Wazuh HIDS capabilities

[xxvs]

Are they the same as for standalone Wazuh? I was testing one of my Ubuntu agents and I deleted the bash history file (which is one of the examples on Wazuh's website) and I didn't get even a Low alert. I also never got an alert for things like editing the passwd file manually.
The same goes for Windows; I ran JAWS and mimikatz and got no alerts whatsoever.
I was just wondering if the capabilities of Wazuh that comes with SO are limited compared to the standalone installation.

[dougburks]

We include the full Wazuh server and the full Wazuh agent. Are you getting any Wazuh alerts at all?

[xxvs]

I do, I'm the same guy from here. I was surprised I didn't get any alerts when I deleted the bash history file.

[dougburks]

Where exactly on Wazuh's website do they mention bash history? Perhaps it requires additional configuration.

[xxvs]

It's just one example I noticed here for their file integrity monitoring module.

[dougburks]

I don't see any evidence that Wazuh does this by default out of the box. I think you need to configure Wazuh to do this.

[Mastadamus]

I was an Threat Detection engineer for a wazuh based SOC, and i gotta tell you after extensive atomic red team testing, Wazuh really starts to shine when you utilize it with sysmon and custom rules. If i remember right, even our dedicated Wazuh siem had trouble detecting invoke-mimikatz usage until we implemented sysmon and implemented some sigma rules.

[xxvs]

Thanks for the tip! Any chance you still have some of those rules handy? I understand that they almost certainly won't apply to our situation, I'm just curious.

[Mastadamus]

This is a good starting point

https://github.com/sametsazak/sysmon (this isn't me but I used many of these rules as a starting point back in the day)