Wazuh & Other SIEM Integration


Eric

Jun 1, 2021, 5:44:20 AM
to Wazuh mailing list

We are using Wazuh, integrating it with TheHive/Cortex to manage IR in AWS for a company, and it's useful. Now I'm looking to get some ideas from the rest of the community. Let me point out the situation and the problem I'm facing. My company has many branches in different geographical locations that use other SIEMs such as Splunk, ArcSight, and QRadar.

How does Wazuh integrate with other SIEMs? What solutions/ideas does Wazuh suggest for those who still use an old SIEM (Splunk/ArcSight/QRadar) to run it with Wazuh?

Regards,

Alexander Bohorquez

Jun 1, 2021, 3:04:19 PM
to Wazuh mailing list
Hello,

Thank you for using Wazuh!

Wazuh can be integrated with other SIEMs. In this specific case, do you want to send alerts generated from Wazuh to another of these SIEMs or do you want to send data from another SIEM and have it processed by Wazuh?

Both options can be achieved:

In order to send Wazuh alerts to another SIEM, we'd recommend using our Syslog output feature. It lets you configure a Syslog server (in this case it can be QRadar or ArcSight) to which you send any fired alerts you want, selected by alert level, id, group, or location.



If you need to receive information from another SIEM via Syslog, the following blog explains how to configure the Wazuh manager to receive Syslog messages:


Once the logs are received, you can create decoders/rules to generate alerts based on your requirements.

On the other hand, since you mention Splunk: there is a Wazuh app for Splunk that offers a UI to visualize Wazuh alerts and Wazuh API data. Here you can find more information about this:



I hope this information helps. Please let me know if you have any other questions!

Best regards,

Alexander Bohorquez
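An added configuration example (not from the original reply) of the Syslog output feature described above, showing how each destination gets its own filter by level, group or rule id. The collector addresses and the choice of rule groups are placeholders assumed for illustration:

```xml
<!-- Fragment for /var/ossec/etc/ossec.conf on the Wazuh manager.
     Each <syslog_output> block is one destination with its own filter.
     Server addresses below are placeholders, not real collectors. -->
<ossec_config>

  <!-- ArcSight: receive only alerts of level 7 and above, in CEF -->
  <syslog_output>
    <server>192.0.2.10</server>   <!-- placeholder: ArcSight syslog connector -->
    <port>514</port>
    <level>7</level>              <!-- this level or higher -->
    <format>cef</format>
  </syslog_output>

  <!-- QRadar: receive every alert from the selected rule groups, as JSON -->
  <syslog_output>
    <server>192.0.2.20</server>   <!-- placeholder: QRadar event collector -->
    <port>514</port>
    <group>authentication_failed,syscheck</group>
    <format>json</format>
  </syslog_output>

  <!-- Same QRadar collector: one specific rule id, regardless of its level -->
  <syslog_output>
    <server>192.0.2.20</server>
    <port>514</port>
    <rule_id>100100</rule_id>     <!-- placeholder: id of a local rule you want forwarded -->
    <format>json</format>
  </syslog_output>

</ossec_config>
```

After saving the file, restart the manager (`systemctl restart wazuh-manager`) so the new outputs take effect. The Syslog output sends over UDP, so the receiving SIEM must have a UDP syslog listener on that port; if the SIEM only accepts TCP or TLS, place a local syslog relay (for example rsyslog) between the manager and the collector.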

Eric

Jun 1, 2021, 10:32:03 PM
to Alexander Bohorquez, Wazuh mailing list
Hi Alexander, 

Thank you for your email.

I am a bit confused about your answer. I want to send alerts generated from QRadar/ArcSight to the Wazuh Manager and process them. At this point, as far as I know, raw data events have already been processed by QRadar/ArcSight: raw events --> decoding --> rule matching --> security alerts. Why do we have to send the generated alerts to the Wazuh Manager to process them again? What is the benefit of this action?

As you suggested in the previous email, you said to use Syslog to receive information from other SIEMs. You mentioned it's "raw data events". Is this correct? At this point, I have to create decoders/rules to generate alerts based on my requirements.

What do you think if we send alerts generated from other SIEMs directly to Elastic Stack? 

Regards,



Alexander Bohorquez

Jun 4, 2021, 2:29:47 PM
to Wazuh mailing list
Hello,

Sorry for the delay,

Answering your questions, 

If you want to receive the events in the Wazuh App, what is required is to configure the Wazuh manager to receive Syslog messages as explained here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html#example-of-configuration. Then, if the received log format is allowed (the log must comply with the standard Syslog format, and if the log contains JSON it will be better processed), you could simply generate a rule using the IP of that SIEM, and we will receive all the alerts in Kibana.

Example: 

<group name="local,">
  <rule id="100001" level="3">
    <location>SIEM_IP_ADDRESS</location>
    <description>my_SIEM_log grouping rule.</description>
  </rule>
</group>

But this would bring us only the "full_log" field, with the original event not parsed into fields. If you want to parse the information, you must create decoders in order to generate fields that then allow you to use the Kibana/Elasticsearch tools for data correlation, visualizations, or dashboards.

About the question you ask, "What do you think if we send alerts generated from other SIEMs directly to Elastic Stack?": this is also possible, by configuring Rsyslog to receive events from these SIEMs (where Filebeat is installed) and then configuring Filebeat to read the file where the events are received and send them to Elasticsearch, as mentioned in this guide:


But since the data will be sent to a different index pattern, not "wazuh-alerts", you will not be able to correlate this data with the Wazuh data. And the format/decoding in which it arrives will depend on what you configure in Filebeat to process that data.

To give you a better example of the rule to configure and generate alerts: you could configure Remote Syslog in your Wazuh Manager with the indications explained above and then enable the "logall_json" option on the Wazuh server (/var/ossec/etc/ossec.conf) to log all the events, not only the alerts, so we can identify how the events are being generated/received from the required SIEM:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
...
  </global>
</ossec_config>

You can send us an example of the log received from the SIEM and we could tell you how to receive it in Kibana properly.

I hope this information helps. I await your reply.
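An added example (not from the original reply) that carries the inbound setup described above one step further: the remote Syslog listener restricted to the SIEM's address, the grouping rule by location, a decoder so that a plain-text forwarder line is parsed into fields instead of landing only in "full_log", and a child rule that escalates on a decoded field. The SIEM address, the plain-text line format `SIEM-OFFENSE id=... sev=... src=...`, and the JSON keys `offense_id`, `severity` and `srcip` are all constructed for this illustration:

```xml
<!-- 1. /var/ossec/etc/ossec.conf: accept UDP syslog only from the SIEM forwarder -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.50</allowed-ips>   <!-- placeholder: SIEM forwarder address -->
  </remote>
</ossec_config>

<!-- 2. /var/ossec/etc/decoders/local_decoder.xml
     For a plain-text forwarder line such as (constructed format):
       SIEM-OFFENSE id=42 sev=8 src=198.51.100.7
     A JSON body such as {"offense_id": 42, "severity": 8, "srcip": "198.51.100.7"}
     needs no custom decoder: Wazuh's built-in json decoder already yields the fields. -->
<decoder name="siem-offense">
  <prematch>^SIEM-OFFENSE </prematch>
</decoder>

<decoder name="siem-offense-fields">
  <parent>siem-offense</parent>
  <regex offset="after_parent">^id=(\d+) sev=(\d+) src=(\d+\.\d+\.\d+\.\d+)</regex>
  <order>offense_id, severity, srcip</order>
</decoder>

<!-- 3. /var/ossec/etc/rules/local_rules.xml -->
<group name="local,siem_forward,">

  <!-- Everything the SIEM sends is indexed into wazuh-alerts (full_log always present) -->
  <rule id="100001" level="3">
    <location>192.0.2.50</location>        <!-- placeholder: same SIEM address -->
    <description>Event forwarded by external SIEM.</description>
  </rule>

  <!-- Child rule: escalate when the decoded severity is 8, 9 or 10,
       whichever decoder (custom or built-in json) produced the field -->
  <rule id="100002" level="10">
    <if_sid>100001</if_sid>
    <field name="severity">^8$|^9$|^10$</field>
    <description>External SIEM offense $(offense_id) with severity $(severity) from $(srcip).</description>
  </rule>

</group>
```

Restart the manager after editing these files. With "logall_json" enabled as shown above, every received line appears in /var/ossec/logs/archives/archives.json together with the decoder name and the fields it produced, which is the quickest way to confirm that the decoder matched before writing further rules; lines from any address other than the one in `<allowed-ips>` are dropped by the listener and never reach the rules at all.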

Eric

Jun 6, 2021, 11:07:15 AM
to Alexander Bohorquez, Wazuh mailing list
Hi Alexander, 

Thank you for your email.

It was exactly what I was looking for. I'm considering replacing the other SIEMs with Wazuh. I will try harder myself first. Keep an eye on this case; I will give you feedback as soon as possible.

Regards, 
