Posts

Showing posts from August, 2023

HPE DL Series Host TPM Attestation Alarm Remediation

Recently in my lab, I ran into an issue with the Host TPM Attestation Alarm being set. It was a little annoying that some configuration items are not set by default out of the box, so this guide covers the specific BIOS / RBSU configs that need to be made to clear this up. First off, we need to boot into the BIOS / System Config / RBSU, so unfortunately you need to reboot your host; none of these changes can be made through the iLO. "I reboot now - Good luck everybody else" Next up, we need to navigate to Server Security and then Secure Boot Settings. Select "Attempt Secure Boot" and accept the warning regarding the required reboot. Navigate back to the main "Server Security" menu and select Trusted Platform Module Options. Ensure you have the config below: Current TPM Type: TPM 2.0; Current TPM 2.0 Active PCRs: SHA256 Only; TPM 2.0 Operation: No Action UNLESS your current TPM Type is not 2.0 - change to TPM ...

Wazuh SIEM Deployment: Deploying Your First Agent

Now that you have deployed your Wazuh server, we can get onto deploying agents to our endpoints (Windows servers, workstations, Linux boxes etc). For housekeeping, we can create groups within the Wazuh management console; these will be used to logically group our devices. Begin by navigating to the Wazuh drop-down menu, then select Management and then Groups. Select "Add Group" and enter your desired group name(s) - I've created a number of groups for my infrastructure. Cool! Now the groups are done, we can begin deploying our agent. I'm starting with my Windows workstation that sits in the bottom of my rack. Select the Wazuh menu again and select "agents". As this is our first agent deployment, we are taken directly to the add agent screen. Fill in the appropriate details. Once we have filled in all the details, you'll be presented with a PS script to run; make sure you launch PS as an administrator to install the agent. Copy the PS scrip...

Wazuh SIEM Deployment: Getting Started and Base Deployment

Wazuh is a powerful free and open source SIEM solution. It has massive community backing, can collate and analyse logs and vulnerabilities, and has the ability to create monitors on files, folders and even the registry. I haven't seen much in the way of deployment online, so why not start now. This will be a multi-part series on the base deployment (all-in-one VM), monitoring Windows and Linux endpoints and host endpoints (ESXi). Let's dive in! For this deployment, I will be deploying on my Synology NAS - this is because my NAS stays on 24/7 and doesn't consume anywhere near the amount of power that my lab hosts consume. Begin by going to the Wazuh VM Installation Page and download the OVA file. Once downloaded, we'll navigate to the Syno and bring up Virtual Machine Manager, then select VMs > Create > OVA > Next. We'll then select Upload from PC, find the OVA and select Next. Select a storage volume for the VM, i'm lazy and have a...