{"id":443,"date":"2022-11-01T00:53:32","date_gmt":"2022-11-01T10:53:32","guid":{"rendered":"https:\/\/wroberts.me\/?p=443"},"modified":"2022-12-08T09:05:15","modified_gmt":"2022-12-08T19:05:15","slug":"wazuh-siem-setup-in-proxmox-for-homelab","status":"publish","type":"post","link":"https:\/\/wroberts.me\/?p=443","title":{"rendered":"Wazuh SIEM Setup in Proxmox"},"content":{"rendered":"<div class=\"pps-series-post-details pps-series-post-details-variant-classic pps-series-post-details-865\" data-series-id=\"14\"><div class=\"pps-series-meta-content\"><div class=\"pps-series-meta-text\">This entry is part 6 of 6 in the series <a href=\"https:\/\/wroberts.me\/?series=cyber-defense-monitoring-homelab\">Cyber Defense Monitoring Homelab<\/a><\/div><\/div><\/div>\n<p id=\"bkmrk-wazuh-is-a-siem-%28sec\">Wazuh is a SIEM (Security Information and Event Management) system that can be used to centralize logs and other security related information from systems on our networks. Using this information, analysts can detect and respond to intrusions, attacks and other malicious activity.&nbsp; For this homelab, Wazuh will be used in conjunction with Suricata to monitor our networks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bkmrk-installation\"><span class=\"ez-toc-section\" id=\"Installation\"><\/span>Installation<span class=\"ez-toc-section-end\"><\/span><\/h2><div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/wroberts.me\/?p=443\/#Installation\" >Installation<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/wroberts.me\/?p=443\/#Container_Setup\" >Container Setup<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/wroberts.me\/?p=443\/#Update_System\" >Update System<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/wroberts.me\/?p=443\/#Install_Dependencies\" >Install Dependencies<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/wroberts.me\/?p=443\/#Run_Installation_Script\" >Run Installation Script<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/wroberts.me\/?p=443\/#Change_Admin_Password\" >Change Admin Password<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 
ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/wroberts.me\/?p=443\/#Configuring_Wazuh\" >Configuring Wazuh<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/wroberts.me\/?p=443\/#Initial_Setup\" >Initial Setup<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/wroberts.me\/?p=443\/#Configure_Firewall_Rules\" >Configure Firewall Rules<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/wroberts.me\/?p=443\/#Logging_In\" >Logging In<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/wroberts.me\/?p=443\/#Enable_Vulnerability_Detector\" >Enable Vulnerability Detector<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/wroberts.me\/?p=443\/#Create_Groups\" >Create Groups<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/wroberts.me\/?p=443\/#Deploy_Agents\" >Deploy Agents<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/wroberts.me\/?p=443\/#Windows_System_Agent\" >Windows System Agent<\/a><ul class='ez-toc-list-level-5' ><li class='ez-toc-heading-level-5'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/wroberts.me\/?p=443\/#Testing_Alerts\" >Testing Alerts<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/wroberts.me\/?p=443\/#Linux_Agent\" >Linux Agent<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" 
href=\"https:\/\/wroberts.me\/?p=443\/#Threat_Detection_and_Active_Response\" >Threat Detection and Active Response<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/wroberts.me\/?p=443\/#Detection\" >Detection<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/wroberts.me\/?p=443\/#Active_Response\" >Active Response<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/wroberts.me\/?p=443\/#Confirming_Threat_Mitigation\" >Confirming Threat Mitigation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/wroberts.me\/?p=443\/#Index_Management\" >Index Management<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/wroberts.me\/?p=443\/#Create_New_Policy\" >Create New Policy<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-23\" href=\"https:\/\/wroberts.me\/?p=443\/#Add_Delete_State\" >Add Delete State<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-24\" href=\"https:\/\/wroberts.me\/?p=443\/#Edit_Hot_State\" >Edit Hot State<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-25\" href=\"https:\/\/wroberts.me\/?p=443\/#Edit_Cold_State\" >Edit Cold State<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-26\" href=\"https:\/\/wroberts.me\/?p=443\/#Apply_Policy_to_Indices\" >Apply Policy to Indices<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-container-setup\"><span class=\"ez-toc-section\" id=\"Container_Setup\"><\/span>Container Setup<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-create-a-new-ubuntu-\">Create a new Ubuntu LXC.<\/p>\n\n\n\n<ul class=\"wp-block-list\" id=\"bkmrk-storage%3A-30-gb-cpu%3A-\">\n<li>Storage: 30 GB<\/li>\n\n\n\n<li>CPU: 2 Cores<\/li>\n\n\n\n<li>Memory: 4 GB<\/li>\n\n\n\n<li>Network: vmbr0 &#8211; Static IP: 10.80.80.60<\/li>\n\n\n\n<li>DNS: Host Settings<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-update-system\"><span class=\"ez-toc-section\" id=\"Update_System\"><\/span>Update System<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-start-the-machine-an\">Start the machine and update the system:<\/p>\n\n\n\n<pre id=\"bkmrk-apt-update-%26%26-apt-up\" class=\"wp-block-code\"><code>apt update &amp;&amp; apt upgrade -y<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-install-dependencies\"><span class=\"ez-toc-section\" id=\"Install_Dependencies\"><\/span>Install Dependencies<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-run-the-following-co\">Run the following commands to install the dependencies for Wazuh:<\/p>\n\n\n\n<pre id=\"bkmrk-apt-install-curl-dns\" class=\"wp-block-code\"><code>apt install curl dnsutils net-tools sudo gnupg -y<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-run-installation-scr\"><span class=\"ez-toc-section\" id=\"Run_Installation_Script\"><\/span>Run Installation Script<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-install-wazuh%3A\">Navigate to the \/tmp folder, then download and run the installation script.