Security Monitoring Policy
Owner: Anchor MSP Operations Lead
Last reviewed: 2026-04-04
Purpose
Define how Anchor monitors managed systems for security threats.
Scope
All hosts and public-facing endpoints under Anchor managed production.
Policy
- Wazuh runs on all managed hosts. It provides:
  - Host-level intrusion detection (rootkit checks, anomaly detection).
  - File integrity monitoring (FIM) on critical system files and application configs.
  - Log-based threat detection from system and application logs.
- CrowdSec protects all public-facing endpoints. It provides:
  - Crowd-sourced threat intelligence: known malicious IPs are blocked automatically.
  - Automated IP blocking at the edge via bouncers.
  - Behavioral detection for brute force, scanning, and other attack patterns.
- Security alerts from both Wazuh and CrowdSec route through Alertmanager into the standard alert pipeline:
  - Critical security events (active intrusion, confirmed compromise) → #alerts-critical + SMS.
  - High security events (suspicious activity, repeated blocked attempts) → #alerts-high.
  - Medium/low events (informational, trend changes) → #alerts-medium or #alerts-low.
- A weekly security review is conducted using the Grafana security dashboard. The review covers:
  - Wazuh alerts and FIM changes from the past week.
  - CrowdSec block statistics and new threat patterns.
  - Any anomalies in Vault audit logs.
- CrowdSec ban lists and Wazuh detection rules are updated on Anchor's schedule. Updates are tested before deployment.
- Security incidents escalate per the incident response process.
Exceptions
None. Every managed host runs Wazuh. Every public endpoint is protected by CrowdSec.