
Wazuh SIEM Integration

Overview

Social engineering attacks rarely show up in infrastructure telemetry on their own, so the events a social engineering protection platform produces are worth feeding into the same place where the rest of your detections run. This document describes how to integrate Wazuh, an open source security platform with Security Information and Event Management (SIEM) capabilities, with ChallengeWord: ChallengeWord submits incident events to the Wazuh API, and a custom Wazuh rule turns them into alerts.


Requirements

  • Wazuh manager with the Wazuh API enabled (latest version recommended; the integration submits events through the API, which listens on TCP 55000 by default)
  • ChallengeWord Business account with administrative access


Step 1: Create a Rules File in Wazuh

  • Navigate to the custom rules directory on your Wazuh manager (/var/ossec/etc/rules/ on a default installation).


  • Create a new rules file named challengeword.xml in that directory.


  • Use the following template and customize it if needed. Wazuh documents 100000-120000 as the range reserved for custom rule IDs, so renumber the rule into that range if you want to follow the convention or if 99999 is already in use; the ID must be unique across all loaded rules.
  • Take note of the "integration" field value (ChallengeWord). The ChallengeWord portal must send exactly this value in Step 3.
  • After saving the file, restart the manager (systemctl restart wazuh-manager) so the new rule is loaded; a syntax error in the file is reported in /var/ossec/logs/ossec.log.
 

Filename: challengeword.xml

<group name="challengeword,">
    <!-- Fires for any JSON-decoded event whose top-level "integration" key contains
         "ChallengeWord". Level 10 is above the default alert threshold (3), so a
         match is written to alerts.json and shown on the dashboard. -->
    <rule id="99999" level="10">
        <decoded_as>json</decoded_as>
        <field name="integration">ChallengeWord</field>
        <description>ChallengeWord alert.</description>
    </rule>
</group>



Step 2: Establish API Access in Wazuh

  • Create a new API user dedicated to the ChallengeWord integration. Grant it only what event submission needs: a role carrying a policy that allows the event ingestion action (event:ingest on resource *:*:*), rather than the built-in administrator role. A credential that can only submit events limits what an attacker can do with it if it leaks.

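The script below is an added example, not ChallengeWord's or Wazuh's own tooling. It performs Step 2 against the Wazuh API: it creates a policy that allows only the event:ingest action, a role carrying that policy, a user, and then authenticates as that user to confirm the credentials work before they are entered in the portal. Assumptions: the API is reachable at https://<host>:55000 and still uses its default self-signed certificate (verification is disabled here and should be pointed at your CA in production); the environment variables WAZUH_HOST, WAZUH_ADMIN_USER, WAZUH_ADMIN_PASS and CHALLENGEWORD_API_PASS are set; the hostname wazuh.example.internal is a placeholder.

```python
"""Provision a least-privilege Wazuh API user for ChallengeWord event ingestion.

Added example, not ChallengeWord's or Wazuh's own code. Assumes the Wazuh API
on https://<host>:55000 (default port) and that POST /events is guarded by the
event:ingest action. Placeholder hostname: wazuh.example.internal.
"""
import base64
import json
import os
import ssl
import urllib.request

WAZUH_HOST = os.environ.get("WAZUH_HOST", "wazuh.example.internal")  # assumed placeholder
API_BASE = f"https://{WAZUH_HOST}:55000"

# The Wazuh API ships with a self-signed certificate. For production replace this
# with ssl.create_default_context(cafile="<your-ca>.pem") so TLS is verified.
_TLS = ssl._create_unverified_context()


def api_url(path: str) -> str:
    return API_BASE + path


def ingest_policy(name: str = "challengeword_ingest") -> dict:
    """Policy body allowing event ingestion only: no read access to agents, alerts or config."""
    return {
        "name": name,
        "policy": {"actions": ["event:ingest"], "resources": ["*:*:*"], "effect": "allow"},
    }


def _call(method: str, path: str, token=None, body=None, basic=None) -> dict:
    """Single Wazuh API request; bearer token for normal calls, basic auth for login."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    elif basic:
        creds = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(api_url(path), data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=_TLS, timeout=15) as resp:
        return json.load(resp)


def authenticate(username: str, password: str) -> str:
    """Exchange username/password for a bearer token (the check 'Test Pre-Auth' performs)."""
    return _call("POST", "/security/user/authenticate", basic=(username, password))["data"]["token"]


def first_id(response: dict) -> int:
    """Id of the first created object in a Wazuh API response."""
    return response["data"]["affected_items"][0]["id"]


def provision_ingest_user(admin_user: str, admin_pass: str, new_user: str, new_pass: str) -> dict:
    token = authenticate(admin_user, admin_pass)
    policy_id = first_id(_call("POST", "/security/policies", token, ingest_policy()))
    role_id = first_id(_call("POST", "/security/roles", token, {"name": "challengeword_ingest"}))
    _call("POST", f"/security/roles/{role_id}/policies?policy_ids={policy_id}", token)
    user_id = first_id(_call("POST", "/security/users", token,
                             {"username": new_user, "password": new_pass}))
    _call("POST", f"/security/users/{user_id}/roles?role_ids={role_id}", token)
    # Confirm the new account can log in before handing the credentials to ChallengeWord.
    authenticate(new_user, new_pass)
    return {"policy_id": policy_id, "role_id": role_id, "user_id": user_id}


if __name__ == "__main__":
    print(provision_ingest_user(os.environ["WAZUH_ADMIN_USER"], os.environ["WAZUH_ADMIN_PASS"],
                                "challengeword", os.environ["CHALLENGEWORD_API_PASS"]))
```

The resulting user cannot read agents, alerts or configuration; the worst a leaked credential allows is injecting events that the Step 1 rule will alert on, which is still a reason to rotate it promptly.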


Step 3: Configure ChallengeWord

  • Log into your ChallengeWord portal.
  • Navigate to:
    • Settings
    • Incident Management
    • SIEM Integrations
  • Click the "Add SIEM Integration" and select "Wazuh"
  • Enter the Wazuh API host (IP or FQDN) and the username and password of the API user created in Step 2.


  • The first field of Event Data, "integration = ChallengeWord", must match the field name and value in the challengeword.xml rule created in Step 1:

<field name="integration">ChallengeWord</field>


  • Wazuh receives event information as a JSON object containing an "events" array. Each element of the array is a string holding one JSON-encoded event (not a nested object); Wazuh decodes that string with its JSON decoder, which is what makes the top-level "integration" key available to the rule. ChallengeWord's Wazuh template is pre-configured for this shape and no changes to the section should be necessary.

{
  "events": [
    "{eventDataAsJsonString}"
  ]
}



Step 4: Test and Validate

  • After setting up the integration, perform a test to ensure that events from ChallengeWord are sent to and processed by Wazuh.
  • ChallengeWord provides a "Test Pre-Auth" button for checking that the credentials are accepted by the Wazuh API and a "Test Event Submission" button for sending a test event.
  • Verify that the events appear in the Wazuh dashboard (filter on rule.groups: challengeword, the group name from the rules file) and that alerts are generated according to the configured rules.
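Before relying on the portal's test buttons, the following added example (not ChallengeWord's or Wazuh's code) checks offline that an event in the template envelope from Step 3 will match the Step 1 rule: it builds the {"events": [...]} body, verifies that each element is a JSON string decoding to an object, and compares every <field> in the rules XML against the decoded event. The event body is a constructed sample, not ChallengeWord's real schema. The field comparison approximates Wazuh's default osregex matching with a case-sensitive substring search, which is exact for a plain literal such as ChallengeWord; for anything more complex, run_logtest feeds the same event to /var/ossec/bin/wazuh-logtest (assumed to be at its default install path on the manager) for the authoritative answer.

```python
"""Offline check that a ChallengeWord event will match the challengeword.xml rule.

Added example, not ChallengeWord's or Wazuh's own code. RULES_XML is the Step 1
template; SAMPLE_EVENT is a constructed event, not ChallengeWord's real schema.
"""
import json
import os
import subprocess
import xml.etree.ElementTree as ET

RULES_XML = """<group name="challengeword,">
    <rule id="99999" level="10">
        <decoded_as>json</decoded_as>
        <field name="integration">ChallengeWord</field>
        <description>ChallengeWord alert.</description>
    </rule>
</group>"""

# Constructed sample of what the portal's Event Data section might emit.
SAMPLE_EVENT = {"integration": "ChallengeWord", "event": "challenge_failed",
                "user": "jdoe@example.com", "channel": "phone"}

LOGTEST = "/var/ossec/bin/wazuh-logtest"  # default install path (assumption)


def wazuh_envelope(*events: dict) -> dict:
    """Body for POST /events: an object whose 'events' array holds JSON *strings*."""
    return {"events": [json.dumps(e) for e in events]}


def rule_fields(rules_xml: str):
    """Yield (rule_id, {field_name: expected_value}) for every JSON-decoded rule."""
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.findtext("decoded_as") != "json":
            continue
        fields = {f.get("name"): (f.text or "") for f in rule.findall("field")}
        yield rule.get("id"), fields


def matching_rules(envelope: dict, rules_xml: str) -> list:
    """For each event in the envelope, the ids of the rules it would trigger."""
    hits = []
    for raw in envelope["events"]:
        if not isinstance(raw, str):
            raise TypeError("each element of 'events' must be a JSON string, not a nested object")
        event = json.loads(raw)  # the json decoder needs a parsable document
        if not isinstance(event, dict):
            raise ValueError("event must decode to a JSON object so its keys become fields")
        matched = [rid for rid, fields in rule_fields(rules_xml)
                   if all(expected in str(event.get(name, ""))  # substring ~ osregex for literals
                          for name, expected in fields.items())]
        hits.append(matched)
    return hits


def run_logtest(event: dict):
    """Feed one event line to wazuh-logtest on the manager; None if it is not installed."""
    if not (os.path.isfile(LOGTEST) and os.access(LOGTEST, os.X_OK)):
        return None
    proc = subprocess.run([LOGTEST], input=json.dumps(event) + "\n",
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


if __name__ == "__main__":
    env = wazuh_envelope(SAMPLE_EVENT)
    print(json.dumps(env, indent=2))
    print("rule ids matched per event:", matching_rules(env, RULES_XML))
    out = run_logtest(SAMPLE_EVENT)
    print(out if out else "wazuh-logtest not found here; run this on the Wazuh manager")
```

A common mistake this catches is sending the event as a nested object inside the array instead of as a string; matching_rules raises on that rather than silently reporting no match.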


Troubleshooting

  • Ensure that the Wazuh API port (TCP 55000 by default) is reachable from ChallengeWord. Restrict inbound access to the source addresses ChallengeWord connects from rather than exposing the API to the whole internet, and use a TLS certificate the client can verify.
  • Verify the API credentials and the role permissions (event ingestion must be allowed) if ChallengeWord is unable to connect to or submit events to the Wazuh server.
  • Check the rules file for syntax errors (reported in /var/ossec/logs/ossec.log when the manager restarts) if events are not triggering alerts as expected; feeding a sample event to /var/ossec/bin/wazuh-logtest on the manager shows which rule, if any, matches it.

By following these steps, you can effectively integrate ChallengeWord with Wazuh, enhancing your ability to detect and respond to social engineering threats.