Wazuh 4.14 Documentation - SIEM/XDR Platform Guide
Wazuh is an open-source security platform that combines SIEM and XDR capabilities into a unified solution. It delivers threat detection, integrity monitoring, vulnerability analysis, and regulatory compliance across infrastructure of any scale. This documentation covers Wazuh version 4.14 and is intended for security engineers and system administrators.
About Wazuh
Wazuh provides a single platform for protecting endpoints, servers, containerized environments, and cloud resources. The platform offers the following core capabilities:
- Threat detection - security event analysis through rules and correlation
- File integrity monitoring - tracking changes to critical files and registry entries
- Vulnerability detection - scanning systems for known CVEs
- Configuration assessment - verification against CIS benchmarks and security policies
- Incident response - automated actions triggered by detected threats
- Compliance support - PCI DSS, GDPR, HIPAA, NIST 800-53, TSC
Documentation Sections
Getting Started
- Wazuh Architecture - platform components, data flows, communication protocols, and deployment models
- Wazuh Components - agent, server, indexer, and dashboard in detail
- Use Cases - practical security tasks addressed by Wazuh
Installation
- Quickstart - minimal Wazuh installation for evaluation
- Wazuh Indexer Installation - single-node and cluster indexer deployment
- Wazuh Server Installation - management server setup
- Wazuh Dashboard Installation - web interface configuration
- Wazuh Agent Installation - agent deployment on endpoints
- Uninstalling Wazuh - proper component removal
Platform Capabilities
- File Integrity Monitoring - FIM with YARA integration
- Malware Detection - antivirus and VirusTotal integration
- Security Configuration Assessment - SCA against CIS benchmarks
- Vulnerability Detection - CVE scanning
- Active Response - automated threat remediation
- Log Analysis - log collection and processing
- Command Monitoring - command execution tracking
- Container Security - Docker and Kubernetes monitoring
- System Inventory - Syscollector for system data
- Syscall Monitoring - kernel-level auditing
- Agentless Monitoring - network device monitoring
Infrastructure
- Server Cluster - high-availability Wazuh Server cluster
- Server API - RESTful management API
- Indexer Cluster - OpenSearch clustering
- Indexer API - programmatic data access
- Dashboard - web interface configuration
- Agent Management - centralized agent administration
Cloud Security
- AWS - CloudTrail, GuardDuty, VPC Flow Logs monitoring
- Azure - Azure Activity Log and Microsoft Entra ID integration
- GCP - Cloud Audit Logs and Security Command Center
- Office 365 - Microsoft 365 event auditing
- GitHub - repository activity monitoring
Compliance
- PCI DSS - Payment Card Industry Data Security Standard
- GDPR - General Data Protection Regulation
- HIPAA - Health Insurance Portability and Accountability Act
- NIST 800-53 - federal information system security controls
- TSC - Trust Services Criteria
Deployment
- Docker - containerized deployment with Docker Compose
- Kubernetes - Kubernetes orchestration
- Ansible - Ansible automation
- Puppet - Puppet configuration management
- Offline Installation - air-gapped deployment
Operations
- Upgrade - component upgrade procedures
- Backup - configuration and data backup
- Troubleshooting - common issue diagnostics
Rules and Decoders
- Detection Rules - rule structure and logic
- Decoders - log data extraction
- Custom Rules - authoring custom detection rules
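The three items above fit together as one pipeline: a decoder extracts fields from a raw log line, a base rule matches on the decoder, and child rules raise the level or correlate across events. The fragment below is an added example for this page, not code from the Wazuh project or its documentation. The application name `myapp`, its log format (`myapp: login <status> from <ip> user=<name>`), and the rule IDs are assumptions; Wazuh reserves IDs 100000 and above for user-defined rules, and the file paths given in the comments are the default locations for custom decoders and rules.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (assumed placement) -->

<!-- Parent decoder: claims every line that starts with the "myapp: " program tag -->
<decoder name="myapp">
  <prematch>^myapp: </prematch>
</decoder>

<!-- Child decoder: extracts status, source IP and user from the login message.
     Example constructed log line:
     myapp: login failed from 203.0.113.7 user=alice -->
<decoder name="myapp-login">
  <parent>myapp</parent>
  <regex offset="after_prematch">^login (\w+) from (\S+) user=(\S+)</regex>
  <order>status, srcip, user</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (assumed placement) -->

<group name="myapp,authentication,">

  <!-- Base rule: fires for any line the myapp decoder handled; level 3 is informational -->
  <rule id="100010" level="3">
    <decoded_as>myapp</decoded_as>
    <description>myapp event</description>
  </rule>

  <!-- Single failed login: match on the decoded "status" field -->
  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <field name="status">^failed$</field>
    <description>myapp: failed login for $(user) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: 5 failed logins from the same source IP within 120 seconds -->
  <rule id="100012" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100011</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from $(srcip)</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Paste a constructed line such as `myapp: login failed from 203.0.113.7 user=alice` into `/var/ossec/bin/wazuh-logtest` on the server to confirm that the `myapp-login` decoder populates `status`, `srcip` and `user` and that rule 100011 fires; submitting it five times within two minutes should escalate to 100012. Anchoring the field match to `^failed$` avoids a looser regex also matching a status such as `unfailed`, and keeping the correlation in a separate rule lets the single-event alert stay low-level while only the burst reaches a level that Active Response or an external integration would act on.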
Integrations
- SIEM Integrations - connecting to external SIEMs
- External Integrations - Slack, PagerDuty, TheHive, MISP
Development
- API Reference - complete RESTful API reference
- Custom Integrations - building custom modules
PoC and Lab Scenarios
- Proof of Concept - scenarios for demonstrating platform capabilities