Wazuh
What is Wazuh?
An open-source XDR and SIEM platform — a 2015 fork of OSSEC — that unifies endpoint, cloud, and container telemetry with built-in dashboards on the Wazuh Indexer and Dashboard.
Wazuh is a GPLv2 security platform created in 2015 by Santiago Bassett and Daniel B. Cid as a fork of OSSEC, today positioned as an open-source XDR/SIEM. The Wazuh agent runs on Linux, Windows, macOS, AIX, and Solaris and collects logs, file-integrity events, vulnerability data, system inventory, MITRE ATT&CK-mapped detections, and cloud audit feeds (AWS, Azure, GCP, Office 365, GitHub). Data lands in the Wazuh Indexer (an OpenSearch fork) and is visualized in the Wazuh Dashboard. Wazuh ships thousands of pre-built rules and decoders, supports active response, file integrity monitoring (FIM), security configuration assessment (SCA) with CIS benchmark policies, and is offered as a managed cloud service. It is among the most widely deployed open-source SOC stacks.
● Examples
- 01
Detecting a Mimikatz execution on a Windows endpoint via Sysmon log ingestion and ATT&CK rule mapping.
- 02
Auto-blocking an SSH brute-force source on a Linux server with the Wazuh active-response module.
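A concrete configuration for example 02, added here as an illustration; it is not taken from the Wazuh project or its documentation. It assumes Wazuh 4.x conventions: built-in rule 5716 ("sshd: authentication failed") and the bundled firewall-drop active-response script are Wazuh's own, while the custom rule ID 100100, its five-failures-in-60-seconds threshold and the 600-second block duration are choices made for this example. The manager paths named in the comments (local_rules.xml under /var/ossec/etc/rules/ and /var/ossec/etc/ossec.conf) are the assumed defaults.

```xml
<!-- Fragment 1: /var/ossec/etc/rules/local_rules.xml on the manager (assumed default path).
     Rule ID 100100 sits in the range Wazuh reserves for user-defined rules. -->
<group name="local,sshd,authentication_failures,">
  <!-- Correlation rule: fire when built-in rule 5716 (sshd: authentication failed)
       has matched 5 times within 60 seconds from the same source IP.
       The 5/60 thresholds are example values chosen for this illustration. -->
  <rule id="100100" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute-force attempt, 5 failed logins from one source in 60s (example rule)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>

<!-- Fragment 2: /var/ossec/etc/ossec.conf on the manager (assumed default path). -->
<ossec_config>
  <!-- Declares the firewall-drop script shipped with the agent as an active-response
       command; timeout_allowed lets the block be lifted automatically. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run firewall-drop on the agent that reported the alert ("local") whenever
       rule 100100 fires; the firewall entry is removed again after 600 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two operational notes for anyone adapting this: the rule only takes effect after the manager is restarted, and because firewall-drop inserts a host-firewall deny rule on the endpoint, administrative and jump-host addresses should be placed in the manager's active-response allow-list (the `<white_list>` entries in the `<global>` section) before enabling it, so that a mistyped password from a trusted source cannot lock operators out.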
● Frequently asked questions
What is Wazuh?
An open-source XDR and SIEM platform — a 2015 fork of OSSEC — that unifies endpoint, cloud, and container telemetry with built-in dashboards on the Wazuh Indexer and Dashboard. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Wazuh?
Common alternative names include: Wazuh XDR, Wazuh SIEM.
● Related terms
- defense-ops № 769
OSSEC
A free, open-source host-based intrusion detection system that performs log analysis, file integrity monitoring, rootkit detection, and active response on Linux, Windows, macOS, and Solaris.
- defense-ops № 1254
XDR (Extended Detection and Response)
A security platform that unifies telemetry from endpoint, network, identity, email and cloud sensors to deliver correlated detections and integrated response actions.
- defense-ops № 1039
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- defense-ops № 416
File Integrity Monitoring (FIM)
A security control that detects unexpected changes to critical operating-system, application, and configuration files by comparing them to a known-good cryptographic baseline.
- compliance № 687
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
● See also
- № 372 Elastic Stack (ELK)
- № 997 Security Onion