Endpoint Protection Platforms (EPPs) are security solutions installed on endpoints that allow security teams to monitor those endpoints and enforce security controls on them.

Endpoint detection and response (EDR) is a type of solution designed to counter zero-day exploits by monitoring registries, processes, and libraries and analyzing every minor change to them.

Scenario:

You work as a security engineer at Commensurate Technology (ComTech). New company policy dictates that workstations must be reinforced with additional security controls. In light of this decision, the IT Security and Operations teams have agreed to implement the Wazuh solution, with Wazuh agents deployed on all workstations. Elasticsearch and Kibana, integrated with the Wazuh manager, will be used as a backend to provide fast full-text search and data visualization for the health and security monitoring of company assets.

Walkthrough:

Local

Wazuh is an EDR platform that provides both intrusion detection (IDS) and intrusion prevention (IPS) capabilities.

For this scenario, there is already a central Wazuh server (SIEM). I’ll be installing Wazuh agents on the local machine.

After authenticating to the Wazuh server web portal, it recognizes that there is no agent installed on the Windows machine I’m working from and offers a wizard to set one up.

The wizard generates a PowerShell command to be run on the workstation, and the agent is set up smoothly.

Remote

# Install the Wazuh agent on a remote Windows host over WinRM
$computer = "windows11"
$scriptInstallApp = {
  # Download the agent installer to the staging path on the target
  Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.2-1.msi" -OutFile "D:\wazuh-agent-4.5.2.msi" -UseBasicParsing
  # Install silently (/q): the remote session has no interactive desktop, and it already
  # runs under the supplied admin credentials, so no separate elevation (-Verb RunAs) is
  # needed. The public properties point the agent at the manager for registration.
  Start-Process -FilePath msiexec.exe -ArgumentList '/i', 'D:\wazuh-agent-4.5.2.msi', '/q', 'WAZUH_MANAGER=manager.commensuratetechnology.com', 'WAZUH_REGISTRATION_SERVER=manager.commensuratetechnology.com' -Wait
  Start-Sleep -Seconds 5
  Start-Service WazuhSvc
  Get-Service WazuhSvc
}
# CredSSP delegates the credentials to the remote host; it must be enabled on both the client and the target
Invoke-Command -Credential (Get-Credential) -ComputerName $computer -ScriptBlock $scriptInstallApp -Authentication Credssp

This script connects to the windows11 machine on the network and sets up a Wazuh agent easily. It only needs WinRM to be enabled on the target and a set of credentials; because it uses CredSSP authentication, CredSSP must also be enabled on both the client and the target.

Mass Deployment

Ansible is an open-source automation tool that can be used for application deployment. To deploy a Wazuh agent with Ansible, we need to write an Ansible playbook (essentially a blueprint for automated tasks). Once the playbook is written, you can:

  1. SSH into the Ansible host
  2. Navigate to the Ansible directory
  3. Run the playbook: ansible-playbook playbook.yml
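A playbook for the mass-deployment step above, as an added example (it is not the page's own file and not the official wazuh-ansible role): it assumes an inventory group named workstations whose hosts already carry their WinRM connection variables, and it stages the installer under C:\Windows\Temp on each target.

```yaml
# Added example playbook: installs the Wazuh 4.5.2 agent on every host in the
# assumed "workstations" inventory group over WinRM (connection variables such as
# ansible_connection=winrm and ansible_winrm_transport are expected in the inventory).
- name: Deploy Wazuh agent to Windows workstations
  hosts: workstations
  gather_facts: false
  vars:
    wazuh_manager: manager.commensuratetechnology.com
    wazuh_agent_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.2-1.msi
    wazuh_agent_msi: C:\Windows\Temp\wazuh-agent-4.5.2-1.msi   # assumed staging path

  tasks:
    - name: Download the agent installer
      ansible.windows.win_get_url:
        url: "{{ wazuh_agent_url }}"
        dest: "{{ wazuh_agent_msi }}"

    - name: Install the agent silently, pointing it at the manager
      ansible.windows.win_package:
        path: "{{ wazuh_agent_msi }}"
        state: present
        arguments:
          - /q
          - "WAZUH_MANAGER={{ wazuh_manager }}"
          - "WAZUH_REGISTRATION_SERVER={{ wazuh_manager }}"

    - name: Ensure the agent service is running and starts at boot
      ansible.windows.win_service:
        name: WazuhSvc
        state: started
        start_mode: auto

    - name: Read back the service state
      ansible.windows.win_service_info:
        name: WazuhSvc
      register: wazuh_svc

    - name: Fail the play for any host whose agent is not running
      ansible.builtin.assert:
        that:
          - wazuh_svc.services | length == 1
          - wazuh_svc.services[0].state == 'started'
        fail_msg: "WazuhSvc is not running on {{ inventory_hostname }}"
```

The ansible.windows collection must be present on the Ansible host (ansible-galaxy collection install ansible.windows) before running ansible-playbook playbook.yml.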