brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(kb): improve articles about wazuh

Browse Source
This commit is contained in:
Michele Cereda
2024-05-24 17:56:25 +02:00
parent d1bd448b60
commit 471fb307db
6 changed files with 87 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.vscode/settings.json vendored
View File

@@ -255,6 +255,7 @@
"sdkman",
"setfacl",
"setfattr",
"siem",
"slurm",
"spiffe",
"sshfs",
@@ -290,6 +291,7 @@
"userspace",
"vaultwarden",
"venv",
"wazuh",
"whalebrew",
"winget",
"wlan",

2
knowledge base/acronyms and abbreviations.md
View File

@@ -78,6 +78,7 @@
| RPM | RPM Package Manager | Package management system used by Linux distributions like Red Hat, (open)SuSE and Fedora |
| SAFE | Scaled Agile FramEwork | |
| SBOM | Software Bill Of Materials | See [SBOM at a Glance] |
| SIEM | [Security Information and Event Management)][siem] | |
| SOPS | Secrets OPerationS | |
| SPIFFE | Secure Production Identity Framework for Everyone | |
| SQL | Structured Query Language | |
@@ -131,6 +132,7 @@
[fish]: fish.md
[iac]: iac.md
[kubernetes]: kubernetes/README.md
[siem]: siem.md
[ssh]: ssh.md
[sssd]: sssd.md
[terraform enterprise]: terraform%20enterprise.md

17
knowledge base/siem.md
View File

@@ -1,30 +1,19 @@
# Security information and event management
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
## Further readings
- [Wazuh]
## Sources
All the references in the [further readings] section, plus the following:
<!--
References
Reference
═╬═Time══
-->
<!-- Upstream -->
<!-- In-article sections -->
[further readings]: #further-readings
<!-- Knowledge base -->
<!-- Files -->
<!-- Others -->
[wazuh]: https://wazuh.com/
[wazuh]: wazuh/README.md

48
knowledge base/wazuh.md
View File

@@ -1,48 +0,0 @@
# Wazuh
Open source security platform.
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
<!-- Uncomment if needed
<details>
<summary>Installation and configuration</summary>
</details>
-->
<!-- Uncomment if needed
<details>
<summary>Usage</summary>
</details>
-->
<!-- Uncomment if needed
<details>
<summary>Real world use cases</summary>
</details>
-->
## Further readings
- [Website]
- [Github]
### Sources
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
<!-- Files -->
<!-- Upstream -->
[github]: https://github.com/wazuh/wazuh
[website]: https://wazuh.com/
<!-- Others -->

80
knowledge base/wazuh/README.md Normal file
View File

@@ -0,0 +1,80 @@
# Wazuh
Open source security platform.<br/>
Provides unified XDR and SIEM protection for endpoints and cloud workloads.
1. [Components](#components)
1. [Indexer](#indexer)
1. [Server](#server)
1. [Dashboard](#dashboard)
1. [Agent](#agent)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## Components
| Component | Type | Description |
| --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Indexer | Central | Full-text search and analytics engine.<br/>Indexes and stores alerts generated by the server. |
| Server | Central | Analyzes data received from the agents.<br/>Can set up in a cluster.<br/>Manages the agents. |
| Dashboard | Central | Web UI for data visualization and analysis.<br/>Used to configure and monitor Wazuh. |
| Agent | Endpoint | Installed on monitored endpoints (i.e.: laptops, servers, cloud instances, virtual machines).<br/>Used for threat prevention, detection, and response. |
Wazuh can also monitor agent-less devices (e.g: firewalls, switches, routers) via Syslog, SSH or APIs.
![components and data flow](components%20and%20data%20flow.png)
### Indexer
Stores data as JSON documents.
_Indexes_ are collections of documents related to each other.<br/>
The stored documents are distributed across multiple different _shards_.<br/>
Shards are distributed on multiple nodes for redundancy.
Different indices store different event types.
| Index | Content | Notes |
| ------------------ | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| `wazuh-alerts` | Alerts generated by the server | Created each time an event trips a rule with a high enough priority. |
| `wazuharchives` | Events received by the server | Created whether or not events trip a rule. |
| `wazuhmonitoring` | Data related to the agent's status over time | Used by the web interface to show when individual agents are or have been _active_, _disconnected_, or _never connected_. |
| `wazuhstatistics` | Data related to the server's performance | Used by the web interface to show performance statistics. |
One can interact with the indexer cluster using its REST API.
### Server
TODO
### Dashboard
TODO
### Agent
TODO
## Further readings
- [Website]
- [Github]
### Sources
- [Documentation]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
<!-- Files -->
<!-- Upstream -->
[documentation]: https://documentation.wazuh.com/current/
[github]: https://github.com/wazuh/wazuh
[website]: https://wazuh.com/
<!-- Others -->

BIN
knowledge base/wazuh/components and data flow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB