The Complete Wazuh Integration Guide

Modern security environments rarely rely on a single platform. Organizations collect telemetry from endpoints, firewalls, cloud services, identity providers, vulnerability scanners, and threat intelligence feeds, making integration a critical requirement rather than an optional feature.

Wazuh integrations allow security teams to enrich alerts with external threat intelligence, collect logs from diverse systems, automate responses, and forward security events to other analytics platforms.

Instead of investigating isolated alerts, analysts gain broader context that helps them detect attacks faster and reduce investigation time.

According to the 2024 IBM Cost of a Data Breach Report, organizations that extensively use security AI and automation detect and contain breaches significantly faster while reducing the average cost of a breach by millions of dollars compared to organizations with limited automation. Integrations are one of the primary ways organizations build these automated security workflows.

Industry experts also emphasize the importance of integrating security tools instead of operating them independently.

“Organizations need integrated security operations that combine visibility, automation, and intelligence across the environment.”

— Gartner Security and Risk Research

Integrating Wazuh with external platforms improves security operations by:

  • Centralizing logs from multiple sources
  • Enriching alerts with external threat intelligence
  • Automating incident response actions
  • Improving detection accuracy
  • Reducing analyst workload
  • Simplifying compliance reporting
  • Creating end-to-end security workflows

This guide explains how Wazuh integrations work, the different categories of supported integrations, common deployment architectures, best practices, and troubleshooting techniques.

It also links to detailed implementation guides for individual integrations; these appear as Related Guide references in the relevant sections.


What Is Wazuh Integration?

Wazuh integration refers to connecting Wazuh with external security products, cloud services, networking equipment, APIs, and collaboration platforms so information can flow automatically between systems.

Instead of operating as an isolated security platform, Wazuh becomes part of a larger security ecosystem that continuously exchanges data with other tools.

These integrations can provide:

  • External threat intelligence
  • Centralized logging
  • Automated incident response
  • Cloud monitoring
  • Vulnerability data
  • Asset information
  • Security notifications
  • Compliance evidence

Because Wazuh supports REST APIs, Syslog, Filebeat/OpenSearch pipelines, active response scripts, and custom integrations, it can communicate with hundreds of enterprise security products.

How Wazuh Fits into a Security Stack

Wazuh performs several core security functions that allow it to integrate naturally into modern SOC environments.

SIEM Capabilities

Wazuh collects logs from multiple sources, parses events, correlates security activity, and generates alerts based on detection rules.

Unlike traditional SIEM platforms that primarily focus on log aggregation, Wazuh combines log management with endpoint security capabilities.

XDR Capabilities

Wazuh extends detection across endpoints, servers, cloud workloads, containers, and network devices by correlating telemetry from multiple sources.

Although it is not a commercial XDR platform, many organizations use Wazuh alongside EDR and threat intelligence platforms to build an open-source XDR-like architecture.

Endpoint Monitoring

The Wazuh agent continuously monitors:

  • File changes
  • Running processes
  • Installed software
  • Windows Event Logs
  • Linux system logs
  • macOS events
  • Registry modifications
  • Rootkit activity

Endpoint telemetry forms the foundation for many integrations.

Log Collection

One of Wazuh’s biggest strengths is centralized log collection.

It can ingest logs from:

  • Servers
  • Applications
  • Firewalls
  • IDS/IPS solutions
  • Cloud services
  • Containers
  • Authentication systems
  • Network appliances

These logs become searchable within the Wazuh platform.

Threat Detection

Wazuh detects suspicious activity using:

  • Signature-based detection
  • Behavioral rules
  • Threat intelligence feeds
  • File Integrity Monitoring (FIM)
  • Rootcheck
  • Syscollector
  • Vulnerability Detection

External integrations significantly improve detection accuracy by providing additional context.

Compliance Monitoring

Wazuh includes compliance modules for frameworks such as:

  • PCI DSS
  • HIPAA
  • GDPR
  • NIST
  • CIS Benchmarks

Integrating with cloud platforms and enterprise infrastructure allows compliance monitoring to cover a much broader attack surface.


How Wazuh Integrations Work

Wazuh supports multiple integration mechanisms depending on the external system.

Data Ingestion

Many integrations simply send data into Wazuh.

Examples include:

  • Firewall logs
  • Cloud logs
  • DNS logs
  • Authentication events
  • VPN logs

These events are decoded, classified, and matched against Wazuh detection rules.

API-Based Integrations

Many modern security products expose REST APIs that Wazuh can query.

Examples include:

  • Threat intelligence platforms
  • Microsoft Graph
  • Cloud providers
  • Asset inventories
  • Vulnerability scanners

API integrations allow Wazuh to enrich alerts with external information instead of relying solely on local events.

Syslog Forwarding

Syslog remains one of the most common enterprise integration methods.

