Orchestrating Cybersecurity Resilience: Veeam & Wazuh Custom Integration

In the ever-evolving landscape of cybersecurity, organizations face the ongoing challenge of bolstering their defenses against various threats. One crucial aspect of this defense strategy involves the integration of security tools that can work seamlessly to detect and respond to potential risks.

In this blog post, we will delve into the fusion of two powerful tools: Wazuh, an open-source security information and event management (SIEM) tool, and Veeam, specifically exploring the recent addition of the Incident API in the V12.1 release.

Background

In a previous blog post, I connected my lab environment to Wazuh SIEM/XDR and followed a simulated attack on a target server to evaluate its potential for preempting data destruction. The earlier post, Threat Hunting with Veeam, demonstrated an attack on a server using Remote File Inclusion (RFI), executing a remote Windows Shell payload, and showcasing the ability to remotely execute commands. This included copying more payloads, encrypting data, and leaving behind a note.

The primary goal of this custom integration is to trigger the Veeam Incident Response API before data destruction occurs. By identifying alarms on remote shell and script execution, the integration automatically activates the Veeam Incident Response API, initiating a quick backup to preserve the latest state of the data.

Here is the link to the integration code: https://github.com/mritsurgeon/Veeam-Wazuh

Understanding Wazuh

Wazuh is an open-source SIEM tool designed for log analysis, intrusion detection, vulnerability detection, and overall security monitoring. Operating as a Host-based Intrusion Detection System (HIDS), Wazuh installs agents on individual systems to forward log data to a central manager. Known for its scalability and seamless integration with various security tools, Wazuh is widely utilized in diverse environments to enhance threat detection and incident response capabilities.

Unveiling Veeam

Veeam, a prominent software company, specializes in data backup, disaster recovery, and intelligent data management solutions. Renowned for its user-friendly solutions, Veeam ensures the availability and security of data across virtualized and cloud environments. The recent addition of the Incident API in Veeam V12.1 opens up new possibilities for orchestrating rapid responses to potential security threats.

Leveraging Veeam Incident API

The Veeam Incident API serves as a pivotal component of the Malware Detection feature introduced in V12.1. This API allows organizations to integrate third-party antivirus software or security tools with the Veeam REST API. The result is the ability to create a malware event that triggers an immediate backup, mitigating the risk of data loss.

Incident Response Workflow

In practical terms, to build and test the integration I followed these steps:

  1. Attack Simulation:

    Conduct a simulated attack on a target server, executing a remote shell and script to mimic potential data destruction.

  2. Wazuh Detection:

    Utilize Wazuh's capabilities to detect alarms associated with remote shell and script execution.

  3. Custom Integration Activation:

    Activate the custom integration, linking Wazuh with Veeam, and triggering the Veeam Incident API.

  4. Automatic Backup:

    Initiate an automatic backup using the Veeam Incident API to preserve the latest state of the data, effectively preventing or minimizing data loss.

The Pieces of the Puzzle

To achieve this integration, you need to copy two files and make modifications to an existing Wazuh configuration file.

```text
└───Wazuh Integration
        custom-veeam
        custom-veeam.py
        ossec.conf
```

  • custom-veeam: A wrapper script facilitating the execution of the Python script and passing system variables from Wazuh to Python.

  • custom-veeam.py: A Python script initiating a login to Veeam Backup & Replication via REST API. It authenticates with a user and password, retrieves an access token, and fetches alarm details to pass them to the Veeam Malware Event API endpoint.

  • ossec.conf: A sample configuration added to the Wazuh config file, passing information such as the Veeam Backup & Replication Server/Endpoint's FQDN or IP, user credentials, groups/rules triggering the API, and the severity level.
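As an added example (not the repository's custom-veeam.py), here is a Python script in the role described above: it reads the alert file that Wazuh hands to an integration, turns the agent and rule fields into a Veeam malware-event payload, and posts it to Veeam Backup & Replication after a password-grant login. The integratord argument order (alert file, api_key, hook_url), the VBR REST port 9419, the x-api-version header and both endpoint paths are assumptions from the VBR 12.1 REST API as I know it, not taken from the post; check them against your server's REST API reference. The sample alert is constructed.

```python
"""Turn a Wazuh alert into a Veeam Backup & Replication (VBR) malware event.

Added example, not the custom-veeam.py from the repository. Assumed (not from
the post): the integratord calling convention (argv[1] = alert JSON file,
argv[2] = api_key, argv[3] = hook_url) and the VBR 12.1 REST values below.
"""
import json
import ssl
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timezone

VBR_PORT = 9419                                         # assumed VBR REST port
VBR_API_VERSION = "1.1-rev1"                            # assumed header for 12.1
TOKEN_PATH = "/api/oauth2/token"                        # assumed token endpoint
MALWARE_EVENT_PATH = "/api/v1/malwareDetection/events"  # assumed event endpoint

# Constructed sample alert in the JSON shape Wazuh passes to integration scripts.
SAMPLE_ALERT = {
    "timestamp": "2024-01-12T18:16:05.123+0000",
    "rule": {
        "id": "92052",
        "level": 12,
        "description": "Constructed: PowerShell download cradle executed",
        "groups": ["windows", "sysmon", "powershell"],
    },
    "agent": {"id": "001", "name": "WIN-TARGET", "ip": "10.10.10.25"},
}


def parse_api_key(api_key):
    """Split the ossec.conf <api_key> value 'user:pass' (password may contain ':')."""
    user, sep, password = api_key.partition(":")
    if not sep or not user:
        raise ValueError("api_key must be 'user:password'")
    return user, password


def wazuh_time_to_utc(stamp):
    """Convert Wazuh's '2024-01-12T18:16:05.123+0000' into an ISO UTC string."""
    try:
        parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f%z")
    except (TypeError, ValueError):
        parsed = datetime.now(timezone.utc)  # fall back to receipt time
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_malware_event(alert, min_level=12):
    """Return the VBR malware-event payload, or None if below min_level.

    integratord already filters on <rule_id>/<level>/<group>; min_level is a
    second guard so a loosened ossec.conf cannot fire backups on noise.
    """
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    if int(rule.get("level", 0)) < min_level:
        return None
    return {
        "detectionTimeUtc": wazuh_time_to_utc(alert.get("timestamp")),
        "machine": {"fqdn": agent.get("name", "unknown"), "ipv4": agent.get("ip", "")},
        "details": "Wazuh rule {} (level {}): {}".format(
            rule.get("id", "?"), rule.get("level", "?"), rule.get("description", "")),
        "engine": "Wazuh",
    }


def _ssl_context(verify_tls):
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab VBR servers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(host, user, password, verify_tls=True):
    """Password grant against the VBR token endpoint; returns the bearer token."""
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": user, "password": password}).encode()
    req = urllib.request.Request(
        f"https://{host}:{VBR_PORT}{TOKEN_PATH}", data=body, method="POST",
        headers={"x-api-version": VBR_API_VERSION,
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=_ssl_context(verify_tls)) as resp:
        return json.load(resp)["access_token"]


def post_malware_event(host, token, event, verify_tls=True):
    """POST the event; VBR then runs the quick backup described in the post."""
    req = urllib.request.Request(
        f"https://{host}:{VBR_PORT}{MALWARE_EVENT_PATH}",
        data=json.dumps(event).encode(), method="POST",
        headers={"x-api-version": VBR_API_VERSION, "Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=_ssl_context(verify_tls)) as resp:
        return resp.status


def main(argv):
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file) as fh:
        alert = json.load(fh)
    event = build_malware_event(alert)
    if event is None:
        return 0
    user, password = parse_api_key(api_key)
    token = get_token(hook_url, user, password)
    return 0 if post_malware_event(hook_url, token, event) in (200, 201) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The wrapper (custom-veeam) would invoke this with the three positional arguments Wazuh supplies; the payload builder is kept separate from the HTTP calls so it can be exercised offline against a saved alert file before any VBR credentials are put in ossec.conf.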

Installation Steps

  1. Copy custom-veeam and custom-veeam.py to the /var/ossec/integrations directory on the Wazuh Server.

  2. Adjust file permissions using the existing integrations as a reference (chmod copies only the mode bits; the files must also be owned by root:wazuh, as in the sample listing below):

    ```bash
    # Copy the permissions of the existing out-of-the-box integrations
    chmod --reference=slack custom-veeam
    chmod --reference=slack custom-veeam.py
    ```

    Sample permissions:

    ```text
    -rwxr-x---.  1 root wazuh  1045 Jan 12 18:16 custom-veeam
    -rwxr-x---.  1 root wazuh  2711 Jan 12 22:05 custom-veeam.py
    # ... (other integrations)
    ```

  3. Edit the ossec.conf file:

    ```bash
    sudo vi /var/ossec/etc/ossec.conf
    ```

  4. Add the following configuration:

    ```xml
    <integration>
        <name>custom-veeam</name>
        <hook_url>0.0.0.0</hook_url> <!-- VBR IP or FQDN only -->
        <!-- level>12</level --> <!-- Alarms equal to or higher will alert, currently commented out -->
        <!-- group></group --> <!-- Use groups rather than rule IDs, currently commented out -->
        <rule_id>31100,92217,92052,92032,119999</rule_id> <!-- Use IDs of rules -->
        <api_key>administrator:password</api_key> <!-- Veeam user & pass separated by colon: user:pass -->
        <alert_format>json</alert_format>
        <options>{"data": "Custom data"}</options> <!-- Replace with your custom JSON object -->
    </integration>
    ```

  5. Restart Wazuh services:

    ```bash
    /var/ossec/bin/wazuh-control restart
    ```

Aligning with Rules

The strength of this integration lies in aligning it with specific Rule IDs or groups of Rules. Additionally, considering different severity levels can help trigger the API only on critical events. For example, aligning with known Ransomware Indicators of Compromise Rules can enhance detection effectiveness:

  • Rule ID 100201: Triggered when CrossLock ransomware drops a ransom note.
  • Rule ID 100111: Triggered when Blackbit ransomware deletes shadow copies on Windows.
  • Rule ID 100031: Triggered when Lockbit 3.0 ransomware deletes Windows defender service.
  • Rule ID 100108: Triggered when BlackCat modifies the registry to change MaxMpxCt settings.
Note: IDs from 100000 to 120000 are reserved for custom rules.

More information on custom rule creation and decoding is here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

The above rule examples are custom rules from Wazuh blog:

Debugging

Logging has been incorporated into custom-veeam.py, with log output directed to /var/ossec/logs/integration.log. To view Integrator Daemon logs:

```bash
grep "integratord" /var/ossec/logs/ossec.log
```

Enable Debugging for the Integrator Daemon with -d or -dd:

```bash
/var/ossec/bin/wazuh-integratord -dd
```

Malware Event in Veeam

When the alarm is triggered, the event created in Veeam is visible:

[Screenshot: Malware Event]

Wazuh Dashboard

On the Wazuh dashboard you can see the types of attacks and filter down to the exact rules or groups of rules you would like to trigger the Veeam Incident Response API.

[Screenshot: Wazuh Dashboard]

[Screenshot: Rule Filter]

Conclusion

The integration of Veeam with Wazuh opens up new possibilities for enhancing cybersecurity resilience. By combining the strengths of these two technologies, you can get ahead of the attack and preserve your data before it is compromised.


Thank you for reading this far. Share and comment.
