
Wazuh Cheatsheet


Wazuh is an open-source security monitoring platform that provides intrusion detection, vulnerability detection, incident response, and compliance management. It integrates with the MITRE ATT&CK framework for threat detection and hunting.


Service Management

  • systemctl start wazuh-manager - Start Wazuh manager
  • systemctl stop wazuh-manager - Stop Wazuh manager
  • systemctl restart wazuh-manager - Restart Wazuh manager
  • systemctl status wazuh-manager - Check manager status
  • systemctl start wazuh-agent - Start Wazuh agent
  • systemctl status wazuh-agent - Check agent status
  • /var/ossec/bin/wazuh-control status - Check all components status
  • /var/ossec/bin/wazuh-control start - Start all components
  • /var/ossec/bin/wazuh-control stop - Stop all components
  • /var/ossec/bin/wazuh-control restart - Restart all components

Agent Management

  • /var/ossec/bin/agent_control -l - List all agents (active or not)
  • /var/ossec/bin/agent_control -lc - List active (connected) agents
  • /var/ossec/bin/agent_control -ln - List disconnected agents
  • /var/ossec/bin/agent_control -i <agent_id> - Show agent info (IP, version, last keep-alive)
  • /var/ossec/bin/agent_control -R <agent_id> - Restart agent
  • /var/ossec/bin/agent_control -l -j - List agents as JSON (use -s for CSV)
  • /var/ossec/bin/manage_agents - Manage agent keys interactively (add, extract, list, remove)
  • /var/ossec/bin/manage_agents -r <agent_id> - Remove agent
  • /var/ossec/bin/agent_upgrade -a <agent_id> - Upgrade agent remotely (-l lists outdated agents)

Log Files

  • /var/ossec/logs/ossec.log - Main Wazuh manager log
  • /var/ossec/logs/alerts/alerts.json - JSON formatted alerts
  • /var/ossec/logs/alerts/alerts.log - Standard alert log
  • /var/ossec/logs/archives/archives.log - Archived logs
  • tail -f /var/ossec/logs/alerts/alerts.log - Monitor alerts in real-time
  • tail -f /var/ossec/logs/ossec.log - Monitor main log

Rule Configuration

  • /var/ossec/etc/rules/local_rules.xml - Custom local rules
  • /var/ossec/etc/rules/ - Rules directory
  • /var/ossec/etc/ossec.conf - Main configuration file
  • /var/ossec/bin/wazuh-logtest - Test decoder and rule matching interactively (paste a log line, see the decoder, rule ID and level it hits)
  • /var/ossec/bin/wazuh-logtest < /path/to/sample.log - Feed log lines from a file through the rule engine (the tool reads from stdin; path is a placeholder)

Searching Alerts

  • grep "Rule: <rule_id>" /var/ossec/logs/alerts/alerts.log - Search the text log by rule ID (entries read "Rule: 5710 (level 5)")
  • grep "(<agent_name>)" /var/ossec/logs/alerts/alerts.log - Search the text log by agent (the agent name appears in parentheses before the source IP)
  • jq '.rule.id' /var/ossec/logs/alerts/alerts.json - Print the rule ID of every JSON alert (alerts.json is one JSON object per line)
  • jq '.rule.mitre.id' /var/ossec/logs/alerts/alerts.json - Print MITRE ATT&CK IDs (an array; null for rules without a mapping)
  • jq 'select(.rule.level >= 10)' /var/ossec/logs/alerts/alerts.json - High severity alerts

MITRE ATT&CK Framework Integration

Wazuh automatically maps detection rules to MITRE ATT&CK tactics, techniques, and sub-techniques. Alerts include ATT&CK metadata for threat hunting and correlation.

ATT&CK Metadata in Rules

<rule id="100200" level="12">
  <if_sid>1002</if_sid>
  <match>authentication failure</match>
  <description>Multiple authentication failures detected</description>
  <mitre>
    <!-- Only <id> is accepted inside <mitre>. The tactic ("Credential Access") and
         technique ("Brute Force") are looked up by the manager from its MITRE
         database and added to the alert as rule.mitre.tactic / rule.mitre.technique -->
    <id>T1110</id>
  </mitre>
</rule>

Querying ATT&CK Techniques

# Search for T1110 (Brute Force) alerts. rule.mitre.id is an array, so compare
# element-wise; the "?" skips alerts whose rule has no MITRE mapping instead of erroring
jq 'select(.rule.mitre.id[]? == "T1110")' /var/ossec/logs/alerts/alerts.json

# Search by tactic (contains() does a substring match on each tactic name)
jq 'select(.rule.mitre.tactic[]? | contains("Credential Access"))' /var/ossec/logs/alerts/alerts.json

# Search for specific technique
jq 'select(.rule.mitre.technique[]? == "Brute Force")' /var/ossec/logs/alerts/alerts.json

Common ATT&CK Mappings

  • T1003 - OS Credential Dumping (password file access)
  • T1018 - Remote System Discovery (network scanning)
  • T1021 - Remote Services (SSH, RDP connections)
  • T1047 - Windows Management Instrumentation (WMI abuse)
  • T1055 - Process Injection (suspicious process behavior)
  • T1070 - Indicator Removal (log deletion)
  • T1071 - Application Layer Protocol (network traffic)
  • T1105 - Ingress Tool Transfer (file downloads)
  • T1110 - Brute Force (authentication failures)
  • T1548 - Abuse Elevation Control Mechanism (sudo/privilege escalation)

Threat Hunting with ATT&CK

# Hunt for credential access techniques
jq 'select(.rule.mitre.tactic[]? | contains("Credential Access")) | {time: .timestamp, agent: .agent.name, rule: .rule.description, mitre_id: .rule.mitre.id}' /var/ossec/logs/alerts/alerts.json

# Hunt for persistence mechanisms
jq 'select(.rule.mitre.tactic[]? | contains("Persistence")) | {time: .timestamp, technique: .rule.mitre.technique, id: .rule.mitre.id}' /var/ossec/logs/alerts/alerts.json

# Hunt for privilege escalation, then count alerts per technique (-s slurps the filtered alerts into one array)
jq 'select(.rule.mitre.tactic[]? | contains("Privilege Escalation"))' /var/ossec/logs/alerts/alerts.json | jq -s 'group_by(.rule.mitre.id) | map({technique: .[0].rule.mitre.technique, count: length, id: .[0].rule.mitre.id})'
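The jq one-liners in "Querying ATT&CK Techniques" and "Threat Hunting with ATT&CK" above all hinge on two properties of alerts.json: each line is one JSON object, and `rule.mitre` is an array-valued block that is simply absent on rules without a mapping. The Python below is an added example (not part of the cheatsheet or of Wazuh itself) that implements the same filters and the technique count over a constructed sample of four alert lines, one of which has no MITRE block; it also adds a per-agent tactic sequence, the raw material for the "correlate tactics to identify attack chains" tip. Rule IDs and descriptions in the sample are illustrative.

```python
import json

# Constructed sample of alerts.json lines (newline-delimited JSON), trimmed to the
# fields the queries use. The third alert carries no rule.mitre block, the case a
# naive '.rule.mitre.id == "T1110"' comparison mishandles.
SAMPLE_ALERTS = """\
{"timestamp":"2024-01-10T08:00:01.000+0000","agent":{"id":"001","name":"web01"},"rule":{"id":"5712","level":10,"description":"sshd: brute force trying to get access to the system.","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]}}}
{"timestamp":"2024-01-10T08:00:05.000+0000","agent":{"id":"002","name":"db01"},"rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed.","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]}}}
{"timestamp":"2024-01-10T08:00:09.000+0000","agent":{"id":"001","name":"web01"},"rule":{"id":"1002","level":2,"description":"Unknown problem somewhere in the system."}}
{"timestamp":"2024-01-10T08:01:00.000+0000","agent":{"id":"001","name":"web01"},"rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed.","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]}}}
"""


def load_alerts(text):
    """Parse NDJSON alert lines, skipping blank or truncated lines (a live
    alerts.json can end in a half-written line while the manager is flushing)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def mitre_field(alert, field):
    """Return rule.mitre.<field> as a list; [] when the rule has no mapping.
    A plain string value is wrapped so callers always get a list."""
    value = alert.get("rule", {}).get("mitre", {}).get(field, [])
    return [value] if isinstance(value, str) else list(value)


def by_technique_id(alerts, technique_id):
    """Equivalent of select(.rule.mitre.id[]? == "T1110")."""
    return [a for a in alerts if technique_id in mitre_field(a, "id")]


def by_tactic(alerts, tactic):
    """Equivalent of select(.rule.mitre.tactic[]? | contains(tactic)): substring match."""
    return [a for a in alerts if any(tactic in t for t in mitre_field(a, "tactic"))]


def summarize(alerts):
    """Projection used in the credential-access hunt above."""
    return [{"time": a["timestamp"], "agent": a["agent"]["name"],
             "rule": a["rule"]["description"], "mitre_id": mitre_field(a, "id")}
            for a in alerts]


def count_by_technique(alerts, tactic):
    """Group one tactic's alerts by technique ID and count them (the jq -s group_by pipeline)."""
    counts = {}
    for a in by_tactic(alerts, tactic):
        for tid, name in zip(mitre_field(a, "id"), mitre_field(a, "technique")):
            entry = counts.setdefault(tid, {"technique": name, "count": 0})
            entry["count"] += 1
    return counts


def tactics_per_agent(alerts):
    """Distinct tactics per agent in timestamp order, e.g. Credential Access
    followed by Privilege Escalation on the same host is worth a closer look."""
    chains = {}
    for a in sorted(alerts, key=lambda x: x["timestamp"]):
        seen = chains.setdefault(a["agent"]["name"], [])
        for t in mitre_field(a, "tactic"):
            if t not in seen:
                seen.append(t)
    return chains


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    print(json.dumps(summarize(by_tactic(alerts, "Credential Access")), indent=2))
    print(count_by_technique(alerts, "Privilege Escalation"))
    print(tactics_per_agent(alerts))
```

To run this against a real manager, replace `SAMPLE_ALERTS` with the contents of `/var/ossec/logs/alerts/alerts.json` (or stream it line by line; the parser is per-line, so a multi-gigabyte archive does not need to fit in memory).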

Creating Custom Rules with ATT&CK

<group name="custom,mitre_attack,">
  <rule id="100001" level="10">
    <if_sid>5710</if_sid>
    <!-- <match> is a literal/sregex match with no ".*" wildcard; use <regex> for a pattern
         (type="pcre2" is available from Wazuh 4.4) -->
    <regex type="pcre2">sudo.*su.*root</regex>
    <description>Suspicious sudo to su root escalation</description>
    <mitre>
      <!-- Only <id> is valid here; tactics (Privilege Escalation, Defense Evasion) and the
           technique name (Sudo and Sudo Caching) are added to the alert by the manager -->
      <id>T1548.003</id>
    </mitre>
  </rule>

  <rule id="100002" level="12">
    <if_group>web</if_group>
    <regex type="pcre2">SQL.*injection</regex>
    <description>SQL injection attempt detected</description>
    <mitre>
      <!-- Tactic: Initial Access, technique: Exploit Public-Facing Application -->
      <id>T1190</id>
    </mitre>
  </rule>
</group>
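Before a custom rule file is dropped into local_rules.xml it is worth catching the mistakes that make wazuh-analysisd refuse to load the ruleset: IDs outside the 100000-120000 range reserved for user rules, duplicate IDs, levels outside 0-15, malformed technique IDs and stray elements inside `<mitre>`. The following linter is an added example (not Wazuh's own tooling) using only the standard library; it parses a constructed rule file that contains the two rules above plus a deliberately broken third rule, and reports findings as a list of strings.

```python
import re
import xml.etree.ElementTree as ET

CUSTOM_ID_RANGE = (100000, 120000)           # range Wazuh reserves for user-defined rules
MITRE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1190 or T1548.003

# Constructed rule file: the two rules from the section above and a third one
# with a duplicate ID, an out-of-range level, a bad technique ID and an
# unsupported <tactic> element inside <mitre>.
SAMPLE_RULES = """
<group name="custom,mitre_attack,">
  <rule id="100001" level="10">
    <if_sid>5710</if_sid>
    <regex type="pcre2">sudo.*su.*root</regex>
    <description>Suspicious sudo to su root escalation</description>
    <mitre><id>T1548.003</id></mitre>
  </rule>
  <rule id="100002" level="12">
    <if_group>web</if_group>
    <regex type="pcre2">SQL.*injection</regex>
    <description>SQL injection attempt detected</description>
    <mitre><id>T1190</id></mitre>
  </rule>
  <rule id="100002" level="17">
    <match>example only</match>
    <description>Broken rule used to exercise the checks</description>
    <mitre><id>1190</id><tactic>Initial Access</tactic></mitre>
  </rule>
</group>
"""


def lint_rules(xml_text):
    """Return a list of human-readable findings; an empty list means no problems found.
    Rule files may contain several top-level <group> elements, so the text is
    wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<ruleset>" + xml_text + "</ruleset>")
    findings = []
    seen_ids = set()
    for rule in root.iter("rule"):
        rid = rule.get("id", "")
        tag = f"rule {rid or '<no id>'}"

        if not rid.isdigit():
            findings.append(f"{tag}: id must be numeric")
        else:
            n = int(rid)
            if not CUSTOM_ID_RANGE[0] <= n <= CUSTOM_ID_RANGE[1]:
                findings.append(f"{tag}: id outside custom range {CUSTOM_ID_RANGE}")
            if n in seen_ids:
                findings.append(f"{tag}: duplicate id")
            seen_ids.add(n)

        level = rule.get("level", "")
        if not (level.isdigit() and 0 <= int(level) <= 15):
            findings.append(f"{tag}: level {level!r} is not an integer between 0 and 15")

        if not (rule.findtext("description") or "").strip():
            findings.append(f"{tag}: missing <description>")

        for mitre in rule.findall("mitre"):
            for child in mitre:
                if child.tag != "id":
                    findings.append(f"{tag}: <{child.tag}> is not valid inside <mitre>; only <id> is accepted")
                elif not MITRE_ID.match((child.text or "").strip()):
                    findings.append(f"{tag}: MITRE id {child.text!r} is not of the form T1234 or T1234.001")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run it over a real file with `lint_rules(open("/var/ossec/etc/rules/local_rules.xml").read())`; it complements `wazuh-logtest`, which checks what a rule matches, not whether the file will load.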

File Integrity Monitoring (FIM)

  • /var/ossec/etc/ossec.conf - Configure FIM in <syscheck> section
  • /var/ossec/queue/fim/ - FIM events directory

FIM Configuration Example

<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore>/etc/mail/statistics</ignore>
</syscheck>
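The `<syscheck>` block above tells the agent which trees to hash on every scan (`check_all="yes"` records size, permissions, owner and checksums), how often to rescan (`frequency` is in seconds, 43200 = 12 h) and which paths to leave out. To show what that produces, here is an added Python example (not Wazuh's syscheck code) that builds a SHA-256 baseline of a directory, honours an ignore list, and classifies the three kinds of change FIM alerts on; the scenario runs in a temporary directory it constructs itself.

```python
import hashlib
import os
import tempfile


def scan(directory, ignore=()):
    """Hash every regular file under directory (the check_all="yes" case);
    relative paths listed in ignore are skipped like <ignore> entries."""
    snapshot = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            if rel in ignore:
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snapshot[rel] = digest.hexdigest()
    return snapshot


def compare(baseline, current):
    """Classify differences between two scans into the three FIM event kinds."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small /etc-like tree, change it, rescan."""
    ignore = {"mtab"}  # mirrors <ignore>/etc/mtab</ignore>: changes here must not alert
    with tempfile.TemporaryDirectory() as d:
        def write(rel, text):
            path = os.path.join(d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        write("passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("hosts.deny", "ALL: 203.0.113.0/24\n")
        write("mtab", "proc /proc proc rw 0 0\n")
        baseline = scan(d, ignore)

        write("passwd", "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")  # second uid-0 account
        write("mtab", "proc /proc proc rw 0 0\ntmpfs /tmp tmpfs rw 0 0\n")           # ignored path, no alert
        write("cron.d/nightly", "0 2 * * * root /usr/local/bin/report\n")           # new file
        os.remove(os.path.join(d, "hosts.deny"))                                     # deleted file
        return compare(baseline, scan(d, ignore))


if __name__ == "__main__":
    print(demo())
```

The real agent also stores the baseline in a local database under /var/ossec/queue/fim/ and, with `realtime="yes"` on a `<directories>` entry, reports changes as they happen rather than on the next scheduled scan.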

Rootcheck

  • /var/ossec/etc/ossec.conf - Configure rootcheck
  • grep "rootcheck" /var/ossec/logs/alerts/alerts.log - View rootcheck alerts
  • /var/ossec/etc/shared/default/rootcheck.conf - Rootcheck configuration

Vulnerability Detection

  • /var/ossec/etc/ossec.conf - Enable and configure the scanner in the <vulnerability-detector> block (<vulnerability-detection> in 4.8+); it runs inside wazuh-modulesd on the manager against the inventory collected by syscollector, so there is no separate scanner script to invoke
  • grep "vulnerability-detector" /var/ossec/logs/ossec.log - Check feed updates and scan progress
  • jq 'select(.data.vulnerability?)' /var/ossec/logs/alerts/alerts.json - View vulnerability alerts (CVE, package and severity are under .data.vulnerability)

API Usage

  • TOKEN=$(curl -k -u wazuh:wazuh -X POST "https://localhost:55000/security/user/authenticate?raw=true") - Obtain a JWT; the 4.x API accepts basic auth only on this endpoint, every other call needs the bearer token (-k skips TLS verification, acceptable only for the default self-signed certificate in a lab)
  • curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://localhost:55000/agents?pretty=true" - List agents via API
  • curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://localhost:55000/agents?agents_list=<agent_id>&pretty=true" - Get details for one agent
  • curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://localhost:55000/rules?rule_ids=1002&pretty=true" - Get rule information
  • curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://localhost:55000/syscollector/<agent_id>/hardware?pretty=true" - System inventory (read-only, so GET rather than POST)
  • curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://localhost:55000/rootcheck/<agent_id>?pretty=true" - Rootcheck results
  • curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://localhost:55000/syscheck/<agent_id>?pretty=true" - FIM baseline
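The curl calls above are fine for poking at the API, but anything scripted has to handle the two-step flow properly: trade the user name and password for a JWT at `/security/user/authenticate`, send it as `Authorization: Bearer`, and re-authenticate when the token expires (900 seconds by default, signalled by HTTP 401). The client below is an added example written for this cheatsheet, not Wazuh's own SDK; it uses only the standard library, and the `transport` parameter is a hypothetical seam that lets the flow be exercised against a fake manager. The `agents(status="disconnected")` helper backs the "monitor agent connectivity" tip.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request


class WazuhApi:
    """Minimal client for the Wazuh 4.x REST API (port 55000)."""

    def __init__(self, base_url, user, password, verify_tls=True, transport=None):
        self.base_url = base_url.rstrip("/")
        self.user = user
        self.password = password
        # transport(method, url, headers) -> (status, body). Injectable so the
        # client can be driven without a live manager (assumption for this example).
        self.transport = transport or self._urllib_transport(verify_tls)
        self.token = None

    @staticmethod
    def _urllib_transport(verify_tls):
        ctx = ssl.create_default_context()
        if not verify_tls:  # same effect as curl -k; only for lab managers with self-signed certs
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE

        def send(method, url, headers):
            req = urllib.request.Request(url, method=method, headers=headers)
            try:
                with urllib.request.urlopen(req, context=ctx) as resp:
                    return resp.status, resp.read().decode()
            except urllib.error.HTTPError as err:
                return err.code, err.read().decode()
        return send

    def authenticate(self):
        """POST /security/user/authenticate?raw=true with basic auth; returns the raw JWT."""
        creds = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        status, body = self.transport(
            "POST", f"{self.base_url}/security/user/authenticate?raw=true",
            {"Authorization": f"Basic {creds}"})
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}: {body}")
        self.token = body.strip()
        return self.token

    def _bearer_get(self, path):
        return self.transport("GET", self.base_url + path,
                              {"Authorization": f"Bearer {self.token}"})

    def get(self, path):
        """GET an endpoint, authenticating on first use and once more on a 401
        (expired token). Returns the decoded JSON envelope."""
        if self.token is None:
            self.authenticate()
        status, body = self._bearer_get(path)
        if status == 401:
            self.authenticate()
            status, body = self._bearer_get(path)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}: {body}")
        return json.loads(body)

    def agents(self, status=None):
        """List agents, optionally filtered by status such as 'active' or 'disconnected'.
        Results live under data.affected_items in every Wazuh API response."""
        path = "/agents?limit=500" + (f"&status={status}" if status else "")
        return self.get(path)["data"]["affected_items"]

    def hardware(self, agent_id):
        """Syscollector hardware inventory for one agent."""
        return self.get(f"/syscollector/{agent_id}/hardware")["data"]["affected_items"]


if __name__ == "__main__":
    api = WazuhApi("https://localhost:55000", "wazuh", "wazuh", verify_tls=False)
    for agent in api.agents(status="disconnected"):
        print(f"{agent['id']} {agent['name']} last seen {agent.get('lastKeepAlive')}")
```

Change the default credentials before exposing the API beyond localhost, and prefer installing the manager's certificate in the client trust store over `verify_tls=False`.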

Common Commands

  • /var/ossec/bin/wazuh-analysisd -t - Test the manager configuration, decoders and rules for errors without restarting
  • /var/ossec/bin/wazuh-logtest - Interactive log testing tool
  • /var/ossec/bin/wazuh-keystore - Manage the encrypted keystore (indexer credentials; 4.8+)
  • /var/ossec/bin/wazuh-control info - Version, revision and installation type
  • /var/ossec/bin/verify-agent-conf - Check the shared agent.conf for syntax errors before it is pushed to agents
  • /var/ossec/bin/syscheck_update - Update FIM baseline manually

Configuration Locations

  • /var/ossec/etc/ossec.conf - Main configuration (manager/agent)
  • /var/ossec/etc/rules/ - Rule files directory
  • /var/ossec/etc/decoders/ - Log decoders directory
  • /var/ossec/etc/shared/ - Shared configuration for agents
  • /var/ossec/etc/lists/ - CDB lists for rules

Tips

  • Use MITRE ATT&CK metadata in custom rules for better threat hunting
  • Regularly review high-level alerts (level 12+)
  • Use jq for querying and filtering JSON alert logs
  • Create custom rules in local_rules.xml, not in default rule files
  • Test rules with wazuh-logtest before deploying
  • Monitor agent connectivity - disconnected agents can't send alerts
  • Use FIM to monitor critical system files and directories
  • Enable vulnerability detection for compliance scanning
  • Correlate alerts using MITRE ATT&CK tactics to identify attack chains
  • Use the API for automation and integration with other tools
  • Check /var/ossec/logs/ regularly for errors
  • Keep Wazuh updated to get latest detection rules and MITRE mappings
  • Use rootcheck to detect rootkits and suspicious system modifications
  • Create dashboards based on MITRE ATT&CK tactics for threat visibility
  • Archive and analyze historical alerts for threat hunting
