Deployed and configured Wazuh SIEM on a virtualized Kali Linux server for 24/7 security monitoring, reaching a 99% log collection rate with real-time threat detection.

Organizations need visibility into endpoint activity, but commercial EDR solutions are expensive. Open-source alternatives exist, but they require proper configuration to be effective against real threats.
**Components:**

- Wazuh Manager deployed on a virtualized Kali Linux server
- Wazuh Agents on Ubuntu and Windows 11 endpoints
- Sysmon for enhanced Windows telemetry
- Elasticsearch + Kibana for visualization
- Custom Python scripts for automated response

**Data Flow:**

1. Endpoints generate security events (process creation, network connections, file changes)
2. Sysmon enriches Windows events with detailed process lineage
3. Agents forward logs to the Wazuh Manager over an encrypted channel
4. The Manager applies detection rules and triggers alerts
5. Active response scripts execute containment actions
**Custom Detection Rules:**

- Suspicious PowerShell execution patterns (encoded commands, download cradles)
- LSASS memory access attempts (credential dumping)
- Lateral movement indicators (PsExec, WMI remote execution)
- Persistence mechanisms (registry run keys, scheduled tasks)
- Living-off-the-land binary (LOLBin) abuse

**Active Response:**

- Automatic IP blocking for brute force attempts
- Process termination for known malicious hashes
- User account lockout after suspicious authentication patterns
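As an added illustration of the "Automatic IP blocking" response above (example code, not the project's own script), the handler below follows the Wazuh active-response contract: execd passes the triggering alert as one JSON document on stdin with `command` set to `add` or `delete`, and the script acts on it. The allowlist entries, the program path and the sample alert are constructed for this example; the sample only mirrors the shape of a real alert.

```python
"""Wazuh active-response handler that blocks a brute-force source with iptables."""
from __future__ import annotations
import ipaddress
import json
import subprocess
import sys

# Hypothetical allowlist: the manager itself and the admin jump host are never blocked,
# so a spoofed or misattributed alert cannot lock the analyst out of the lab.
NEVER_BLOCK = {"127.0.0.1", "192.168.56.10"}

# Constructed sample in the shape execd emits (abbreviated; real alerts carry more fields).
SAMPLE_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "wazuh-manager", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {"rule": {"level": 10, "description": "sshd: brute force attempt"},
                  "data": {"srcip": "203.0.113.45"}},
        "program": "/var/ossec/active-response/bin/block-bruteforce.py",  # hypothetical path
    },
})

def parse_message(raw: str) -> dict:
    """Validate the execd JSON envelope before anything is executed."""
    msg = json.loads(raw)
    if msg.get("command") not in ("add", "delete"):
        raise ValueError(f"unsupported command: {msg.get('command')!r}")
    if "alert" not in msg.get("parameters", {}):
        raise ValueError("message carries no alert")
    return msg

def extract_srcip(msg: dict) -> str | None:
    """Return the alert's source IP only if it parses as an address and is blockable."""
    srcip = msg["parameters"]["alert"].get("data", {}).get("srcip")
    try:
        addr = ipaddress.ip_address(srcip or "")
    except ValueError:
        return None  # field was missing or not an IP: never hand it to iptables
    if addr.is_loopback or addr.is_unspecified or str(addr) in NEVER_BLOCK:
        return None
    return str(addr)

def build_iptables_argv(msg: dict) -> list[str] | None:
    """Map add -> insert DROP rule, delete -> remove it when the block timeout expires."""
    srcip = extract_srcip(msg)
    if srcip is None:
        return None
    return ["iptables", "-I" if msg["command"] == "add" else "-D", "INPUT", "-s", srcip, "-j", "DROP"]

def main() -> int:
    argv = build_iptables_argv(parse_message(sys.stdin.read()))
    return 0 if argv is None else subprocess.run(argv, check=False).returncode  # argv list, no shell

if __name__ == "__main__":
    sys.exit(main())
```

Pair the script with a `<timeout>` in the manager's active-response configuration so execd sends the matching `delete` and the block is lifted automatically.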
Achieved a 99% log collection rate across all endpoints. Reduced mean time to detect (MTTD) through automated alerting and custom detection rules. Conducted security incident analysis, log correlation, and vulnerability assessment in real time.