8. Wazuh Integrations - Fooster171/Wazuh-SEIM-Home-Lab GitHub Wiki

Windows Defender Logs

Open the Wazuh dashboard and navigate to "Management"->"Groups". Select the pencil icon to open the group configuration:

Add the following lines to the group configuration (the log channel goes inside a <localfile> block, which is the form Wazuh expects):

```xml
<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

So that the group config file appears like this:

If you go to the Menu and select Modules -> VirusTotal you will find that there is no data present. If you wish to test the integration you can use EICAR, which is a simple text string that, if saved as an .exe file, can be used to test AV software (see the Wikipedia article "EICAR test file").

With your AV software enabled, run the .exe file that you created and confirm that it is blocked. This should now populate the Wazuh Security Alerts for the appropriate agent.

VirusTotal

In order to use the VirusTotal integration, you'll need to first get an API key. Go to www.virustotal.com and sign up for an account. After logging in, an API key will be available within your account settings.

The VirusTotal integration allows us to check results from the file integrity monitor against hashes stored in the VirusTotal platform. Navigate to the Management -> Configuration section in Wazuh and edit the configuration file (ossec.conf).

Add this entry to the ossec.conf file (an <integration> block; replace API_KEY with your own key):

```xml
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
```

After you've entered your API key in the appropriate section, save the configuration and restart the manager.

Back inside the Wazuh manager's menu, go to Settings -> Modules and ensure the VirusTotal integration is turned on:
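As an added example (not part of the original wiki or of Wazuh itself), a short Python check that confirms the two fragments above were applied as described: it copes with ossec.conf containing several top-level <ossec_config> elements, flags an api_key left at the API_KEY placeholder, and verifies that the Defender channel is read with eventchannel. The sample config strings and helper names are constructed for this example.

```python
import xml.etree.ElementTree as ET
# Constructed samples. A real ossec.conf holds several sibling <ossec_config>
# blocks, so it is not one well-formed XML document and needs a wrapper root.
SAMPLE_OSSEC_CONF = """<ossec_config><global><jsonout_output>yes</jsonout_output></global></ossec_config>
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>"""

SAMPLE_AGENT_CONF = """<agent_config>
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>"""

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

def parse_multi_root(text):
    """Wrap the file in a synthetic root so ElementTree accepts it."""
    return ET.fromstring("<root>" + text + "</root>")

def text_of(elem, tag):
    return (elem.findtext(tag) or "").strip()

def check_virustotal_integration(text):
    """List problems with the VirusTotal <integration> block; [] means OK."""
    blocks = [b for b in parse_multi_root(text).iter("integration")
              if text_of(b, "name") == "virustotal"]
    if not blocks:
        return ["no <integration> block with <name>virustotal</name>"]
    problems = []
    for b in blocks:
        if text_of(b, "api_key") in ("", "API_KEY"):
            problems.append("api_key is empty or still the API_KEY placeholder")
        if text_of(b, "group") != "syscheck":
            problems.append("group must be syscheck so FIM alerts are sent")
        if text_of(b, "alert_format") != "json":
            problems.append("alert_format must be json")
    return problems

def has_defender_channel(text):
    """True if a <localfile> reads the Defender channel via eventchannel."""
    return any(text_of(lf, "location") == DEFENDER_CHANNEL
               and text_of(lf, "log_format") == "eventchannel"
               for lf in parse_multi_root(text).iter("localfile"))
```

Run it against your real ossec.conf and the agent group file by reading them into the two functions; an empty problem list and a True result mean the fragments are in place.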
