Wazuh

Wazuh Inc.

Open-source security platform combining SIEM, XDR, and host-based intrusion detection (HIDS).

Tags: Logging & SIEM, Free & Open Source, Platform / Suite, Learning, Cross-platform


Description

Wazuh is a free, open-source security platform that bundles a lightweight host agent, a centralised manager/indexer, and a Kibana-based dashboard. It started as a fork of OSSEC and now delivers file integrity monitoring, log analysis, rootkit detection, vulnerability scanning, and MITRE ATT&CK mapping out of the box.

For CySA+ candidates, Wazuh is the canonical open-source SIEM/XDR hybrid: agents collect from endpoints, the manager correlates across the fleet, and rules trigger alerts that map directly to ATT&CK techniques. It's often the first lab SIEM a beginner deploys.

Use cases

  • Building a homelab SIEM/XDR without licensing costs
  • File integrity monitoring on critical servers
  • Detecting suspicious processes / persistence via host agents
  • Correlating endpoint events with cloud logs (AWS/Azure/GCP modules)
  • Generating MITRE ATT&CK coverage reports

Example

# Enroll a new Linux agent against the manager (Debian/Ubuntu; assumes the Wazuh apt repository is already configured)
# WAZUH_MANAGER is read by the package installer and written into the agent's ossec.conf as the manager to register with
sudo WAZUH_MANAGER='10.0.0.5' apt-get install wazuh-agent
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent