Endpoint detection and response (EDR)


Geoff Nordli

Dec 25, 2020, 3:34:59 PM
to Wazuh mailing list
Hi.

On another thread I see lots of the things wazuh is working on.

Are there any thoughts on EDR, especially when it comes to sysmon and
active responses (process termination)?

thanks,

Geoff



Yana Zaeva

Dec 28, 2020, 8:42:07 AM
to Wazuh mailing list
Hi Geoff,

Sorry for the late response. Regarding the Active Response module, you can check some information about it in the following links:

- How to block attacks using Active Response: https://wazuh.com/blog/blocking-attacks-active-response/

Concerning sysmon, you can check below how to monitor sysmon events and collect Windows events using Wazuh:


Hope I was helpful. Let me know if you need anything else.

Yana.

Geoff Nordli

Dec 29, 2020, 3:30:25 PM
to Wazuh mailing list

Hi Yana.

I looked at the sysmon and active response modules.

I looked at the things you are planning on working on. I don't see anything in there expanding this capability (endpoint process and network monitoring/termination). Is it something that doesn't fit within the project goals of Wazuh and should be handled by a different tool?

thanks,

Geoff

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2e999698-075b-43f8-b6c5-2f8d1835d5e4n%40googlegroups.com.

Bin Do Tuan Anh

Jan 20, 2021, 12:04:56 PM
to Wazuh mailing list
Hi, 

Sorry for the late reply. 

Wazuh monitoring and active response work in real time. The Log Collection module fetches the logs coming from the agents and parses them with our decoders.

And with the Active Response module, you will be able to set an automated response to a specific scenario based on a specific alert, alert level, or rule group that was triggered.

In addition, there is a way to also set the alerts to inform you via email or Slack based on the scenario.


In order to integrate network devices such as routers, firewalls, etc., where you cannot install the Wazuh agent to monitor network events, the log analysis component can be configured to receive log events through rsyslog. You will need to set the configuration in the file /var/ossec/etc/ossec.conf so that it can receive the logs. Here is an example:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>IP_OF_YOUR_FIREWALL</allowed-ips>
  <local_ip>IP_OF_THE_WAZUH</local_ip>
</remote>

With the above configuration, you will only need to configure rsyslog on your firewall to forward the logs to Wazuh.


Be aware that you can always extend the decoders and rules in Wazuh by creating your own custom ones. To add custom decoders and rules, you will need to modify these files:
- /var/ossec/etc/decoders/local_decoders.xml
- /var/ossec/etc/rules/local_rules.xml

In case you are interested in custom rules and decoders, I would recommend that you check this blog post: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Also, I will leave this documentation page: https://documentation.wazuh.com/4.0/learning-wazuh/suricata.html

Please let me know if you need further assistance. 

Kind regards,
Bin.
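The reply above describes selecting an automated response by alert level or rule group; Geoff's original question was about terminating a process flagged by a sysmon event. The following handler is an added example of how such a selector could be written, not Wazuh's own active-response code. It assumes the Wazuh 4.2+ convention of passing the triggering alert to the script as JSON on stdin under parameters.alert (older releases passed command-line arguments instead), that Sysmon Event ID 1 alerts expose the process under data.win.eventdata.processId and .image, and uses a constructed rule group name and a constructed sample alert. It stays in dry-run mode until DRY_RUN is changed.

```python
#!/usr/bin/env python3
"""Illustrative active-response handler for the process-termination scenario
in this thread. Added example, not part of Wazuh. Assumed conventions: the
alert arrives as JSON on stdin (Wazuh 4.2+ style, under parameters.alert),
and Sysmon process-creation alerts carry data.win.eventdata.processId/.image."""
import json
import os
import signal
import sys

DRY_RUN = True                                  # decide only; do not kill anything yet
MIN_LEVEL = 12                                  # act only on high-severity alerts
REQUIRED_GROUP = "sysmon_process-anomalies"     # constructed rule group name
PROTECTED_PREFIXES = ("C:\\Windows\\",)         # constructed policy: never kill OS images

# Constructed sample alert shaped like a Wazuh Sysmon Event ID 1 alert.
SAMPLE_ALERT = {
    "rule": {"id": "100200", "level": 12,
             "groups": ["windows", "sysmon", "sysmon_process-anomalies"],
             "description": "Sysmon - process started from a temp directory (constructed)"},
    "agent": {"id": "001", "name": "WIN-LAB"},
    "data": {"win": {"system": {"eventID": "1"},
                     "eventdata": {"processId": "4242",
                                   "image": "C:\\Temp\\unsigned_tool.exe",
                                   "commandLine": "unsigned_tool.exe --quiet"}}},
}


def decide(alert, command="add", min_level=MIN_LEVEL, required_group=REQUIRED_GROUP):
    """Apply the level/group selectors and return {'action': 'terminate'|'ignore', ...}."""
    if command != "add":
        # execd sends 'delete' when a timed response expires; a kill has nothing to undo
        return {"action": "ignore", "reason": f"command {command!r} needs no action"}
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    groups = rule.get("groups", [])
    if level < min_level:
        return {"action": "ignore", "reason": f"level {level} below threshold {min_level}"}
    if required_group not in groups:
        return {"action": "ignore", "reason": f"rule group {required_group!r} not present"}
    eventdata = alert.get("data", {}).get("win", {}).get("eventdata", {})
    pid, image = eventdata.get("processId"), eventdata.get("image", "")
    if not str(pid).isdigit():           # Wazuh stores eventdata values as strings
        return {"action": "ignore", "reason": "alert carries no usable processId"}
    if image.startswith(PROTECTED_PREFIXES):
        return {"action": "ignore", "reason": f"image {image!r} is protected"}
    return {"action": "terminate", "pid": int(pid), "image": image,
            "reason": f"rule {rule.get('id')} level {level} in group {required_group}"}


def terminate(pid, dry_run=DRY_RUN):
    """Terminate pid. os.kill() sends SIGTERM on POSIX and calls TerminateProcess() on Windows."""
    if dry_run:
        return f"dry-run: would terminate pid {pid}"
    try:
        os.kill(pid, signal.SIGTERM)
    except ProcessLookupError:
        return f"pid {pid} already gone"
    except PermissionError:
        return f"not permitted to terminate pid {pid}"
    except OSError as exc:
        return f"failed to terminate pid {pid}: {exc}"
    return f"terminated pid {pid}"


def main():
    """Entry point when execd runs the script: read the alert, decide, report."""
    payload = json.load(sys.stdin)
    command = payload.get("command", "add")
    alert = payload.get("parameters", {}).get("alert", payload)   # fall back to a bare alert
    decision = decide(alert, command)
    if decision["action"] == "terminate":
        decision["result"] = terminate(decision["pid"])
    print(json.dumps(decision))


if __name__ == "__main__":
    main()
```

The protected-image prefix list and the dry-run default are the parts worth keeping when adapting this: an automated kill driven by a single rule match should be tested against real alert traffic before it is allowed to act, and should never be able to terminate the operating system's own processes.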

Geoff Nordli

Jan 22, 2021, 9:00:50 PM
to Wazuh mailing list

Hi.

Are people then relying on AV/NGAV to manage the local malware and actively shut it down?  

thanks,

Geoff
