Wazuh
Wazuh is an open-source, freely available, and extensive EDR solution that security engineers can deploy in environments of any scale.
Wazuh operates on a manager/agent model: a dedicated manager host is responsible for managing the agents installed on the devices you want to monitor.
As mentioned, Wazuh is an EDR, so let's briefly run through what an EDR is. Endpoint detection and response (EDR) tools and applications monitor devices for activity that could indicate a threat or security breach. Their features include:
- Auditing a device for common vulnerabilities
- Proactively monitoring a device for suspicious activity such as unauthorized logins, brute-force attacks, or privilege escalations
- Visualizing complex data and events into neat and trendy graphs
- Recording a device's normal operating behaviour to help with detecting anomalies
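Wazuh implements the brute-force check in the list above as a correlation rule on the manager: a given number of matching events (a frequency) within a timeframe, grouped by the same source IP, raises an alert. The following Python script is an added example, not code from the post or from Wazuh itself; it reproduces that sliding-window logic over constructed sshd log lines of the kind an agent forwards, so you can see what the raw events look like and what the manager would alert on. The host name, user names and IP addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog/sshd format an agent would forward.
# Host name, user names and IPs are invented for this example.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 10 09:12:03 web01 sshd[2142]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Mar 10 09:12:04 web01 sshd[2144]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar 10 09:12:06 web01 sshd[2146]: Failed password for root from 198.51.100.23 port 51028 ssh2
Mar 10 09:12:07 web01 sshd[2148]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Mar 10 09:12:09 web01 sshd[2150]: Accepted publickey for deploy from 203.0.113.5 port 40212 ssh2
Mar 10 09:12:10 web01 sshd[2152]: Failed password for alice from 203.0.113.5 port 40214 ssh2
Mar 10 09:15:30 web01 sshd[2160]: Failed password for root from 198.51.100.23 port 51040 ssh2
"""

# Matches only the "Failed password" events; accepted logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(text, year=2024):
    """Yield (timestamp, user, source_ip) for each sshd 'Failed password' line.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_brute_force(text, frequency=5, timeframe=120):
    """Raise one alert per source IP the first time it reaches `frequency`
    failed logins within `timeframe` seconds (sliding window per IP).

    This mirrors a frequency/timeframe/same-source-IP correlation rule;
    the thresholds are chosen for the example, not taken from Wazuh's rules."""
    windows = defaultdict(deque)   # per-IP timestamps inside the window
    users = defaultdict(set)       # per-IP account names that were tried
    alerted = set()
    alerts = []
    for ts, user, ip in parse_failed_logins(text):
        q = windows[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop events that have fallen out of the timeframe.
        while q and (ts - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "source_ip": ip,
                "count": len(q),
                "users": sorted(users[ip]),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

With the sample above, 198.51.100.23 produces one alert after its fifth failure inside two minutes; the lone failure from 203.0.113.5 and the later, isolated failure at 09:15:30 stay below the threshold, which is exactly the noise a timeframe is there to filter.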
Real-world scenario: As a security engineer, I had to work with vendors to troubleshoot why an agent wasn't responding on an endpoint—the tools used were ProcExp, ProcMon, and ProcDump.
- ProcExp: to inspect the agent process, its properties, and associated threads and handles.
- ProcMon: to investigate if there were any indicators on why the agent was not operating as it should.
- ProcDump: to create a dump of the agent process to send to the vendor for further analysis.