Wazuh
Threat Intelligence · C/Python
Wazuh is a free, open-source security platform that provides unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities. It consists of an agent deployed on endpoints and a central server that collects, analyzes, and correlates security data. Wazuh performs real-time log analysis, file integrity monitoring, rootkit detection, vulnerability assessment, configuration compliance checking (CIS, PCI DSS, HIPAA, NIST), and active response. It detects threats using rules that correlate events from multiple sources, including endpoint logs, cloud services (AWS, Azure, GCP), containers, and network devices. Wazuh integrates with Elasticsearch and OpenSearch for log storage and visualization, and includes a custom dashboard for security operations. Its open-source nature and comprehensive feature set make it a popular alternative to commercial SIEM solutions.
Installation
Quick start
$ curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Docker
$ git clone https://github.com/wazuh/wazuh-docker.git && cd wazuh-docker && docker compose -f generate-indexer-certs.yml run --rm generator && docker compose up -d
Use Cases
- Deploying an open-source SIEM with endpoint agents and centralized log analysis
- Monitoring file integrity and detecting rootkits across endpoint fleets
- Running continuous compliance checks against CIS, PCI DSS, and NIST frameworks
- Correlating security events across endpoints, cloud services, and network devices
- Active response to threats by automatically blocking IPs or isolating endpoints
Details
- Category: Threat Intelligence
- Language: C/Python
- Repository: wazuh/wazuh
- Platforms: linux, macos, windows
Alternatives & Comparisons
Velociraptor (Go)
Endpoint visibility and collection tool. Hunt for artifacts across thousands of endpoints simultaneously.
Compare Wazuh vs Velociraptor

MISP (PHP/Python)
Open-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
Compare Wazuh vs MISP

OpenCTI (TypeScript/Python)
Cyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization.
Compare Wazuh vs OpenCTI

TheHive (Scala/JavaScript)
Incident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
Compare Wazuh vs TheHive

GRR Rapid Response (Python)
Remote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
Compare Wazuh vs GRR Rapid Response

KAPE (C#)
Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.
Compare Wazuh vs KAPE

Cortex (Scala/Python)
Observable analysis and active response engine. Analyze IOCs at scale with 100+ analyzers for IPs, hashes, URLs, and domains.
Compare Wazuh vs Cortex