> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.com/iLotuus/Enterprise-SOC-Architecture/llms.txt
> Use this file to discover all available pages before exploring further.
# SIEM Platform (Wazuh)
> Unified security platform providing SIEM, XDR, and EDR capabilities with Wazuh
# SIEM Platform - Wazuh
Wazuh serves as the central security platform in the SOC architecture, providing comprehensive SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities with built-in EDR (Endpoint Detection and Response) functionality.
Wazuh is a free, open-source security platform that unifies XDR and SIEM capabilities, providing visibility across endpoints, cloud workloads, network devices, and containers.
## Platform Overview
Event correlation, log analysis, and security monitoring
Extended detection across endpoints, network, and cloud
Endpoint detection, response, and threat hunting
PCI DSS, GDPR, HIPAA, NIST 800-53 compliance monitoring
## Core Capabilities
### Security Event Visualization
Wazuh provides comprehensive dashboards and visualization capabilities:
* Security events summary
* Alert severity distribution
* Top triggered rules
* Geographic threat map
* Agent status overview
* Real-time threat alerts
* MITRE ATT\&CK framework mapping
* Threat intelligence integration
* Vulnerability detection
* File integrity monitoring alerts
* Regulatory compliance status
* Policy violation tracking
* Audit report generation
* Configuration assessment
Wazuh dashboards are built on OpenSearch Dashboards (formerly Kibana), providing powerful visualization and search capabilities across all security data.
### Event Correlation Engine
The correlation engine enables sophisticated threat detection:
Correlate events using flexible rule syntax:
* Multi-stage attack detection
* Frequency-based alerting
* Time-window correlation
* Cross-source event matching
Trigger automated responses to threats:
* Block malicious IPs at firewall
* Disable compromised accounts
* Isolate infected endpoints
* Execute custom scripts
Enrich events with threat intelligence:
* IP reputation lookups
* File hash verification
* Domain reputation checking
* CVE database integration
## EDR (Endpoint Detection and Response)
### Agent Capabilities
Wazuh agents provide comprehensive endpoint visibility:
```mermaid theme={null}
graph TD
A[Wazuh Agent] --> B[Log Collection]
A --> C[File Integrity Monitoring]
A --> D[System Inventory]
A --> E[Vulnerability Detection]
A --> F[Active Response]
B --> G[Wazuh Manager]
C --> G
D --> G
E --> G
F --> G
```
**Continuous Monitoring:**
* Log collection and forwarding
* Command execution monitoring
* Process creation tracking
* Network connection monitoring
* Registry changes (Windows)
* File system activity
**Threat Detection:**
* Malware detection
* Rootkit detection
* Anomalous behavior identification
* Privilege escalation attempts
* Suspicious process execution
* Lateral movement detection
**Active Response:**
* Firewall rule modification
* Process termination
* Account lockout
* Network isolation
* Custom script execution
### File Integrity Monitoring (FIM)
FIM generates significant events for high-change directories. Carefully select monitored paths to balance security visibility with system performance.
Monitor critical system files and directories:
```xml theme={null}
/etc
/usr/bin
/usr/sbin
C:\Windows\System32
C:\Program Files
\.log$|/tmp
```
## Architecture Components
### Wazuh Manager
The central management server that:
* **Receives** agent data and external log sources
* **Processes** events through the analysis engine
* **Correlates** events across multiple sources
* **Stores** alerts in Elasticsearch/OpenSearch
* **Manages** agent configurations and policies
Deploy Wazuh Manager in a cluster configuration for high availability and load distribution in enterprise environments.
