
Quick Start Security for Wazuh FIM

Wazuh FIM

Out-of-the-Box Security For Wazuh FIM Includes:

Alerts - 13

Stay on top of the security events Wazuh FIM reports. Keep everyone in the know with integrations for Slack, PagerDuty and more.

Wazuh - Windows Kerberos Pre-Authentication Failed

This alert fires on Windows Security event 4771, which a domain controller logs every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when the domain controller doesn't have a certificate installed for smart card authentication (for example, one issued from a "Domain Controller" or "Domain Controller Authentication" template), when the user's password has expired, or when the wrong password was provided.

Impact: Repeated pre-authentication failures indicate that an attacker may be brute-forcing or otherwise manipulating the authentication process, and could gain unauthorized access by exploiting weaknesses in Kerberos authentication.

Mitigation: Investigate the reason for the failure; the event's Failure Code field distinguishes a wrong password (0x18) from an expired one (0x17). Reset the user's password if required.

MITRE Tactic: TA0001 MITRE Technique: T1078

Wazuh - Windows Password Spray Attack Detected

Detects login failures against multiple user accounts from a single source address within a short time window.

Impact: Failed logins spread across many accounts from one source indicate a password-spraying attack, in which the attacker tries one or a few common passwords against many accounts to stay under per-account lockout thresholds.

Mitigation: Investigate the failed login attempts and confirm with the affected users whether the attempts were theirs. If not, investigate the source address (and block it where appropriate) to determine a possible compromise.

MITRE Tactic: TA0006 MITRE Technique: T1110

Wazuh - Windows Special Privileges Assigned to New Logon

This alert fires on Windows Security event 4672, logged when special privileges (such as SeDebugPrivilege or SeTcbPrivilege) are assigned to a new logon session. This could indicate an attempt to escalate privileges or perform unauthorized actions on the system.

Note: allowlist the administrative accounts that are expected to hold the listed privileges; otherwise this alert fires on every routine administrator logon.

Impact: Unauthorized elevation of privileges could lead to the execution of malicious actions, compromise of sensitive data, or further exploitation of the system.

Mitigation: Review and limit the privileges assigned to users. Ensure that users have only the permissions their roles require.

MITRE Tactic: TA0004 MITRE Technique: T1088 (revoked by MITRE; now T1548.002)

Wazuh - No Logs from Wazuh in 12 Hrs

This rule detects that no Wazuh logs have arrived in the customer account for the last 12 hours.

Note: deploy this alert against the application and subsystem that Wazuh data is ingested into.

Impact: Disabling or interrupting logging is a tactic adversaries employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. A silent agent or manager can also mean an outage in the forwarding pipeline, which leaves the same blind spot.

Mitigation: Address the logging gap (agent, manager or forwarder) to restore comprehensive monitoring within the Coralogix SIEM.

MITRE Tactic: TA0005 MITRE Technique: T1562

Wazuh - Unix System DNS Settings Modified

This alert detects modification of /etc/resolv.conf, the system-wide configuration file that specifies the DNS servers the system uses to resolve domain names to IP addresses.

Impact: An attacker with unauthorized access to a system may manipulate the file to redirect traffic to an attacker-controlled DNS server.

Mitigation: Validate DNS entries whenever the file is modified, and use only well-known or internal DNS servers. Note that on hosts running systemd-resolved, NetworkManager or a DHCP client, /etc/resolv.conf is often rewritten automatically; baseline those expected rewrites so that only unexpected nameserver changes are escalated.

MITRE Tactic : TA0005 MITRE Technique : T1036

Wazuh - Unix Account Manipulation Detected

This alert detects modification of SSH authorized_keys files or of password data (/etc/shadow) on the endpoint.

Impact: To maintain persistence on a target endpoint, adversaries may add their own key to a user's SSH authorized_keys file or change the user's password.

Mitigation: Verify whether the change to the authorized_keys or shadow file is approved and expected (for example, a planned key rotation for the user). If the change is unauthorised, remove the key immediately and investigate the activity of the account that made the change.

MITRE Tactic : TA0003 MITRE Technique : T1098

Wazuh - Unix Sudoers File Modified

This alert detects modification of /etc/sudoers. The file defines the rules and permissions for the sudo command, which allows users to execute commands with the privileges of another user, typically root (the superuser or administrator).

Impact: The proper configuration of /etc/sudoers is critical to system security. Incorrect or malicious entries (for example, ALL=(ALL) NOPASSWD: ALL for a low-privileged user) allow unauthorized users to execute privileged commands.

Mitigation: Edit the file only with visudo, which syntax-checks before saving, and keep site-specific rules in /etc/sudoers.d so each change is small and reviewable. Review every modification for rules granting ALL or NOPASSWD, and revert any that were not approved.

MITRE Tactic : TA0004 MITRE Technique : T1548

Wazuh - Unix Local host DNS Config Modified

This alert detects modification of /etc/hosts, a plain text file found on Unix and Unix-like operating systems, including Linux, that serves as a local lookup table mapping IP addresses to hostnames. It lets the system resolve those names without querying a DNS server.

Impact: On most Linux systems /etc/hosts is consulted before DNS (the hosts line in /etc/nsswitch.conf is typically "files dns"), so an attacker with unauthorized access can add an entry that silently overrides DNS for a chosen name and redirects traffic, for example to a phishing or update server they control.

Mitigation: Review any added or changed entries against the expected set, remove unauthorized ones, and investigate how they were written. Because DNS servers are better suited to managing large numbers of hostnames, the file should contain few entries in production, which keeps unexpected additions easy to spot.

MITRE Tactic : TA0005 MITRE Technique : T1036
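The four Unix file alerts above (resolv.conf, authorized_keys and shadow, sudoers, hosts) all arrive from Wazuh's syscheck module, and the triage questions in their mitigations can be answered from the alert itself when report_changes is enabled. The following is an added example, not Coralogix or Wazuh code: it maps a syscheck alert to the alert name from this list and pulls the specific finding an analyst wants (a non-approved nameserver, a new SSH key and its comment, a NOPASSWD sudo rule, a hostname override). It assumes the syscheck object shape of Wazuh alerts.json (syscheck.path, syscheck.event, syscheck.diff) and that the diff is in normal diff format with "> " marking added lines; the sample alerts and the ALLOWED_DNS allowlist are constructed.

```python
"""Triage of Wazuh syscheck (FIM) alerts for the Unix file alerts listed above.

Added example, not Coralogix or Wazuh code. Assumptions: the alert carries a
syscheck object with path, event and (when report_changes is on) diff fields,
and the diff is in normal diff format where added lines start with "> ".
The sample alerts and the resolver allowlist below are constructed.
"""
import re
from fnmatch import fnmatch

ALLOWED_DNS = {"10.0.0.53", "10.0.1.53"}   # assumption: the organisation's internal resolvers

# Watched path pattern -> alert name from the list above (order matters for first match).
WATCHED = [
    ("/etc/resolv.conf", "Unix System DNS Settings Modified"),
    ("/etc/hosts", "Unix Local host DNS Config Modified"),
    ("/etc/sudoers", "Unix Sudoers File Modified"),
    ("/etc/sudoers.d/*", "Unix Sudoers File Modified"),
    ("/etc/shadow", "Unix Account Manipulation Detected"),
    ("/root/.ssh/authorized_keys", "Unix Account Manipulation Detected"),
    ("/home/*/.ssh/authorized_keys", "Unix Account Manipulation Detected"),
]

KEY_RE = re.compile(r"((?:ssh|ecdsa|sk)-\S+)\s+(\S+)(?:\s+(.*))?")   # type, key, optional comment
PRIV_SUDO_RE = re.compile(r"NOPASSWD|ALL\s*=\s*\(\s*ALL(?:\s*:\s*ALL)?\s*\)")


def added_lines(diff):
    """Lines added according to a normal-format diff ('> ' prefix)."""
    return [line[2:] for line in diff.splitlines() if line.startswith("> ")]


def triage(alert):
    """Return {alert, path, event, findings} for a watched path, or None if out of scope."""
    sc = alert.get("syscheck", {})
    path = sc.get("path", "")
    name = next((n for pattern, n in WATCHED if fnmatch(path, pattern)), None)
    if name is None:
        return None
    added = added_lines(sc.get("diff", ""))
    findings = []
    if path == "/etc/resolv.conf":
        for line in added:
            m = re.match(r"\s*nameserver\s+(\S+)", line)
            if m and m.group(1) not in ALLOWED_DNS:
                findings.append(f"nameserver {m.group(1)} is not an approved resolver")
    elif path == "/etc/hosts":
        for line in added:
            fields = line.split("#", 1)[0].split()        # drop trailing comments
            if len(fields) >= 2:
                findings.append(f"{', '.join(fields[1:])} now resolves locally to {fields[0]}")
    elif path.startswith("/etc/sudoers"):
        for line in added:
            if PRIV_SUDO_RE.search(line):
                findings.append(f"privileged sudo rule added: {line.strip()}")
    elif path.endswith("authorized_keys"):
        for line in added:
            m = KEY_RE.search(line)                          # tolerates leading key options
            if m:
                findings.append(f"new {m.group(1)} key, comment {m.group(3) or '(none)'}")
    elif path == "/etc/shadow":
        findings.append("password hash or account state changed; confirm with the account owner")
    return {"alert": name, "path": path, "event": sc.get("event"), "findings": findings}


def run(alerts):
    """Triage a batch of alerts, dropping those for paths this list does not cover."""
    return [r for r in (triage(a) for a in alerts) if r is not None]


# ---- constructed sample alerts (not real Wazuh output) ----
def make_alert(path, event, diff=""):
    return {"syscheck": {"path": path, "event": event, "diff": diff}}


SAMPLE_ALERTS = [
    make_alert("/etc/resolv.conf", "modified", "2a3\n> nameserver 203.0.113.53\n"),
    make_alert("/home/deploy/.ssh/authorized_keys", "modified",
               "1a2\n> ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly0000000000 ops@jumphost\n"),
    make_alert("/etc/sudoers", "modified", "10a11\n> deploy ALL=(ALL) NOPASSWD: ALL\n"),
    make_alert("/etc/hosts", "modified", "3a4\n> 203.0.113.10 login.example.com\n"),
    make_alert("/var/log/syslog", "modified"),                # not a watched path
]

if __name__ == "__main__":
    for result in run(SAMPLE_ALERTS):
        print(result["alert"], result["path"], result["findings"])
```

Only additions are inspected because the mitigations above are about what was introduced; a removed line in sudoers or authorized_keys is still worth a look, and can be pulled from the same diff by collecting lines that start with "< ".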

Wazuh - Windows Firewall Exception Rule Modified

This rule triggers when a Windows Firewall rule is added, modified or deleted on the local host (Security events 4946, 4947 and 4948 when the MPSSVC Rule-Level Policy Change subcategory is audited).

Impact: Increased exposure: unauthorized modification or deletion of firewall rules creates security gaps that expose the host and network to threats and unauthorized access. Disrupted connectivity: incorrect or deleted rules can break services or block legitimate users trying to reach network resources. Compliance risk: changes to firewall rules may violate compliance requirements, leading to audit failures and regulatory penalties.

Mitigation: Verify the firewall rule change against an approved change and promptly revert it if it is unauthorized.

MITRE Tactic : TA0005 MITRE Technique: T1562

Wazuh - Windows A User Account was Deleted

This alert detects deletion of a user account (Windows Security event 4726).

Impact: Deleting a user account disrupts access to the resources, applications and data associated with that account, affecting day-to-day operations. An adversary may delete an account to cause harm or to remove evidence of the account they used.

Mitigation: Implement a robust process for user account creation, maintenance and deletion, adhering to established policies and procedures, and confirm that each deletion corresponds to an approved request.

MITRE Tactic : TA0005 MITRE Technique: T1070

Wazuh - Windows Audit Policy Changed

This alert indicates that the system's audit policy was modified (Windows Security event 4719). In the change description, "+" indicates that auditing was enabled and "-" that it was disabled.

Impact: Changes to Windows audit policy have significant security implications. If audit settings are modified by an unauthorized user or by malware, crucial security event logging can be suppressed or manipulated, letting activity evade detection and hindering the ability to monitor and investigate security incidents. Unauthorized changes undermine the integrity and availability of security logs, making it difficult to track and respond to security events.

Mitigation: Every modification to the audit policy must be validated against an approved change; restore the expected policy if it was not.

MITRE Tactic : TA0005 MITRE Technique: T1562

Wazuh - Windows Bruteforce Attack Detected

Detects multiple login failures against one account in a short span of time.

Impact: Many failed login attempts in a short time frame may indicate a brute-force attack against the affected account.

Mitigation: Review the connecting IP addresses, check whether they have been seen before for this user, and verify with the user that the attempts are legitimate. If they are not, block access for the account and investigate further.

MITRE Tactic: TA0006 MITRE Technique: T1110

Wazuh - Windows Multiple Login Failures for Admin Account

Detects multiple login failures against an administrative account in a short span of time; the threshold for such accounts should be stricter than for ordinary users.

Impact: Many failed login attempts in a short time frame may indicate a brute-force attack against the administrative account.

Mitigation: Review the connecting IP addresses, check whether they have been seen before for this account, and verify with the administrator that the attempts are legitimate. If they are not, block access for the account and investigate further.

MITRE Tactic: TA0006 MITRE Technique: T1110

Documentation

Learn more about Coralogix's out-of-the-box integration with Wazuh FIM in our documentation.
