Mreeve elastalert 2 (#483)

* add wazuh documentation

* Update wazuh-configuration.md

* Update wazuh-configuration.md

* add agent management documentation

* update wazuh

* wazuh active reponse doc

* Update elastic-agent-mangement.md

* sysmon install and auditd install

* update

* Remove memory limitations in kibana/elasticsearch quadlets

* adding starting dashboards docs + scripting

* adding starting dashboards docs + scripting

* Fixing passwords in init-setup

* Uploading first setup of post-install.yml

* Removing old dashboard

* Uplloading updated documentation

* Remove optional passowrd setting and add in small changes

* Updating post_install to include wazuh reset and readonly_user creation

* Adding notes on manual passwords:
- leaving notes on this, but stating its unsupported

* starting to integrate notes

* Update install-auditd.md to include script

* update faq and troubleshooting

* formatting agent section

* Push documentation changes:

- remove old irrelevant TOC links to rest of docs
- setup agent/tool docs
- fix up missing pieces
- add docs for certificates.md,upgrading,faq,troubleshooting

* Adding elastalert2

* Adding elastalert container

* Adding elastalert2 config

* add health checks for fleet server

* add health checks to wazuh

* Updating diagram, and readme wtih some clarifying changes

* Move faq back to its original spot

* refactored dashboards, adding divines dashboards

* Adding in powershell script from grant + updated Readme

* ADd back fleet with healthcheck

* Add Wazuh with health check

* Add support for backups

* Remove todo under backups

* adjust dashboard names

---------

Co-authored-by: awarz <[email protected]>
Co-authored-by: Andrew Arz <[email protected]>
Co-authored-by: Connor Aubry <[email protected]>
Co-authored-by: Diabe <[email protected]>

ansible/post_install_local.yml

@@ -449,7 +449,6 @@
       when: debug_mode | bool
     #SETUP
 
-
     - name: Copy dashboards files /opt/lme/dashboards
       copy:
         src: "{{ clone_directory }}/dashboards/"
@@ -718,6 +717,7 @@
           - "wazuh_api password is set: {{ wazuh_api_password | length > 0 }}"
       when: debug_mode | bool
     #SETUP
+    #
     - name: expand path
       set_fact:
         clone_directory: "{{clone_directory | expanduser }}"

config/containers.txt

@@ -3,3 +3,4 @@ docker.elastic.co/elasticsearch/elasticsearch:8.12.2
 docker.elastic.co/beats/elastic-agent:8.12.2
 docker.elastic.co/kibana/kibana:8.12.2
 docker.io/wazuh/wazuh-manager:4.7.5
+docker.io/jertel/elastalert2:2.20.0

config/elastalert2/config.yaml

@@ -0,0 +1,18 @@
+run_every:
+  minutes: 1
+
+buffer_time:
+  minutes: 15
+
+writeback_index: elastalert_status
+
+alert_time_limit:
+  days: 2
+
+es_host: lme-elasticsearch
+es_port: 9200
+use_ssl: true
+verify_certs: false
+
+#exists in the container
+rules_folder: /opt/elastalert/rules

config/elastalert2/rules/windows_event_logs_cleared.yaml

@@ -0,0 +1,53 @@
+name: Windows Event Logs Cleared
+
+# Type of rule
+type: any
+
+# Index pattern to search
+index: logs-*
+
+# Elasticsearch query in DSL format
+filter:
+  - query:
+      bool:
+        must:
+          - terms:
+              event.action: ["audit-log-cleared", "Log clear"]
+          - term:
+              winlog.api: "wineventlog"
+        must_not:
+          - term:
+              winlog.provider_name: "AD FS Auditing"
+
+# Alert when conditions are met
+alert:
+  - "slack"
+
+# Slack alert details
+slack_webhook_url: "https://hooks.slack.com/services/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"
+slack_username_override: "Windows Security Alert"
+slack_msg_color: "danger"
+slack_emoji_override: ":rotating_light:"
+
+# Alert message format
+alert_text: |
+  Windows Event Logs Cleared Detected!
+  Host: {0}
+  Event Action: {1}
+  Winlog Provider Name: {2}
+  Timestamp: {3}
+alert_text_args:
+  - host.name
+  - event.action
+  - winlog.provider_name
+  - "@timestamp"
+
+# Alert text only, without additional metadata
+alert_text_type: alert_text_only
+
+# Frequency for querying Elasticsearch
+realert:
+  minutes: 5
+
+# Optional timestamp field to use for events
+timestamp_field: "@timestamp"

config/elasticsearch.yml

@@ -0,0 +1,7 @@
+cluster.name: "docker-cluster"
+network.host: 0.0.0.0
+path:
+  repo:
+    - /usr/share/elasticsearch
+    - /usr/share/elasticsearch/backups
+

docs/markdown/agents/elastic-agent-mangement.md

@@ -0,0 +1,95 @@
+# LME Agent Enrollment Guide
+
+This guide will walk you through the process of enrolling an agent in the LME system.
+
+## Steps to Enroll an Agent
+
+1. **Access the Fleet Menu**
+   - Open the LME dashboard
+   - Scroll down and select "Fleet" from the menu
+
+2. **Add a New Agent**
+   - Click on the "Add agent" button
+
+3. **Select the Policy**
+   - Ensure you select the appropriate policy for the agent
+   - For example, choose "Endpoint Policy" if you're adding an endpoint device
+
+4. **Enrollment Settings**
+   - Keep the "Enroll in Fleet" option selected
+
+5. **Choose the Agent Type**
+   - Select the appropriate option based on your endpoint:
+     - Linux Tar
+     - Mac
+     - Windows (ensure you run this in a powershell prompt with administrator privileges)
+
+6. **Installation Command**
+   - You will be presented with an installation command for the selected platform
+   - Note: If you haven't added the LME certificates to your trusted store, you'll need to modify the command
+
+7. **Modify the Command (If necessary. You will need to do this if you haven't add certificates to the trusted store)**
+   - Add `--insecure` at the end of the `./elastic-agent install` command
+   - This is similar to clicking "continue to website" in a browser when you get a certificate warning
+   - Example:
+     ```
+     ./elastic-agent install [-other-flags-youll-see] --insecure
+     ```
+     
+   - it should look like this screenshot:
+![example-screenshot](/docs/imgs/insecure-powershell.png)
+
+8. **Execute the Command**
+   - Recommend running each line individually so you can see a clear picture of the status of each command ran. The entire process will download an agent, unzip it, and install it.
+
+From Fleet you should see the agent enrolled now.
+
+# LME Elastic Agent Integration Example
+
+This guide will walk you through the process of adding a Windows integration to an agent policy in the LME system.
+
+## Steps to Add Windows Integration
+
+1. **Access Fleet and Agent Policies**
+   - Open the LME dashboard
+   - Select "Fleet" from the menu
+   - Click on "Agent policies"
+
+2. **Select the Target Policy**
+   - Choose the policy you want to add the integration to
+   - For example, select "Endpoint Policy"
+
+3. **Add Integration**
+   - Click the "Add integration" button
+
+4. **Choose Windows Integration**
+   - From the list of available integrations, select "Windows"
+
+5. **Configure Windows Integration**
+   - Scroll down to review the options available
+   - You'll see various Windows logs and metrics that can be collected
+
+6. **Customize Log Collection**
+   - Review the options set to on or off
+   - These options provide more choices for collecting Windows logs
+   - Important note: If you have Sysmon installed on your endpoints, ensure "Sysmon Operational" is selected to collect Sysmon logs
+
+7. **Configure Metrics Collection**
+   - You can choose to collect various metrics from your Windows endpoints
+   - Review and enable the metrics you're interested in monitoring
+
+8. **Save and Deploy**
+   - After configuring your desired options, save the integration
+   - Deploy the changes to apply them to the agents using this policy
+
+## Important Considerations
+
+- **Sysmon Integration**: If you're using Sysmon for enhanced logging, make sure to enable the Sysmon Operational log collection
+- **Performance Impact**: Be mindful that collecting more logs and metrics may impact endpoint performance. Balance your monitoring needs with system resources
+- **Regulatory Compliance**: Consider any regulatory requirements you may have when selecting which logs and metrics to collect
+- **Storage Considerations**: More data collection means more storage usage. Ensure your LME system has adequate storage capacity
+- **Review Regularly**: Periodically review your integration settings to ensure they still meet your needs and adjust as necessary
+
+By following these steps, you can effectively add and configure the Windows integration to your chosen agent policy in the LME system, allowing for comprehensive logging of your Windows endpoints.
+
+Apply these same steps to future integrations such as Auditd for Linux.