### Wazuh Indexer
Based on OpenSearch, provides:
* **Storage**: Scalable alert and event storage
* **Search**: Full-text search across all security data
* **Aggregation**: Complex data aggregations for analytics
* **Retention**: Configurable data retention policies
### Wazuh Dashboard
Web-based interface offering:
* **Visualization**: Pre-built and custom dashboards
* **Investigation**: Advanced search and filtering
* **Reporting**: Automated report generation
* **Management**: Agent and configuration management
* **API Access**: RESTful API for automation
## Integration Points
### Data Sources
Wazuh ingests data from multiple sources:
* Snort/Suricata alerts via syslog
* Firewall logs (OPNsense, pfSense)
* Network device syslogs
* Elasticsearch indices
* Logstash pipelines
* Fluentd forwarding
* Zabbix alerts
* Prometheus metrics
* System logs
* AWS CloudTrail
* Azure Activity Logs
* Google Cloud Audit Logs
### Integration Configuration
Configure remote syslog reception:
```xml theme={null}
syslog
514
udp
10.0.0.0/8
```
Use Wazuh API for automation:
```bash theme={null}
# Authenticate and get token
curl -u user:password -X POST \
"https://wazuh-manager:55000/security/user/authenticate"
# Get agent list
curl -X GET "https://wazuh-manager:55000/agents" \
-H "Authorization: Bearer $TOKEN"
```
Forward alerts to external systems:
```xml theme={null}
slack
https://hooks.slack.com/services/...
10
json
```
## Customizable Dashboards
### Pre-built Dashboards
Wazuh includes dashboards for:
* **Security Events**: Overview of all security alerts
* **Integrity Monitoring**: FIM changes and anomalies
* **Vulnerability Detection**: CVE findings across endpoints
* **Regulatory Compliance**: PCI DSS, GDPR, HIPAA status
* **MITRE ATT\&CK**: Attacks mapped to framework
* **Threat Hunting**: Advanced search interface
### Custom Dashboard Creation
1. Navigate to Dashboard management
2. Select data source (wazuh-alerts-\*)
3. Choose visualization type (bar, pie, map, etc.)
4. Configure aggregations and filters
5. Save and add to dashboard
* Focus on actionable metrics
* Use appropriate time ranges
* Implement drill-down capabilities
* Set auto-refresh intervals
* Export dashboards for backup
## Threat Detection and Hunting
### Detection Rules
Wazuh includes 3000+ out-of-the-box rules:
* Authentication failures
* Web application attacks
* Malware detection
* System configuration changes
* Network anomalies
* Compliance violations
Create custom detection rules:
```xml theme={null}
authentication_failed
authentication failure
5
120
Multiple authentication failures
```
Test rules before deployment:
```bash theme={null}
# Test rule syntax
/var/ossec/bin/wazuh-logtest
# Input sample log
# View matched rules and alert level
```
### Threat Hunting
Use Wazuh's query language to hunt for specific indicators of compromise across your entire environment in real-time.
Advanced search capabilities:
```javascript theme={null}
// Hunt for PowerShell execution with encoded commands
data.win.eventdata.commandLine:*-enc* AND rule.id:61603
// Find lateral movement attempts
rule.mitre.tactic:"Lateral Movement" AND agent.ip:10.0.0.0/8
// Search for specific file hashes
data.virustotal.malicious:>0 AND data.sha256:"abc123..."
```
## Configuration Management
### Centralized Configuration
Manage agent configurations from the central server:
Organize agents into logical groups:
* **Linux Servers**: Linux-specific monitoring
* **Windows Workstations**: Windows policy enforcement
* **Web Servers**: Application-specific rules
* **Database Servers**: Database security monitoring
Push configurations to agent groups:
```xml theme={null}
apache
/var/log/apache2/access.log
86400
```
## Performance Tuning
In high-volume environments, proper tuning is essential to prevent event loss and ensure timely alert processing.
### Optimization Strategies
* **Indexer Tuning**: Adjust heap size, shards, and replicas
* **Manager Scaling**: Distribute load across cluster nodes
* **Agent Throttling**: Limit events per second per agent
* **Rule Optimization**: Disable unnecessary rules
* **Data Retention**: Implement lifecycle policies for old indices
## Compliance Monitoring
Automatic compliance checking for:
Payment card industry security standards
General data protection regulation
Healthcare information security
Federal security controls
## Official Documentation
Comprehensive official documentation covering installation, configuration, and use cases
## Next Steps
1. Configure [Incident Response](/components/incident-response) integration with TheHive
2. Set up [Automation](/components/automation-soar) with Cortex for response actions
3. Review [Threat Detection](/security/threat-detection) strategies and hunting techniques