Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.

Very nice and comprehensive solution. Really an all-in-one for a great security implementation. Did a test run at the homelab for a while; it is actually quite a lot heavier for a single-box install than announced. I had to dismantle the installation, for it was too heavy in a low-power environment. Will def. recommend in a more serious production environment.

Components

  • Wazuh indexer: a highly scalable full-text search and analysis engine. It is responsible for indexing and storing the alerts generated by the Wazuh server.
  • Wazuh server: manages the agents, configuring and updating them remotely when necessary. This component analyzes the data received from the agents, processing it through decoders and rules and using threat intelligence to look for indicators of compromise.
  • Wazuh dashboard: a flexible and intuitive web interface for data mining, analysis, and visualization. The dashboard is used to manage the Wazuh configuration and monitor its status.
  • Endpoint security agent: a multi-platform component that runs on the endpoints to be monitored. It provides prevention, detection, and response capabilities.

Flow

  1. Prowler produces JSON data.
  2. The Wazuh agent collects the Prowler data.
  3. The Wazuh agent sends the data to the Wazuh manager (server).
  4. The manager analyses the JSON data through its decoders and rules.
  5. An alert is triggered in the dashboard.
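Steps 4 and 5 of the flow, modelled as an added example (not Wazuh's or Prowler's own code): the manager accepts only well-formed JSON lines (as Wazuh's json decoder does) and evaluates a small rule table in the spirit of Wazuh rules that use `<decoded_as>json</decoded_as>` with `<field>` matches. The Prowler field names (`CheckID`, `Status`, `Severity`, `ResourceId`), the sample findings and the rule IDs/levels are constructed for illustration.

```python
import json
import re

# Constructed Prowler-style findings, one JSON object per line, as forwarded by an agent.
# Field names are assumed for illustration, not taken from a real Prowler run.
PROWLER_JSON_LINES = """\
{"CheckID": "s3_bucket_public_access", "Status": "FAIL", "Severity": "critical", "ResourceId": "arn:aws:s3:::example-bucket"}
{"CheckID": "iam_root_mfa_enabled", "Status": "PASS", "Severity": "critical", "ResourceId": "arn:aws:iam::123456789012:root"}
{"CheckID": "cloudtrail_multi_region_enabled", "Status": "FAIL", "Severity": "medium", "ResourceId": "123456789012"}
not json at all
"""

# Rule table loosely modelled on Wazuh rules: every listed field must match its regex,
# and the highest-level matching rule wins. Levels use Wazuh's 0-15 scale; IDs are made up.
RULES = [
    {"id": 100100, "level": 3, "fields": {"Status": r"^FAIL$"}, "description": "Prowler: failed check"},
    {"id": 100101, "level": 7, "fields": {"Status": r"^FAIL$", "Severity": r"^medium$"}, "description": "Prowler: medium severity finding"},
    {"id": 100102, "level": 12, "fields": {"Status": r"^FAIL$", "Severity": r"^(high|critical)$"}, "description": "Prowler: high/critical finding"},
]

def decode(line):
    """Decoder step: only a well-formed JSON object is decoded; anything else yields no fields."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    return event if isinstance(event, dict) else None

def match_rules(event):
    """Rule step: return the highest-level rule whose field regexes all match, or None."""
    best = None
    for rule in RULES:
        if all(re.search(pattern, str(event.get(field, ""))) for field, pattern in rule["fields"].items()):
            if best is None or rule["level"] > best["level"]:
                best = rule
    return best

def analyze(lines, min_level=3):
    """Decode each line, evaluate rules and emit alerts at or above min_level (Wazuh's default log_alert_level is 3)."""
    alerts = []
    for line in lines.splitlines():
        event = decode(line)
        if event is None:
            continue  # the json decoder does not apply, so no JSON-based rule can fire
        rule = match_rules(event)
        if rule is not None and rule["level"] >= min_level:
            alerts.append({"rule_id": rule["id"], "level": rule["level"], "description": rule["description"],
                           "check": event.get("CheckID"), "resource": event.get("ResourceId")})
    return alerts

if __name__ == "__main__":
    for alert in analyze(PROWLER_JSON_LINES):
        print(alert)
```

Only the two FAIL findings produce alerts; the PASS finding matches no rule and the non-JSON line is dropped at the decoder stage.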

Use cases

  • Configuration Assessment
  • Malware Detection
  • File Integrity Monitoring
  • Threat Hunting
  • Log Data Analysis
  • Vulnerability Detection
  • Incident Response
  • Regulatory Compliance
  • IT Hygiene
  • Container Security
  • Posture Management