Integrating Wazuh with ConcealBrowse

Description

The following guide covers the procedures necessary to integrate ConcealBrowse and Wazuh, the widely used open source XDR/SIEM platform.

Applies to

  • Windows 10+
  • MacOS
  • Google Chrome
  • Microsoft Edge
  • ConcealBrowse Version 0.10.0+
  • Wazuh 4.4.5+

Procedure

We will be following the Wazuh documentation guide to set up syslog forwarding, found here: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html

This guide does not cover setting up TLS for syslog. Details for this can be found here: https://www.rsyslog.com/doc/master/tutorials/tls.html

  1. In order to get data into Wazuh, ConcealBrowse requires a syslog forwarder running the Wazuh agent. We also need to configure rsyslog to write ConcealBrowse messages to its own log file. This is done by editing /etc/rsyslog.conf and adding the following settings:

    # provides TCP syslog reception
    module(load="imtcp")
    input(type="imtcp" port="514")

    # write messages whose syslog tag (programname) is conceal.io to their own file ...
    if $programname=='conceal.io' then /var/log/conceal.log
    # ... then discard them so they are not duplicated into the default syslog files
    # ("& ~" is the legacy spelling of "& stop"; rsyslog accepts both)
    & ~

  2. Once complete, verify that ConcealBrowse events are being written to the “conceal.log” file.
  3. Next, we need to tell the Wazuh agent to monitor the new “conceal.log” file. Do so by editing the /var/ossec/etc/ossec.conf file and adding the following stanza (restart the agent after the change):

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/conceal.log</location>
    </localfile>
  4. Verify that things are working properly by going to “Log Collection” in your Wazuh instance settings.
  5. Next, we need a rule to be triggered when new ConcealBrowse events occur. Go to the “rules” section and edit “local_rules.xml”.
  6. Add the following rule:

    <group name="syslog,conceal-custom,">
      <rule id="100005" level="5">
        <description>application conceal logs</description>
        <match>Conceal API Post Process</match>
      </rule>
    </group>
  7. Next, verify that alerts are being surfaced.

  8. View the alert content.
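To exercise the whole chain from steps 1 to 8 without waiting for a real browser event, the following added example (not part of this guide, Wazuh or ConcealBrowse) sends a constructed RFC 3164 event tagged conceal.io to the forwarder's TCP 514 listener, and mirrors the two checks the pipeline applies so you can predict whether a given line should land in /var/log/conceal.log and trip rule 100005. The forwarder address, hostname and message text are assumptions.

```python
import re
import socket
import time

PROGRAM_TAG = "conceal.io"               # the $programname tested in rsyslog.conf
RULE_MATCH = "Conceal API Post Process"  # the <match> string of rule id 100005
CONCEAL_LOG = "/var/log/conceal.log"     # destination file from the rsyslog filter
PRI_USER_INFO = 1 * 8 + 6                # facility user(1), severity info(6) -> <14>

# A TAG may carry a PID ("conceal.io[1234]:"); rsyslog's $programname is the part before it.
_TAG_RE = re.compile(r"^([^\[\s:]+)(?:\[\d+\])?:\s?(.*)$", re.S)

def build_syslog_line(message, hostname="browser-host", tag=PROGRAM_TAG, timestamp=None):
    """Return an RFC 3164 line: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MESSAGE (constructed)."""
    if timestamp is None:
        timestamp = time.strftime("%b %d %H:%M:%S")  # always 15 characters wide
    return f"<{PRI_USER_INFO}>{timestamp} {hostname} {tag}: {message}"

def parse_syslog_line(line):
    """Split an RFC 3164 line into (programname, message); raise on malformed input."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI header")
    body = line[line.index(">") + 1:]                          # "Mmm dd HH:MM:SS HOST TAG: MSG"
    _hostname, _sep, tag_and_msg = body[16:].partition(" ")    # skip the 15-char timestamp
    m = _TAG_RE.match(tag_and_msg)
    if m is None:
        raise ValueError("missing TAG")
    return m.group(1), m.group(2)

def classify(line):
    """Approximate the pipeline's two checks: rsyslog routes the line to conceal.log only
    when $programname == conceal.io, and Wazuh rule 100005 then fires only when the
    message contains the <match> substring."""
    programname, message = parse_syslog_line(line)
    routed = programname == PROGRAM_TAG
    return {"file": CONCEAL_LOG if routed else None,
            "rule_100005": routed and RULE_MATCH in message}

def send_test_event(forwarder_host, message, port=514, timeout=5.0):
    """Deliver one constructed event to the forwarder's imtcp listener (newline framing)."""
    line = build_syslog_line(message)
    with socket.create_connection((forwarder_host, port), timeout=timeout) as sock:
        sock.sendall((line + "\n").encode("utf-8"))
    return line

if __name__ == "__main__":
    import sys  # usage: python3 conceal_syslog_check.py <forwarder-ip>; then inspect conceal.log
    print(classify(send_test_event(sys.argv[1], f"{RULE_MATCH} integration test event")))
```

If the test event reaches /var/log/conceal.log but no alert appears, check the rule text first: rule 100005 is a plain substring match, so the event must contain exactly "Conceal API Post Process".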

If you run into issues, your firewall could be blocking certain IP addresses needed to send the data. Whitelist the following IP addresses if necessary:

18.214.63.36, 44.214.127.25, 44.209.215.8, 3.233.223.50, 34.232.55.106, 52.86.27.48, 3.216.48.116


*Never hesitate to contact your Customer Success Manager for any questions or concerns. You may also open a support ticket at support.conceal.io by scrolling to the bottom and clicking Submit a request.