docs/markdown/agents/wazuh-active-response.md

@@ -0,0 +1,67 @@
+# Example Setup for Wazuh Active Response
+
+This guide summarizes how to configure Wazuh's active response to defend against SSH brute-force attacks.
+
+## Overview
+
+Wazuh can automatically block IP addresses attempting SSH brute-force attacks using its active response module. This feature executes scripts on monitored endpoints when specific triggers occur.
+
+## Configuration Steps
+
+1. **Verify Default Script**:
+   - Check for `firewall-drop` script in `/var/ossec/active-response/bin/` on Linux/Unix systems.
+
+2. **Configure Command in wazuh_manager.conf**: Note this command (firewall-drop) already exists. But you can create custom scripts located in the active response/bin path and add new commands into the .conf file located at wazuh_manger.conf located at /opt/lme/config/wazuh_cluster/wazuh_manager.conf
+
+
+
+   ```xml
+   <command>
+     <name>firewall-drop</name>
+     <executable>firewall-drop</executable>
+     <timeout_allowed>yes</timeout_allowed>
+   </command>
+   ```
+
+3. **Set Up Active Response**: Looks for the section that says "active-reponse options here" in the .conf file. Copy and paste the entire configuration below that commented out line. You can continue to add more active reponse configs below that line.
+   ```xml
+   <active-response>
+     <command>firewall-drop</command>
+     <location>local</location>
+     <rules_id>5763</rules_id>
+     <timeout>180</timeout>
+   </active-response>
+   ```
+   - This configures a local response, triggering on rule 5763 (SSH brute-force detection), with a 180-second block.
+
+4. **Restart Wazuh Manager**:
+   ```bash
+   podman restart lme-wazuh-manager
+   ```
+
+## How It Works
+
+- When rule 5763 triggers (detecting SSH brute-force attempts), the `firewall-drop` script executes.
+- The script uses iptables to block the attacker's IP address for the specified timeout period.
+- Wazuh logs the action in `/var/ossec/logs/active-responses.log`.
+
+## Monitoring
+
+- Wazuh dashboard displays alerts when rule 5763 triggers and when an active response occurs.
+- The active response alert is typically associated with rule ID 651. These alerts will be displayed in Kibana in the wazuh alerts dashboard.
+
+## Testing
+
+1. Use a tool like Hydra to simulate a brute-force attack, or you can just attemp to SSH into the machine multiple times until it triggers. You will need 8 failed SSH attemps in order to trigger Brute Force. (This can be adjusted in the ruleset manually)
+2. Verify that the attacker's IP is blocked by attempting to ping the target machine.
+
+## Custom Responses
+
+- You can create custom scripts for different actions.
+- For custom scripts, ensure you create corresponding rules to analyze the generated logs.
+
+This setup provides an automated defense against SSH brute-force attacks, enhancing the security of your Linux/Unix systems monitored by Wazuh.
+
+See a list of Wazuh Rules that trigger here: [Wazuh Ruleset](https://github.com/wazuh/wazuh/tree/master/ruleset/rules)
+
+Consult Wazuh Documentation for more on active response configuration.