Devices that commonly forward logs to Wazuh include:

  • Firewalls
  • Switches
  • Routers
  • VPN gateways
  • Unix servers
  • IDS appliances

Syslog simplifies centralized monitoring without requiring agents.

Webhooks

Some integrations push alerts to external systems through webhooks.

Common webhook destinations include:

  • Chat platforms
  • Ticketing systems
  • SOAR platforms
  • Automation pipelines

Webhooks enable real-time workflows without polling APIs.

Active Response

Active Response allows Wazuh to execute scripts automatically after detecting predefined events.

Common actions include:

  • Blocking IP addresses
  • Disabling user accounts
  • Killing malicious processes
  • Isolating compromised hosts
  • Updating firewall rules

Automation reduces the time between detection and containment.

External Enrichment

One of the most valuable integration features is external enrichment.

Instead of generating alerts with limited context, Wazuh can query external services for additional information such as:

  • File reputation
  • IP reputation
  • Domain reputation
  • Vulnerability details
  • Asset ownership
  • User identity
  • Cloud resource metadata

This reduces manual investigation time and helps analysts prioritize incidents.

For example, integrating VirusTotal allows Wazuh to determine whether a suspicious file hash has already been identified as malicious by dozens of antivirus engines.

Related Guide: How to Integrate Wazuh with VirusTotal for Threat Intelligence


Types of Wazuh Integrations

Wazuh supports integrations across nearly every layer of an organization’s infrastructure.

These integrations enhance visibility, automate security workflows, and improve incident response by allowing Wazuh to exchange information with complementary platforms.

Threat Intelligence Platforms

Threat intelligence integrations enrich Wazuh alerts with external information about malicious files, IP addresses, domains, and attack campaigns.

Rather than relying solely on local detection rules, Wazuh can compare indicators against global threat intelligence databases to improve detection confidence.

Common threat intelligence integrations include:

VirusTotal

VirusTotal enriches alerts by checking:

  • File hashes
  • URLs
  • IP addresses
  • Domains

This helps analysts quickly determine whether an indicator has been previously associated with malware.

Related Guide: How to Integrate Wazuh with VirusTotal for Threat Intelligence

AbuseIPDB

AbuseIPDB provides reputation information for IP addresses involved in malicious activities such as:

  • Brute-force attacks
  • Spam
  • Botnets
  • Port scanning

Enriching alerts with AbuseIPDB data helps prioritize hostile IP addresses.

MISP

The Malware Information Sharing Platform (MISP) enables organizations to share Indicators of Compromise (IOCs) and threat intelligence across security communities.

Organizations often integrate MISP with Wazuh to correlate internal events against shared threat intelligence.

AlienVault OTX

AlienVault OTX supplies community-driven threat intelligence including:

  • Malicious IPs
  • Domains
  • File hashes
  • Emerging malware campaigns

OTX enrichment improves visibility into known threats affecting multiple organizations.

Network Security Devices

Network devices provide valuable telemetry that complements endpoint monitoring.

Common integrations include:

Firewalls

Firewall logs reveal:

  • Blocked connections
  • Allowed traffic
  • VPN activity
  • NAT translations
  • Suspicious inbound connections

Integrating firewall events improves attack visibility.

IDS/IPS

Intrusion Detection and Prevention Systems generate alerts when suspicious network activity is detected.

A popular integration is Suricata.

Combining Suricata network alerts with Wazuh endpoint events provides stronger detection through event correlation.

Related Guide: How to Integrate Wazuh with Suricata for Better Threat Detection

VPN Appliances

VPN gateways provide authentication logs that help identify:

  • Failed logins
  • Geographic anomalies
  • Concurrent sessions
  • Suspicious remote access

Routers

Routers contribute:

  • NetFlow data
  • Routing changes
  • Interface events
  • Administrative logins

These events help identify network infrastructure attacks.

Cloud Platforms

Cloud services generate a significant amount of security telemetry that Wazuh can ingest and analyze.

AWS

Typical AWS integrations include:

  • CloudTrail
  • CloudWatch
  • GuardDuty
  • VPC Flow Logs
  • S3 access logs

These provide visibility into cloud infrastructure activity.

Microsoft Azure

Azure integrations commonly include:

  • Azure Activity Logs
  • Azure AD sign-ins
  • Microsoft Defender
  • Azure Monitor

Administrators frequently use Microsoft Graph APIs during Azure integrations.

Related Guide: Fixing Microsoft Graph API Authentication Failures in Wazuh

Google Cloud Platform

Common GCP integrations include:

  • Cloud Audit Logs
  • Cloud Logging
  • Security Command Center
  • Compute Engine logs

Cloud integrations improve hybrid infrastructure monitoring.

Endpoint Security Tools

Endpoint security products provide additional context beyond native operating system logs.

