Description
The following guide covers the procedure for integrating ConcealBrowse with Wazuh, the open source XDR/SIEM platform: ConcealBrowse events are forwarded as syslog to an rsyslog host that runs the Wazuh agent, written to their own log file, and matched by a custom Wazuh rule.
Applies to
- Windows 10+
- MacOS
- Google Chrome
- Microsoft Edge
- ConcealBrowse Version 0.10.0+
- Wazuh 4.4.5+
Procedure
We will be following the Wazuh documentation guide for setting up syslog forwarding, found here: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html
This guide does not cover setting up TLS for syslog; the syslog traffic described below is sent in clear text. Details on enabling TLS in rsyslog can be found here: https://www.rsyslog.com/doc/master/tutorials/tls.html
- In order to get data into Wazuh, ConcealBrowse requires a syslog forwarder: a Linux host running rsyslog with the Wazuh agent installed. We also need to configure rsyslog to write ConcealBrowse messages to their own log file. This is done by editing /etc/rsyslog.conf (or a drop-in file under /etc/rsyslog.d/) and adding the following settings:
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
if $programname=='conceal.io' then /var/log/conceal.log
& ~
The filter matches on $programname, which rsyslog derives from the TAG field of the incoming message, so ConcealBrowse events must arrive with the tag "conceal.io". The "& ~" line discards each matched message after it has been written, so it does not also land in the default syslog file; "~" is the legacy spelling of the discard action, and "& stop" is the current equivalent. Note that this imtcp input accepts messages from any host that can reach port 514, with no authentication, so restrict it with a host firewall to the addresses ConcealBrowse forwards from.
- Once complete, restart rsyslog (systemctl restart rsyslog) and verify that ConcealBrowse events are being written to the "conceal.log" file, for example with tail -f /var/log/conceal.log.
- Next, we need to tell the Wazuh agent to monitor the new "conceal.log" file. Do so by editing the /var/ossec/etc/ossec.conf file and adding the following stanza inside the <ossec_config> element (restart the agent after the change with systemctl restart wazuh-agent):
<localfile>
<log_format>syslog</log_format>
<location>/var/log/conceal.log</location>
</localfile>
- Verify that things are working properly by going to "Log Collection" in your Wazuh instance settings:
- Next, we need a rule that is triggered when new ConcealBrowse events occur. In the Wazuh dashboard, go to the "Rules" section and edit "local_rules.xml" (this is /var/ossec/etc/rules/local_rules.xml on the manager). Add the following rule:
<group name="syslog,conceal-custom,">
<rule id="100005" level="5">
<description>application conceal logs</description>
<match>Conceal API Post Process</match>
</rule>
</group>
The rule id is in the 100000+ range reserved for custom rules, and <match> is a plain substring test: any line from conceal.log containing "Conceal API Post Process" raises a level 5 alert, which is above the default alert threshold of 3. Restart the manager so the rule loads (the dashboard prompts for this after saving), and check it by pasting a line from conceal.log into /var/ossec/bin/wazuh-logtest.
- Next, verify that Alerts are being surfaced:
- View Alert content:
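The steps above are all configuration, so the first thing that goes wrong in practice is the message format: if the TAG of the incoming syslog line is not exactly "conceal.io", the rsyslog filter never routes it and nothing reaches the rule. The script below is an added example (not ConcealBrowse or Wazuh code) that exercises the whole chain offline: it builds RFC 3164 lines, sends them over TCP to a stand-in receiver that applies the same $programname filter as the rsyslog snippet, writes the routed lines to a conceal.log, and then applies the substring test of rule 100005. The assumptions are that ConcealBrowse emits RFC 3164 lines over TCP with tag "conceal.io" (the page does not state the wire format), the ephemeral loopback port standing in for 514, and the sample events, which are constructed for the demo.

```python
"""Offline check of the chain described above:
syslog over TCP -> rsyslog filter on $programname -> conceal.log -> Wazuh rule 100005.

Added example, not ConcealBrowse or Wazuh code. Assumptions (not stated on the page):
events arrive as RFC 3164 lines over TCP whose TAG is "conceal.io" (rsyslog derives
$programname from the TAG, minus any "[pid]" suffix); the receiver here is a stand-in
for rsyslog so the script runs without one. The sample messages are constructed.
"""
import re
import socket
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

RULE_MATCH = "Conceal API Post Process"  # the <match> string of rule 100005

# <PRI>TIMESTAMP HOST TAG[pid]: MSG  -- TAG without "[pid]" is what $programname sees
_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def build_message(tag: str, text: str, host: str = "workstation01",
                  pid: Optional[int] = None) -> str:
    """Format one RFC 3164 line (PRI 14 = facility user, severity info)."""
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    if ts[4] == "0":                      # RFC 3164 uses a space-padded day of month
        ts = ts[:4] + " " + ts[5:]
    tagpart = f"{tag}[{pid}]" if pid is not None else tag
    return f"<14>{ts} {host} {tagpart}: {text}"


def programname(line: str) -> Optional[str]:
    """What rsyslog's $programname evaluates to for this line (None if unparsable)."""
    m = _SYSLOG.match(line)
    return m.group("tag") if m else None


def rule_100005_fires(line: str) -> bool:
    """Wazuh <match> is a plain substring test against the log line."""
    return RULE_MATCH in line


def route_events(messages: List[str], log_dir: Optional[str] = None) -> Dict[str, List[str]]:
    """Send messages over TCP to a stand-in receiver and apply the rsyslog filter:
    programname 'conceal.io' goes to conceal.log, everything else to the default file."""
    out = Path(log_dir or tempfile.mkdtemp(prefix="conceal-demo-"))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))        # ephemeral port; the real receiver listens on 514
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall("".join(m + "\n" for m in messages).encode())
        conn, _ = srv.accept()
        data = b""
        with conn:
            while chunk := conn.recv(4096):
                data += chunk
    routed: Dict[str, List[str]] = {"conceal": [], "other": []}
    for line in data.decode().splitlines():
        # if $programname=='conceal.io' then /var/log/conceal.log ... & ~
        bucket = "conceal" if programname(line) == "conceal.io" else "other"
        routed[bucket].append(line)
    (out / "conceal.log").write_text("".join(l + "\n" for l in routed["conceal"]))
    (out / "syslog").write_text("".join(l + "\n" for l in routed["other"]))
    return routed


def alerts(conceal_log_lines: List[str]) -> List[str]:
    """Lines from conceal.log that would raise the level-5 alert of rule 100005."""
    return [l for l in conceal_log_lines if rule_100005_fires(l)]


if __name__ == "__main__":
    demo = [  # constructed sample events
        build_message("conceal.io", "Conceal API Post Process: url=https://example.test verdict=isolate"),
        build_message("sshd", "Accepted publickey for alice from 10.0.0.5", pid=4242),
        build_message("conceal.io", "heartbeat ok"),
    ]
    routed = route_events(demo)
    print(f"conceal.log: {len(routed['conceal'])} line(s), other: {len(routed['other'])} line(s)")
    for a in alerts(routed["conceal"]):
        print("ALERT 100005:", a)
```

Against a real forwarder, the same check is: send one line from build_message() to the rsyslog host on port 514 (for instance with logger -T -n <host> -P 514 -t conceal.io), confirm it appears in /var/log/conceal.log, then paste it into wazuh-logtest on the manager and confirm rule 100005 fires. A line that routes but never alerts usually means the event text does not contain the exact <match> string; a line that never routes usually means the TAG is not "conceal.io".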
*Never hesitate to contact your Customer Success Manager for any questions or concerns. You may also open a support ticket at support.conceal.io by scrolling to the bottom and clicking Submit a request.