<\/p>\n\n\n\n<pre id=\"bkmrk-cd-%2Ftmp-curl--so-htt\" class=\"wp-block-code\"><code>cd \/tmp\ncurl -sO https:\/\/packages.wazuh.com\/4.3\/wazuh-install.sh\nbash .\/wazuh-install.sh -a<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-once-the-installatio\">Once the installation is finished, you&#8217;ll be shown the admin password for logging in to the dashboard, but we&#8217;re going to change that password before logging in. 
Alternatively, this password can be stored in a password manager instead of changing it.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"95\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-267.png\" alt=\"\" class=\"wp-image-444\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-267.png 886w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-267-300x32.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-267-768x82.png 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-change-admin-passwor\"><span class=\"ez-toc-section\" id=\"Change_Admin_Password\"><\/span>Change Admin Password<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-download-the-passwor\">Download the password change script:<\/p>\n\n\n\n<pre id=\"bkmrk-curl--so-wazuh-passw\" class=\"wp-block-code\"><code>curl -so wazuh-passwords-tool.sh https:\/\/packages.wazuh.com\/4.3\/wazuh-passwords-tool.sh<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-then-run-the-script-\">Then run the script with:<\/p>\n\n\n\n<pre id=\"bkmrk-bash-wazuh-passwords\" class=\"wp-block-code\"><code>bash wazuh-passwords-tool.sh -u admin -p &lt;newpassword&gt;<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-the-new-password-mus\">The new password must meet complexity requirements so the script will throw an error if they are not met. 
After the script finishes running, clear the bash history, since the new password was passed on the command line and would otherwise remain in it.<\/p>\n\n\n\n<pre id=\"bkmrk-history--c\" class=\"wp-block-code\"><code>history -c<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-then%2C-reboot-the-sys\">Then, reboot the system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bkmrk-configuring-wazuh\"><span class=\"ez-toc-section\" id=\"Configuring_Wazuh\"><\/span>Configuring Wazuh<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-initial-setup\"><span class=\"ez-toc-section\" id=\"Initial_Setup\"><\/span>Initial Setup<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-configure-firewall-r\"><span class=\"ez-toc-section\" id=\"Configure_Firewall_Rules\"><\/span>Configure Firewall Rules<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-make-sure-your-firew\">If your firewall rules block traffic between the network the Wazuh server sits on and the networks of the machines it monitors, make sure ports 1514 and 1515 are open.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"344\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-1024x344.png\" alt=\"\" class=\"wp-image-447\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-1024x344.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-300x101.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-768x258.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270.png 1188w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"344\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-1024x344.png\" alt=\"\" class=\"wp-image-448\" 
srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-1024x344.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-300x101.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270-768x258.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-270.png 1188w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-logging-in\"><span class=\"ez-toc-section\" id=\"Logging_In\"><\/span>Logging In<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-you%27ll-get-a-privacy\">You&#8217;ll get a privacy (certificate) error the first time you open the dashboard, because the browser does not yet trust its certificate.&nbsp; Hit &#8220;advanced&#8221; then proceed.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"958\" height=\"709\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-268.png\" alt=\"\" class=\"wp-image-445\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-268.png 958w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-268-300x222.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-268-768x568.png 768w\" sizes=\"auto, (max-width: 958px) 100vw, 958px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-log-in-with-%22admin%22-\">Log in with &#8220;admin&#8221; and the password set during installation (the new one, if you changed it).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"678\" height=\"531\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-269.png\" alt=\"\" class=\"wp-image-446\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-269.png 678w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-269-300x235.png 300w\" sizes=\"auto, (max-width: 678px) 100vw, 678px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" 
