Hi,
Let me help with your questions.
The right side of your diagram looks correct: Every customer has their own Wazuh manager cluster running in their infrastructure.
In the MSSP section, what is the goal of the Wazuh manager? Internal monitoring?
Some notes:
- For Elasticsearch, you will need to create separate indices like "<customer1>-wazuh-alerts-<date>". This way, you can create the proper roles to limit access.
- An outage or update in Elasticsearch will impact all your customers.
- Kibana (Wazuh plugin) needs access to the Wazuh API of each Wazuh cluster. So, there is a missing arrow from Kibana to the Wazuh manager master of your customers.
- You will need to create a limited role for each customer to access their indices. Then, in the Wazuh plugin, they need to select the Wazuh API and index pattern that correspond to their manager. This might not be the best user experience.
- A misconfiguration in your roles could lead to granting access to the data of other customers.
- It could be a good idea to create 1 Kibana per customer with a limited user and the configuration of only their manager. Then, 1 Kibana for your team with all the customers and more privileges. At least if you get compromised at the Kibana level, it will impact only 1 customer.
I recommend that you test this configuration with at least "2 customers" and review all the security concerns as well as the user experience. Then, you can review the performance issues and review tools like Kafka.
That said, we offer an MSSP program that could be really interesting for you (we already have a lot of MSSP customers). If you go with the MSSP program and Wazuh Cloud, you will have:
- 1 fully isolated environment for each customer. They can access their Kibana.
- 1 "centralized" environment where your team can see all the environments from the same Kibana.
- Everything is hosted in Wazuh Cloud; you just need to deploy the agents in your customers and use Wazuh from the Wazuh WUI (Kibana).
If you are interested in this program, contact us using this form.
I'm happy to help if you have more questions.
Regards.
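
Added example, not part of the original reply and not Wazuh or Elasticsearch code: a pre-deployment check for the role misconfiguration risk mentioned above. It tests each per-customer role's index patterns against the `<customer>-wazuh-alerts-<date>` names of every other customer. The customer ids, role names and date are constructed, and `*` is assumed to be the only wildcard in use.

```python
import re

# Constructed sample data (not from the original post): tenant ids and the
# index patterns each per-customer read role is allowed to see.
CUSTOMERS = ["customer1", "customer2", "customer10"]
ROLES = {
    "customer1_read": {"owner": "customer1", "patterns": ["customer1*"]},
    "customer2_read": {"owner": "customer2", "patterns": ["customer2-wazuh-alerts-*"]},
    "customer10_read": {"owner": "customer10", "patterns": ["*-wazuh-alerts-*"]},
}
SAMPLE_DATE = "2021.01.15"  # constructed; any date gives the same result


def index_name(customer, date=SAMPLE_DATE):
    """Index naming scheme from the post: <customer>-wazuh-alerts-<date>."""
    return f"{customer}-wazuh-alerts-{date}"


def wildcard_match(pattern, name):
    """Match a pattern in which '*' is the only wildcard (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def cross_customer_grants(roles, customers):
    """Return (role, pattern, exposed_customer) for every pattern that also
    matches an index belonging to a customer other than the role's owner."""
    findings = []
    for role_name, role in sorted(roles.items()):
        for pattern in role["patterns"]:
            for customer in customers:
                if customer == role["owner"]:
                    continue
                if wildcard_match(pattern, index_name(customer)):
                    findings.append((role_name, pattern, customer))
    return findings


if __name__ == "__main__":
    for role_name, pattern, exposed in cross_customer_grants(ROLES, CUSTOMERS):
        print(f"{role_name}: {pattern!r} also matches indices of {exposed}")
```

Note that `customer1*` leaks `customer10` data because the pattern omits the hyphen that ends the customer id; `customer1-wazuh-alerts-*` does not have that problem.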