Wazuh and Its XDR Approach

Varul Arora
8 min read · Jun 9, 2022



Recent milestones in the evolution of detection and response technology are endpoint detection and response (EDR), managed detection and response (MDR), and network detection and response (NDR).

However, these solutions run independently of one another, so the correlated, high-level processed alert is missing. Extended Detection and Response (XDR) emerged as the answer to this gap: rather than adding yet another tool, XDR aims to change the security landscape by making the existing security stack work together more effectively.

Figure 1: Detection and Response Types.

What problem does XDR solve?

Attackers often target endpoints, but they also target other layers of the corporate IT environment, such as email servers and cloud systems, and they may move between layers or hide at the boundaries between them to evade detection.

Modern security teams face two operational problems, according to Gartner:

  • Hiring and training security staff.
  • Creating a secure toolset that enables effective security threat detection and response.

XDR addresses both problems at once. It is a security solution that:

  • Collects data from endpoints, networks, email, cloud frameworks, and other parts of the security environment.
  • Provides a single interface through which security staff can understand and act on data from all of those layers.
  • Automates triage and investigation, saving time for security analysts.
  • Reduces the security stack’s overall cost of ownership.

What Distinguishes XDR from SIEM?

SIEM (Security Information and Event Management) is an essential part of the Security Operations Centre (SOC) team. Log data is gathered from a variety of security systems and correlated to provide security analysts with actionable alerts.

The limitation of SIEM is that it provides only a centralized view of security data: it gathers information from several sources, but exposes only basic information about each event.

A SIEM cannot request further information from the security tools in order to examine a specific incident. SIEMs also have limited capabilities for handling newer types of security data from tools such as endpoint detection and response (EDR) and endpoint protection platforms (EPP).

Most importantly, conventional SIEMs lack built-in response mechanisms. A SIEM is a security incident detection tool; on its own it cannot respond to or contain a threat.

SIEM Augmentation

XDR can supplement an existing SIEM and fill in some of these gaps, saving security analysts time in evaluating relevant alerts and logs and deciding what needs attention and further investigation. It can:

  • Use security tools not only to retrieve information about an incident but also to initiate defensive responses.
  • Allow in-depth data from those tools, such as cloud entitlements or endpoint configuration data, to be queried and modified.
  • Put everything in a single central data lake that holds both raw data from the integrated security systems and aggregated data from the SIEM.
  • Improve alert quality and combine data in new ways to build complete attack narratives using machine learning and AI capabilities.

Major Features of XDR

Now that we’ve established the distinction between XDR and SIEM, let’s look at some of the important features of XDR platforms:

Figure 2: Extended Detection and Response Components

Unified Analyst Interface: XDR offers a consolidated management interface for a company’s whole security infrastructure. This reduces training time and allows Tier 1 analysts to evaluate complex situations without escalating to Tier 2 and Tier 3 analysts.

Unified Visibility: Security visibility across networks, endpoints, cloud frameworks, mobile devices, or any other part of the IT system can be achieved with XDR.

Unified Management: Security teams may manage security configurations and rules throughout the whole IT environment from a single centralized location.

Integrated Platform: For the various forms of security data, XDR delivers off-the-shelf, integrated, pre-tuned detection techniques.

Quick Detection and Response: XDR allows analysts to swiftly discover, investigate, and respond to threats from a single interface. This can help organizations significantly reduce response times.

A Focus on Response

Faster, more streamlined response to security incidents is a fundamental capability that XDR offers. XDR can detect incidents automatically through either of the following triggers:

AI-driven analytics: XDR collects data from across the security environment in real time and can spot aberrant behavior, or multiple events that have security implications only when viewed together.

Human-led analysis: Security experts can use the data provided by XDR to discover further security incidents.

Threat Hunting with XDR

Threat hunting is a cybersecurity practice that entails proactively searching networks, assets, and infrastructure for emerging threats that have eluded traditional defenses.

On behalf of a threat hunter, XDR solutions collect more detailed data and analyze it more thoroughly. This includes deep examination of event logs, access requests, application events, and endpoint-related events.

Answers to all of the following questions can be found in one place using a graphical, attack-centric timeline view:

  • What was the initial point of entry?
  • Is anyone else involved in the attack?
  • Where did the threat come from?
  • How did the threat spread?
  • How was the user infected?

Wazuh 4.3: New Features

The Wazuh platform combines XDR and SIEM capabilities to protect cloud, container, and server workloads. Its capabilities include log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, and regulatory compliance support. (https://wazuh.com/blog/introducing-wazuh-4-3-0/)

The Wazuh platform comprises three central components, the Wazuh server, the Wazuh indexer, and the Wazuh dashboard, plus the Wazuh agent, which is deployed on the monitored endpoints.

  • The Wazuh indexer is a massively scalable search and analytical engine.
  • The Wazuh server analyzes the data sent by the agents. It runs the data through decoders and rules and uses threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from multiple agents, and it scales horizontally when configured as a cluster.

Figure 3: Wazuh 4.3 Agents Interface.

  • The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for security events, regulatory compliance (such as PCI DSS, GDPR, CIS, HIPAA, and NIST 800-53), detected vulnerable applications, file integrity monitoring, configuration assessment results, cloud platform monitoring events, and more. It is also used to manage Wazuh’s configuration and to monitor its status.

Figure 4: Wazuh 4.3 OpenSearch Dashboard.

  • The Wazuh agent can be installed on all kinds of endpoints, such as laptops, workstations, servers, cloud instances, and virtual machines. It provides threat prevention, detection, and response capabilities and runs on a variety of operating systems, including Windows, Linux, AIX, macOS, Solaris, and HP-UX.

Figure 5: Linux and Windows agents deployed on Wazuh Manager version 4.3.

  • Agentless devices such as routers, switches, firewalls, and network IDS can also be monitored with Wazuh. For example, their log data can be collected through Syslog, and their configuration can be monitored by polling them periodically over SSH or an API.

Figure 6: Diagram represents the Wazuh 4.3 components and data flow.
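To make the server's "decoders and rules" step above concrete (the same step that handles syslog lines received from agentless devices), here is a miniature of that pipeline in Python. It is an added example, not Wazuh's own engine: rule IDs 5716 and 5712, their levels, and the 8-failures-in-120-seconds threshold mirror Wazuh's stock sshd rules, but the regex decoders, the sample auth log lines, the threat-intel list, and custom rule 100100 (Wazuh reserves IDs from 100000 for user rules) are constructed for this illustration.

```python
"""
Added example, not Wazuh's own code: a miniature of the decoder -> rule -> alert
pipeline the Wazuh server runs over logs forwarded by agents (or received over
syslog from agentless devices). Rule IDs 5716/5712, their levels and the
8-failures-in-120-seconds threshold mirror Wazuh's stock sshd rules; the
decoders, sample log lines, threat-intel list and rule 100100 are constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

YEAR = 2022  # RFC 3164 syslog timestamps carry no year; assumed for the sample

# Constructed sample of /var/log/auth.log lines as an agent would forward them.
SAMPLE_LOG = """\
Jun  9 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51012 ssh2
Jun  9 10:00:03 web01 sshd[2102]: Failed password for invalid user admin from 203.0.113.10 port 51013 ssh2
Jun  9 10:00:05 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.10 port 51014 ssh2
Jun  9 10:00:07 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.10 port 51015 ssh2
Jun  9 10:00:09 web01 sshd[2105]: Failed password for invalid user admin from 203.0.113.10 port 51016 ssh2
Jun  9 10:00:11 web01 sshd[2106]: Failed password for invalid user admin from 203.0.113.10 port 51017 ssh2
Jun  9 10:00:13 web01 sshd[2107]: Failed password for invalid user admin from 203.0.113.10 port 51018 ssh2
Jun  9 10:00:15 web01 sshd[2108]: Failed password for invalid user admin from 203.0.113.10 port 51019 ssh2
Jun  9 10:00:20 web01 sshd[2110]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
Jun  9 10:00:21 web01 sshd[2111]: Failed password for root from 192.0.2.55 port 40000 ssh2
Jun  9 10:00:22 web01 kernel: [12345.678] eth0: link is up
"""

# Constructed threat-intel list standing in for a feed such as AbuseIPDB or AlienVault.
THREAT_INTEL = {"192.0.2.55": "constructed entry: known SSH scanner"}

_HDR = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
_IP = r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})"
# Decoders: each regex names the fields (srcip, user) that the rules later test.
DECODERS = {
    "sshd-failed": re.compile(_HDR + r"Failed password for (?:invalid user )?(?P<user>\S+) from " + _IP + r" port \d+"),
    "sshd-accepted": re.compile(_HDR + r"Accepted (?:password|publickey) for (?P<user>\S+) from " + _IP + r" port \d+"),
}

RULES = {  # id: (level, description)
    5716: (5, "sshd: authentication failed."),
    5712: (10, "sshd: brute force trying to get access to the system."),
    100100: (12, "sshd: login attempt from an IP on the threat-intel list."),
}
FREQUENCY, TIMEFRAME = 8, timedelta(seconds=120)  # thresholds of stock rule 5712


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    srcip: str
    user: str
    timestamp: datetime


def decode(line: str) -> Optional[dict]:
    """Run the decoders; return the extracted fields, or None if no decoder matches."""
    for name, rx in DECODERS.items():
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["decoder"] = name
            ev["timestamp"] = datetime.strptime(f"{YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
            return ev
    return None


class RuleEngine:
    def __init__(self) -> None:
        # Per-source sliding window of failure times: the frequency/timeframe state.
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    def evaluate(self, ev: dict) -> Optional[Alert]:
        if ev["decoder"] != "sshd-failed":
            return None  # successful logins raise no alert in this miniature
        matched = [5716]
        win = self._failures[ev["srcip"]]
        win.append(ev["timestamp"])
        while ev["timestamp"] - win[0] > TIMEFRAME:  # drop failures outside the window
            win.popleft()
        if len(win) >= FREQUENCY:
            matched.append(5712)
            win.clear()  # reset after firing so one burst yields one level-10 alert
        if ev["srcip"] in THREAT_INTEL:
            matched.append(100100)  # IOC match against threat intelligence
        rule_id = max(matched, key=lambda r: RULES[r][0])  # highest level wins
        level, desc = RULES[rule_id]
        return Alert(rule_id, level, desc, ev["srcip"], ev["user"], ev["timestamp"])


def run_pipeline(lines: List[str]) -> List[Alert]:
    engine = RuleEngine()
    alerts: List[Alert] = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue  # undecoded lines (the kernel message) are ignored in this miniature
        alert = engine.evaluate(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp:%H:%M:%S} rule {a.rule_id} level {a.level} {a.srcip} {a.user}: {a.description}")
```

Run stand-alone, the sample produces seven level-5 alerts, one level-10 brute-force alert on the eighth failure from 203.0.113.10, and one level-12 alert for the single attempt from the listed IP, which is the point of the IOC step: a source on a threat-intel list is alerted at a high level on its first attempt, long before any frequency threshold is reached.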

The Key XDR Features of Wazuh 4.3

Although different XDR implementations have different feature sets, most XDR platforms share a few key qualities:

Data Analytics and Detection

Figure 7: OpenSearch dashboard for Wazuh Manager version 4.3.

XDR systems provide extensive threat detection in terms of data analytics. It is typically possible to discover unusual behavior or threats by monitoring the logs and performance of large systems. XDR platforms usually analyze both internal and external traffic, evaluate and correlate logs against known threat profiles, and use machine learning techniques to detect new threat patterns such as zero-day attacks.

Threat Intelligence and Active Response

Businesses can use XDR platforms for more than just spotting possible threats. They also provide tools that help IT professionals investigate threats and execute various defenses to neutralize them through active response. To make this possible, most XDR platforms have a centralized alert view that gathers related alerts from many sources into a single UI. Administrators can use that UI to respond to alerts by orchestrating responses across multiple endpoints.

Figure 8: Windows agent event logs visibility Wazuh Manager version 4.3.

Scalability

Businesses can easily integrate their different systems, technologies, and endpoints into an XDR platform to keep them secure. This means XDR platforms are designed for scalability and compatibility with a wide range of vendor-specific technology, which makes them a reasonably future-proof solution that evolves with the company. Machine learning capabilities, meanwhile, help the platform’s defensive ability adapt to a specific technological environment and improve over time.

How Wazuh Provides XDR Functionality

The Wazuh approach to XDR is distinctive because it integrates with a broad range of open-source and third-party security tools. That means organizations can tailor the system to their specific needs without complex and expensive licensing arrangements. For instance, PDQ Deploy is used to install software and patches on workstations; AlienVault, VirusTotal, and AbuseIPDB are used to identify malicious IP addresses involved in spamming, hacking attempts, and DDoS attacks; and a URL reputation feed is used to detect harmful URLs used in malware distribution.

At the heart of the Wazuh XDR strategy, however, is the multi-platform monitoring agent. Its broad operating system support makes it compatible with most devices, so companies can quickly begin collecting endpoint data with it. The agents send system data back to the Wazuh server, which runs it through a series of anomaly and malware detection processes.

By integrating with tools such as Suricata and OwlH, administrators gain network intrusion detection and visualization functions, giving them the same situational awareness as other leading XDR platforms. The system can also run automated threat response playbooks based on data from the network and endpoints.
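The active response and threat intelligence sections above describe blocking a source on the strength of an alert or of a reputation lookup; here is what the decision logic of such a response looks like in practice. This is an added example, not one of Wazuh's shipped active-response scripts. Its assumptions: the message read from stdin follows the JSON layout of Wazuh 4.x stateful active responses (the exact fields used here are assumed), REPUTATION is a constructed local cache standing in for an AbuseIPDB or AlienVault lookup, the program path in make_message is hypothetical, and the firewall command is returned rather than executed.

```python
"""
Added example, not one of Wazuh's shipped active-response scripts: the decision
logic a custom active response can apply before blocking a source IP.
Assumptions (not from the article): the stdin message shape follows the
stateful active response format of Wazuh 4.x; REPUTATION is a constructed cache
standing in for an AbuseIPDB or AlienVault lookup; the firewall command is
returned, not executed.
"""
import ipaddress
import json
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed reputation cache: abuse confidence score 0..100 per source IP.
REPUTATION = {"203.0.113.10": 96, "198.51.100.7": 2}

# Never block these. ipaddress.is_private is deliberately not used because it
# also flags the documentation ranges (203.0.113.0/24 etc.) used in this sample.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BLOCK_LEVEL = 10   # block on our own evidence at this alert level or above
BLOCK_SCORE = 80   # block on intel evidence at this reputation score or above


@dataclass
class Decision:
    action: str          # "add" (block), "delete" (unblock on timeout) or "skip"
    srcip: Optional[str]
    reason: str
    command: List[str]   # argv of the firewall command that would be run


def make_message(command: str, level: int, srcip: str) -> str:
    """Build a constructed execd-style message for testing (field layout assumed)."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "worker01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "program": "/var/ossec/active-response/bin/custom-block",  # hypothetical path
            "alert": {"rule": {"id": "5712", "level": level}, "data": {"srcip": srcip}},
        },
    })


def decide(message: str) -> Decision:
    msg = json.loads(message)
    cmd = msg.get("command")
    alert = msg.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    if cmd not in ("add", "delete") or not srcip:
        return Decision("skip", srcip, "unsupported command or no srcip in alert", [])
    try:
        ip = ipaddress.ip_address(srcip)  # the alert field is attacker-influenced text: validate it
    except ValueError:
        return Decision("skip", srcip, "srcip is not a valid IP address", [])
    if any(ip in net for net in NEVER_BLOCK):
        return Decision("skip", srcip, "internal or allowlisted address", [])
    if cmd == "delete":
        return Decision("delete", srcip, "timeout expired, removing block",
                        ["iptables", "-D", "INPUT", "-s", srcip, "-j", "DROP"])
    level = int(alert.get("rule", {}).get("level", 0))
    score = REPUTATION.get(srcip, 0)
    if level >= BLOCK_LEVEL:
        reason = f"rule level {level} >= {BLOCK_LEVEL}"
    elif score >= BLOCK_SCORE:
        reason = f"reputation score {score} >= {BLOCK_SCORE}"
    else:
        return Decision("skip", srcip, f"level {level} and score {score} below thresholds", [])
    return Decision("add", srcip, reason, ["iptables", "-I", "INPUT", "-s", srcip, "-j", "DROP"])


if __name__ == "__main__":
    # execd passes one JSON message on stdin; print the decision instead of running it.
    print(json.dumps(decide(sys.stdin.readline()).__dict__))
```

Two details matter for a real deployment. First, the srcip value comes from a log line an attacker wrote, so it is parsed with ipaddress before it gets anywhere near a command line; a value such as "203.0.113.10; rm -rf /" is rejected rather than passed to a shell. Second, Wazuh's stateful active responses also perform a check_keys/continue handshake with execd before acting, which is omitted here to keep the decision logic in focus.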

Because it is open source, Wazuh is well placed to scale and evolve. It can already integrate with machine-learning-based security services such as Amazon Macie, allowing it to monitor stored data.

The Analytical Takeaways

An open-source system like Wazuh has the potential to give effective XDR capability to businesses of all sizes. It is also adaptable to shifting business requirements and new technology integrations. It is no exaggeration to call it a game-changer in the current cybersecurity landscape.

Wazuh is a force to be reckoned with in the broader XDR market, because few cybersecurity solutions can make such a claim.



Varul Arora

CTIA | Love cybersecurity, completed MSc in Applied Cyber Security from Queen’s University Belfast. Twitter : @AroraVarul