Incident Response and its Best Practices Using Wazuh

Varul Arora
8 min read · Aug 4, 2022


Digital security is crucial for businesses and enterprises. 2021 was marked by cyberattacks and major data breaches, and ransomware has grown into one of the dominant threats facing organisations.

Wazuh is an open source security platform that combines XDR and SIEM capabilities, allowing enterprises not only to detect complex threats but also to prevent data breaches and leaks.

Wazuh integrates with a large number of services and tools such as VirusTotal, YARA, AlienVault, Amazon Macie, PagerDuty, Slack, OwlH and FortiGate firewalls, so businesses can strengthen their defenses against attackers infiltrating their networks.

Figure 1: Active Response Cycle.

Wazuh Capabilities

Wazuh offers active response, intrusion detection, log data analysis, file integrity monitoring (FIM), vulnerability detection, configuration assessment, regulatory compliance, cloud security and container security. This article focuses on the response features in particular:

Analyzing log data

Wazuh agents read operating system and application logs and forward them to the Wazuh manager for analysis and storage. Because the agent's only responsibility here is to pass events to the manager, its memory and CPU needs are minimal. On the Wazuh manager, by contrast, processor and memory use can rise quickly with the number of events per second (EPS) the manager must examine.

Monitoring the integrity of files

Wazuh watches the file system and reports changes to file content, permissions, ownership and attributes that you should be aware of. When monitored files are created, edited or deleted, the File Integrity Monitoring (FIM) module raises an alert. Syscheck is the component in charge of this task: it records the properties of files and Windows registry keys, including their cryptographic checksums, and periodically compares them against the current state of the system to detect modifications.

Detection of vulnerabilities

Wazuh agents collect an inventory of the software installed on each endpoint and send it to the manager, which correlates it against CVE databases to detect known vulnerabilities.

Evaluation of the configuration

Wazuh checks system and application configurations against your security policies, standards and hardening guidelines (Security Configuration Assessment, SCA).

Regulations and Compliance

Wazuh provides some of the security controls required to meet industry standards and regulations, and tags its alerts with the compliance requirements they map to.

Containers’ safety

Wazuh monitors Docker hosts and containers, detecting threats, vulnerabilities and anomalies and giving security visibility into them.

Active Response

Responding quickly to cyber threats is critical to limiting their damage. When certain criteria are met, Wazuh's active response runs countermeasures against active threats, such as blocking access to the system from the threat's source address.

Active responses run a script in reaction to specific alerts, selected by rule ID, rule group or alert level. Any number of scripts may be launched from one trigger, but these actions must be carefully planned: a badly designed rule and response pair can itself become an attack vector, for instance by letting an attacker who controls log content get a legitimate host blocked.

Intrusion Detection

Wazuh is an open source XDR platform with intrusion detection capabilities. This feature is critical for recognizing potential attacks on a system. Wazuh agents scan the monitored systems for malware, rootkits and suspicious anomalies. From discovering hidden files and processes to spotting network listeners that the system does not report, Wazuh provides dependable and efficient intrusion detection.

Data about security incidents and alerts can be mined, analyzed and visualized using the customizable, user-friendly Wazuh dashboard, which is also used to manage and monitor the Wazuh platform itself. Role-based access control (RBAC) and single sign-on (SSO) are included as well.

Data is kept in the Wazuh indexer as JSON documents. A collection of keys, field names, or attributes are associated with their corresponding values in each document. These values can be characters, integers, booleans, dates, arrays of values, geolocations, or other sorts of data. A collection of documents with a common theme makes up an index. The Wazuh indexer divides the documents it stores into a variety of shards, or containers. The Wazuh indexer can achieve redundancy by splitting the documents into several shards and spreading those shards across numerous nodes. As more nodes are added to a cluster, this boosts query capacity and safeguards your system against hardware problems.

The Wazuh server analyzes the data collected from the agents and sends out alerts when suspicious activity or anomalies are found. It is also used to remotely manage the agents' configuration and monitor their status. The server enhances its detection capabilities with threat intelligence sources, and enriches alert data with MITRE ATT&CK techniques and regulatory compliance requirements to provide useful context for security analytics.

Endpoint Security Agent

The Wazuh agent is a cross-platform component that runs on the monitored endpoints. It has prevention, detection and response capabilities.

Figure 2: Incident Response of Wazuh

Wazuh Active Response

Wazuh's active response component handles automatic responses to specific alerts configured on the Wazuh manager. Every event collected by a Wazuh agent is sent to the manager, which evaluates it against the ruleset and, if a rule matches, assigns the alert the rule's level. By default only alerts of level 3 or above are logged. When a configured alert fires, the active response is executed.

Active responses are categorized as stateful or stateless. Stateful responses reverse their action after a configured timeout, whereas stateless responses are one-time actions.

For example, suppose we want to automatically block IP addresses that an endpoint's logs show attempting a brute-force attack over SSH or RDP, depending on the host's operating system.

When the attacker's activity matches the ruleset maintained on the Wazuh manager, we can configure a response that blocks the attacker's IP address.

Detect and respond to malicious files using CDB lists and active response

Malicious files found on endpoints can act as indicators of compromise (IOCs). Such files may be placed on endpoints through various attack channels. Wazuh's file integrity monitoring (FIM) component detects and alerts when files are created, modified or deleted, and the alerts it issues carry the files' MD5, SHA1 and SHA256 hashes in their metadata.

Wazuh's guides describe how to use VirusTotal and YARA to identify and respond to malicious files. In this post we look at using MD5 hashes and a constant database (CDB) list of previously known malicious MD5 hashes to detect malicious files. If a file's hash is found in the CDB list, the Wazuh active response function deletes the file.

Figure 3: Malicious file detection and response through VirusTotal.

Configuring Active Response

Wazuh's active response can execute commands on endpoints in response to specific triggers: a rule fires and an alert is issued. In this case, we want to run a Python script on a Windows agent to remove the malicious file that was downloaded.
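The following is an added example, not the script from the Wazuh guide or the author's own code. It reproduces outside Wazuh what the CDB-list rule and the delete response do together: take a FIM-style alert, look its MD5 up in a list of known-bad hashes, and remove the file if it matches. The list format (one `key:value` per line, as Wazuh compiles into a CDB list), the FIM alert field names (`syscheck.path`, `syscheck.md5_after`, rules 554 and 550) follow Wazuh's alert JSON; the list contents, the sample file and the `demo` helper are constructed for the example. The EICAR test string stands in for a malware sample.

```python
#!/usr/bin/env python3
"""Hash lookup against a CDB-style list followed by the file-delete response.

Added example; not the script from the Wazuh guide. Everything runs locally:
a file is written to a temp directory, an alert shaped like a Wazuh FIM alert
is built for it, the MD5 is looked up and the response removes the file.
"""
import hashlib
import os
import tempfile

# Constructed list in the source format Wazuh compiles into a CDB list:
# one "key:value" per line. 44d8... is the MD5 of the EICAR test string,
# a harmless stand-in for a malware sample; d41d... is the MD5 of an empty file.
CDB_LIST_TEXT = """\
44d88612fea8a8f36de82e1278abb02f:EICAR-Test-File
d41d8cd98f00b204e9800998ecf8427e:empty-file
"""

# The EICAR anti-virus test string (68 bytes). Raw string: it contains a backslash.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_cdb_list(text):
    """Return {lowercase hash: description} from key:value lines (blank and # lines skipped)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip().lower()] = value.strip()
    return entries


def hash_file(path):
    """Compute the MD5, SHA1 and SHA256 digests that FIM attaches to its alerts."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def fim_alert(path, event="added"):
    """Construct an alert shaped like a Wazuh FIM alert (rule 554 = file added,
    550 = checksum changed); the field names follow the syscheck alert JSON."""
    digests = hash_file(path)
    return {
        "rule": {"id": "554" if event == "added" else "550", "level": 5},
        "syscheck": {
            "path": path,
            "event": event,
            "md5_after": digests["md5"],
            "sha1_after": digests["sha1"],
            "sha256_after": digests["sha256"],
        },
    }


def lookup(alert, cdb):
    """The rule's list check: the description if syscheck.md5_after is a key in the list, else None."""
    md5 = alert.get("syscheck", {}).get("md5_after", "")
    return cdb.get(md5.lower())


def respond_delete(alert, cdb):
    """The active response: remove the flagged file. Returns True if it was removed."""
    if lookup(alert, cdb) is None or alert["syscheck"].get("event") == "deleted":
        return False
    path = alert["syscheck"]["path"]
    # Refuse symlinks and anything that is not a regular file, and re-hash before
    # unlinking so a file legitimately replaced after the alert is left alone.
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    if hash_file(path)["md5"] != alert["syscheck"]["md5_after"].lower():
        return False
    os.remove(path)
    return True


def demo(content=EICAR.encode()):
    """Write a constructed file, raise a FIM-style alert for it and run the response.

    Returns what happened so the flow can be checked without a Wazuh manager."""
    cdb = parse_cdb_list(CDB_LIST_TEXT)
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "dropper.com")
    with open(path, "wb") as fh:
        fh.write(content)
    alert = fim_alert(path)
    result = {
        "matched": lookup(alert, cdb),
        "deleted": respond_delete(alert, cdb),
        "still_present": os.path.exists(path),
    }
    if result["still_present"]:
        os.remove(path)  # clean up the benign case
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())            # EICAR sample: matched and deleted
    print(demo(b"benign"))   # unlisted content: left in place
```

The re-hash before `os.remove` is the check worth copying into a real response script: the alert describes the file as it was when FIM saw it, and by the time the response runs on the endpoint the path may hold something else.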

When is an Active Response Triggered?

An active response is triggered when an alert is raised that matches the response's configured rule ID, rule group or alert level. Active responses are classified as stateful or stateless.

Where are active response actions executed?

Each active response specifies where the related command runs: on the agent that raised the alert, on the manager, on specified agents, or on all agents including the manager. The possible locations are:

  • Local: the script runs on the agent that generated the alert.
  • Server: the script runs on the Wazuh manager.
  • Defined agent: the IDs of the agents that run the script, regardless of where the event occurred.
  • All: The script will be run by every agent in the environment. Use at your own risk.

Custom Active Response

A custom active response is a script of your own that runs when a given alert, alert level or rule group is triggered. It needs three pieces: the script itself, placed in the active-response/bin directory of the agent or manager that will run it; a <command> block in ossec.conf that tells Wazuh how to invoke it; and an <active-response> block that controls where and when the command runs. Active responses can be stateless or stateful.
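As an added example, not a script shipped with Wazuh, here is a custom active response in Python that blocks an alert's source IP, the response the SSH/RDP brute-force scenario above calls for. It follows the JSON protocol wazuh-execd uses with custom scripts: one message on stdin with command "add" when the alert fires and, for a stateful response, "delete" when the timeout expires; before acting on "add", a stateful script sends a "check_keys" message and execd answers "continue" or "abort". The script name `block-srcip`, the allowlisted networks, the use of iptables/ip6tables on the INPUT and FORWARD chains, and the `sample_message` helper are assumptions made for the example; the decision logic is kept in pure functions so it can be exercised without a manager and without touching a firewall.

```python
#!/usr/bin/env python3
"""Custom active response that blocks an alert's source IP with iptables.

Added example, not a script shipped with Wazuh. Messages from wazuh-execd
arrive on stdin as JSON; "add" fires with the alert, "delete" when a stateful
response's timeout expires.
"""
import ipaddress
import json
import subprocess
import sys

SCRIPT_NAME = "block-srcip"  # hypothetical name; echoed back to execd in the handshake

# Addresses the script refuses to block even if an alert names them (assumed
# values; a deployment would list its manager, jump hosts and scanners here).
# This complements the manager's own allowlist rather than replacing it.
DEFAULT_ALLOWLIST = ("127.0.0.0/8", "::1/128", "10.0.0.0/8")


def sample_message(command="add", srcip="203.0.113.7"):
    """Constructed execd message shaped like the real one. Rule 5763 is the sshd
    brute-force rule of the default ruleset; the alert is trimmed to what we use."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "worker01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "alert": {"rule": {"id": "5763", "level": 10}, "data": {"srcip": srcip}},
            "program": "/var/ossec/active-response/bin/" + SCRIPT_NAME,
        },
    })


def parse_message(raw):
    """Return (command, srcip), raising ValueError so nothing malformed reaches the firewall."""
    msg = json.loads(raw)
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError("unsupported command: %r" % (command,))
    srcip = msg.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    if not srcip:
        raise ValueError("alert carries no data.srcip")
    ipaddress.ip_address(srcip)  # raises ValueError for anything that is not an IP
    return command, srcip


def is_allowlisted(srcip, allowlist=DEFAULT_ALLOWLIST):
    ip = ipaddress.ip_address(srcip)
    return any(ip in ipaddress.ip_network(net) for net in allowlist)


def firewall_commands(command, srcip):
    """argv lists implementing the action: insert a DROP on "add", remove it on "delete"."""
    tool = "ip6tables" if ipaddress.ip_address(srcip).version == 6 else "iptables"
    flag = "-I" if command == "add" else "-D"
    return [[tool, flag, chain, "-s", srcip, "-j", "DROP"] for chain in ("INPUT", "FORWARD")]


def plan_action(raw, allowlist=DEFAULT_ALLOWLIST):
    """Decide what to run for one execd message; an empty list means do nothing."""
    command, srcip = parse_message(raw)
    if is_allowlisted(srcip, allowlist):
        return []
    return firewall_commands(command, srcip)


def stateful_handshake(srcip):
    """check_keys round trip: execd answers "continue" if the key is new and
    "abort" if this source is already blocked (its timeout is simply extended)."""
    sys.stdout.write(json.dumps({
        "version": 1,
        "origin": {"name": SCRIPT_NAME, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": [srcip]},
    }) + "\n")
    sys.stdout.flush()
    reply = json.loads(sys.stdin.readline())
    return reply.get("command") == "continue"


def main():
    raw = sys.stdin.readline()
    try:
        command, srcip = parse_message(raw)
    except ValueError as exc:
        sys.stderr.write("%s: ignoring message: %s\n" % (SCRIPT_NAME, exc))
        return 0
    if command == "add" and not stateful_handshake(srcip):
        return 0
    for argv in plan_action(raw):
        subprocess.run(argv, check=False)
    return 0


if __name__ == "__main__":
    if sys.stdin.isatty():
        # Run by hand: print the dry-run plan for the constructed sample message.
        for argv in plan_action(sample_message()):
            print(" ".join(argv))
    else:
        sys.exit(main())
```

To wire it in, the script is placed in active-response/bin on the endpoints that should run it, a <command> block names it, and an <active-response> block selects the trigger (rule ID, rule group or level), the location and a timeout; giving a timeout makes the response stateful and is what causes the "delete" message to arrive.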

Increasing blocking time for repeated offenders

Wazuh can raise the block time for repeat offenders: the repeated_offenders option, set inside the <active-response> section of each agent's ossec.conf, takes a comma-separated list of escalating timeouts in minutes that replace the response's normal timeout on the second, third and later offenses from the same source. The ossec.conf file is in XML format and all of its options are nested in the appropriate section of the file; the outermost tag is <ossec_config>, and there can be more than one <ossec_config> block.

Active response lets you react to many kinds of events while also limiting unwanted activity and blocking attacks. Be aware that any automatic reaction carries an inherent risk, so specify your responses carefully.

Blocking Attacks with Active Response

Wazuh can use active response to run commands on endpoints in response to specific triggers. To act on an attack, we must first define when the response executes. One of the following selectors is available:

  • Rule ID (rules_id): any alert from the given rule ID(s) triggers the response.
  • Rule group (rules_group): any alert from a rule in the given group(s) triggers the response.
  • Level (level): any alert of the given level or higher triggers the response.

Figure 4: The active response is triggered upon alert.

White list

We can also list IP addresses that an active response must never block. The option is white_list in the <global> section of the Wazuh manager's ossec.conf (this is Wazuh's allowlist for active response), and it accepts single IP addresses as well as netblocks.


Boosting cybersecurity defenses is more critical than ever for businesses. Wazuh is a free and open source security monitoring platform that combines XDR and SIEM functionality, from security event and log monitoring to integrity verification, compliance, EDR and incident response, allowing businesses not only to detect sophisticated threats but also to prevent data breaches and leaks.

Because Wazuh integrates with a large number of services and tools such as VirusTotal and YARA, it equips organisations with more effective tooling for proactive measures and incident response, so businesses can strengthen their defenses against attackers infiltrating their networks. With Wazuh's different functions, an organisation can keep tabs on its different areas in real time and be more aware of any security incident.

Wazuh offers a security solution that monitors your network infrastructure for threats, intrusion attempts, system anomalies and unauthorized user activity, and provides a framework for incident response and compliance on a single platform.

The lightweight Wazuh agent carries out a variety of tasks aimed at detecting threats and, when required, launching automated responses. The Wazuh server processes events with decoders and rules, evaluates the data from the agents, and uses threat intelligence to search for well-known indicators of compromise (IOCs).



Varul Arora

CTIA | Love cybersecurity, completed MSc in Applied Cyber Security from Queen’s University Belfast. Twitter : @AroraVarul