id=\"bkmrk-enable-vulnerability\"><span class=\"ez-toc-section\" id=\"Enable_Vulnerability_Detector\"><\/span>Enable Vulnerability Detector<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-https%3A%2F%2Fdocumentatio\"><\/h3>\n\n\n\n<p id=\"bkmrk-change-vulnerability\">The first thing we&#8217;re going to do is set up the vulnerability detector for the machines we&#8217;re monitoring. On the home screen, click on the arrow next to &#8220;Wazuh&#8221; near the top-left corner. Click &#8220;Management&#8221; then &#8220;Configuration.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"462\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-271.png\" alt=\"\" class=\"wp-image-449\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-271.png 858w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-271-300x162.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-271-768x414.png 768w\" sizes=\"auto, (max-width: 858px) 100vw, 858px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-on-the-next-page%2C-cl\">On the next page, click &#8220;Edit Configuration&#8221; in the top-right corner.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"84\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-272-1024x84.png\" alt=\"\" class=\"wp-image-450\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-272-1024x84.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-272-300x25.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-272-768x63.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-272-1536x126.png 1536w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-272.png 1884w\" sizes=\"auto, 
(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-scroll-down-until-yo\">Scroll down until you find the vulnerability detector line. Change it to yes.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"546\" height=\"101\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-273.png\" alt=\"\" class=\"wp-image-451\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-273.png 546w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-273-300x55.png 300w\" sizes=\"auto, (max-width: 546px) 100vw, 546px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-enable-detection-for\">Enable detection for Ubuntu and Debian systems as well since those systems are on our networks.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"534\" height=\"329\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-274.png\" alt=\"\" class=\"wp-image-452\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-274.png 534w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-274-300x185.png 300w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-make-sure-the-window\">Make sure the Windows OS vulnerabilities are enabled as well.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"570\" height=\"102\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-275.png\" alt=\"\" class=\"wp-image-453\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-275.png 570w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-275-300x54.png 300w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-make-sure-aggregatin\">Make sure aggregating vulnerabilities is 
enabled.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"536\" height=\"122\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-276.png\" alt=\"\" class=\"wp-image-454\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-276.png 536w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-276-300x68.png 300w\" sizes=\"auto, (max-width: 536px) 100vw, 536px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-after-that-is-done%2C-\">After that is done, click &#8220;Restart Manager&#8221; so the new configuration takes effect.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-create-groups\"><span class=\"ez-toc-section\" id=\"Create_Groups\"><\/span>Create Groups<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-open-the-wazuh-menu.\">Open the Wazuh menu. Click on &#8220;Management,&#8221; then &#8220;Groups.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"715\" height=\"410\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-277.png\" alt=\"\" class=\"wp-image-455\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-277.png 715w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-277-300x172.png 300w\" sizes=\"auto, (max-width: 715px) 100vw, 715px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-click-%22add-new-group\">Click &#8220;Add New Group&#8221; and save. 
I&#8217;m creating groups for the Active Directory network and the LAN where the Kali machine sits.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"998\" height=\"432\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278.png\" alt=\"\" class=\"wp-image-456\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278.png 998w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278-300x130.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278-768x332.png 768w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-deploy-agent\"><span class=\"ez-toc-section\" id=\"Deploy_Agents\"><\/span>Deploy Agents<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-windows-system\"><span class=\"ez-toc-section\" id=\"Windows_System_Agent\"><\/span>Windows System Agent<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-in-order-to-monitor-\">In order to monitor a system, an agent needs to be installed on it. We&#8217;ll start with a Windows system.&nbsp; For Windows, we&#8217;re going to install the GUI agent.<\/p>\n\n\n\n<p id=\"bkmrk-log-on-to-one-of-the\">Log on to one of the Windows VMs. Open the web browser and go to&nbsp;<a href=\"https:\/\/www.documentation.wazuh.com\">https:\/\/www.documentation.wazuh.com<\/a>. Then, click on installation guide. 
