Wazuh: open source XDR and SIEM platform

Wazuh (OSSEC fork started in 2015 by Santiago Bassett) combines open source XDR and SIEM: distributed agents, FIM, vulnerability detection, SCA, MITRE ATT&CK mapping, OpenSearch backend. Version 4.0 released September 2020.


Forked from OSSEC

Wazuh was born in 2015 as an OSSEC fork led by Santiago Bassett, aimed at modernising a historic HIDS with visualisation, scalability and integration with analytics stacks. The company, today Wazuh Inc., has its headquarters split between San José (California) and Spain.

On 9 September 2020 Wazuh 4.0 was released, a turning point that consolidates the current architecture: separate agent, manager, indexer and dashboard, with native integration into the OpenSearch fork (previously Open Distro for Elasticsearch).

Architecture

Wazuh is organised in four main components:

  • Wazuh agent — endpoints on Linux, Windows, macOS, Solaris, AIX, HP-UX
  • Wazuh manager — event analysis, correlation, rule engine
  • Wazuh indexer — OpenSearch fork for storage and search
  • Wazuh dashboard — interface based on OpenSearch Dashboards

Agents communicate with the manager over an encrypted channel, sending log events, inventory, FIM and security telemetry.

Modules

  • File Integrity Monitoring (FIM) — integrity checks on files and registry
  • Vulnerability Detection — correlation of inventoried software with CVEs (NVD, vendor feeds)
  • Security Configuration Assessment (SCA) — hardening checks against CIS and custom policies
  • CIS-CAT integration — CIS benchmarks
  • Log data analysis — parsing and correlation with XML decoders/rules
  • Active response — automatic reaction (IP block, process kill)
  • Container security — Docker and Kubernetes monitoring

MITRE ATT&CK

Wazuh maps its rules to MITRE ATT&CK techniques: the dashboard shows events and alerts aggregated by tactic and technique, supporting detection engineering and reporting for frameworks like NIS2 and ISO 27001.
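As an added illustration (not code from the Wazuh project), the following Python script reproduces the tactic/technique aggregation described above over a few constructed alert lines shaped like Wazuh's newline-delimited JSON alert output; the field layout (`rule.mitre.id`, `rule.mitre.tactic`, `rule.mitre.technique`, `rule.level`) and the rule ids are assumptions for the example, not values taken from the Wazuh ruleset.

```python
import json
from collections import Counter

# Constructed sample alerts in the shape of Wazuh's alerts.json lines.
# Assumed fields: agent.name, rule.id, rule.level, rule.description and the
# rule.mitre block; rule ids and descriptions are illustrative only.
_BRUTE = {"agent": {"name": "web-01"}, "rule": {"id": "100101", "level": 10,
          "description": "sshd: multiple failed logins (constructed)",
          "mitre": {"id": ["T1110.001"], "tactic": ["Credential Access"],
                    "technique": ["Password Guessing"]}}}
_FIM = {"agent": {"name": "db-02"}, "rule": {"id": "100550", "level": 7,
        "description": "FIM: checksum changed on /etc/passwd (constructed)",
        "mitre": {"id": ["T1565.001"], "tactic": ["Impact"],
                  "technique": ["Stored Data Manipulation"]}}}
_NOMAP = {"agent": {"name": "db-02"}, "rule": {"id": "100530", "level": 3,
          "description": "Inventory: new package installed (constructed)"}}
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(a) for a in [_BRUTE, _BRUTE, _FIM, _NOMAP])


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole report
    return alerts


def attack_summary(alerts, min_level=0):
    """Count alerts per ATT&CK tactic and per technique id, as the dashboard does.

    Alerts at or above min_level are considered; alerts whose rule carries no
    mitre block are counted as 'unmapped' so coverage gaps stay visible.
    """
    tactics, techniques, unmapped = Counter(), Counter(), 0
    for alert in alerts:
        rule = alert.get("rule", {})
        if rule.get("level", 0) < min_level:
            continue
        mitre = rule.get("mitre")
        if not mitre:
            unmapped += 1
            continue
        for tactic in mitre.get("tactic", []):
            tactics[tactic] += 1
        # id and technique are parallel lists in the assumed schema
        for tid, name in zip(mitre.get("id", []), mitre.get("technique", [])):
            techniques[f"{tid} {name}"] += 1
    return {"tactics": dict(tactics), "techniques": dict(techniques), "unmapped": unmapped}
```

Raising `min_level` mirrors the dashboard's severity filter; the `unmapped` count is a quick check for custom rules that still lack a `<mitre>` block.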

Licence

Wazuh components are distributed under GPLv2 for the OSSEC-derived core, with additional components (indexer, dashboard) under licences compatible with the OpenSearch fork (Apache 2.0). The distribution is entirely open source, with no paid “enterprise” edition on the software side.

Integrations

Wazuh integrates with:

  • VirusTotal, AbuseIPDB, MISP — threat intelligence
  • Slack, PagerDuty, Jira — alerting and ticketing
  • AWS, Azure, GCP, Office 365 — native cloud modules
  • Osquery — structured endpoint telemetry collection
  • Suricata, Zeek — enrichment with NSM events

Adoption

Wazuh is widespread in:

  • SOCs and MSSPs — SIEM/XDR platform for multi-tenant clients
  • Public administration — endpoint and perimeter server monitoring
  • Healthcare and finance — support for compliance requirements (PCI-DSS, HIPAA, GDPR)
  • Manufacturing — correlation of IT and OT events

In the Italian context

In Italy Wazuh is used by MSSPs, regional CERTs, universities and companies within the NIS2 scope as the technical base for in-house SIEMs. Combination with Suricata and Zeek on distributions like Security Onion is a recurring scenario in NSM+HIDS architectures.


References: Wazuh 4.0 (9 September 2020). OSSEC fork started in 2015 by Santiago Bassett. Wazuh Inc. HQ: San José (California) and Spain. GPLv2 licence for the core; OpenSearch components Apache 2.0. FIM, Vulnerability Detection, SCA, Active Response modules. MITRE ATT&CK integration. Website: https://wazuh.com
