installation scripts

• Install Wazuh
• Install agent on powershell (replace ip addresses)
• Install agent on rhel (replace ip addresses)
• Install agent on debian (replace ip address)

General Notes

/etc/wazuh-dashboard/opensearch_dashboard.yml

opensearch.hosts: https://0.0.0.0:9200 to allow remote access to the search (indexer)

combine queries using [AND]

exclude events with specific properties using [NOT]

Can use parentheses and [OR] for combining queries

Queries

• jump winrm64 just shows normal winrm traffic
• hashdump doesn’t show anything
• sekurlsa::logonpasswords isn’t showing anything
• Find failed logon events