Scroll down to &#8220;Installing the Wazuh Agent&#8221; then click on the Windows icon.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"998\" height=\"432\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278.png\" alt=\"\" class=\"wp-image-457\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278.png 998w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278-300x130.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-278-768x332.png 768w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-download-the-install\">Download the installer.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"981\" height=\"335\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-279.png\" alt=\"\" class=\"wp-image-458\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-279.png 981w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-279-300x102.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-279-768x262.png 768w\" sizes=\"auto, (max-width: 981px) 100vw, 981px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-run-the-file.\">Run the file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"868\" height=\"65\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-280.png\" alt=\"\" class=\"wp-image-459\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-280.png 868w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-280-300x22.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-280-768x58.png 768w\" sizes=\"auto, (max-width: 868px) 100vw, 868px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-check-the-box-for-%22r\">Check the box for 
&#8220;Run Agent Configuration Interface.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"490\" height=\"376\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-281.png\" alt=\"\" class=\"wp-image-460\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-281.png 490w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-281-300x230.png 300w\" sizes=\"auto, (max-width: 490px) 100vw, 490px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-open-the-file-explor\">Open the file explorer. Go to C:\\Program Files (x86)\\ossec-agent and open the win32ui.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"792\" height=\"601\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-282.png\" alt=\"\" class=\"wp-image-461\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-282.png 792w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-282-300x228.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-282-768x583.png 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-enter-the-ip-address\">Enter the IP address of the Wazuh server and save. 
Then click &#8220;Manage&#8221; and &#8220;Start.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"316\" height=\"282\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-283.png\" alt=\"\" class=\"wp-image-462\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-283.png 316w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-283-300x268.png 300w\" sizes=\"auto, (max-width: 316px) 100vw, 316px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-you-can-view-the-log\">You can view the logs by clicking &#8220;View&#8221; then &#8220;View Logs.&#8221; Pin the agent to the taskbar for ease of access later.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"317\" height=\"286\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-284.png\" alt=\"\" class=\"wp-image-463\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-284.png 317w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-284-300x271.png 300w\" sizes=\"auto, (max-width: 317px) 100vw, 317px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"314\" height=\"151\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-285.png\" alt=\"\" class=\"wp-image-464\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-285.png 314w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-285-300x144.png 300w\" sizes=\"auto, (max-width: 314px) 100vw, 314px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-go-back-to-the-wazuh\">Go back to the Wazuh dashboard. You should see a 1 under total agents and active agents. 
Open the &#8220;Agents&#8221; menu and click &#8220;Agents.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"825\" height=\"164\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-286.png\" alt=\"\" class=\"wp-image-465\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-286.png 825w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-286-300x60.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-286-768x153.png 768w\" sizes=\"auto, (max-width: 825px) 100vw, 825px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1008\" height=\"490\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-287.png\" alt=\"\" class=\"wp-image-466\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-287.png 1008w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-287-300x146.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-287-768x373.png 768w\" sizes=\"auto, (max-width: 1008px) 100vw, 1008px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-we-can-see-our-domai\">We can see our Domain Controller is now connected.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"282\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-291-1024x282.png\" alt=\"\" class=\"wp-image-470\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-291-1024x282.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-291-300x82.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-291-768x211.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-291-1536x422.png 1536w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-291.png 
