Good afternoon,
This is a suggestion, not a support request - call it a request for a conversation, or better yet, blogs.
Today, after receiving my daily Wazuh mailing list update, I found an interesting conversation on pushing files to endpoints. I am now testing this to deploy PowerShell scripts. I do not have a DC in my test network, and I am using Wazuh to watch my family PCs and Linux servers that provide entertainment, NAS and various other functions, mainly in a learning capacity; I am no cybersecurity professional yet, in any shade of grey.
So far, I have learned heaps, like how many pipes Windows makes, but that is a topic for another conversation. I am also having issues with Wazuh accessing OneDrive files and numerous errors in relation to the extremely long file names used in certain Windows directories - lots of exemptions have been set in FIM for Windows, and my learning continues.
However, my request has to do with Windows Defender, which when online seems to be okay at detecting threats and removing them, according to various testing sites. I find it slightly strange that no expert dev or Wazuh blogger has written on this topic, and that, although we are ingesting the logs, no dashboard (to my knowledge) has been provided, as there is for other mainstream antivirus vendors, or indeed any guide on how to create one.
In fact, the making of a dashboard is highly annoying, to say the least, considering that in a cybersecurity boot camp based on the ELK stack most of us wannabes generated not-half-bad dashboards in 3 hours for various purposes.
Having followed this post
I find it slightly strange: we should not need a Python-generated executable, but rather send a command to Windows (along with a follow-up full scan, please) to execute and terminate the nasty little file, with remote commands enabled obviously - not a prerequisite in the blog's solution. This also leads to removing registry entries that may be utilized for persistence and the like.
This post which leads to another blog
Once again leaves remediation via active response missing. My apologies.
So, if you are a Wazuh dev who lives in Linux like most devs, can you please write a post on how Wazuh, using native Windows commands with remote execution enabled, can be utilized to Wazuh's advantage?
Having now learned to monitor my Windows Wazuh agent log files and the main Wazuh log files, and to renumber all rules generated by bloggers (thank you - my local rules file is getting rather long), I have learned and am learning a great deal, but my main problem with Wazuh is that Linux may rule the server world but it is not on endpoints, and installing YARA or other software on endpoints, well - it's not my ideal solution; it simply leads to the supply chain problem (software - numerous examples: LastPass, GoAnywhere, OpenVPN, the list goes on).
So, forgive me if I have raised a few hackles, but in my extremely humble opinion Wazuh is great at monitoring Linux servers, but since phishing attacks don't happen on servers (bet you don't read your email on a server), Windows endpoints are where it's at.
So, having thought long and hard on posting this in the discussion group - let it be and see what becomes of it.
To repeat myself, I am not employed in cybersecurity in any way but love this field, and I appreciate all your work as I learn. To the developers behind Wazuh, my thanks.
Sincerely
Leon
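The native-command remediation Leon asks for above, as an added example that is not part of the original post or Wazuh's own code: a PowerShell active-response script for a Windows agent that logs the triggering alert, lets Defender remove what it has already classified as a threat, and then requests the follow-up full scan. It assumes Wazuh 4.2+ active-response behaviour (the alert arrives as JSON on stdin, the script is launched from active-response\bin through a .cmd wrapper), the default agent install path, and the command name defender-scan; all three are assumptions, not details from the post.

```powershell
# defender-scan.ps1 - added example, not Wazuh's code. Assumes Wazuh 4.2+ active response:
# the agent runs the <executable> from active-response\bin and pipes the triggering
# alert to it as one JSON object on stdin. Register a .cmd wrapper on the manager as
#   <command><name>defender-scan</name><executable>defender-scan.cmd</executable>
#   <timeout_allowed>no</timeout_allowed></command>
# where the wrapper runs:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0defender-scan.ps1"
$agentDir = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent'   # default agent path (assumed)
$logFile  = Join-Path $agentDir 'active-response\active-responses.log'

function Write-ArLog {
    param([string]$Message)
    $stamp = Get-Date -Format 'yyyy/MM/dd HH:mm:ss'
    Add-Content -Path $logFile -Value "$stamp defender-scan: $Message"
}

# Read the whole stdin payload; anything that is not the expected JSON aborts the response.
$raw = [Console]::In.ReadToEnd()
try { $payload = $raw | ConvertFrom-Json } catch { Write-ArLog 'stdin was not valid JSON, aborting'; exit 1 }

# Wazuh sends command 'add' to trigger a response (and 'delete' when a stateful one expires).
if ($payload.command -ne 'add') { Write-ArLog "ignoring command '$($payload.command)'"; exit 0 }

$alert = $payload.parameters.alert
Write-ArLog ("triggered by rule {0}: {1}" -f $alert.rule.id, $alert.rule.description)

# Record what Defender has already classified before changing anything, so the
# active-response log shows the state this run started from.
$active = Get-MpThreat -ErrorAction SilentlyContinue | Where-Object { $_.IsActive }
foreach ($t in $active) {
    Write-ArLog ("active threat {0} (id {1}) in {2}" -f $t.ThreatName, $t.ThreatID, ($t.Resources -join ';'))
}

# Let Defender itself remove those detections (no third-party binary involved) ...
if ($active) {
    Remove-MpThreat
    Write-ArLog 'asked Defender to remove the active threats'
}

# ... and then run the follow-up full scan. Start-MpScan blocks until the Defender
# service finishes, which is why the manager-side <command> sets <timeout_allowed>no</timeout_allowed>.
Start-MpScan -ScanType FullScan
Write-ArLog 'full scan finished'
exit 0
```

Everything the script does is written to active-responses.log, which the agent already forwards, so the manager sees both the detection state before remediation and the completed scan without any extra collector.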