Hi everyone,

We are very pleased to announce the release of Wazuh v3.0. We also would like to take this opportunity to appreciate the constant feedback received from our community, which is of great help for the development of the project.

Wazuh v3.0 comes with new features that, basically, improve all the components of Wazuh, including the core capabilities, the API and the Wazuh app for Kibana. Also, reported bugs have been fixed.

A brief summary of the new features can be found below. In addition, you can find more details in our release notes and changelog file.

The highlights of this new version, Wazuh v3.0, are:

New cluster for Wazuh managers

We can now have several managers working together in cluster mode. Basically, they contain a new protocol that allows them to share the information needed for managing agents connectivity. In other words, agents will be able to report to any manager in the cluster, which will be distributing the workload among the different nodes and provide HA capabilities.

As shown in the diagram below, the cluster architecture is master/client based. Master nodes will be in charge of centralizing all the configuration and management of Wazuh.

Classify agents by groups

As part of management centralization, you can now group agents in order to set a specific configuration, rootcheck policies and hardening checks to a particular group. For each group, the manager will push to the agents its corresponding files remotely, applying changes automatically.

Remote agent upgrades

We have implemented a new procedure to be able to upgrade agents remotely. Now future releases can be deployed across our agents using just one command or an API request, both on the manager side.

For this purpose, each new release after Wazuh 3.0 will include WPK (Wazuh Signed Packages) files containing all that is needed to upgrade the agents. In addition, users will be able to generate their own custom WPK files.

Below you can see an example:

# agent_upgrade -a 002

Sending WPK: [=========================] 100%

Upgrade procedure started... Please wait.

Agent upgraded: Wazuh v3.0.0 -> Wazuh v3.1.0

Native JSON decoder

Managers of Wazuh v3.0 can read any JSON event received from agents and extract its fields dynamically. In other words, fields does not need to be predefined. We will have just one JSON decoder to retrieve data from any source in JSON format.

Creation of custom rules will be easier than ever thanks to the JSON decoder and the ability to add labels to JSON events.

VirusTotal integration

Thread intelligence sources are enhancing our detection capabilities. In this case, the VirusTotal integration checks whether your monitored files are known to be malware.

This is how it works. It receives alerts from our FIM engine and extracts the hashes of the related files. These hashes are sent to the VirusTotal service, who reports back the scan results, generating alerts like the following one.

** Alert 1510684984.55826: mail  - virustotal,
2017 Nov 14 18:43:04 PC->virustotal
Rule: 87105 (level 12) -> 'VirusTotal: Alert - /media/user/software/suspicious-file.exe - 7 engines detected this file'
{"virustotal": {"permalink": "https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "malicious": 1, "source": {"alert_id": "1510684983.55139", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "file": "/media/user/software/suspicious-file.exe", "agent": {"id": "006", "name": "agent_centos"}, "md5": "9519135089d69ad7ae6b00a78480bb2b"}, "positives": 7, "found": 1, "total": 67, "scan_date": "2017-11-14 17:24:37"}, "integration": "virustotal"}
virustotal.permalink: https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/
virustotal.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.malicious: 1
virustotal.source.alert_id: 1510684983.55139
virustotal.source.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.source.file: /media/user/software/suspicious-file.exe
virustotal.source.agent.id: 006
virustotal.source.agent.name: agent_centos
virustotal.source.md5: 9519135089d69ad7ae6b00a78480bb2b
virustotal.positives: 7
virustotal.found: 1
virustotal.total: 67
virustotal.scan_date: 2017-11-14 17:24:37
integration: virustotal

Wazuh App

The Wazuh App has been rewritten to support Kibana v6.x and improve its performance.

It includes a new “Groups tab” where you can browse through the configuration of the different groups and see the list of agents that belongs to a particular group.

You can also change the initial index-pattern. In the package.json you can change the initialPattern variable to determine the initial pattern used in the visualizations and discovers. In addition, the “Pattern tab” allows users to change dynamically the index-pattern for the App selecting it among the ones created in Kibana.

Other relevant features

  • New MSI Windows installer for agents.
  • Enhancement of the Wazuh API to manage all the features included in this release.
  • New rules and decoders in the Wazuh Ruleset.

Finally, we encourage you to download Wazuh v3.0 and try it out. Please, let us know what you think in Twitter (@wazuh) or in our Wazuh mailing list.

More interesting links: