Wazuh SIEM Cluster
Wazuh SIEM Cluster provides centralized security monitoring for the Yandex Cloud infrastructure and connected hosts. The use cases include:
- Detect security threats in real time: unauthorized access, deletion of critical resources, bulk permission updates, and/or suspicious activity in your managed databases.
- Collect and analyze Yandex Cloud audit events via integration with the Cloud Logging API.
- Monitor file integrity, detect malware, and assess vulnerabilities on connected agents.
- Monitor cluster health: indexer states, manager synchronization, and TLS certificate expiration.
Core features
High-availability cluster architecture. The cluster consists of three indexers (OpenSearch), one master manager, one dashboard, and N worker managers. Indexers are distributed across three availability zones: ru-central1-a, ru-central1-b, and ru-central1-d. The number of workers is set at deployment and can be adjusted via Instance Groups.
1274 detection rules across 63 Yandex Cloud services. Full coverage of control plane and data plane events: IAM, Compute Cloud, VPC, Object Storage, managed databases (Managed Service for ClickHouse®, Managed Service for PostgreSQL, Managed Service for MySQL®, Yandex StoreDoc, Yandex Managed Service for Valkey™, Yandex MPP Analytics for PostgreSQL, Managed Service for OpenSearch, Managed Service for Apache Kafka®, and YDB), Managed Service for Kubernetes, Cloud Functions, DataSphere, Certificate Manager, KMS, Yandex Lockbox, Smart Web Security, and more. Severity levels are assigned under the Wazuh classification standard (0 to 15).
Integration with Cloud Logging and Audit Trails. A built-in module, wodle, fetches audit events from a Cloud Logging log group every minute. Events are deduplicated using a local database and forwarded to the Wazuh analytics engine for rule matching.
Correlation rules. Three rules detect complex attack patterns, such as bulk modification of access bindings, multiple deletion operations within a short time window, or repeated unauthorized access attempts (brute-force attacks).
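The three correlation patterns described above, as an added example that is not part of the product's own rule set: a per-subject sliding window over constructed audit events, with assumed field names loosely modelled on Audit Trails records, and thresholds, windows and severity levels chosen for illustration only.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ev(time, event_type, subject, status="DONE", error=None):
    """Build one constructed audit event (field names are an assumption)."""
    return {"event_time": time, "event_type": event_type, "subject_id": subject,
            "event_status": status, "error_code": error}

# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "yandex.cloud.audit.iam.UpdateAccessBindings", "alice"),
    ev("2024-05-01T10:00:20Z", "yandex.cloud.audit.iam.UpdateAccessBindings", "alice"),
    ev("2024-05-01T10:00:40Z", "yandex.cloud.audit.iam.UpdateAccessBindings", "alice"),
    ev("2024-05-01T10:01:00Z", "yandex.cloud.audit.iam.UpdateAccessBindings", "alice"),
    ev("2024-05-01T10:01:30Z", "yandex.cloud.audit.iam.UpdateAccessBindings", "alice"),
    ev("2024-05-01T10:05:00Z", "yandex.cloud.audit.compute.DeleteInstance", "bob"),
    ev("2024-05-01T10:06:00Z", "yandex.cloud.audit.compute.DeleteDisk", "bob"),
    ev("2024-05-01T10:07:30Z", "yandex.cloud.audit.mdb.postgresql.DeleteCluster", "bob"),
    ev("2024-05-01T10:20:00Z", "yandex.cloud.audit.compute.DeleteInstance", "bob"),  # outside window
    ev("2024-05-01T10:30:00Z", "yandex.cloud.audit.storage.GetObject", "mallory", "ERROR", "PERMISSION_DENIED"),
    ev("2024-05-01T10:30:05Z", "yandex.cloud.audit.storage.GetObject", "mallory", "ERROR", "PERMISSION_DENIED"),
    ev("2024-05-01T10:30:10Z", "yandex.cloud.audit.storage.GetObject", "mallory", "ERROR", "PERMISSION_DENIED"),
    ev("2024-05-01T10:30:15Z", "yandex.cloud.audit.storage.GetObject", "mallory", "ERROR", "PERMISSION_DENIED"),
]

# rule name -> (match predicate, threshold, window, Wazuh-style level). Values are illustrative assumptions.
RULES = {
    "bulk_access_binding_update": (lambda e: e["event_type"].endswith("UpdateAccessBindings") and e["event_status"] == "DONE", 5, timedelta(minutes=2), 12),
    "multiple_deletions": (lambda e: ".Delete" in e["event_type"] and e["event_status"] == "DONE", 3, timedelta(minutes=5), 10),
    "repeated_unauthorized_access": (lambda e: e["event_status"] == "ERROR" and e["error_code"] == "PERMISSION_DENIED", 4, timedelta(minutes=1), 10),
}

def correlate(events, rules=RULES):
    """Sliding-window correlation keyed by (rule, subject); fires one alert per burst."""
    windows = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda x: x["event_time"]):
        ts = datetime.fromisoformat(e["event_time"].replace("Z", "+00:00"))
        for name, (match, threshold, window, level) in rules.items():
            if not match(e):
                continue
            q = windows[(name, e["subject_id"])]
            q.append(ts)
            while ts - q[0] > window:   # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": name, "subject": e["subject_id"], "level": level, "time": e["event_time"]})
                q.clear()               # one alert per burst, then start counting again
    return alerts
```

Bob's fourth deletion at 10:20 starts a fresh window and stays below the threshold, so the sample yields exactly three alerts.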
TLS certificate monitoring. The wodle module checks TLS certificate expiration on managers and workers daily. Alerts are triggered at 30, 14, and 7 days before expiration.
Benefits
- Ready-to-use cluster in 8 to 9 minutes, with all components autoconfigured.
- Detection rules cover all major Yandex Cloud services, including managed databases, serverless platforms, and AI/ML services.
- Scalable architecture: you can adjust the worker manager count via Instance Groups without cluster re-creation.
- Create a cloud network and three subnets, one in each availability zone: ru-central1-a, ru-central1-b, and ru-central1-d.
- Create a Yandex Lockbox secret with an admin password. Password requirements:
  - The password may contain uppercase and lowercase Latin letters, digits, and special characters.
  - The password must not consist of digits alone.
  - The minimum length is nine characters.
- Create a Yandex Cloud Logging log group for audit events.
- Get an SSH key pair for connection to the VM.
- Create an application:
  - In the Marketplace, find Wazuh SIEM Cluster and click Create application.
  - Specify the parameters:
    - Name of your Wazuh SIEM Cluster instance.
    - Service account you are going to use to install the app. The service account must have the admin role for the folder. To create a service account with the required permissions during app installation, select Auto.
    - Prefix for naming resources. The default value is wazuh.
    - Subnets in the ru-central1-a, ru-central1-b, and ru-central1-d availability zones.
    - Yandex Lockbox secret with your Wazuh admin password.
    - Public SSH key.
    - Number of the manager's worker nodes: at least 1.
    - Log group ID for the audit.
    - Environment type: Development or Production.
  - Click Install.
  - In the window that opens, confirm resource creation. Wait until all created VM instances switch their status to RUNNING.
- Get access to the dashboard:
  - In the management console, navigate to Compute Cloud.
  - Locate the VM named wazuh-d7fr1881dsfq********-dashboard and copy its public IP address.
  - Open https://<dashboard_VM_IP_address> in your browser and accept the self-signed certificate warning.
  - On the page that opens, enter admin as the username along with the password you previously saved to a Yandex Lockbox secret.
- Analyzing the security of cloud resources, including containers.
- Detecting intrusions.
- Identifying vulnerabilities.
- Analyzing logs.
- Monitoring files.
- Evaluating the system configuration.
- Responding to security incidents.
- Performing security compliance checks.
- Analyzing security events in Yandex Cloud.
OpenNix
OpenNix provides technical support to Wazuh users in Yandex Cloud. You can contact their support team by email at support@opennix.ru. Support is available on business days from 9 a.m. to 6 p.m., GMT+3.
Yandex Cloud
Yandex Cloud does not provide technical support for this product. If you have any issues, please refer to the vendor’s information resources.
| Resource type | Quantity |
|---|---|
| Access rights for folder | 8 |
| Lockbox secret | 1 |
| Virtual machines | 5 |
| Instance group | 1 |
| Service account | 1 |