1906w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h5 class=\"wp-block-heading\" id=\"bkmrk-%C2%A0-0\"><span class=\"ez-toc-section\" id=\"Testing_Alerts\"><\/span>Testing Alerts<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p id=\"bkmrk-let%27s-test-a-situati\">Let&#8217;s test a situation where someone is trying to log in to the admin account of the domain controller with random passwords. We want to see if Wazuh picks up the failed login attempts.<\/p>\n\n\n\n<p id=\"bkmrk-go-back-to-the-windo\">Go back to the Windows server. Log out and try to log in with an incorrect password a few times.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1017\" height=\"772\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-295.png\" alt=\"\" class=\"wp-image-474\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-295.png 1017w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-295-300x228.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-295-768x583.png 768w\" sizes=\"auto, (max-width: 1017px) 100vw, 1017px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-then%2C-go-back-to-the\">Then, go back to the Wazuh dashboard and click on the name of the Windows machine in the Agents list.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"313\" height=\"218\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-288.png\" alt=\"\" class=\"wp-image-467\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-288.png 313w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-288-300x209.png 300w\" sizes=\"auto, (max-width: 313px) 100vw, 313px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-from-the-menu%2C-selec\">From the menu, select &#8220;Security Events.&#8221;<\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"226\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-289.png\" alt=\"\" class=\"wp-image-468\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-289.png 576w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-289-300x118.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-scroll-down-and-you-\">Scroll down and you should see the failed login attempts. Of course, password policies can be put in place to make brute-forcing passwords harder, but this is just for demonstration.<\/p>\n\n\n\n<p id=\"bkmrk-next%2C-we%27ll-deploy-a\">Next, we&#8217;ll deploy an agent on a Linux system.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"458\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-290-1024x458.png\" alt=\"\" class=\"wp-image-469\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-290-1024x458.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-290-300x134.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-290-768x343.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-290.png 1264w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-linux-agent\"><span class=\"ez-toc-section\" id=\"Linux_Agent\"><\/span>Linux Agent<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-on-the-home-screen%2C-\">Go back to the Agents menu.&nbsp; Click on &#8220;Deploy New Agent.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"217\" height=\"70\" 
src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-292.png\" alt=\"\" class=\"wp-image-471\"\/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-%C2%A0-1\">Choose the appropriate operating system. We&#8217;re going to deploy the agent to the Suricata server, so it&#8217;ll be Debian\/Ubuntu. The architecture will be x86_64 (64-bit). The server address will be the Wazuh server address.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"978\" height=\"713\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-293.png\" alt=\"\" class=\"wp-image-472\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-293.png 978w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-293-300x219.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-293-768x560.png 768w\" sizes=\"auto, (max-width: 978px) 100vw, 978px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-copy-the-commands-an\">Copy the commands and run them in the target machine.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"44\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-294-1024x44.png\" alt=\"\" class=\"wp-image-473\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-294-1024x44.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-294-300x13.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-294-768x33.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-294.png 1476w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"970\" height=\"39\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296.png\" alt=\"\" class=\"wp-image-476\" 
srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296.png 970w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296-300x12.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296-768x31.png 768w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-back-in-the-wazuh-da\">Back in the Wazuh dashboard, refresh the agents list and you should see the machine added to the list.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"970\" height=\"39\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296.png\" alt=\"\" class=\"wp-image-475\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296.png 970w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296-300x12.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-296-768x31.png 768w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"bkmrk-threat-detection-and\"><span class=\"ez-toc-section\" id=\"Threat_Detection_and_Active_Response\"><\/span>Threat Detection and Active Response<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-detection\"><span class=\"ez-toc-section\" id=\"Detection\"><\/span>Detection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-i%27m-going-to-attempt\">I&#8217;m going to attempt to ssh into the Suricata server with an incorrect username and password.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"399\" height=\"98\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-297.png\" alt=\"\" class=\"wp-image-477\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-297.png 399w, 
https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-297-300x74.png 300w\" sizes=\"auto, (max-width: 399px) 100vw, 399px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-in-the-wazuh-dashboa\">In the Wazuh dashboard, under the security events for the Suricata server, the event is recorded.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"89\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-298-1024x89.png\" alt=\"\" class=\"wp-image-478\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-298-1024x89.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-298-300x26.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-298-768x67.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-298.png 1233w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-click-on-the-alert-t\">Click on the alert to expand the menu. 
Click on &#8220;JSON&#8221; to see more information such as the source IP and the username attempted.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"621\" height=\"264\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-299.png\" alt=\"\" class=\"wp-image-479\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-299.png 621w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-299-300x128.png 300w\" sizes=\"auto, (max-width: 621px) 100vw, 621px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-active-response\"><span class=\"ez-toc-section\" id=\"Active_Response\"><\/span>Active Response<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-next%2C-we%27re-going-to\">Next, we&#8217;re going to have Wazuh respond to this sort of attack by dropping the packets.<\/p>\n\n\n\n<p id=\"bkmrk-make-note-of-the-rul\">Make note of the rule ID for this alert, which is 5710 in this case.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"129\" height=\"102\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-300.png\" alt=\"\" class=\"wp-image-480\"\/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-from-the-menu-in-the\">From the menu in the top-left, go to &#8220;Management&#8221; then &#8220;Configuration.&#8221; 
Then click &#8220;Edit Configuration.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"688\" height=\"439\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-302.png\" alt=\"\" class=\"wp-image-482\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-302.png 688w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-302-300x191.png 300w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-scroll-down-to-the-%22\">Scroll down to the &#8220;Active-Response&#8221; section of the XML.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"866\" height=\"142\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-301.png\" alt=\"\" class=\"wp-image-481\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-301.png 866w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-301-300x49.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-301-768x126.png 768w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-scroll-to-the-bottom\">Scroll to the bottom of this section and add the following lines:<\/p>\n\n\n\n<pre id=\"bkmrk-%3Cactive-response%3E-%3Cc\" class=\"wp-block-code\"><code>  &lt;active-response&gt;\n    &lt;command&gt;firewall-drop&lt;\/command&gt;\n    &lt;location&gt;localhost&lt;\/location&gt;\n    &lt;rules_id&gt;5710&lt;\/rules_id&gt;\n    &lt;timeout&gt;1000&lt;\/timeout&gt;\n  &lt;\/active-response&gt;<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-when-done%2C-the-xml-s\">When done, the XML should look like this:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"449\" height=\"303\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-303.png\" 
alt=\"\" class=\"wp-image-483\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-303.png 449w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-303-300x202.png 300w\" sizes=\"auto, (max-width: 449px) 100vw, 449px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-then-save-the-config\">Then save the configuration and restart the manager. Because the alert above was raised by a single failed SSH login attempt, test this from a host you can afford to lose access to for the length of the timeout; a mistyped password from your own workstation will get its packets dropped as well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-confirming-threat-mi\"><span class=\"ez-toc-section\" id=\"Confirming_Threat_Mitigation\"><\/span>Confirming Threat Mitigation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-attempt-to-ssh-into-\">Attempt to ssh into the Suricata server again. After entering the password, the terminal should hang for a while. Then, the connection should time out. This indicates the packets were dropped altogether by Wazuh.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"781\" height=\"60\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-304.png\" alt=\"\" class=\"wp-image-484\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-304.png 781w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-304-300x23.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-304-768x59.png 768w\" sizes=\"auto, (max-width: 781px) 100vw, 781px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk--40\"><span class=\"ez-toc-section\" id=\"Index_Management\"><\/span>Index Management<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-the-final-step-for-c\">The final step for configuring Wazuh is index management. 
Without an index policy, Wazuh indices will continue to fill up disk space and eventually cause performance issues.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-create-new-policy\"><span class=\"ez-toc-section\" id=\"Create_New_Policy\"><\/span>Create New Policy<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"315\" height=\"885\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-306.png\" alt=\"\" class=\"wp-image-487\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-306.png 315w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-306-107x300.png 107w\" sizes=\"auto, (max-width: 315px) 100vw, 315px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"335\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-305.png\" alt=\"\" class=\"wp-image-485\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-305.png 602w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-305-300x167.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"335\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-305.png\" alt=\"\" class=\"wp-image-486\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-305.png 602w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-305-300x167.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1003\" height=\"487\" 
src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-307.png\" alt=\"\" class=\"wp-image-488\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-307.png 1003w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-307-300x146.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-307-768x373.png 768w\" sizes=\"auto, (max-width: 1003px) 100vw, 1003px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-add-delete-state\"><span class=\"ez-toc-section\" id=\"Add_Delete_State\"><\/span>Add Delete State<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-scroll-to-the-bottom-0\">Scroll to the bottom of the screen and click &#8220;Add State.&#8221; Click &#8220;Add Action&#8221; and choose &#8220;Delete&#8221; from the drop down menu. Then click &#8220;Add Action.&#8221; Then &#8220;Save State.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"460\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-308-1024x460.png\" alt=\"\" class=\"wp-image-489\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-308-1024x460.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-308-300x135.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-308-768x345.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-308-1536x690.png 1536w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-308.png 1894w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"609\" height=\"873\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-309.png\" alt=\"\" class=\"wp-image-490\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-309.png 609w, 
https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-309-209x300.png 209w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-edit-hot-state\"><span class=\"ez-toc-section\" id=\"Edit_Hot_State\"><\/span>Edit Hot State<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-expand-the-hot-state\">Expand the hot state menu, then click &#8220;Edit.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"326\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-310-1024x326.png\" alt=\"\" class=\"wp-image-491\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-310-1024x326.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-310-300x96.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-310-768x245.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-310-1536x489.png 1536w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-310.png 1799w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-click-the-pencil-und\">Click the pencil under &#8220;Actions&#8221; to edit the number of replicas. Change it to 1. 
