SIEM Platform - Wazuh

Wazuh serves as the central security platform in the SOC architecture, providing comprehensive SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities with built-in EDR (Endpoint Detection and Response) functionality.

Wazuh is a free, open-source security platform that unifies XDR and SIEM capabilities, providing visibility across endpoints, cloud workloads, network devices, and containers.

Platform Overview

SIEM Capabilities

Event correlation, log analysis, and security monitoring

XDR Features

Extended detection across endpoints, network, and cloud

EDR Integration

Endpoint detection, response, and threat hunting

Compliance

PCI DSS, GDPR, HIPAA, NIST 800-53 compliance monitoring

Core Capabilities

Security Event Visualization

Wazuh provides comprehensive dashboards and visualization capabilities:

Overview Dashboard
Threat Detection
Compliance

Security events summary
Alert severity distribution
Top triggered rules
Geographic threat map
Agent status overview

Wazuh dashboards are built on OpenSearch Dashboards (formerly Kibana), providing powerful visualization and search capabilities across all security data.

Event Correlation Engine

The correlation engine enables sophisticated threat detection:

Rule-based Correlation

Correlate events using flexible rule syntax:

Multi-stage attack detection
Frequency-based alerting
Time-window correlation
Cross-source event matching

Automatic Response

Trigger automated responses to threats:

Block malicious IPs at firewall
Disable compromised accounts
Isolate infected endpoints
Execute custom scripts

Threat Intelligence

Enrich events with threat intelligence:

IP reputation lookups
File hash verification
Domain reputation checking
CVE database integration

EDR (Endpoint Detection and Response)

Agent Capabilities

Wazuh agents provide comprehensive endpoint visibility:

Monitoring Features
Detection Capabilities
Response Actions

Continuous Monitoring:

Log collection and forwarding
Command execution monitoring
Process creation tracking
Network connection monitoring
Registry changes (Windows)
File system activity

File Integrity Monitoring (FIM)

FIM generates significant events for high-change directories. Carefully select monitored paths to balance security visibility with system performance.

Monitor critical system files and directories:

<!-- Wazuh FIM configuration example -->
<syscheck>
  <directories check_all="yes" realtime="yes">/etc</directories>
  <directories check_all="yes" realtime="yes">/usr/bin</directories>
  <directories check_all="yes" realtime="yes">/usr/sbin</directories>
  
  <!-- Windows critical paths -->
  <directories check_all="yes" realtime="yes">C:\Windows\System32</directories>
  <directories check_all="yes" realtime="yes">C:\Program Files</directories>
  
  <ignore type="sregex">\.log$|/tmp</ignore>
</syscheck>

Architecture Components

Wazuh Manager

The central management server that:

Receives agent data and external log sources
Processes events through the analysis engine
Correlates events across multiple sources
Stores alerts in Elasticsearch/OpenSearch
Manages agent configurations and policies

Deploy Wazuh Manager in a cluster configuration for high availability and load distribution in enterprise environments.

Wazuh Indexer

Based on OpenSearch, provides:

Storage: Scalable alert and event storage
Search: Full-text search across all security data
Aggregation: Complex data aggregations for analytics
Retention: Configurable data retention policies

Wazuh Dashboard

Web-based interface offering:

Visualization: Pre-built and custom dashboards
Investigation: Advanced search and filtering
Reporting: Automated report generation
Management: Agent and configuration management
API Access: RESTful API for automation

Integration Points

Data Sources

Wazuh ingests data from multiple sources:

Network Detection

Snort/Suricata alerts via syslog
Firewall logs (OPNsense, pfSense)
Network device syslogs

Log Aggregation

Elasticsearch indices
Logstash pipelines
Fluentd forwarding

Infrastructure

Zabbix alerts
Prometheus metrics
System logs

Cloud Platforms

AWS CloudTrail
Azure Activity Logs
Google Cloud Audit Logs

Integration Configuration

Syslog Integration
API Integration
Webhook Alerts

Configure remote syslog reception:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.0/8</allowed-ips>
</remote>

Use Wazuh API for automation:

# Authenticate and get token
curl -u user:password -X POST \
  "https://wazuh-manager:55000/security/user/authenticate"

# Get agent list
curl -X GET "https://wazuh-manager:55000/agents" \
  -H "Authorization: Bearer $TOKEN"

Forward alerts to external systems:

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>

Customizable Dashboards

Pre-built Dashboards

Wazuh includes dashboards for:

Security Events: Overview of all security alerts
Integrity Monitoring: FIM changes and anomalies
Vulnerability Detection: CVE findings across endpoints
Regulatory Compliance: PCI DSS, GDPR, HIPAA status
MITRE ATT&CK: Attacks mapped to framework
Threat Hunting: Advanced search interface

