Wazuh Training Course Syllabus
Course Syllabus
Overview
This four-day training course is designed for security engineers and consultants responsible for implementing,
configuring and operating a Wazuh HIDS/SIEM system. It covers all the main components of Wazuh, and how to
get the most out of them. Special focus is given to the tuning of the Wazuh ruleset through the creation of
custom rules and decoders. You will get direct experience with many of the Wazuh features, and learn many
ways to bring these features together synergistically for advanced purposes.
This course consists of lectures and hands-on exercises performed in a virtual lab environment provided to you
by our team. The exercises teach you to perform configuration and operational tasks by following along with
procedures laid out in provided lab guides, to exercise the features in focus throughout the training.
Throughout the duration of the course, you will have unrestricted access to your lab environment which will
continue to be available for additional practice for 24 hours after the class ends. Comprehensive course
materials containing theory and practical exercises will be provided during the course. Copies of the slide decks
will also be provided at the end of the training.
Table of Contents
Day 1
Introduction to Wazuh
Architecture and secure communication
Deployment and agent registration methods
Wazuh dashboard
Agent push upgrades
Wazuh configuration
Day 2
Log Analysis
Wazuh Indexer and dashboard
Wazuh ruleset
Decoders and Rules
CDB lists
Wazuh Ruleset Traversal
Indexer advanced pipeline configuration
Day 3
File Integrity Monitoring
Agent Inventory Collection and Vulnerability Detection
Rootkit Detection
Wazuh Integration System
Active response
Security Configuration Assessment
Day 4
MITRE ATT&CK techniques
Docker integration
Tour of Amazon CloudTrail integration
Osquery integration
Sysmon integration
Touring the Wazuh Manager Cluster
Introduction to Wazuh
The course introduction provides students with a general overview. You will learn what Wazuh is and why
companies use this tool. You will learn about Wazuh’s principal capabilities and get a little bit of background
on the project itself.
● List and describe the basic Wazuh components on both the manager and agent sides.
● Understand how the data flows.
● Describe Wazuh communication between components, including encryption and authentication.
● Install Wazuh via packages (Windows MSI, plus the yum and apt repositories).
This module also describes different ways to register agents, such as:
● Self-enrollment.
● Deployment variables during package installation.
● The agent-auth CLI tool.
Considerations for mass deployment and auto-registration of agents will also be addressed, as well as for
upgrading agents.
Wazuh dashboard
This module provides an initial introduction to the Wazuh dashboard. Upon completing this module you will
meet these objectives:
● Briefly tour the app in preparation for heavy use of the app during the rest of the training.
Wazuh configuration
This module describes basic Wazuh configuration and shows how to push the configuration from manager
to manager and from managers to agents. Upon completing this module you will meet these objectives:
● Identify the files where the configuration occurs, like ossec.conf and agent.conf, as well as which
files and configuration categories can be centrally distributed vs individually maintained on a
manager or agent.
● Know how to make configuration changes via the web app or command line.
● Understand the basic categories of configuration settings for managers and agents.
● Understand how configurations are propagated between managers and from managers to agents.
● Know how to use agent groups and profiles to organize the propagation of the right configuration
elements to the right agents, even when huge numbers of agents are involved.
Day 2
Log Analysis
This module describes the log analysis component and how log messages flow from agents to the manager.
Upon completing this module you will meet these objectives:
Wazuh ruleset
This module describes the Wazuh ruleset. It includes these topics:
● Deep exploration of the Wazuh rule hierarchy and the flow of event analysis through the ruleset
CDB lists
This module includes the following topics:
● Deep-dive into how the analysis engine hierarchically traverses through the ruleset while analyzing
an event
● Understanding this well is critical to successfully deploying custom escalation and
whitelisting rules that tune the Wazuh ruleset to do what you need in your specific environment.
● Deploy an advanced ingest node pipeline and observe it at work in your live alert stream.
Day 3
● Set up rich FIM monitoring on an agent and make changes, observing the resulting FIM alerts.
This module describes the syscollector and vulnerability-detection features in Wazuh, addressing:
● How Wazuh agents can regularly collect and report inventory items to their manager
● How the inventory of installed software packages and their version levels can be automatically
cross-referenced with public vulnerability databases to proactively alert about agents running
vulnerable software.
● Where collected inventory data can be reviewed in the Wazuh Dashboard
● Querying of inventory data via the Wazuh API
● Install an intentionally outdated and vulnerable version of a software package and observe Wazuh's
alert about it
● Explore the Wazuh Dashboard and the Wazuh API's ability to mine agent inventory data
Rootkit Detection
This module describes how the rootcheck component can be used to detect rootkits and malware, as well as
application errors. Upon completing this module you will meet these objectives:
● Understand how Wazuh detects both user mode and kernel mode rootkits
● Understand how FIM helps with rootkit detection
● Generate alerts when there is a discrepancy in information regarding a file, process, port or network
interface
● Install a rootkit on an agent that cloaks a process, and observe Wazuh detect and alert on it.
Active response
This module describes how to configure Wazuh to trigger actions in response to certain alerts in order to
automate remediation of security violations and threats. Upon completing this module you will meet these
objectives:
● Configure automatic firewall blocking in response to SSH brute-force attacks and observe that it works by
brute-force attacking your own lab agent.
Day 4
Note that the many different integrations listed under day 4 are too numerous to address in a single day.
Class participants will be polled during the training as to which integrations would be most relevant to their
intended/desired use cases for Wazuh, and based on the findings, the best fit of topics for day 4 will be
determined.
Docker integration
This module describes how Wazuh can monitor Docker servers and container events.
● Install Docker on an agent system. Enable the docker-listener Wazuh agent module and observe
how a subsequent series of container-related actions generates Wazuh alerts.
Osquery integration
This module describes how Wazuh agents can use Osquery as a subagent for deeper audit insight. Wazuh
enables management of Osquery agents, distribution of Osquery configs, scheduled execution of queries,
and routing of the results to the manager.
● Set up an Osquery scenario to track the appearance of new Chrome extensions on Windows
systems, and another one to track the appearance and disappearance of Linux user accounts.
Simulate those events and observe Wazuh alerting about them.
Sysmon integration
This module shows how Windows Sysinternals Sysmon can be used with Wazuh for deeper monitoring of
system activity. Wazuh can be used to manage Sysmon on agents.
● Deploy Sysmon on the Windows agent system fully integrated with Wazuh and use it to detect the
execution of a malicious command pattern.