Wazuh

Computer and Network Security

Campbell, California 67,520 followers

The Open Source Security Platform. Unified XDR and SIEM protection.

About us

Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh, with over 10 million downloads per year, has one of the largest open-source security communities in the world. Wazuh helps organizations of all sizes protect their data assets against security threats. Learn more about the project at wazuh.com

Website
https://www.wazuh.com
Industry
Computer and Network Security
Company size
201-500 employees
Headquarters
Campbell, California
Type
Privately Held
Founded
2015
Specialties
Log Management, File Integrity Monitoring, Cyber Security, SIEM, XDR, Open Source, Endpoint Detection and Response, Threat Intelligence, Threat Hunting, Incident Response, Vulnerability Detection, Endpoint Protection, Cloud Security, Malware Prevention, and PCI DSS Compliance


Updates

  • Wazuh reposted this

    Wazuh × Tines SOAR Integration: Lab Setup Phase 1

    As a Wazuh Ambassador, I'm excited to share my latest lab project: integrating Wazuh (SIEM) with Tines (SOAR) to deliver human-in-the-loop automated threat detection and response.

    The Tines integration is perfect for:
    - Learners building home labs with limited VM resources (who need a SaaS SOAR)
    - Teams wanting to test SOAR capabilities without infrastructure investment
    - Organizations seeking a SaaS SOAR solution

    Phase 1: Wazuh → Tines (Detection & Enrichment)
    - Wazuh server: detects a security alert (e.g., a brute-force attempt)
    - Tines SOAR: receives the alert JSON from Wazuh through a secure webhook
    - Enrich & log: performs an AbuseIPDB lookup, generates an AI-based context summary, sends an email report to the analyst, and logs every alert to Google Sheets for tracking
    - Decision point: if the abuse confidence score is ≥ 80%, Tines automatically triggers an active response (IP block); if it is < 80%, the analyst must reply to the email to confirm whether to take action. 💬 (Around 80% of alerts engage security analysts for informed decision-making, combining automated enrichment with human intelligence for optimal outcomes.)
    - Send active response: when confirmed, Tines triggers an IP block back in Wazuh, fully logged and auditable.

    ⚙️ Phase 2: Tines → Wazuh (Response & Action) - Coming soon... Phase 2 will detail the response automation layer: how Tines sends blocking commands to Wazuh through a webhook receiver, with complete action logging viewable in the Wazuh dashboard.

    📚 Documentation now available on Medium: https://lnkd.in/g8DjXJJG

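The detection-to-decision path described in the post above, as an added example that is not part of the original post and not Tines or Wazuh code: a small Python module that parses a constructed Wazuh alert, applies the ≥ 80% AbuseIPDB confidence gate, and either builds the active-response request or waits for the analyst's reply. The alert JSON and reputation scores are constructed, and the Wazuh API request body, the `firewall-drop` command name and the AbuseIPDB field name are assumptions to check against your own versions.

```python
"""Human-in-the-loop triage gate for Wazuh alerts.

Added illustration in plain Python, not the author's Tines workflow and not
Wazuh project code. The reputation lookup is an injected callable so the
module runs offline; the AbuseIPDB field name, the Wazuh API endpoint and the
firewall-drop command name are assumptions to verify against your versions."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

AUTO_BLOCK_THRESHOLD = 80   # abuseConfidenceScore at or above this blocks without asking


def make_alert(src_ip: str, agent_id: str = "001") -> str:
    """Constructed alert shaped like the JSON Wazuh writes to alerts.json for
    the stock sshd brute-force rule (5712). All values are invented."""
    return json.dumps({
        "timestamp": "2025-10-30T09:12:44.101+0000",
        "rule": {"id": "5712", "level": 10,
                 "description": "sshd: brute force trying to get access to the system.",
                 "mitre": {"id": ["T1110"]}},
        "agent": {"id": agent_id, "name": "web-01"},
        "data": {"srcip": src_ip, "srcuser": "root"},
    })


SAMPLE_ALERT = make_alert("203.0.113.45")


@dataclass
class Decision:
    src_ip: str
    agent_id: str
    score: int
    action: str                 # auto_block | await_analyst | analyst_block | analyst_dismiss
    active_response: Optional[Dict] = None   # API body to send, or None


def parse_alert(raw: str) -> Dict:
    """Pull out the fields the playbook needs; refuse alerts with no source IP
    so the enrichment step never runs on an empty string."""
    alert = json.loads(raw)
    src_ip = alert.get("data", {}).get("srcip")
    if not src_ip:
        raise ValueError("alert has no data.srcip; nothing to enrich or block")
    return {"src_ip": src_ip, "agent_id": alert["agent"]["id"], "rule_id": alert["rule"]["id"]}


def build_active_response(src_ip: str) -> Dict:
    """Body for PUT /active-response?agents_list=<agent id> on the Wazuh API.
    The stock firewall-drop script reads the IP from alert.data.srcip.
    Exact shape is an assumption; verify against your version's API reference."""
    return {"command": "firewall-drop", "custom": False,
            "alert": {"data": {"srcip": src_ip}}}


def triage(raw_alert: str, lookup: Callable[[str], int],
           analyst_reply: Optional[str] = None) -> Decision:
    """Enrich, then gate on confidence: high scores block automatically,
    everything else waits for the analyst's explicit 'block' or 'dismiss'."""
    f = parse_alert(raw_alert)
    score = lookup(f["src_ip"])
    if score >= AUTO_BLOCK_THRESHOLD:
        action, body = "auto_block", build_active_response(f["src_ip"])
    elif analyst_reply is None:
        action, body = "await_analyst", None          # email sent, waiting on a human
    elif analyst_reply.strip().lower() == "block":
        action, body = "analyst_block", build_active_response(f["src_ip"])
    else:
        action, body = "analyst_dismiss", None        # anything but 'block' is a no
    return Decision(f["src_ip"], f["agent_id"], score, action, body)


# Stand-in for AbuseIPDB: the real call is GET /api/v2/check?ipAddress=<ip> with
# a Key header, and the score is data.abuseConfidenceScore. Scores are constructed.
FAKE_REPUTATION = {"203.0.113.45": 100, "198.51.100.7": 35}


def fake_lookup(ip: str) -> int:
    return FAKE_REPUTATION.get(ip, 0)


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT, fake_lookup))
    print(triage(make_alert("198.51.100.7"), fake_lookup, analyst_reply="block"))
```

The gate defaults to "wait" whenever the score is below the threshold and no reply has arrived, and treats any reply other than an explicit "block" as a dismissal, so a mistyped or empty reply never turns into a firewall change.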
  • Wazuh reposted this

    Muhammad Akmalul Hakim S.

    Senior Network Security Engineer | Wazuh Ambassador | SOC & Blue Teaming Enthusiast

    🔍 What I Love Most About Wazuh? It’s All About the MITRE ATT&CK Framework. 🔍

    As a security professional, raw log data is just noise. The real magic happens when you can translate those signals into a clear story of an attacker's playbook. That’s exactly what Wazuh’s MITRE ATT&CK mapping does, and it’s a game-changer. Looking at our dashboard, we don't just see "alerts"; we see a strategic narrative:

    ➡️ The Story Unfolds in Real-Time: The attack lifecycle is visualized right in front of us. We can see adversaries moving from Reconnaissance (T1595.002 - Vulnerability Scanning) straight into attempts at Initial Access (T1189 - Exploit Public-Facing Application). This isn't just data—it's the kill chain in action.

    🎯 From Generic to Specific in Seconds: Instead of sifting through thousands of generic "HTTP Error" logs, the dashboard immediately highlights the specific techniques in use. We can instantly see top threats like:
    - T1059.007 - JavaScript (malicious scripts in web attacks)
    - T1055 - Process Injection (advanced evasion attempts)
    - T1078 - Valid Accounts (abuse of legitimate credentials)
    This context is priceless for prioritizing our response.

    📊 Strategic Visibility for Proactive Defense: By categorizing alerts into tactical buckets like Execution, Defense Evasion, and Persistence, Wazuh answers the most critical question: "What is the attacker trying to do now?" This allows us to shift from a reactive posture to a proactive, intelligence-driven defense.

    For any security team aiming to mature their threat detection and response capabilities, the deep integration of MITRE ATT&CK in Wazuh isn't just a feature—it's a force multiplier.

    #Wazuh #MITREATTACK #Cybersecurity #SOC #ThreatDetection #SIEM #InfoSec #CyberDefense

  • Wazuh reposted this

    🛡️ Michał Bednarczyk

    Cyber Security Analyst at Tekniska | CCDA | BTL1 🥇 | PSAA | SAL1 | C3SA | CSIL-CI | Blue Team | SIEM Engineer | Wazuh Certified | Wazuh Ambassador

    I am very pleased to announce that, as one of the Wazuh #Ambassadors, I have created my fourth publication. ✅ This time, I have discussed step by step how to update Wazuh to a newer version. ⚙️ I hope you will find this publication useful. Of course, I welcome any comments and feedback. I would like to remind you that the latest version of Wazuh, 4.14.0, was released a few days ago! 💪 In my guide, I have presented an example of updating Wazuh from version 4.12 to version 4.14. Link to the publication on Medium: https://lnkd.in/dsvpyhKW #Wazuh #WazuhSiem #SIEM #BlueTeam #WazuhAmbassadorProgram #wazuhambassador

  • Wazuh reposted this

    Laurent M.

    Author of Data-Shield IPv4 Blocklist • Cyber Security Engineer • Blue Teamer • CISO Acensi Group

    🚨 Recently released, here is the new version of the well-known open-source HIDS | SIEM, bringing its share of new features and fixes. 📶 Wazuh 4.14.0 - The Open Source Security Platform

    💡 A few highlights:
    🚀 Version 4.14.0 improves the IT Hygiene capability with an expanded inventory that now includes browser extensions, endpoint services, users, and groups.
    🖥 It also introduces a new Microsoft Graph API dashboard for monitoring activity and audit events from Microsoft cloud services, and adds support for hot reloading of the Wazuh agent configuration.
    ✅ In addition, this release brings multiple stability, performance, and security improvements across the entire platform.

    👉 https://lnkd.in/exkpsmJk (release notes page for the new version)
    ⚠ Remember to test it in your labs!!!
    #security #cybersecurity #hids #siem #soc

  • Wazuh reposted this

    I’ve been running a few exposed machines for Ryvora labs recently, and one thing has made a huge difference when tracing malicious activity: visibility. Ingesting PowerShell command logs into Wazuh and using built-in detections to identify malicious commands has been a huge help in identifying endpoint-level activity. Check out the full write-up to get this set up in your environment! #Cybersecurity #BlueTeam #Wazuh #ThreatDetection

  • Wazuh reposted this

    Wilklins Nyatteng

    Cyber Security Engineer | Wazuh Ambassador | AWS Community Builder.

    Is your Wazuh Vulnerability Detection module giving you more noise than insight? I've just published a detailed guide: Practical Guide to Fine-Tuning Wazuh’s Vulnerability Detection Module. This article cuts straight to the configurations that matter, showing you how to:
    - Drastically reduce false positives for older systems.
    - Tailor vulnerability feeds to your specific OS/application stack.
    - Optimize database synchronization for faster, more accurate results.
    Stop managing irrelevant alerts and start focusing on real risk. Get the practical steps and configuration examples here: https://lnkd.in/drjecJp5
    - Link to Wazuh webpage: https://lnkd.in/dvXKHQUD
    - Link to Ambassadors program landing page: https://lnkd.in/d83zngzR
    #Wazuh #VulnerabilityManagement #CyberSecurity #SecurityOperations

  • Wazuh reposted this

    Kevin Branch

    Founder of Branch Network Consulting, LLC

    Day-one first impressions of Wazuh 4.14.0 by @BlueWolfNinja

    This morning I stumbled onto the release of Wazuh 4.14.0 before it was officially announced. I quickly chased down the release notes, and finding references to promising improvements and fixes, I upgraded my Wazuh SIEM development stack from 4.13.1 to 4.14.0 without any trouble. I also push-upgraded an active Windows and Linux agent to the new version. I am thus far favorably impressed.

    Building on their major 4.13 achievement with stateful system inventory indexes, Wazuh has expanded to include even more osquery-like inventory collection, including cross-platform collection of services, local users and groups, and installed browser extensions. They even had the class to represent group membership on both the user (user.groups) and group (group.users) levels. You will find these new additions in the IT Hygiene dashboard, under Identities (users and groups), Services (OS level services), and Software (Browser Extensions). A new Microsoft Graph API dashboard has also been added.

    I also observe that with this release, Wazuh is continuing to exhibit intentionality about refining and expanding the scope of their Security Configuration Assessment (SCA) policies. Also, they were even more aggressive than usual this time with attending to needed bug fixes in a variety of event analysis rules. Kudos to Wazuh!

    Other than a few issues like Linux inventoried services always being assigned a process.pid of 0, and the lack of honoring pinned filters when moving in the IT Hygiene dashboard between Services and Processes, I am not seeing any major issues yet. Though I recommend waiting before deploying it in production so soon, I would say 4.14.0 is off to a great start.

    Do note that 4.14.0 is now based on OpenSearch 2.19.3 instead of the 2.19.2 used in 4.13.x. If you have any non-Wazuh-native plugins in place, like the one for Anomaly Detection, you will presumably have to reinstall the 2.19.3-aligned version of such plugins.

    In order of depth, these are sources I would recommend exploring to get acquainted with this promising new version of Wazuh:
    https://lnkd.in/grSxM_wv
    https://lnkd.in/gbut6XGY
    https://lnkd.in/gxXwBTEu
    https://lnkd.in/gScPiyde
    https://lnkd.in/guyJ6uJn

  • Wazuh

    🚀 Wazuh 4.14.0 is here! 🎉 The Wazuh 4.14.0 release enhances the IT Hygiene capability with an expanded inventory that now includes browser extensions, endpoint services, users, and groups. This release also introduces a new Microsoft Graph API dashboard and supports hot reload of Wazuh agent configuration. Find out more about these improvements in our new blog post: https://ow.ly/LG8r50Xh5F2 #InformationSecurity #CyberSecurity #OpenSource

  • Wazuh

    Leverage Kubernetes StatefulSets and persistent volumes to deploy Wazuh agents in containerized environments. This preserves the Wazuh agent identity across pod restarts and ensures consistent visibility across dynamic clusters. Our latest blog explores Wazuh agent deployment strategies for persistence in Kubernetes. Read more: https://ow.ly/enOv50Xgisu #InformationSecurity #CyberSecurity #OpenSource