Custom Dashboard Creation

Creating Custom Visualizations

Navigate to Dashboard management
Select data source (wazuh-alerts-*)
Choose visualization type (bar, pie, map, etc.)
Configure aggregations and filters
Save and add to dashboard

Dashboard Best Practices

Focus on actionable metrics
Use appropriate time ranges
Implement drill-down capabilities
Set auto-refresh intervals
Export dashboards for backup

Threat Detection and Hunting

Detection Rules

Wazuh includes 3000+ out-of-the-box rules:

Rule Categories
Custom Rules
Rule Testing

Authentication failures
Web application attacks
Malware detection
System configuration changes
Network anomalies
Compliance violations

Create custom detection rules:

<rule id="100001" level="10">
  <if_group>authentication_failed</if_group>
  <match>authentication failure</match>
  <same_source_ip />
  <frequency>5</frequency>
  <timeframe>120</timeframe>
  <description>Multiple authentication failures</description>
</rule>

Test rules before deployment:

# Test rule syntax
/var/ossec/bin/wazuh-logtest

# Input sample log
# View matched rules and alert level

Threat Hunting

Use Wazuh’s query language to hunt for specific indicators of compromise across your entire environment in real-time.

Advanced search capabilities:

// Hunt for PowerShell execution with encoded commands
data.win.eventdata.commandLine:*-enc* AND rule.id:61603

// Find lateral movement attempts
rule.mitre.tactic:"Lateral Movement" AND agent.ip:10.0.0.0/8

// Search for specific file hashes
data.virustotal.malicious:>0 AND data.sha256:"abc123..."

Configuration Management

Centralized Configuration

Manage agent configurations from the central server:

Agent Groups

Organize agents into logical groups:

Linux Servers: Linux-specific monitoring
Windows Workstations: Windows policy enforcement
Web Servers: Application-specific rules
Database Servers: Database security monitoring

Policy Distribution

Push configurations to agent groups:

<!-- agent.conf for web servers group -->
<agent_config name="web_servers">
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  <rootcheck>
    <frequency>86400</frequency>
  </rootcheck>
</agent_config>

Performance Tuning

In high-volume environments, proper tuning is essential to prevent event loss and ensure timely alert processing.

Optimization Strategies

Indexer Tuning: Adjust heap size, shards, and replicas
Manager Scaling: Distribute load across cluster nodes
Agent Throttling: Limit events per second per agent
Rule Optimization: Disable unnecessary rules
Data Retention: Implement lifecycle policies for old indices

Compliance Monitoring

Automatic compliance checking for:

PCI DSS

Payment card industry security standards

GDPR

General data protection regulation

HIPAA

Healthcare information security

NIST 800-53

Federal security controls

Official Documentation

Wazuh Documentation

Comprehensive official documentation covering installation, configuration, and use cases

Next Steps

Configure Incident Response integration with TheHive
Set up Automation with Cortex for response actions
Review Threat Detection strategies and hunting techniques

Overview

Architecture Components

Deployment

Operations

Security

​SIEM Platform - Wazuh

​Platform Overview

SIEM Capabilities

XDR Features

EDR Integration

Compliance

​Core Capabilities

​Security Event Visualization

​Event Correlation Engine

​EDR (Endpoint Detection and Response)

​Agent Capabilities

​File Integrity Monitoring (FIM)

​Architecture Components

​Wazuh Manager

​Wazuh Indexer

​Wazuh Dashboard

​Integration Points

​Data Sources

Network Detection

Log Aggregation

Infrastructure

Cloud Platforms

​Integration Configuration

​Customizable Dashboards

​Pre-built Dashboards

​Custom Dashboard Creation

​Threat Detection and Hunting

​Detection Rules

​Threat Hunting

​Configuration Management

​Centralized Configuration

​Performance Tuning

​Optimization Strategies

​Compliance Monitoring

PCI DSS

GDPR

HIPAA

NIST 800-53

​Official Documentation

Wazuh Documentation

​Next Steps

Build docs developers (and LLMs) love

SIEM Platform - Wazuh

Platform Overview

Core Capabilities

Security Event Visualization

Event Correlation Engine

EDR (Endpoint Detection and Response)

Agent Capabilities

File Integrity Monitoring (FIM)

Architecture Components

Wazuh Manager

Wazuh Indexer

Wazuh Dashboard

Integration Points

Data Sources

Integration Configuration

Customizable Dashboards

Pre-built Dashboards

Custom Dashboard Creation

Threat Detection and Hunting

Detection Rules

Threat Hunting

Configuration Management

Centralized Configuration

Performance Tuning

Optimization Strategies

Compliance Monitoring

Official Documentation

Next Steps