Then click &#8220;Edit Action.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"605\" height=\"863\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-311.png\" alt=\"\" class=\"wp-image-492\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-311.png 605w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-311-210x300.png 210w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-then-under-transitio\">Then under transitions, edit the minimum index age to how long you want to keep the files before they are sent to the cold state. I went with 14 days. Click &#8220;Edit Action&#8221; then &#8220;Update State.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"603\" height=\"871\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-312.png\" alt=\"\" class=\"wp-image-493\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-312.png 603w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-312-208x300.png 208w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"574\" height=\"850\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-314.png\" alt=\"\" class=\"wp-image-495\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-314.png 574w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-314-203x300.png 203w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-edit-cold-state\"><span class=\"ez-toc-section\" id=\"Edit_Cold_State\"><\/span>Edit Cold State<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p 
id=\"bkmrk-finally%2C-edit-the-co\">Finally, edit the cold state by first deleting the replicas action. Then, add the &#8220;Read-Only&#8221; action and click &#8220;Edit Action.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"609\" height=\"862\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-313.png\" alt=\"\" class=\"wp-image-494\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-313.png 609w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-313-212x300.png 212w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"606\" height=\"868\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-315.png\" alt=\"\" class=\"wp-image-496\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-315.png 606w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-315-209x300.png 209w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-click-%22add-transitio\">Click &#8220;Add Transition&#8221; and change the minimum index age to a lower number of days if desired. 
Click &#8220;Update State.&#8221; Afterwards, click &#8220;Create&#8221; in the bottom right-hand corner.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"611\" height=\"873\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-316.png\" alt=\"\" class=\"wp-image-497\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-316.png 611w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-316-210x300.png 210w\" sizes=\"auto, (max-width: 611px) 100vw, 611px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-apply-policy-to-indi\"><span class=\"ez-toc-section\" id=\"Apply_Policy_to_Indices\"><\/span>Apply Policy to Indices<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-before-the-policy-ca\">Before the policy can take effect, it first has to be applied to the indices. Go back to the &#8220;Index Management&#8221; menu and click &#8220;Indices.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"165\" height=\"243\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-317.png\" alt=\"\" class=\"wp-image-498\"\/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-check-the-boxes-of-t\">Check the boxes of the indices you want the policy management to apply to, then click &#8220;Apply Policy.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"418\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-318-1024x418.png\" alt=\"\" class=\"wp-image-499\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-318-1024x418.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-318-300x122.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-318-768x313.png 768w, 
https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-318-1536x627.png 1536w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-318.png 1716w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-that-it-for-this-set\">That&#8217;s it for this setup. You now have a SIEM to monitor your network. In a future post, we&#8217;ll set up the Suricata server to forward its logs to Wazuh so those alerts can be viewed in Wazuh as well.<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"pps-series-post-details pps-series-post-details-variant-classic pps-series-post-details-865 pps-series-meta-excerpt\" data-series-id=\"14\"><div class=\"pps-series-meta-content\"><div class=\"pps-series-meta-text\">This entry is part 6 of 6 in the series <a href=\"https:\/\/wroberts.me\/?series=cyber-defense-monitoring-homelab\">Cyber Defense Monitoring Homelab<\/a><\/div><\/div><\/div><p>Wazuh is a SIEM (Security Information and Event Management) system that can be used to centralize logs and other security related information from systems on our networks. 
Using this information, analysts can detect and respond to intrusions, attacks and other malicious activity.&nbsp; For this homelab, Wazuh will be used in conjunction with Suricata to monitor &#8230; <a href=\"https:\/\/wroberts.me\/?p=443\" class=\"more-link\">Read More<span class=\"screen-reader-text\"> &#8220;Wazuh SIEM Setup in Proxmox&#8221;<\/span> &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":505,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,13],"tags":[],"series":[14],"class_list":["post-443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-home-lab","category-security","series-cyber-defense-monitoring-homelab"],"_links":{"self":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts\/443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=443"}],"version-history":[{"count":8,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts\/443\/revisions"}],"predecessor-version":[{"id":840,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts\/443\/revisions\/840"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/media\/505"}],"wp:attachment":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2
Fwp%2Fv2%2Ftags&post=443"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fseries&post=443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}