphics Controller to \u201cVMSVGA\u201d as shown in the picture below. 
The official documentation states that we have to change the graphics controller settings to VMSVGA, or else the Virtual Machine may start crashing.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"787\" height=\"435\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC5.png\" alt=\"\" class=\"wp-image-490\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC5.png 787w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC5-300x166.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC5-768x424.png 768w\" sizes=\"(max-width: 787px) 100vw, 787px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The recommended configuration for 1-25 agents\/clients is 4 vCPU, 8 GB of RAM, and 50 GB of storage. I will be using the 4 processors and the 50 GB of storage, but bump the RAM down to 4 GB (4096 MB). Depending on your setup, you can do the same, or you may be able to bump the processors down to 2 instead of 4. 
You can change these settings under the \u201cSystem\u201d tab.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"616\" height=\"394\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC6.png\" alt=\"\" class=\"wp-image-491\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC6.png 616w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC6-300x192.png 300w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Then go to the \u201cNetwork\u201d tab and make sure that the network adapter is on the \u201cInternal Network\u201d with the name \u201cintnet\u201d.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"618\" height=\"402\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC7.png\" alt=\"\" class=\"wp-image-492\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC7.png 618w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC7-300x195.png 300w\" sizes=\"(max-width: 618px) 100vw, 618px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After that, go to &#8220;General&#8221; and put the shared clipboard and Drag\u2019n\u2019Drop to \u201cBidirectional.\u201d<\/p>\n\n\n\n<p>At this point, make sure the DC virtual machine is \u201con\u201d so the Wazuh server can obtain an IP address.<\/p>\n\n\n\n<p>I used the domain admin account, which was in the \u201ca-XXXXX\u201d format, to log in.<\/p>\n\n\n\n<p>Once the DC VM is on and running, start up the Wazuh Server VM.<\/p>\n\n\n\n<p>It might take a bit for it to start up. Once you see the screen shown below, then you\u2019re all set. 
Log in using the credentials shown.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"388\" height=\"292\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC8.png\" alt=\"\" class=\"wp-image-493\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC8.png 388w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC8-300x226.png 300w\" sizes=\"(max-width: 388px) 100vw, 388px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"663\" height=\"406\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC9.png\" alt=\"\" class=\"wp-image-494\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC9.png 663w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC9-300x184.png 300w\" sizes=\"(max-width: 663px) 100vw, 663px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>You can do a \u201csudo -i\u201d to change to the root account.<\/p>\n\n\n\n<p>We&#8217;ll need to know the IP Address to access the Wazuh website.<\/p>\n\n\n\n<p>It\u2019ll be very easy to tell if you have an IP, as logs will appear in the console indicating that the time is being synced. 
But you can check by running an \u201cip a\u201d command on the Wazuh Server, or by checking on the Domain Controller in \u201cServer Manager\u201d -> \u201cTools\u201d -> \u201cDHCP\u201d, then looking under \u201cAddress Leases\u201d.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"727\" height=\"803\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC10.png\" alt=\"\" class=\"wp-image-495\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC10.png 727w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC10-272x300.png 272w\" sizes=\"(max-width: 727px) 100vw, 727px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The IP addresses seem to match up.&nbsp;<\/p>\n\n\n\n<p>I also started the Client1 Machine and logged in using the same account as on the DC machine.<\/p>\n\n\n\n<p>Once logged in, open Microsoft Edge (or Chrome, or any browser of your choosing), then navigate to \u201chttps:\/\/&lt;WazuhIP>,\u201d as shown below.<br><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"720\" height=\"669\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC11.png\" alt=\"\" class=\"wp-image-496\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC11.png 720w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC11-300x279.png 300w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The user and pass for this page are \u201cadmin:admin\u201d. 
Once everything has finished loading, you\u2019ll be greeted by the dashboard.<\/p>\n\n\n\n<p><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"AddingAgents\" class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Adding Agents<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Adding Agents to the Wazuh server<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<p>Let\u2019s add the DC and Client1 machines as agents so that we can explore Wazuh\u2019s functionality. 
Click on Add agent.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"977\" height=\"718\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC12.png\" alt=\"\" class=\"wp-image-497\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC12.png 977w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC12-300x220.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC12-768x564.png 768w\" sizes=\"(max-width: 977px) 100vw, 977px\" \/><\/figure>\n\n\n\n<p>Inside the new agent menu, click on Windows, Windows 7+, and the last option should be auto-selected. Then, for step 4, since the Wazuh server is on the internal network, we can use its IP address.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"658\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC14-1024x658.png\" alt=\"\" class=\"wp-image-498\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC14-1024x658.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC14-300x193.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC14-768x494.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC14.png 1028w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>For step 5, I named the agent \u201cClient1-VC\u201d and clicked on the default group.<\/p>\n\n\n\n<p>While keeping the page open, search for PowerShell in the bottom-left corner and run it as an administrator. 
Click Yes if it asks whether you want PowerShell to make changes to the system.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"685\" height=\"677\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC15.png\" alt=\"\" class=\"wp-image-499\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC15.png 685w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC15-300x296.png 300w\" sizes=\"(max-width: 685px) 100vw, 685px\" \/><\/figure>\n\n\n\n<p>For step 6, click the PowerShell command to copy it, then paste it into the PowerShell window. Once it has finished running, it will report that the service started successfully.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"581\" height=\"249\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC16.png\" alt=\"\" class=\"wp-image-500\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC16.png 581w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC16-300x129.png 300w\" sizes=\"(max-width: 581px) 100vw, 581px\" \/><\/figure>\n\n\n\n<p>We can head back to the dashboard and reload the page to confirm that the agent is active, which it appears to be. 
<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"806\" height=\"223\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC17.png\" alt=\"\" class=\"wp-image-501\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC17.png 806w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC17-300x83.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC17-768x212.png 768w\" sizes=\"(max-width: 806px) 100vw, 806px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"ComplianceSupport\" class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Compliance Support<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Wazuh can be used to support compliance<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow 
wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<p>This section will provide a quick overview of the agent dashboard and explain how the CIS Benchmark tool can help organizations become compliant with industry standards and laws.<\/p>\n\n\n\n<p>We can then click on the \u201c1\u201d below either the total or active agents.<\/p>\n\n\n\n<p>Scroll down and click on the actual agent.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"919\" height=\"430\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC18.png\" alt=\"\" class=\"wp-image-502\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC18.png 919w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC18-300x140.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC18-768x359.png 768w\" sizes=\"(max-width: 919px) 100vw, 919px\" \/><\/figure>\n\n\n\n<p>This dashboard is now for the Client1 machine.<\/p>\n\n\n\n<p>On the left-hand side, it shows the top MITRE ATT&amp;CK tactics identified in the alerts for this machine.<\/p>\n\n\n\n<p>On the right, it shows us the number of recommendations we can make to help with compliance with specific laws and standards.<\/p>\n\n\n\n<p>At the very bottom, there is the File Integrity monitor, which reports to us whether a specific file was created, modified, or deleted in specific locations.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"632\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC19-1024x632.png\" alt=\"\" class=\"wp-image-503\" 
srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC19-1024x632.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC19-300x185.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC19-768x474.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC19.png 1071w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Below the FIM is an event count.<\/p>\n\n\n\n<p>And even further down, we can see that the Client1 machine was tested against a CIS benchmark. And we seem to have failed it miserably, at 32%.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC20-1024x614.png\" alt=\"\" class=\"wp-image-504\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC20-1024x614.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC20-300x180.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC20-768x461.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC20.png 1029w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We can click on the benchmark for more information.<\/p>\n\n\n\n<p>We will see which checks we have failed and which we have passed. 
By clicking on an entry, we can see which compliance it is tied to, why we should care, how to fix it, and what it checks to confirm it.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"543\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC21-1024x543.png\" alt=\"\" class=\"wp-image-505\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC21-1024x543.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC21-300x159.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC21-768x407.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC21.png 1041w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"521\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC22-1024x521.png\" alt=\"\" class=\"wp-image-506\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC22-1024x521.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC22-300x153.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC22-768x391.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC22.png 1039w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>It\u2019s very important for organizations to be compliant. Not doing so can put them at risk of hefty fines, loss of reputation and trust, and even prison time.<\/p>\n\n\n\n<p>I also made the domain controller into an agent. 
The CIS benchmark test returned a 72% score on the first assessment.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"626\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC32-2-1024x626.png\" alt=\"\" class=\"wp-image-532\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC32-2-1024x626.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC32-2-300x184.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC32-2-768x470.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC32-2.png 1056w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I messed around for a bit and remediated 10 failures, managing to bring the score up to 90%. It was a lot of Group Policy changes. Going through the remediations is great practice and a learning opportunity. Client1 has 260+ failures, and I plan on going through those on my own time.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"368\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC33-1-1024x368.png\" alt=\"\" class=\"wp-image-533\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC33-1-1024x368.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC33-1-300x108.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC33-1-768x276.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC33-1.png 1066w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns 
is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"FileIntegrity\" class=\"wp-block-group is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns has-zeever-bgsoft-background-color has-background is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">File integrity<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Monitors for any changes made to specified locations<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<p>Let\u2019s take a look at file integrity. 
But first, let&#8217;s go over how and where to configure Wazuh\u2019s configuration file for the FIM.<\/p>\n\n\n\n<p>Open Client1\u2019s \u201cFile Explorer\u201d, click on \u201cThis PC\u201d, then double-click on \u201cLocal Disk\u201d.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"718\" height=\"465\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC23.png\" alt=\"\" class=\"wp-image-508\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC23.png 718w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC23-300x194.png 300w\" sizes=\"(max-width: 718px) 100vw, 718px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>Then double-click &#8220;Program Files (x86)&#8221;.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"527\" height=\"162\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC24.png\" alt=\"\" class=\"wp-image-509\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC24.png 527w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC24-300x92.png 300w\" sizes=\"(max-width: 527px) 100vw, 527px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After that, double-click on \u201cossec-agent\u201d. 
Click \u201cContinue\u201d if the permissions pop-up appears.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"556\" height=\"393\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC25.png\" alt=\"\" class=\"wp-image-510\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC25.png 556w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC25-300x212.png 300w\" sizes=\"(max-width: 556px) 100vw, 556px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Scroll down until you find \u201cossec.conf\u201d, then right-click it and open it with \u201cNotepad\u201d. The file sits under Program Files, so if Notepad refuses to save your changes later, close it, start Notepad as administrator (right-click it and choose \u201cRun as administrator\u201d) and open the file from there.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"510\" height=\"387\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC26.png\" alt=\"\" class=\"wp-image-511\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC26.png 510w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC26-300x228.png 300w\" sizes=\"(max-width: 510px) 100vw, 510px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Once inside Notepad, press \u201cCtrl+F\u201d and search for \u201csyscheck\u201d. It will take you to the file integrity monitoring section, where each \u201cdirectories\u201d entry names a directory or file the agent watches. This is where we add what we want to monitor.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"647\" height=\"515\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC27.png\" alt=\"\" class=\"wp-image-512\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC27.png 647w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC27-300x239.png 300w\" sizes=\"(max-width: 647px) 100vw, 647px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Below is the line that I added to monitor the desktop of the \u201ca-vcoil\u201d account. 
Replace the username with your own. After that, save the file.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"925\" height=\"387\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC28.png\" alt=\"\" class=\"wp-image-513\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC28.png 925w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC28-300x126.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC28-768x321.png 768w\" sizes=\"(max-width: 925px) 100vw, 925px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Once saved, open &#8220;PowerShell&#8221; with administrator privileges and run \u201cRestart-Service -Name wazuh\u201d. The agent only reads ossec.conf when it starts, so the new entry does nothing until the service has been restarted.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"497\" height=\"226\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC29.png\" alt=\"\" class=\"wp-image-514\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC29.png 497w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC29-300x136.png 300w\" sizes=\"(max-width: 497px) 100vw, 497px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>I already had a \u201csuperSecret\u201d note on my desktop before doing the changes. 
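<\/p>\n\n\n\n<p>The script below is an added example for this section, not code from this page or from the Wazuh project. It inserts the same kind of \u201cdirectories\u201d entry into a Windows agent\u2019s ossec.conf, but with the attributes that matter in practice: without realtime=\"yes\" a change is only noticed at the next scheduled scan (the default frequency is 43200 seconds, twelve hours), and without report_changes=\"yes\" the alert says that the file changed but not what changed. The cut-down ossec.conf inside the script is constructed for the example, MANAGER_IP is a placeholder, and the a-vcoil desktop path is the one used in this lab.<\/p>

```python
"""Add a hardened syscheck <directories> entry to a Wazuh agent ossec.conf.

Added example for this lab write-up, not code from the page or from the
Wazuh project. It parses the agent's XML configuration, refuses the obvious
mistakes (syscheck disabled, path already monitored) and appends the entry
with the attributes the lab's "what changed?" workflow depends on.
"""
import xml.etree.ElementTree as ET

# Constructed, cut-down Windows agent ossec.conf; MANAGER_IP is a placeholder.
SAMPLE_OSSEC_CONF = """<!--
  Wazuh agent configuration (constructed sample for this example)
-->
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
    </server>
  </client>
  <syscheck>
    <disabled>no</disabled>
    <!-- scheduled scan every 12 hours; realtime entries do not wait for it -->
    <frequency>43200</frequency>
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
  </syscheck>
</ossec_config>
"""


def _parse(conf_text):
    # ossec.conf may hold several top-level <ossec_config> blocks (the manager's
    # does), so wrap the file in a synthetic root. insert_comments keeps the
    # comment blocks instead of silently dropping them on write-back.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring("<wrapper>" + conf_text + "</wrapper>", parser=parser)


def _serialize(wrapper):
    text = ET.tostring(wrapper, encoding="unicode")
    return text[len("<wrapper>"):-len("</wrapper>")]


def _entries(wrapper):
    # Yield (element, [paths]); one <directories> may list several comma-separated paths.
    for syscheck in wrapper.iter("syscheck"):
        for elem in syscheck.findall("directories"):
            paths = [p.strip() for p in (elem.text or "").split(",") if p.strip()]
            yield elem, paths


def syscheck_directories(conf_text):
    """Return [(path, attributes)] for every monitored path in the configuration."""
    return [(path, dict(elem.attrib))
            for elem, paths in _entries(_parse(conf_text)) for path in paths]


def entries_missing(conf_text, attribute):
    """Monitored paths whose entry lacks attribute="yes" (e.g. report_changes)."""
    return [path for path, attrs in syscheck_directories(conf_text)
            if attrs.get(attribute, "no").lower() != "yes"]


def add_syscheck_directory(conf_text, path, realtime=True, report_changes=True, check_all=True):
    """Return conf_text with a <directories> entry for path appended to <syscheck>.

    realtime="yes": alert on the change at once instead of at the next scheduled
    scan. report_changes="yes": keep a copy of the file so the alert carries a
    diff of what changed (what the dashboard shows under the event).
    check_all="yes": record size, permissions, owner, mtime and all hashes.
    """
    wrapper = _parse(conf_text)
    syschecks = list(wrapper.iter("syscheck"))
    if not syschecks:
        raise ValueError("no <syscheck> block in configuration")
    syscheck = syschecks[0]
    if syscheck.findtext("disabled", "no").strip().lower() == "yes":
        raise ValueError("syscheck is disabled; set <disabled>no</disabled> first")
    wanted = path.strip().lower()  # Windows paths are case-insensitive
    for _, paths in _entries(wrapper):
        if wanted in (p.lower() for p in paths):
            raise ValueError(f"{path} is already monitored")

    new = ET.SubElement(syscheck, "directories")
    new.text = path.strip()
    for name, flag in (("check_all", check_all), ("realtime", realtime),
                       ("report_changes", report_changes)):
        if flag:
            new.set(name, "yes")
    # Keep the file's indentation: the new element inherits the tail that used to
    # precede </syscheck>; the old last child gets the child indentation instead.
    if len(syscheck) > 1:
        previous = syscheck[-2]
        new.tail, previous.tail = previous.tail, syscheck.text
    return _serialize(wrapper)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python add_fim_dir.py <ossec.conf> <path to monitor>
        conf = open(sys.argv[1], encoding="utf-8-sig").read()
        print(add_syscheck_directory(conf, sys.argv[2]))
    else:
        print(add_syscheck_directory(SAMPLE_OSSEC_CONF, r"C:\Users\a-vcoil\Desktop"))
```

<p>Feed it the real file, write the result back over ossec.conf after taking a backup, then restart the agent as above. One caveat before pointing report_changes at a folder of \u201csecret\u201d notes: to produce the diff, the agent keeps a copy of each monitored text file under its queue\\diff directory, and the diff itself travels to the manager inside the alert, so monitoring sensitive files this way copies their contents into the SIEM.<\/p>\n\n\n\n<p>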
You can create one yourself and then modify it.<\/p>\n\n\n\n<p>The integrity monitor raises an event when a file in the monitored location is added, modified, or deleted, so both the edit and a later deletion show up.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"915\" height=\"615\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC30.png\" alt=\"\" class=\"wp-image-515\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC30.png 915w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC30-300x202.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC30-768x516.png 768w\" sizes=\"(max-width: 915px) 100vw, 915px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>If you click on an event, it will show you the changes made and additional information: the file\u2019s hashes before and after, its size and permissions, and, for text files, a diff of the content. The diff is only recorded when the \u201cdirectories\u201d entry has report_changes set to \u201cyes\u201d; without it the event still tells you that the file changed, but not what changed. As shown below, here are the changes I made to the super secret file.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"568\" height=\"275\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC31.png\" alt=\"\" class=\"wp-image-516\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC31.png 568w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-SC31-300x145.png 300w\" sizes=\"(max-width: 568px) 100vw, 568px\" \/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"VulnerabilityModule\" class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div 
class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Vulnerability Module<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Vulnerability Scanner in Wazuh<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<p>In this section, we will cover how to enable the vulnerability module in Wazuh.<\/p>\n\n\n\n<p>By default, the Vulnerability Detector module is disabled on the Wazuh manager. It works by comparing the software inventory that each agent\u2019s syscollector module reports (installed packages and, on Windows, hotfixes) against vulnerability feeds the manager downloads.<\/p>\n\n\n\n<p>Inside the Wazuh server, open \u201c\/var\/ossec\/etc\/shared\/default\/agent.conf\u201d in vim and add in the configuration shown below. This is the shared configuration that the manager pushes to every agent in the \u201cdefault\u201d group, so the change reaches client1 without touching the agent directly. 
Save and quit the file.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"474\" height=\"451\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC1.png\" alt=\"\" class=\"wp-image-541\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC1.png 474w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC1-300x285.png 300w\" sizes=\"(max-width: 474px) 100vw, 474px\" \/><\/figure>\n\n\n\n<p>After adding that, open \u201c\/var\/ossec\/etc\/ossec.conf\u201d in vim and search for the \u201cvulnerability-detector\u201d block (type \u201c\/vulnerability-detector\u201d and press Enter). Change the \u201cno\u201d between its \u201cenabled\u201d tags to \u201cyes\u201d. The \u201cprovider\u201d blocks nested under it carry their own \u201cenabled\u201d tags; the \u201cmsu\u201d and \u201cnvd\u201d providers must be enabled too, because the Windows findings come from the MSU feed and the CVE details from NVD. Save and quit the file.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"666\" height=\"405\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC2.png\" alt=\"\" class=\"wp-image-542\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC2.png 666w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC2-300x182.png 300w\" sizes=\"(max-width: 666px) 100vw, 666px\" \/><\/figure>\n\n\n\n<p>Ensure that the nameserver in \u201c\/etc\/resolv.conf\u201d points at a DNS server that can resolve external names. In this lab that is the internal DNS server, i.e. the Domain Controller\u2019s IP.<\/p>\n\n\n\n<p>The manager downloads the NVD and MSU feeds over HTTPS, so if name resolution fails it never gets a vulnerability database and reports nothing.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"411\" height=\"189\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC3.png\" alt=\"\" class=\"wp-image-543\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC3.png 411w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wavuh-vuln-SC3-300x138.png 300w\" sizes=\"(max-width: 411px) 100vw, 411px\" \/><\/figure>\n\n\n\n<p>After making those changes and confirming the nameserver is correct, run &#8220;systemctl restart wazuh-manager&#8221; to restart the manager.<\/p>\n\n\n\n<p>The first feed download takes a while. Once it is in, the manager checks each agent\u2019s inventory against the feeds, and you\u2019ll be able to navigate to the vulnerability module and see it reporting on the vulnerabilities found.<\/p>\n\n\n\n<p>If the module is not updating, the manager log is the place to look. This command helped me a lot: \u201cgrep -i vulnerability \/var\/ossec\/logs\/ossec.log\u201d. It prints every vulnerability-detector message, including the feed download errors that a DNS problem produces.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"982\" height=\"667\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-vuln-SC4.png\" alt=\"\" class=\"wp-image-544\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-vuln-SC4.png 982w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-vuln-SC4-300x204.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-vuln-SC4-768x522.png 768w\" sizes=\"(max-width: 982px) 100vw, 982px\" \/><\/figure>\n\n\n\n<p>If you\u2019re interested only in the critical vulnerabilities, click the count under that severity in the summary at the top. So in this case, the red 22. 
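<\/p>\n\n\n\n<p>As an added example for the file integrity events above and for the severity filter described here (not code from this page or from the Wazuh project), the Python below reads alerts in the format the manager writes to \u201c\/var\/ossec\/logs\/alerts\/alerts.json\u201d, one JSON object per line, and does both things the dashboard is doing: it lists the added, modified and deleted file events with their diffs, and it filters vulnerability-detector findings down to Critical and pulls the KB numbers out of them. The alert lines inside the script are constructed, and the CVE and KB numbers, hashes and URLs in them are placeholders, not real identifiers. The field names (rule.groups, syscheck.event, syscheck.diff, data.vulnerability.severity, data.vulnerability.references) are the ones Wazuh 4.x alerts use; where exactly a KB number appears in an entry is an assumption, so the code scans the condition, the title and the references.<\/p>

```python
"""Triage Wazuh alerts.json lines: FIM events and critical vulnerabilities.

Added example for this lab write-up, not code from the page or from the
Wazuh project. SAMPLE_ALERTS is constructed to resemble the manager's
/var/ossec/logs/alerts/alerts.json; CVE/KB numbers, hashes and URLs in it
are placeholders, not real identifiers.
"""
import json
import re

SAMPLE_ALERTS = r"""
{"timestamp":"2023-08-30T21:25:01.000+0000","rule":{"level":5,"description":"File added to the system.","id":"554","groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"]},"agent":{"id":"001","name":"client1"},"syscheck":{"path":"c:\\users\\a-vcoil\\desktop\\superSecret.txt","mode":"realtime","event":"added","sha256_after":"HASH_A"}}
{"timestamp":"2023-08-30T21:26:10.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"]},"agent":{"id":"001","name":"client1"},"syscheck":{"path":"c:\\users\\a-vcoil\\desktop\\superSecret.txt","mode":"realtime","event":"modified","diff":"1c1\n< lab admin password: in the vault\n---\n> lab admin password: changed today\n","sha256_before":"HASH_A","sha256_after":"HASH_B"}}
{"timestamp":"2023-08-30T21:27:42.000+0000","rule":{"level":7,"description":"File deleted.","id":"553","groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"]},"agent":{"id":"001","name":"client1"},"syscheck":{"path":"c:\\users\\a-vcoil\\desktop\\superSecret.txt","mode":"realtime","event":"deleted"}}
{"timestamp":"2023-08-30T21:30:00.000+0000","rule":{"level":13,"description":"CVE-1900-0001 affects Windows 10","id":"23504","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"client1"},"data":{"vulnerability":{"cve":"CVE-1900-0001","severity":"Critical","package":{"name":"Windows 10","version":"10.0.0"},"condition":"Package unfixed","references":["https://support.example.invalid/help/KB0000001"]}}}
{"timestamp":"2023-08-30T21:30:01.000+0000","rule":{"level":10,"description":"CVE-1900-0002 affects Windows 10","id":"23503","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"client1"},"data":{"vulnerability":{"cve":"CVE-1900-0002","severity":"High","package":{"name":"Windows 10","version":"10.0.0"},"condition":"Package unfixed","references":[]}}}
not json at all
"""

KB_RE = re.compile(r"\bKB\d{6,7}\b")
SEVERITY_RANK = {"Untriaged": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_alerts(text):
    """Parse alerts.json content; returns (alerts, skipped) where skipped counts bad lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # a truncated line at the end of a rotating file is normal
    return alerts, skipped


def fim_events(alerts):
    """One record per syscheck alert: agent, file, what happened, hashes and the diff."""
    events = []
    for alert in alerts:
        if "syscheck" not in alert.get("rule", {}).get("groups", []):
            continue
        sc = alert.get("syscheck", {})
        events.append({
            "timestamp": alert.get("timestamp"),
            "agent": alert.get("agent", {}).get("name"),
            "path": sc.get("path"),
            "event": sc.get("event"),  # added / modified / deleted
            "mode": sc.get("mode"),    # realtime, scheduled or whodata
            "sha256_before": sc.get("sha256_before"),
            "sha256_after": sc.get("sha256_after"),
            "diff": sc.get("diff"),    # only present with report_changes="yes" on a text file
        })
    return events


def kb_numbers(vuln):
    """KB article numbers mentioned in the entry's condition, title or references."""
    haystack = " ".join([vuln.get("condition", ""), vuln.get("title", ""),
                         *vuln.get("references", [])])
    return sorted(set(KB_RE.findall(haystack)))


def vulnerabilities(alerts, min_severity="Critical"):
    """Vulnerability-detector findings at or above min_severity, with KB numbers extracted."""
    threshold = SEVERITY_RANK[min_severity]
    found = []
    for alert in alerts:
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            continue
        vuln = alert.get("data", {}).get("vulnerability", {})
        if SEVERITY_RANK.get(vuln.get("severity"), 0) < threshold:
            continue
        found.append({
            "agent": alert.get("agent", {}).get("name"),
            "cve": vuln.get("cve"),
            "severity": vuln.get("severity"),
            "package": vuln.get("package", {}).get("name"),
            "version": vuln.get("package", {}).get("version"),
            "condition": vuln.get("condition"),
            "kb": kb_numbers(vuln),
        })
    return found


def summarize(text):
    """Counts a responder wants first: FIM events by type, how many carry a diff, criticals."""
    alerts, skipped = parse_alerts(text)
    events = fim_events(alerts)
    by_event = {}
    for event in events:
        by_event[event["event"]] = by_event.get(event["event"], 0) + 1
    return {"alerts": len(alerts), "skipped_lines": skipped, "fim_by_event": by_event,
            "fim_with_diff": sum(1 for e in events if e["diff"]),
            "critical": vulnerabilities(alerts, "Critical")}


if __name__ == "__main__":
    import sys  # python triage_alerts.py /var/ossec/logs/alerts/alerts.json
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(json.dumps(summarize(text), indent=2))
```

<p>Reading alerts.json on the manager needs root or membership in the wazuh group, and the file is rotated, so older events live in the dated archive directories next to it. Because the diff field carries file content, treat the script\u2019s output as just as sensitive as the files being monitored.<\/p>\n\n\n\n<p>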
This will filter the list down to the critical vulnerabilities.<\/p>\n\n\n\n<p>Scroll down, and you will see them.<\/p>\n\n\n\n<p>For me, they sadly didn\u2019t provide the remediations straight away, unlike the CIS benchmark tool, but each entry does give you references. These usually point to the vendor advisory, which provides the remediation or other ways to fix the vulnerability.<\/p>\n\n\n\n<p>Each entry also shows the condition that produced the finding. For Windows, when you see a &#8220;KBXXXXXX&#8221; number, the fix is to install that update, i.e. to patch the system through Windows Update, after which the finding should clear on the next scan.<\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"709\" height=\"485\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-vuln-SC5.png\" alt=\"\" class=\"wp-image-546\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-vuln-SC5.png 709w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/08\/wazuh-vuln-SC5-300x205.png 300w\" sizes=\"(max-width: 709px) 100vw, 709px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<p><\/p>\n<\/div>\n\n\n\n<p>This concludes the Wazuh Lab.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Deployment Deploying Wazuh onto Active Directory Heavy Resources The DC VM, Client1, and the Wazuh server will be using 10-12 vCPU, 12 GB of RAM, and 110 GB of storage. I will make a separate document that covers Wazuh using Linode so that the lab environment isn\u2019t too resource-heavy. If you have 20+ Logical Processors and 32 GB of RAM, this lab can be easily done without Linode. Lab Brief Summary This lab will cover the deployment of a Wazuh Server onto Active Directory. 
It will guide you through adding agents to Wazuh, using the CIS Benchmark tool to ensure<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-481","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=481"}],"version-history":[{"count":32,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/481\/revisions"}],"predecessor-version":[{"id":1142,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/481\/revisions\/1142"}],"wp:attachment":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}