Security terms glossary (Fixes wazuh#7802)
arky committed Oct 4, 2024
1 parent a814959 commit 04e036c
Showing 7 changed files with 176 additions and 11 deletions.
1 change: 1 addition & 0 deletions source/_static/js/redirects.js
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ removedUrls['x.y'] = [
newUrls['5.0'] = [
'/release-notes/release-5-0-0.html',
'/release-notes/index-5x.html',
'/getting-started/glossary.html',
];

/* Pages no longer available in 5.0 */
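Review bot: Confirm that `'/getting-started/glossary.html'` belongs under `newUrls['5.0']`. The neighbouring block is labelled "Pages no longer available in 5.0", so this list reads as "pages that first exist in 5.0"; if the glossary is also published from an earlier documentation branch, the entry belongs in that version's list instead, otherwise links to the page on that version would be treated as non-existent. The added line does follow the trailing-comma style of the surrounding entries.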
10 changes: 5 additions & 5 deletions source/getting-started/architecture.rst
Expand Up @@ -6,9 +6,9 @@
Architecture
============

The Wazuh architecture is based on :doc:`agents <components/wazuh-agent>`, running on the monitored endpoints, that forward security data to a central :doc:`server <components/wazuh-server>`. Agentless devices such as firewalls, switches, routers, and access points are supported and can actively submit log data via Syslog, SSH, or using their API. The central server decodes and analyzes the incoming information and passes the results along to the Wazuh indexer for indexing and storage.
The Wazuh architecture is based on :doc:`agents <components/wazuh-agent>`, running on the monitored endpoints, that forward security data to a central :doc:`server <components/wazuh-server>`. Agentless devices such as firewalls, switches, routers, and access points are supported and can actively submit log data via ``Syslog``, ``SSH``, or using their API. The central server decodes and analyzes the incoming information and passes the results along to the Wazuh indexer for indexing and storage.

The Wazuh indexer cluster is a collection of one or more nodes that communicate with each other to perform read and write operations on indices. Small Wazuh deployments, which do not require processing large amounts of data, can easily be handled by a single-node cluster. Multi-node clusters are recommended when there are many monitored endpoints, when a large volume of data is anticipated, or when high availability is required.
The Wazuh indexer ``cluster`` is a collection of one or more ``nodes`` that communicate with each other to perform read and write operations on indices. Small Wazuh deployments, which do not require processing large amounts of data, can easily be handled by a single-node cluster. Multi-node clusters are recommended when there are many monitored endpoints, when a large volume of data is anticipated, or when high availability is required.

For production environments, it is recommended to deploy the Wazuh server and Wazuh indexer to different hosts. In this scenario, Filebeat is used to securely forward Wazuh alerts and archived events to the Wazuh indexer cluster (single-node or multi-node) using TLS encryption.
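Review bot: Wrapping "Syslog", "SSH", "cluster" and "nodes" in double backticks (`via ``Syslog``, ``SSH``, or using their API` and `The Wazuh indexer ``cluster`` is a collection of one or more ``nodes```) renders ordinary prose terms as inline code, which a reader takes to mean a literal command, file or identifier, and it gives no link to the glossary this commit adds. Since this is a Sphinx project and `glossary.rst` defines the label `getting_started_glossary`, either a `:ref:` to that label (`:ref:`Syslog <getting_started_glossary>``) or, better, a `.. glossary::` directive in `glossary.rst` so these words can be written as `:term:`Syslog`` would give the reader the definition while keeping the sentence readable. If emphasis rather than a link is the goal, use `*Syslog*`, not literal markup. Note also that "Syslog" here is capitalised while "cluster" and "nodes" are not, whereas the glossary headings are `Syslog`, `Cluster` and `Nodes`; reconcile the casing now so that converting these to references later is a mechanical change.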

Expand All @@ -28,7 +28,7 @@ The :doc:`Wazuh agent <components/wazuh-agent>` continuously sends events to the
- The file ``/var/ossec/logs/archives/archives.json`` contains all events whether they tripped a rule or not.
- The file ``/var/ossec/logs/alerts/alerts.json`` contains only events that tripped a rule with high enough priority (the threshold is configurable).

The Wazuh messages protocol uses AES encryption by default, with 128 bits per block and 256-bit keys. Blowfish encryption is optional.
The Wazuh messages protocol uses AES encryption by default, with 128 bits per block and 256-bit keys. ``Blowfish encryption`` is optional.

.. note::

Expand All @@ -41,7 +41,7 @@ The Wazuh server uses Filebeat to securely transmit alert and event data to the

The Vulnerability Detection module updates the vulnerability inventory. It also generates alerts, providing insights into system vulnerabilities.

The Wazuh dashboard queries the Wazuh RESTful API (by default listening on port 55000/TCP on the Wazuh server) to display configuration and status-related information of the :doc:`Wazuh server <components/wazuh-server>` and :doc:`agents <components/wazuh-agent>`. It can also modify agents or server configuration settings through API calls. This communication is encrypted with TLS and authenticated with a username and password.
The Wazuh dashboard queries the Wazuh ``RESTful`` ``API`` (by default listening on port 55000/TCP on the Wazuh server) to display configuration and status-related information of the :doc:`Wazuh server <components/wazuh-server>` and :doc:`agents <components/wazuh-agent>`. It can also modify agents or server configuration settings through API calls. This communication is encrypted with TLS and authenticated with a username and password.

.. _default_ports:
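Review bot: `the Wazuh ``RESTful`` ``API``` splits one noun phrase into two adjacent literals, so the rendered page shows two code tokens with a gap between them. The glossary also defines "RESTful" and "API" as separate entries even though the documentation, including `wazuh-server.rst` in this same commit, consistently says "Wazuh RESTful API" and leaves it unmarked there. Mark the phrase once at most, or leave the prose alone and point "RESTful API" at a single glossary entry; whichever treatment is chosen should be applied the same way in every file touched here.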

Expand Down Expand Up @@ -77,7 +77,7 @@ Several services are used for the communication of Wazuh components. Below is th
Archival data storage
---------------------

Both alerts and non-alert events are stored in files on the Wazuh server, in addition to being sent to the Wazuh indexer. These files can be written in JSON format (``.json``), or plain text format (``.log``). These files are daily compressed and signed using MD5, SHA1, and SHA256 checksums. The directory and filename structure is as follows:
Both alerts and non-alert events are stored in files on the Wazuh server, in addition to being sent to the Wazuh indexer. These files can be written in JSON format (``.json``), or plain text format (``.log``). These files are daily compressed and signed using ``MD5, SHA1, and SHA256`` checksums. The directory and filename structure is as follows:

.. code-block:: bash
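Review bot: `These files are daily compressed and signed using ``MD5, SHA1, and SHA256`` checksums` conflates a checksum with a signature: a checksum detects accidental corruption, while a signature needs a private key and lets the reader verify who produced the file. Since this hunk already touches the sentence, fix the wording, e.g. "These files are compressed daily, and MD5, SHA1, and SHA256 checksums are written alongside each compressed file", and, because MD5 and SHA1 are no longer collision resistant, say that SHA256 is the value to compare. Separately, `MD5, SHA1, and SHA256` as a single literal renders a comma-separated list as one code token; if the intent is to link to the glossary entry of the same name, use a cross-reference rather than literal markup.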
6 changes: 3 additions & 3 deletions source/getting-started/components/index.rst
Expand Up @@ -8,11 +8,11 @@ Components

The Wazuh platform provides XDR and SIEM features to protect your cloud, container, and server workloads. These include log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, and support for regulatory compliance.

The Wazuh solution is based on the Wazuh agent, which is deployed on the monitored endpoints, and on three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.
The Wazuh solution is based on the Wazuh ``agent``, which is deployed on the monitored ``endpoints``, and on three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.

- The :doc:`Wazuh indexer <wazuh-indexer>` is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
- The :doc:`Wazuh server <wazuh-server>` analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
- The :doc:`Wazuh dashboard <wazuh-dashboard>` is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for threat hunting, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.
- The :doc:`Wazuh server <wazuh-server>` analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known ``indicators of compromise (IOCs)``. A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
- The :doc:`Wazuh dashboard <wazuh-dashboard>` is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for threat hunting, regulatory compliance (e.g., ``PCI DSS``, ``GDPR``, ``CIS``, ``HIPAA``, ``NIST 800-53``), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.
- :doc:`Wazuh agents <wazuh-agent>` are installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, macOS, Solaris, AIX, and HP-UX.

In addition to agent-based monitoring capabilities, the Wazuh platform can monitor agent-less devices such as firewalls, switches, routers, or network IDS, among others. For example, a system log data can be collected via Syslog, and its configuration can be monitored through periodic probing of its data, via SSH or through an API.
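Review bot: ``indicators of compromise (IOCs)`` on the server bullet and ``PCI DSS``, ``GDPR``, ``CIS``, ``HIPAA``, ``NIST 800-53`` on the dashboard bullet render a defined phrase and five regulatory names as inline code, so on the rendered page they look like identifiers the reader should type. The glossary is added in this same commit, so link to it (a Sphinx `.. glossary::` with `:term:`, or a `:ref:` to `getting_started_glossary`) instead of using literal markup. Also reconcile the casing between `indicators of compromise (IOCs)` here and the glossary heading `Indicators of Compromise (IOCs)`, since a reference to the glossary entry will have to match its title.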
2 changes: 1 addition & 1 deletion source/getting-started/components/wazuh-dashboard.rst
Expand Up @@ -6,7 +6,7 @@
Wazuh dashboard
===============

The Wazuh dashboard is a flexible and intuitive web user interface for mining, analyzing, and visualizing security events and alerts data. It is also used for the management and monitoring of the Wazuh platform. Additionally, it provides features for role-based access control (RBAC) and single sign-on (SSO).
The Wazuh dashboard is a flexible and intuitive web user interface for mining, analyzing, and visualizing security events and alerts data. It is also used for the management and monitoring of the Wazuh platform. Additionally, it provides features for role-based access control (``RBAC``) and single sign-on (``SSO``).

Data visualization and analysis
-------------------------------
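Review bot: `role-based access control (``RBAC``)` and `single sign-on (``SSO``)` put literal markup on acronyms in a sentence that already spells them out, and rendered as code they read like configuration keys. Same suggestion as for the other files: plain text or a glossary cross-reference, applied consistently. As it stands, `wazuh-server.rst` in this commit marks only `enrollment`, this file marks two acronyms, and `architecture.rst` marks protocol names, so the reader gets no rule for what backticks mean.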
2 changes: 1 addition & 1 deletion source/getting-started/components/wazuh-server.rst
Expand Up @@ -15,7 +15,7 @@ Additionally, the Wazuh server can be integrated with external software, includi
Server architecture
-------------------

The Wazuh server runs the analysis engine, the Wazuh RESTful API, the agent enrollment service, the agent connection service, the Wazuh cluster daemon, and Filebeat. The server is installed on a Linux operating system and usually runs on a stand-alone physical machine, virtual machine, docker container, or cloud instance.
The Wazuh server runs the analysis engine, the Wazuh RESTful API, the agent ``enrollment`` service, the agent connection service, the Wazuh cluster daemon, and Filebeat. The server is installed on a Linux operating system and usually runs on a stand-alone physical machine, virtual machine, docker container, or cloud instance.

The diagram below represents the server architecture and components:
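Review bot: Only ``enrollment`` is marked in `the agent ``enrollment`` service, the agent connection service, the Wazuh cluster daemon, and Filebeat`, so one item in a list of server components renders as code while its neighbours render as prose, and the reader will assume `enrollment` is a literal service or daemon name, which the sentence does not claim. Drop the literal markup here or link the word to the glossary; and the glossary entry itself should say what enrollment means in Wazuh, i.e. registering an agent with the Wazuh server through the agent enrollment service named in this very sentence, rather than the generic "adding a new device or user to a managed system".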

163 changes: 163 additions & 0 deletions source/getting-started/glossary.rst
@@ -0,0 +1,163 @@
.. meta::
:description: Let's explore some common security terms. Learn more about it in this section.


.. _getting_started_glossary:

Glossary
========

Here are some common security terms:

- `XDR`_

- `SIEM`_

- `Indicators of Compromise (IOCs)`_

- `PCI DSS`_

- `GDPR`_

- `CIS`_

- `HIPAA`_

- `NIST 800-53`_

- `Nodes`_

- `Cluster`_

- `Agent`_

- `Enrollment`_

- `RBAC`_

- `SSO`_

- `Endpoints`_

- `Syslog`_

- `SSH`_

- `RESTful`_

- `API`_

- `Blowfish Encryption`_

- `MD5, SHA1, and SHA256`_


XDR
----

XDR (Extended Detection and Response) is a comprehensive approach to cybersecurity that analyzes data from various sources to detect, investigate, and respond to threats.

SIEM
----

SIEM (Security Information and Event Management) is a platform for collecting, analyzing, and correlating security data to identify potential threats.


Indicators of Compromise (IOCs)
-------------------------------

Patterns or artifacts indicating a security breach, such as IP addresses, file hashes, or network traffic patterns.

PCI DSS
-------

PCI DSS (Payment Card Industry Data Security Standard): A set of security requirements for organizations handling cardholder data.

GDPR
----

GDPR (General Data Protection Regulation): EU regulation endpointsetting standards for personal data protection.

CIS
---

CIS (Center for Internet Security): A nonprofit organization promoting cybersecurity best practices.


HIPAA
-----

HIPAA (Health Insurance Portability and Accountability Act): US law protecting patient health information (PHI).

NIST 800-53
-----------

NIST publication providing security controls for information systems.


Nodes
-----

An individual computer or server in a distributed system.

Cluster
-------

A group of interconnected computers or servers working together.

Agent
-----

Software program running on a node in a distributed system.


Enrollment
----------

Adding a new device or user to a managed system.

RBAC
----

RBAC (Role-Based Access Control) is method of assigning permissions based on a user's role.


SSO
----

SSO (Single Sign-On) is method of authenticating once to access multiple applications.

Endpoints
---------

A device or system connecting to a network.


Syslog
-------

A standard protocol for logging system messages.

SSH
---

SSH (Secure Shell) is a network protocol providing secure remote access.

RESTful
-------

REST (Representational State Transfer): Architectural style for designing web services.

API
---
API (Application Programming Interface) are rules and protocols for software communication.


Blowfish Encryption
-------------------

A symmetric encryption algorithm known for its speed and security.

MD5, SHA1, and SHA256
---------------------
Hashing algorithms used for password storage, file integrity verification, and digital signatures.
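Review bot: The `Blowfish Encryption` and `MD5, SHA1, and SHA256` entries make claims that are wrong for security documentation and contradict the page that links to them. Blowfish is not "known for its speed and security": it is a 1993 cipher with a 64-bit block, which is why `architecture.rst` in this same commit lists it only as optional next to the AES default with its 128-bit block and 256-bit keys; describe it as a legacy 64-bit-block symmetric cipher that is available as an alternative to AES. MD5 and SHA1 should not be presented as "used for password storage, file integrity verification, and digital signatures": both are broken for collision resistance, so they are unsuitable for signatures, and a plain hash of any kind is not a password storage method (that needs a salted, deliberately slow password hash). Describe the three as what the documentation uses them for, checksums written alongside the archived log files and used for integrity checks, and note that SHA256 is the one to rely on. Other fixes needed in this file: "EU regulation endpointsetting standards" (GDPR) has a pasted word; "is method" (RBAC, SSO) is missing "a"; "API ... are rules and protocols" should be "is a set of rules and protocols"; the `Nodes` and `Endpoints` headings are plural while their definitions are singular; `Agent` should describe the Wazuh agent, the endpoint component `components/index.rst` already defines, not "software program running on a node in a distributed system"; `NIST 800-53` should be expanded to NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations; the `API` and `MD5, SHA1, and SHA256` sections lack the blank line after the underline that every other section has; and the `Syslog` underline is one dash longer than its title, harmless but inconsistent with the rest. Finally, the `.. meta::` description "Learn more about it in this section" has no antecedent for "it"; something like "Definitions of the security terms used in the Wazuh documentation" would read better. Since this is a Sphinx project, a `.. glossary::` directive would also let the other files reference these entries with `:term:` instead of the literal backticks added in this commit.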
3 changes: 2 additions & 1 deletion source/getting-started/index.rst
Expand Up @@ -6,7 +6,7 @@
Getting started with Wazuh
==========================

Wazuh is a free and open source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.
Wazuh is a free and open source security platform that unifies ``XDR`` and ``SIEM`` capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.

Wazuh helps organizations and individuals to protect their data assets against security threats. It is widely used by thousands of organizations worldwide, from small businesses to large enterprises.
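Review bot: ``XDR`` and ``SIEM`` in `unifies ``XDR`` and ``SIEM`` capabilities` are the first terms a new reader meets on this landing page, and rendering them as code suggests product or configuration names. Keep them as plain text, or link them to the `XDR` and `SIEM` glossary entries added in this commit; literal markup gives neither a link nor a definition.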

Expand Down Expand Up @@ -74,3 +74,4 @@ Screenshots
components/index
architecture
use-cases/index
glossary

0 comments on commit 04e036c