Wazuh Use Cases - 12 Security Operations Scenarios
Wazuh addresses a wide range of information security tasks - from file integrity monitoring to cloud infrastructure protection. This page describes twelve primary use cases for the platform, specifying the modules and components involved in each. Every use case can be deployed independently or combined with others to build a comprehensive defense system.
Malware Detection
Wazuh detects malicious software through multiple mechanisms: FIM module integration with the YARA engine for file signature analysis, collection and analysis of antivirus logs (ClamAV, Windows Defender), file hash verification through the VirusTotal API, and rootkit detection via the Rootcheck module. The combination of these approaches delivers layered protection against both known and unknown threats.
Modules involved: File Integrity Monitoring, Rootcheck, Log Collector, Active Response
Application: detecting trojans, backdoors, rootkits, ransomware, and other malware on endpoints. Automated response capabilities allow the platform to isolate infected files or terminate malicious processes.
More details: Malware Detection
File Integrity Monitoring (FIM)
The File Integrity Monitoring module tracks file creation, modification, and deletion within specified directories. FIM records changes to file attributes (size, permissions, ownership, checksum) and generates alerts when unauthorized modifications are detected. On Windows, registry key monitoring is also supported.
Modules involved: File Integrity Monitoring, SCA (for permission verification)
Application: maintaining integrity of configuration files, system libraries, executables, and critical data. A mandatory component for PCI DSS compliance (Requirement 11.5) and other regulatory standards.
More details: File Integrity Monitoring
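As an added example (constructed here, not taken from the page or the Wazuh project): a syscheck fragment for the agent's ossec.conf that combines scheduled scans, real-time monitoring, who-data and noise filters, plus a local rule on the manager that raises the alert level when a critical authentication file changes. The monitored paths, the key file name and rule id 100400 are assumptions.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf (constructed example) -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Full scan every 12 hours; real-time monitoring covers the gaps -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- check_all = size, permissions, owner, group, mtime, inode and hashes;
         report_changes keeps a diff of text files so the alert shows what changed -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!-- whodata records which user and process made the change (needs auditd on Linux) -->
    <directories check_all="yes" whodata="yes">/var/www/html</directories>
    <!-- Noise reduction: volatile files and editor temp files -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.swp$|.lock$</ignore>
    <!-- Report that the file changed, but never store its contents in a diff -->
    <nodiff>/etc/ssl/private/server.key</nodiff>
    <!-- Windows only: persistence-related registry key, 32- and 64-bit views -->
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/etc/rules/local_rules.xml (constructed example).
     550 = file modified, 553 = file deleted, 554 = file added (built-in syscheck rules). -->
<group name="syscheck,local,">
  <rule id="100400" level="12">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/etc/passwd$|^/etc/shadow$|^/etc/sudoers$</field>
    <description>Critical authentication file changed: $(file)</description>
    <group>pci_dss_11.5,</group>
  </rule>
</group>
```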
Threat Hunting
Wazuh provides tools for proactive threat hunting across the infrastructure. Alert mapping to the MITRE ATT&CK matrix reveals attacker tactics and techniques. CDB lists enable real-time verification of indicators of compromise (IoCs). The Wazuh Dashboard offers an interface for searching events with filtering by agent, rule, time range, and arbitrary fields.
Modules involved: Log Collector, detection rules, CDB lists, MITRE ATT&CK mapping
Application: incident investigation, searching for indicators of compromise, analyzing user and system behavior, identifying lateral movement and persistence techniques.
More details: Wazuh Architecture (analysis engine section)
Vulnerability Detection
The Vulnerability Detector module cross-references inventory data (installed packages, OS versions) against known vulnerability databases: NVD (National Vulnerability Database), Red Hat, Canonical, Debian, Microsoft, and others. Scan results appear in the dashboard with CVSS scores, affected packages, and available updates.
Modules involved: Syscollector, Vulnerability Detector
Application: continuous infrastructure scanning for vulnerabilities, patch prioritization by severity, report generation for management and auditors.
More details: Vulnerability Detection
Security Configuration Assessment (SCA)
The Security Configuration Assessment module evaluates system configurations against security policies. Wazuh ships with ready-made policies based on CIS Benchmarks for Linux, Windows, macOS, Docker, and other platforms. Administrators can author custom policies to verify organization-specific requirements.
Modules involved: SCA, Syscollector
Application: server and workstation hardening, verification against corporate standards, automated configuration auditing during new system deployments.
More details: Security Configuration Assessment
Incident Response
Wazuh supports automated response to detected threats through the Active Response module. When a rule with a specified severity level triggers, the server can send a command to the agent to execute a countermeasure: blocking the attacker’s IP address, terminating a suspicious process, disabling a user account, or running a custom script.
Modules involved: Active Response, detection rules, integrations (Slack, PagerDuty, TheHive)
Application: automated brute-force attack blocking, isolation of compromised hosts, SOC team notification through messaging platforms and ticketing systems.
More details: Active Response
Regulatory Compliance
Wazuh provides built-in dashboards and reports for demonstrating compliance with PCI DSS, GDPR, HIPAA, NIST 800-53, and TSC standards. Each detection rule can be mapped to specific standard requirements. The FIM, SCA, and Log Collector modules supply the evidence base required by auditors.
Modules involved: all platform modules (FIM, SCA, Log Collector, Vulnerability Detector)
Application: preparing for PCI DSS and HIPAA audits, maintaining audit trails for GDPR, demonstrating compliance with NIST 800-53 controls, generating reports for regulators.
More details: PCI DSS, GDPR, HIPAA
Cloud Security
Wazuh monitors cloud environment security through integration with cloud provider APIs. For AWS, it supports CloudTrail, GuardDuty, VPC Flow Logs, and AWS Config analysis. For Azure - Activity Log, Microsoft Entra ID, and Azure Security Center. For GCP - Cloud Audit Logs and Security Command Center. Wazuh agents are installed on cloud virtual machines for OS-level monitoring.
Modules involved: Log Collector (cloud API integrations), all agent modules on cloud VMs
Application: monitoring unauthorized changes in cloud infrastructure, detecting suspicious activity in cloud accounts, meeting cloud-specific security standards.
More details: AWS, Azure, GCP
Container Security
Wazuh monitors containerized environments at two levels: the host OS level (via the agent) and the Docker Engine level (via the Docker Listener module). The agent tracks container creation, start, stop, and deletion events, as well as image and network configuration changes. For Kubernetes, Wazuh analyzes cluster audit logs and control plane events.
Modules involved: Docker Listener, Log Collector, FIM, SCA
Application: detecting privileged container launches, monitoring Docker image changes, analyzing Kubernetes audit logs, validating Docker configuration against the CIS Docker Benchmark.
More details: Container Security
Log Analysis
Wazuh collects and analyzes logs from numerous sources: system logs (syslog, Windows Event Log), application logs (Apache, Nginx, MySQL, PostgreSQL), security logs (authentication, authorization, sudo), and custom formats. Decoders extract structured fields from raw logs, while detection rules identify anomalies and threats.
Modules involved: Log Collector, decoders, detection rules
Application: centralized log collection across the entire infrastructure, detecting application errors and anomalies, correlating events from different sources, long-term storage for investigations.
More details: Log Analysis
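As an added example of the decoder-then-rule pipeline described above (constructed here, not from the page or the Wazuh project): a custom decoder that extracts fields from a made-up application log line, a rule that fires on a failed login, and a correlation rule that escalates repeated failures from one source. The log path, decoder names, sample line and rule ids are assumptions.

```xml
<!-- Agent: collect the application log (constructed path) -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp/auth.log</location>
  </localfile>
</ossec_config>

<!-- Manager: /var/ossec/etc/decoders/local_decoder.xml
     Sample line (constructed): myapp: login FAILED user=alice src=203.0.113.7 -->
<decoder name="myapp">
  <prematch>myapp: </prematch>
</decoder>

<decoder name="myapp-login">
  <parent>myapp</parent>
  <prematch offset="after_parent">^login </prematch>
  <!-- Capture groups are assigned, in order, to the field names in <order> -->
  <regex offset="after_prematch">^(\w+) user=(\S+) src=(\d+\.\d+\.\d+\.\d+)$</regex>
  <order>status, user, srcip</order>
</decoder>

<!-- Manager: /var/ossec/etc/rules/local_rules.xml -->
<group name="myapp,authentication,">
  <rule id="100200" level="5">
    <decoded_as>myapp</decoded_as>
    <field name="status">^FAILED$</field>
    <description>myapp: failed login for $(user) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Six failures from the same source IP within two minutes escalate to level 10 -->
  <rule id="100201" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100200</if_matched_sid>
    <same_srcip />
    <description>myapp: multiple failed logins from $(srcip)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Feed the sample line to /var/ossec/bin/wazuh-logtest on the manager to confirm the decoded fields and the matched rule before restarting the manager.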
Intrusion Detection
Wazuh functions as a host-based intrusion detection system (HIDS). Detection rules identify brute-force attacks, privilege escalation attempts, unauthorized access, and vulnerability exploitation. MITRE ATT&CK mapping provides context about attacker tactics and techniques. CDB list integration enables verification of IP addresses, domains, and file hashes against known threat intelligence feeds.
Modules involved: detection rules, CDB lists, Log Collector, Active Response
Application: detecting SSH/RDP brute-force attacks, identifying privilege escalation attempts, monitoring web shell activity, detecting lateral movement within the network.
More details: Wazuh Components (analysis engine section)
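As an added example that serves the threat hunting, incident response and intrusion detection sections (constructed here, not from the page or the Wazuh project): a CDB list of indicator addresses, a rule that matches a successful login from a listed address and carries a MITRE ATT&CK mapping, and an active response that drops traffic from that address on the affected agent for ten minutes. The list name, rule id 100300 and the sample addresses are assumptions.

```xml
<!-- /var/ossec/etc/lists/ioc-ips (constructed entries, one "key:value" per line;
     the manager compiles it to ioc-ips.cdb when it restarts):
       198.51.100.23:known-c2-server
       203.0.113.77:credential-stuffing-source
-->

<!-- Manager: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <ruleset>
    <!-- Register the list next to the default ones so rules can reference it -->
    <list>etc/lists/ioc-ips</list>
  </ruleset>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>  <!-- run on the agent that produced the event -->
    <rules_id>100300</rules_id>
    <timeout>600</timeout>      <!-- the block is lifted after 10 minutes -->
  </active-response>
</ossec_config>

<!-- Manager: /var/ossec/etc/rules/local_rules.xml -->
<group name="local,threat_intel,">
  <!-- Any successful login whose source IP appears in the IoC list -->
  <rule id="100300" level="12">
    <if_group>authentication_success</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/ioc-ips</list>
    <description>Successful login from IoC-listed address $(srcip)</description>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>
```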
Security Analytics
The Wazuh Dashboard provides visual analytics tools for security data. Built-in dashboards display alert statistics by severity level, distribution across agents, MITRE ATT&CK heatmaps, and time-based trends. The Dev Tools console enables arbitrary queries against the indexer for deep analysis. Reports can be generated in PDF format on a scheduled basis.
Modules involved: Wazuh Dashboard, Wazuh Indexer, all platform modules (as data sources)
Application: building SOC dashboards for real-time monitoring, analyzing security trends over extended periods, generating reports for management and regulators.
More details: Wazuh Documentation (full section listing)
Recommended Adoption Sequence
When planning a Wazuh deployment, starting with foundational use cases and gradually expanding coverage is recommended:
- Phase one - log analysis, intrusion detection, FIM
- Phase two - vulnerability detection, SCA, incident response
- Phase three - cloud security, containers, compliance
- Phase four - threat hunting, analytics, external system integrations
To get started with the platform, refer to Wazuh Architecture and Wazuh Components.