# Threat Monitoring with Security Information & Event Management (SIEM)

### Wazuh

* Free and open-source platform used for threat detection, prevention and response.
* Typically used to protect networks, virtualized environments, containers and cloud environments.
* It is a SIEM used to
  * Collect, aggregate, index and analyze security-related data
  * Detect intrusions, attacks, vulnerabilities and malicious activity from that data

***

### Wazuh Features

* Security Analysis
* Intrusion Detection
* Log Data Analysis
* File Integrity Monitoring
* Vulnerability Detection
* Incident Response
* Cloud Security
* Container Security
* Regulatory Compliance

***

### Wazuh Components

#### 1. Wazuh Agent

Cross-platform endpoint security agent installed on the system/host you would like to monitor.

NOTE: Wazuh can also cover network devices on which an agent can't be installed. This works by configuring those devices to forward their logs (for example via syslog) to the Wazuh server.

#### 2. Wazuh Server

Analyzes and processes the data received from agents and log forwarders, decodes it into fields, and matches it against rule sets to identify indicators of compromise (IOCs); each match produces an alert with a rule ID and a severity level.
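To make the decode-then-match step concrete, the following is an added example (not Wazuh's own code) of a minimal rule engine in Python that mirrors how the server handles sshd logs: regex decoders extract fields, atomic rules fire on a decoder match, and a composite rule fires when a parent rule matches `frequency` times within `timeframe` seconds from the same `srcip`. The log lines are constructed sample data, and the rule IDs are chosen to mirror Wazuh's stock sshd rules; treat the numbers as illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from a real host).
SAMPLE_LOGS = [
    "Jan 10 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 4410 ssh2",
    "Jan 10 10:00:09 host1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2",
    "Jan 10 10:00:15 host1 sshd[1204]: Failed password for bob from 198.51.100.7 port 5100 ssh2",
    "Jan 10 10:00:22 host1 sshd[1207]: Failed password for root from 203.0.113.5 port 4412 ssh2",
    "Jan 10 10:00:40 host1 sshd[1210]: Failed password for root from 203.0.113.5 port 4413 ssh2",
    "Jan 10 10:01:02 host1 sshd[1215]: Accepted publickey for alice from 192.0.2.10 port 5022 ssh2",
    "Jan 10 10:02:00 host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",  # noise, no decoder
]

# Decoders: name plus a regex whose named groups become event fields (hypothetical, modelled on Wazuh decoders).
DECODERS = [
    ("sshd-failed", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)")),
    ("sshd-success", re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<srcip>\S+)")),
]

# Rules: atomic rules key on a decoder; the composite rule keys on a parent rule via if_matched.
RULES = [
    {"id": 5716, "level": 5, "decoder": "sshd-failed", "description": "sshd: authentication failed."},
    {"id": 5715, "level": 3, "decoder": "sshd-success", "description": "sshd: authentication success."},
    {"id": 5712, "level": 10, "if_matched": 5716, "frequency": 4, "timeframe": 120, "same_field": "srcip",
     "description": "sshd: brute force trying to get access to the system."},
]


def parse_ts(line):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def decode(line):
    """Return (decoder_name, fields) for the first decoder that matches, else (None, {})."""
    for name, rx in DECODERS:
        m = rx.search(line)
        if m:
            return name, m.groupdict()
    return None, {}


def make_alert(rule, fields, line):
    return {"rule_id": rule["id"], "level": rule["level"], "description": rule["description"],
            "srcip": fields.get("srcip"), "user": fields.get("user"), "log": line}


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        # (composite rule id, value of same_field) -> sliding window of event timestamps
        self.history = defaultdict(deque)

    def process(self, line):
        alerts = []
        decoder, fields = decode(line)
        if decoder is None:
            return alerts  # undecoded lines never reach the rule set
        ts = parse_ts(line)
        parent = next((r for r in self.rules if r.get("decoder") == decoder), None)
        if parent is None:
            return alerts
        alerts.append(make_alert(parent, fields, line))
        # Composite (frequency) rules chained to the rule that just fired.
        for rule in self.rules:
            if rule.get("if_matched") != parent["id"]:
                continue
            window = self.history[(rule["id"], fields.get(rule["same_field"]))]
            window.append(ts)
            while window and ts - window[0] > timedelta(seconds=rule["timeframe"]):
                window.popleft()  # drop events older than the timeframe
            if len(window) >= rule["frequency"]:
                alerts.append(make_alert(rule, fields, line))
                window.clear()  # reset so the same burst is not alerted twice
        return alerts


def run(lines):
    """Feed log lines through the engine in order and return every alert produced."""
    engine = RuleEngine(RULES)
    alerts = []
    for line in lines:
        alerts.extend(engine.process(line))
    return alerts


def at_least_level(alerts, min_level):
    """Filter alerts the way a SIEM dashboard would when showing only high-severity events."""
    return [a for a in alerts if a["level"] >= min_level]


if __name__ == "__main__":
    for a in run(SAMPLE_LOGS):
        print(f"rule {a['rule_id']} level {a['level']} srcip={a['srcip']} user={a['user']}: {a['description']}")
```

Running it over the sample lines yields five level-5 authentication-failure alerts, one level-3 success alert, and a single level-10 brute-force alert raised on the fourth failure from 203.0.113.5; the CRON line is dropped at the decoder stage, which is also why a log source without a matching decoder produces no alerts at all.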

#### 3. Elastic Stack

Indexes and displays the alerts generated by the Wazuh server and provides the user with robust data visualization and analytics functionality.

**ELK Stack**

It is a combination of 3 open-source projects:

1. Elasticsearch: search and analytics engine
2. Logstash: server-side data processing pipeline
3. Kibana: lets the user visualize data with charts and graphs

***

### Wazuh Working

![Wazuh working diagram](https://1920086362-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDfv51K0WXLZdwTryHQZc%2Fuploads%2Fsr83G9fsmOOBj5gl3wYu%2Fimage.png?alt=media&token=8cb371ec-638e-4073-9b4a-44d11ad26eaa)
