Use cases

Monitoring the output of a command on an endpoint

In this example, we configure the agentless monitoring module to run a command on a monitored VMware ESXI 8.0.0 endpoint and detect changes in its output between runs.

Configuration

ThreatLockDown server

Perform the following steps on the ThreatLockDown server.

  1. Add the following block to the /var/ossec/etc/ossec.conf configuration file. This configuration runs a command to print the content of the /tmp/newfile.txt file every 2 minutes. It also detects the difference between the outputs each time the command is run. Replace user@example.net with the username and the hostname or IP address of your VMware ESXI endpoint.

    <agentless>
      <type>ssh_generic_diff</type>
      <frequency>200</frequency>
      <host>user@example.net</host>
      <state>periodic_diff</state>
      <arguments>cat /tmp/newfile.txt</arguments>
    </agentless>
    
  2. Restart the ThreatLockDown manager with the following command to apply the changes:

    systemctl restart wazuh-manager
    

Test the configuration

Perform the following steps on the monitored VMware ESXI endpoint.

  1. Create a file /tmp/newfile.txt:

    $ touch /tmp/newfile.txt
    
  2. Add the text "new addition" to the file and wait for 3 minutes:

    $ echo "new addition" > /tmp/newfile.txt
    

Visualize the alert

You can visualize the alert with any of these options:

  • Navigate to the Discover section and open the visualization created in the Visualization section.

  • Navigate to Threat Hunting on the ThreatLockDown dashboard. Search for agentless.host:* to view the alert generated.

Navigate to Threat Hunting

Expand the alert with rule.id:555 to view more information about the event. In the image below, under the full log, you can see the output of the command and the difference between the previous and current outputs from when the file was modified.

Expand the alert with rule.id:555
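To show what the periodic_diff state produces for the steps above, here is an added simulation (not the agentless module's own code) that keeps the last output seen for each host/command pair and reports a unified diff only when the output changes. The three sample outputs of cat /tmp/newfile.txt are constructed to match the test sequence (empty file, then "new addition", then unchanged).

```python
import difflib
from dataclasses import dataclass, field


@dataclass
class DiffMonitor:
    """Tracks the last output per (host, command) and reports changes.

    Assumption: the real module persists its baseline on the manager; this
    in-memory dict merely stands in for that store.
    """
    previous: dict = field(default_factory=dict)

    def check(self, host: str, command: str, output: str):
        key = (host, command)
        if key not in self.previous:
            # First run only records a baseline; there is nothing to diff yet.
            self.previous[key] = output
            return None
        old = self.previous[key]
        if old == output:
            return None  # no change, so no alert this cycle
        diff = list(difflib.unified_diff(
            old.splitlines(), output.splitlines(),
            fromfile="previous", tofile="current", lineterm=""))
        self.previous[key] = output
        return {"host": host, "command": command, "output": output, "diff": diff}


# Constructed sample: output of `cat /tmp/newfile.txt` across three cycles.
RUNS = ["", "new addition\n", "new addition\n"]


def simulate(host="user@example.net", command="cat /tmp/newfile.txt", runs=RUNS):
    """Return one result per cycle: None when nothing changed, else an alert dict."""
    monitor = DiffMonitor()
    return [monitor.check(host, command, out) for out in runs]


if __name__ == "__main__":
    for cycle, alert in enumerate(simulate(), start=1):
        if alert is None:
            print(f"cycle {cycle}: no change")
        else:
            print(f"cycle {cycle}: changed\n" + "\n".join(alert["diff"]))
```

Only the second cycle yields an alert, which is why the page's test waits for more than one frequency interval after writing the file.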

Monitor files and directories on an endpoint

In this example, we use the agentless monitoring capability to monitor changes to a specified file and directory on a monitored Linux endpoint.

Configuration

ThreatLockDown server

Perform the following steps on the ThreatLockDown server.

  1. Add the block below to the /var/ossec/etc/ossec.conf configuration file. This configuration checks the /tmp/file.conf file and the /special_dir directory for modifications every 2 minutes. Replace user@example.net with the username and the hostname or IP address of your Linux endpoint.

    <agentless>
      <type>ssh_integrity_check_linux</type>
      <frequency>120</frequency>
      <host>user@example.net</host>
      <state>periodic</state>
      <arguments>/tmp/file.conf /special_dir</arguments>
    </agentless>
    
  2. Restart the ThreatLockDown manager with the following command to apply the changes:

    systemctl restart wazuh-manager
    

Test the configuration

Perform the following steps on the monitored endpoint.

  1. Create a file /tmp/file.conf:

    $ touch /tmp/file.conf
    
  2. Modify /tmp/file.conf:

    $ echo demo > /tmp/file.conf
    
  3. Make a directory /special_dir:

    $ mkdir /special_dir
    
  4. Add a file to the monitored directory:

    $ cd /special_dir
    $ touch file1 file2
    
  5. Modify the files by adding the string demo and wait for 2 minutes:

    $ echo demo | tee /special_dir/file1 /special_dir/file2
    

Visualize the alert

You can visualize the alert with any of these options:

  • Navigate to the Discover section and open the visualization created in the Visualization section.

  • Navigate to Threat Hunting on the ThreatLockDown dashboard. Search for agentless.host:* to view the alert generated.

Search for agentless.host:*

Select the syscheck.path field to add a column that shows all the monitored files.

Select the syscheck.path

Expand one of the alerts with rule.id:550 to find information about the changes made to the file. In the image below, you can see that the file size and checksum have changed.

Expand one of the alerts with rule.id:550