Section 7 (optional) — Wazuh SIEM incident response (WIP)
When to use
Compare agent-side detection (Wazuh) vs central log analytics (Splunk). Requires Wazuh manager/agents + setup/configure-wazuh-eda.yml as deployed.
|
Same Zero Trust response, different sensor
Section 5 used centralized search over forwarded logs. Wazuh uses agents that evaluate events locally (rules 5712, etc.). The actuator is still EDA → AAP → Vault. Your containment philosophy (revoke creds, stop app dependence on DB) stays the same. Choosing Splunk vs Wazuh is usually an architecture and operations trade-off, not a different trust model. |
Exercise 7.1 — Job templates
| Template | Playbook |
|---|---|
Emergency: Revoke App Credentials |
|
Simulate Brute Force (Wazuh) |
|
Restore App Credentials |
|
|
Reuse containment playbooks
Revoke/restore stay in Section 5 playbooks on purpose. Incident response is standardized; only the triggering telemetry changes. This reduces duplicated security logic and audit surface. |
Exercise 7.2 — EDA rulebook
In the Event-Driven Ansible controller (AAP 2.6), add project content for extensions/eda/rulebooks/wazuh-credential-revoke.yml, a Decision Environment, and a Rulebook Activation (see section7/README.md). For CLI-only demos, use ansible-rulebook as documented there.
|
Normalize events at the edge
Wazuh’s JSON/webhook to EDA should map to the same decision Splunk would have made for “brute force detected.” Consistent event contracts between SIEM and automation are a ZTA integration best practice. |
Exercise 7.4 — Simulate brute force
ansible-playbook section7/playbooks/simulate-bruteforce-wazuh.yml
|
Host visibility
Agents see local auth logs immediately, which can reduce detection latency vs batch shipping to a central indexer. Useful when time-to-contain is measured in seconds. |
Exercise 7.5 — Observe response
Wazuh dashboard: rule 5712 and related; EDA event; automation controller revoke job; app unhealthy; DB role gone.
|
Correlate the full chain
Confirm rule fired → webhook delivered → EDA activation → automation controller job in order. Gaps in that chain are where attackers dwell. Observability of the automation path is as important as the initial IDS alert. |