Dear Max,

Thank you for your reply!

Your scenario makes a lot of sense and is similar to what I intend to do (except the active response part). Can you please provide an example of the security events that are being triggered in PF? Are they configured through the SO API?

To explain myself in a better way, we intend to use the active response feature of Wazuh (https://documentation.wazuh.com/3.12/user-manual/capabilities/active-response/index.html?highlight=response), which will allow us to trigger a script on one or several machines. The idea, for example, would be to change a certain policy whenever a critical alert is triggered on the network (for example, adding a WMI integrity check to the 802.1x authentication). Ideally, if that process can be done through the command line, I should be able to write it in a script and trigger that through Wazuh.

I hope you could help me in any way. I look forward to hearing back from you.

Best Regards
Jean Matar
Cybersecurity Masters Student – USJ
jean.ma...@net.usj.edu.lb

From: Max McGrath <mmcgr...@carthage.edu>
Sent: Monday, April 13, 2020 3:23 AM
To: ML PF <packetfence-users@lists.sourceforge.net>
Cc: Jean Matar <jean.ma...@net.usj.edu.lb>
Subject: Re: [PacketFence-users] Packetfence integration with Wazuh

Jean -

I'm not sure if this fits your use case or not, but we run Security Onion (SO) and PacketFence (PF) on our network and have them work together. SO comes with the ELK stack built in. I am currently using Elastalert (part of Elasticsearch) to trigger security events in PF via its API. I currently have alerts based on IDS signatures and Palo Alto traffic data (mainly URL Filtering alerts). I do use Wazuh, but am not currently triggering any PF security events based on its data. SO has the Wazuh manager installed by default and you can easily add Wazuh agents to systems on your network. This may be worth a look (unless I'm completely missing what your goal is...).

Max
--
Max McGrath
Infrastructure and Security Manager
Carthage College
262-551-6666
mmcgr...@carthage.edu
http://www.linkedin.com/in/max-mcgrath-a299124b

On Sat, Apr 11, 2020 at 9:57 PM Jean Matar via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello all!

My name is Jean and I am a cyber security master's student. As a project we were assigned the task of checking if we could integrate Wazuh (https://wazuh.com/; Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance) with PacketFence as a way to check for anomalies on a device upon registration, and for corrective actions from the SIEM solution on to PacketFence. Does anyone have any information regarding the matter and if it is possible? Any help is much appreciated!

Thank you for your assistance
Regards

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
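A worked example of the script-driven path discussed in this thread (a Wazuh active response that raises a PacketFence security event), added here as an illustration; it is not code from either poster, nor from the Wazuh or PacketFence projects. It assumes the Wazuh 3.x active-response argument order (action, user, source IP, alert id, rule id), and the PacketFence REST API paths it calls (/api/v1/login, /api/v1/ip4logs/ip2mac/<ip>, /api/v1/node/<mac>/apply_security_event), the PF_URL, credentials and the rule-to-security-event map are placeholders that must be checked against your own PacketFence version and API documentation. FakeTransport is a constructed stand-in for the PF API so the script can be run offline.

```python
#!/usr/bin/env python3
"""Wazuh active-response script that raises a PacketFence security event.

Added example for this thread, not code from Wazuh, PacketFence or either poster.
Assumptions to verify against your versions:
  - Argument order follows the Wazuh 3.x active-response convention:
    action (add/delete), user, source IP, alert id, rule id.
  - PacketFence REST API paths used here are assumed: POST /api/v1/login
    (returns {"token": ...}), GET /api/v1/ip4logs/ip2mac/<ip> (returns {"mac": ...})
    and POST /api/v1/node/<mac>/apply_security_event.
  - PF_URL, PF_USER, PF_PASS and RULE_TO_SECURITY_EVENT are placeholder site values.
"""
import ipaddress
import json
import sys
import urllib.request

PF_URL = "https://packetfence.example.internal:9999"  # placeholder
PF_USER = "api-user"                                   # placeholder
PF_PASS = "api-password"                               # placeholder

# Only explicitly mapped Wazuh rule ids may raise a PF security event (placeholder ids).
RULE_TO_SECURITY_EVENT = {
    "100100": "3000001",
    "100101": "3000002",
}


def parse_args(argv):
    """Return (action, src_ip, rule_id) from the Wazuh argument list, or None."""
    if len(argv) < 6:
        return None
    action, _user, src_ip, _alert_id, rule_id = argv[1:6]
    if action not in ("add", "delete"):
        return None
    try:
        ipaddress.ip_address(src_ip)  # reject junk before it reaches a URL path
    except ValueError:
        return None
    return action, src_ip, rule_id


def http_json(method, path, body=None, token=None, send=None):
    """Send one JSON request to the PF API; `send` lets callers inject a fake transport."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(PF_URL + path, data=data, headers=headers, method=method)
    if send is not None:
        return send(req)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def handle(argv, send=None):
    """Map a Wazuh alert to a PF security event; returns a dict describing the outcome."""
    parsed = parse_args(argv)
    if parsed is None:
        return {"status": "ignored", "reason": "bad arguments"}
    action, src_ip, rule_id = parsed
    if action != "add":
        return {"status": "ignored", "reason": "only 'add' is handled"}
    sec_id = RULE_TO_SECURITY_EVENT.get(rule_id)
    if sec_id is None:
        return {"status": "ignored", "reason": "rule %s not mapped" % rule_id}
    token = http_json("POST", "/api/v1/login",
                      {"username": PF_USER, "password": PF_PASS}, send=send)["token"]
    mac = http_json("GET", "/api/v1/ip4logs/ip2mac/" + src_ip, token=token, send=send)["mac"]
    http_json("POST", "/api/v1/node/%s/apply_security_event" % mac,
              {"security_event_id": sec_id}, token=token, send=send)
    return {"status": "applied", "mac": mac, "security_event_id": sec_id}


class FakeTransport:
    """Constructed stand-in for the PF API so the script can be exercised offline."""

    def __init__(self):
        self.calls = []

    def __call__(self, req):
        self.calls.append((req.get_method(), req.full_url, req.get_header("Authorization")))
        if req.full_url.endswith("/api/v1/login"):
            return {"token": "constructed-token"}
        if "/api/v1/ip4logs/ip2mac/" in req.full_url:
            return {"mac": "00:11:22:33:44:55"}  # constructed MAC
        return {"status": 200}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(handle(sys.argv)))  # invoked by Wazuh with its argument list
    else:
        fake = FakeTransport()  # offline demonstration with a constructed alert
        print(json.dumps(handle(["pf_event.py", "add", "-", "192.0.2.10", "1586700000.1", "100100"], fake)))
        for call in fake.calls:
            print(call)
```

The allowlist of mapped rule ids and the IP check are the defensive part: a SIEM-driven hook that can change a node's network access should act only on rules you chose, never on arbitrary alert content. Wazuh re-invokes the script with the action "delete" when a configured active-response timeout expires; this example ignores that call, so the security event stays open until it is handled inside PacketFence.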