Wazuh 4.14 Capabilities - Security Modules Overview
Wazuh 4.14 ships with a set of security modules, each addressing a distinct class of problems, ranging from tracking filesystem changes to identifying vulnerabilities in installed software. The modules operate at both the agent and server level and complement each other to deliver comprehensive infrastructure protection.
Security Modules
The platform includes 11 core modules that can be enabled and configured independently based on organizational requirements.
Threat Detection
File Integrity Monitoring (FIM)
The syscheck module tracks changes to files, directories, and Windows Registry entries. It detects unauthorized modifications to system binaries, configuration files, and sensitive data. It supports three monitoring modes: real-time monitoring, extended audit (whodata, which also records the user and process that made the change), and scheduled scanning.
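The three syscheck modes above are selected per directory in the agent's ossec.conf. The fragment below is an added example, not configuration taken from this page or shipped by the Wazuh project; the directory paths, the 12-hour scan interval, and the registry key are illustrative choices, and the real-time and whodata attributes rely on inotify and auditd respectively being available on a Linux agent.

```xml
<ossec_config>
  <syscheck>
    <disabled>no</disabled>

    <!-- Scheduled mode: a full scan every 43200 s (12 h), plus one at agent start -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>

    <!-- Real-time mode (inotify): alert as soon as a system binary changes -->
    <directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin</directories>

    <!-- Whodata mode (auditd): also record which user and process changed the file;
         report_changes stores a diff of text files so the alert shows what changed -->
    <directories check_all="yes" whodata="yes" report_changes="yes">/etc/ssh,/etc/sudoers.d</directories>

    <!-- Scheduled-only directory: covered by the 12 h scan, no real-time hooks -->
    <directories check_all="yes">/etc</directories>

    <!-- Noise reduction: files that change constantly and carry no security signal -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.swp$|.log$</ignore>

    <!-- Windows agents only (remove on Linux): watch an autorun key in both registry views -->
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>
</ossec_config>
```

Whodata gives the richest alert (who, from which process, what changed) but costs an auditd rule per watched path, so it is best reserved for a small set of high-value files; real-time covers binaries cheaply; everything else can fall back to the scheduled scan.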
Malware Detection
A multi-layered approach to malware identification: the rootcheck module for rootkit detection, YARA integration for signature-based file analysis, VirusTotal hash lookups, and log monitoring for ClamAV and Windows Defender alerts.
Security Configuration Assessment (SCA)
The SCA module evaluates endpoint configurations against CIS Benchmark policies. It uses YAML-based policy files with checks targeting files, processes, registry entries, and command output. Organizations can extend the built-in policies with custom rules.
Vulnerability Detection
The vulnerability-detector module correlates software inventory data collected by syscollector against vulnerability databases (NVD, Canonical, Red Hat, Debian, ALAS, Microsoft). It identifies known CVEs and prioritizes remediation by severity.
Monitoring and Data Collection
Log Data Collection
Centralized collection and normalization of logs from diverse sources: syslog, Windows Event Log, macOS Unified Logging System, and application logs. Decoders parse raw log entries into structured events for rule-based analysis.
Command Monitoring
Periodic execution of commands on endpoints with output analysis. This enables system state tracking through arbitrary command output (for example, netstat, ps, last).
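Command monitoring is configured with `<localfile>` entries whose `log_format` is `command` (each output line becomes its own event) or `full_command` (the whole output is one event, which is what the change-detection rules compare between runs). The fragment below is an added example written for this page, not project-shipped configuration; the commands, aliases and 360-second interval are illustrative, and the commands run with the agent's privileges on the endpoint, so keep them read-only.

```xml
<ossec_config>
  <!-- Whole output as one event: the stock ruleset has a check_diff rule keyed on this
       alias, so an alert fires only when the set of listening ports changes -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 1,2d | sort</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <!-- Whole output as one event: recent logins, compared run to run -->
  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <alias>last logins</alias>
    <frequency>360</frequency>
  </localfile>

  <!-- One event per line: each filesystem row can be matched by a rule on its own
       (for example a rule that fires when usage passes a threshold) -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <alias>disk usage</alias>
    <frequency>360</frequency>
  </localfile>
</ossec_config>
```

The alias is what appears in the event (`ossec: output: 'netstat listening ports': ...`), so custom rules should match on the alias rather than on the command text, which keeps the rule stable if the command is later tuned.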
System Inventory (Syscollector)
Collection of system resource data: installed packages, open ports, network interfaces, hardware specifications, and running processes. This data feeds the vulnerability detection module.
Response and Compliance
Active Response
Automated actions triggered by rule matches: IP blocking via iptables or Windows Firewall, process termination, and execution of custom scripts. Configurable by rule level, group, or identifier.
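An active response is a pairing of a `<command>` (what to run) with one or more `<active-response>` blocks (when and where to run it). The fragment below is an added example, not configuration from this page or from the Wazuh project; it uses the stock `firewall-drop` and `disable-account` scripts that ship with the agent, rule 5712 (sshd brute force) and the `authentication_failures` rule group from the default ruleset, and the agent ID `001` is a constructed placeholder.

```xml
<ossec_config>
  <!-- Stock script that adds an iptables DROP rule for the offending source IP.
       timeout_allowed lets the server undo the block after <timeout> seconds. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Stock script that locks the local account named in the alert -->
  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Trigger by rule identifier: block the source of an SSH brute-force alert
       on the agent that raised it, and lift the block after 10 minutes -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- Trigger by rule level and group: any level-10+ authentication-failure alert
       locks the account, but only on one designated agent (placeholder ID 001) -->
  <active-response>
    <disabled>no</disabled>
    <command>disable-account</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>10</level>
    <rules_group>authentication_failures</rules_group>
    <timeout>1800</timeout>
  </active-response>
</ossec_config>
```

Always set a `<timeout>` on blocking responses: a response without one is permanent until an operator intervenes, and a spoofed or misattributed source address can otherwise turn the response itself into a denial of service against legitimate users.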
Regulatory Compliance
Mapping of detection rules to regulatory framework requirements: PCI DSS, GDPR, HIPAA, NIST 800-53, and TSC (SOC 2). The dashboard generates compliance reports automatically.
Cloud Security Monitoring
Integration with cloud providers: AWS (CloudTrail, VPC Flow Logs, GuardDuty), Azure (Activity Logs, Blob Storage), and Google Cloud (Pub/Sub). Enables security event analysis across cloud infrastructure.
Container Security
Monitoring of Docker containers and Kubernetes environments: Docker daemon events, image changes, container network activity, and Kubernetes audit log analysis.
Related Sections
- Wazuh Architecture - how modules interact within the platform
- Wazuh Components - agent, server, and their roles in module operation
- Wazuh Agent Installation - deploying agents with the required modules