Security Monitoring with Wazuh

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781837632152
Pages: 322
Edition: 1st Edition
Author: Rajneesh Gupta

Table of Contents (15 chapters)

  • Preface
  • Part 1: Threat Detection
  • Chapter 1: Intrusion Detection System (IDS) Using Wazuh
  • Chapter 2: Malware Detection Using Wazuh
  • Part 2: Threat Intelligence, Automation, Incident Response, and Threat Hunting
  • Chapter 3: Threat Intelligence and Analysis
  • Chapter 4: Security Automation Using Shuffle
  • Chapter 5: Incident Response with Wazuh
  • Chapter 6: Threat Hunting with Wazuh
  • Part 3: Compliance Management
  • Chapter 7: Vulnerability Detection and Configuration Assessment
  • Chapter 8: Appendix
  • Chapter 9: Glossary
  • Index
  • Other Books You May Enjoy

Threat Hunting with Wazuh

Approximately 80% of threats can be mitigated with the assistance of tier 1 and 2 security operations center (SOC) analysts and automated security tools; the remaining 20% requires your attention. Threat hunting is an important proactive security method for finding threats and holes in security that are hard to spot with regular security measures. Threat hunting uses advanced analytics, threat intelligence, and human expertise to go beyond automated detection and actively seek, find, and fix any security holes or threats that might be hiding in an organization’s network. By being proactive, security teams can spot and stop complex threats before they happen. This reduces the time that attackers can stay on the network and stops possible breaches. In this chapter, we will learn how Wazuh can help security teams to proactively detect advanced threats. Wazuh offers an extensive overview of an organization’s security features by analyzing large amounts...

Proactive threat hunting with Wazuh

Organizations can use Wazuh for proactive threat hunting, a security practice that helps them find and report potential security threats before they escalate into significant ones. This can take the form, for example, of analyzing network traffic patterns to detect anomalous behavior that may indicate a potential cyber threat. By contrast, the main goal of reactive cybersecurity defenses is to react to threats once they are identified or after an incident has taken place. As an example, antivirus software detects and eradicates known malware, and firewalls block malicious traffic from entering the network based on rules predefined by the security team.

When you do proactive threat hunting, you look for possible risks or weaknesses in a network before any damage can be caused. Instead of waiting for alerts or known signatures, we can use Wazuh to conduct threat hunting by performing real-time log analysis across multiple platforms, correlating events...

Log data analysis for threat hunting

Log data analysis is a critical component of threat hunting. It involves inspecting and retrieving useful information from log files generated by various systems, applications, and devices. Traditional security methods may miss suspicious patterns or events, but threat hunters can detect them through constant monitoring and analysis of logs. Threat hunters examine log data in search of certain Indicators of Compromise (IOCs). These IOCs could be domain names, IP addresses, file hashes, or other identifiers linked to known security risks. The problem is that not all logs are the same. Depending on the source of the logs you want to gather, you may need to create a tailored Wazuh decoder. In this section, we will review the following:

  • Wazuh decoders
  • Building decoders
  • Log collection
  • Log data analysis

Wazuh decoders

A Wazuh decoder is a component that interprets and extracts useful information from raw log data. It collects...

MITRE ATT&CK mapping

We cannot begin threat hunting by assuming everyone in the world is after us. We need a targeted approach based on specific threat actors or threat campaigns. This is where both Wazuh and MITRE ATT&CK become helpful. Wazuh can collect logs and trigger alerts for anything its rules match, but for threat hunting, we need to focus on the threats that are relevant and high-priority for our business, and we need to map those to our Wazuh rules. The MITRE ATT&CK framework helps threat hunters focus on these kinds of threats, and Wazuh allows us to map each technique used by those threat actors to a Wazuh rule. As a result, threat hunters can hone their focus and save tremendous amounts of time. In this section, we will cover the following topics:

  • What is MITRE ATT&CK?
  • The ATT&CK framework
  • Prioritizing the adversary’s techniques
  • MITRE ATT&CK mapping

What is MITRE ATT&CK?

The MITRE ATT&CK framework was developed by the MITRE Corporation to provide a uniform taxonomy...
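The following is an added example (not from the book) tying together the decoder, IOC-matching and ATT&CK-mapping ideas from the last two sections. It assumes a hypothetical application that writes lines such as `myapp: user=alice src=203.0.113.45 result=failure` (constructed sample), a CDB list `etc/lists/ioc-ips` holding known-bad IP addresses, and custom rule IDs 100200/100201; the decoder goes in `local_decoder.xml` and the rules in `local_rules.xml` on the Wazuh manager.

```xml
<!-- Constructed sample line the decoder below is written for:
     myapp: user=alice src=203.0.113.45 result=failure -->

<!-- local_decoder.xml: the parent decoder selects the source by prefix,
     the child decoder extracts the fields that rules will match on -->
<decoder name="myapp-auth">
  <prematch>^myapp: </prematch>
</decoder>

<decoder name="myapp-auth-fields">
  <parent>myapp-auth</parent>
  <regex offset="after_prematch">^user=(\S+) src=(\S+) result=(\w+)</regex>
  <order>srcuser, srcip, status</order>
</decoder>

<!-- local_rules.xml: a low-level base rule on the decoder, and an escalation
     when the decoded srcip appears in the IOC list. etc/lists/ioc-ips is an
     assumed CDB list (one "ip:" line per indicator) that must also be declared
     under <ruleset><list> in the manager's ossec.conf before restarting -->
<group name="myapp,threat_hunting,">
  <rule id="100200" level="3">
    <decoded_as>myapp-auth</decoded_as>
    <description>myapp authentication event for user $(srcuser)</description>
  </rule>

  <rule id="100201" level="10">
    <if_sid>100200</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/ioc-ips</list>
    <description>myapp login attempt from IOC-listed source $(srcip)</description>
    <!-- ATT&CK mapping: Valid Accounts (T1078) -->
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>
```

Feed the sample line to `/var/ossec/bin/wazuh-logtest` on the manager to confirm the fields decode as `srcuser`, `srcip` and `status`, and that rule 100201 fires only when the source IP is present in the list.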

Threat hunting using Osquery

When it comes to threat hunting, we need in-depth visibility of endpoint activities and the ability to run queries to allow the threat hunter to retrieve IOCs, suspicious activities, and vulnerabilities in a given endpoint. Osquery is the ideal tool for this purpose. It helps threat hunters treat their entire IT infrastructure, including endpoints, as a structured database that can be queried using SQL-like commands. You can get real-time, detailed information about your systems with Osquery and keep an eye on them for signs of compromise. In this section, we will cover the following topics:

  • What is Osquery?
  • Installing Osquery
  • Integrating Osquery with Wazuh
  • Threat hunting with Osquery and Wazuh

What is Osquery?

Osquery is an open-source tool built by Facebook in 2014. It exposes the target operating system as a relational database and lets us query its tables with SQL queries containing things such as...

Command monitoring

The most effective way to collect information about an endpoint is to run specific commands on the given endpoint, such as netstat (for network connections on Windows), ps (to collect process information from Linux machines), and so on. This information plays a vital role in collecting IOCs and running a successful threat-hunting program. The good news is that Wazuh has a built-in feature to monitor the output of specific Windows/Linux commands and show that output as log content. In this section, we will learn the following:

  • How does command monitoring work?
  • Monitoring Linux commands
  • List of Linux commands for threat hunting and security investigations

How does command monitoring work?

Wazuh runs commands on the endpoints using the Command and Logcollector modules, and then sends the results to the Wazuh server for examination. The following steps describe the process of command monitoring.

Step 1 – configuration

The process...
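As an added example (not from the book) of the command-monitoring flow described above, the agent-side `localfile` block below makes the Logcollector module run a command on a Linux endpoint every 300 seconds and ship its output as a log event, and the manager-side rule alerts only when that output changes between runs. The alias `hunt-listening-ports` and rule ID 100300 are assumed; rule 530 is the stock Wazuh rule that matches `ossec: output:` events.

```xml
<!-- Agent side (ossec.conf on the Linux endpoint): full_command sends the whole
     output as one event, so a change in the set of listening sockets is visible
     as a diff. If this block is pushed via centralized agent.conf instead, the
     agent must have logcollector.remote_commands=1 in local_internal_options.conf -->
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tulpn | sed 1,2d | sort</command>
  <alias>hunt-listening-ports</alias>
  <frequency>300</frequency>
</localfile>

<!-- Manager side (local_rules.xml): check_diff suppresses the alert while the
     output is unchanged and fires when a listener appears or disappears -->
<group name="command_monitoring,threat_hunting,">
  <rule id="100300" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'hunt-listening-ports'</match>
    <check_diff/>
    <description>Set of listening ports changed on monitored endpoint</description>
  </rule>
</group>
```

The first run after an agent restart always produces one alert, because there is no previous output to compare against.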

Summary

This chapter covered important aspects of modern intelligence and threat-hunting tactics. It started with Wazuh’s contribution to proactive threat hunting, then moved on to the importance of analyzing log data, and finally looked at how MITRE ATT&CK mapping improves our understanding of threats. We learned how to use Osquery in Wazuh to effectively perform threat hunting and also learned how to use command monitoring in Wazuh to discover suspicious activities.

In the next chapter, we will learn about the Vulnerability Detection and SCA modules of the Wazuh platform. We will learn how to leverage these modules to meet regulatory compliance requirements including PCI DSS, NIST 800-53, and HIPAA.