Antivirus

Common antivirus integrations correlate:

  • Malware detections
  • Quarantine events
  • Signature updates
  • Scan results

EDR

Endpoint Detection and Response platforms contribute:

  • Behavioral detections
  • Process trees
  • Memory analysis
  • Attack timelines

Combining EDR telemetry with Wazuh provides broader visibility into endpoint attacks.

Asset Management

Asset inventories help enrich alerts with:

  • Device ownership
  • Operating system
  • Installed software
  • Business criticality

Vulnerability Scanners

Vulnerability management platforms provide:

  • CVE information
  • Risk scores
  • Patch status
  • Exposure data

This allows Wazuh to prioritize alerts affecting vulnerable systems.

Log Management Platforms

Many organizations forward Wazuh alerts to centralized analytics platforms.

Syslog Servers

Syslog forwarding supports long-term storage and centralized log aggregation.

SIEM Platforms

Organizations sometimes forward Wazuh alerts into enterprise SIEM solutions for additional correlation or enterprise reporting.

For example, administrators may integrate Wazuh with Splunk when standardized dashboards or enterprise workflows already exist.

Related Guide: How to Fix Splunk Forwarder Mapping in Wazuh

Log Forwarding

Logs can be forwarded using:

  • Syslog
  • Filebeat
  • APIs
  • Custom integrations

This allows multiple security platforms to consume the same events.

Data Lakes

Security teams often archive Wazuh data in data lakes for:

  • Threat hunting
  • Machine learning
  • Compliance retention
  • Historical investigations

Notification and Collaboration Platforms

Rapid notification is essential for effective incident response.

Slack

Slack integrations can send alerts directly to SOC channels, enabling analysts to review and triage incidents collaboratively.

Microsoft Teams

Microsoft Teams notifications help organizations that use the Microsoft ecosystem receive security alerts in real time.

Email

Email notifications remain useful for:

  • Critical alerts
  • Daily summaries
  • Compliance reports
  • Administrative notifications

PagerDuty

PagerDuty integrations automatically escalate high-severity incidents to on-call responders, reducing response times for critical security events.

According to the SANS Institute, integrating detection platforms with collaboration and incident management tools improves operational efficiency by shortening the time between detection, investigation, and response.


Wazuh Integration Architecture

A well-designed integration architecture ensures that Wazuh can ingest, process, enrich, and distribute security events efficiently across your environment.

Understanding how each component interacts with the others makes it easier to deploy new integrations, troubleshoot issues, and optimize performance.

At a high level, the workflow follows a predictable path:

  1. Security events are generated by endpoints, applications, or network devices.
  2. Wazuh agents or log collectors capture the events.
  3. The Wazuh Manager analyzes the data against decoders and detection rules.
  4. Alerts are indexed and stored.
  5. The Wazuh Dashboard displays the results.
  6. External integrations enrich alerts or trigger automated responses.

This modular architecture allows organizations to integrate Wazuh with hundreds of third-party products without significantly altering the core platform.

Core Components

Understanding the purpose of each Wazuh component is essential before implementing integrations.

Wazuh Manager

The Wazuh Manager is the central processing engine responsible for receiving telemetry from agents and external sources.

Its primary responsibilities include:

  • Processing incoming logs
  • Running decoders
  • Evaluating detection rules
  • Correlating events
  • Triggering Active Response
  • Managing agents
  • Executing integrations
  • Generating alerts

Nearly every integration communicates directly or indirectly with the Manager.

Examples include:

  • Threat intelligence lookups
  • Syslog ingestion
  • API requests
  • Active response scripts
  • Cloud log processing

Wazuh Agents

Agents collect telemetry from monitored endpoints and forward it securely to the Wazuh Manager.

They gather information such as:

  • Operating system logs
  • File Integrity Monitoring (FIM) events
  • Process activity
  • Registry changes
  • Installed software
  • Vulnerability information
  • Authentication events

Because agents operate locally, they provide detailed visibility that network-only monitoring cannot.

Indexer

The Wazuh Indexer stores processed security events and makes them searchable.

Its responsibilities include:

  • Indexing alerts
  • Storing historical events
  • Supporting fast searches
  • Retaining security data
  • Powering dashboards
  • Supporting threat hunting

As environments grow, proper Indexer sizing becomes increasingly important for maintaining query performance.

Dashboard

The Dashboard provides the graphical interface used by analysts and administrators.

Users can:

  • View alerts
  • Search events
  • Investigate incidents
  • Review compliance reports
  • Analyze trends
  • Monitor integrations
  • Manage configurations

Many external integrations ultimately enhance the information displayed within the Dashboard.

API

The Wazuh REST API enables automation and communication with external platforms.

Common API use cases include:

  • Querying alerts
  • Managing agents
  • Updating configurations
  • Retrieving inventory data
  • Automating workflows
  • Integrating SOAR platforms
  • Building custom dashboards

Most enterprise integrations rely on API communication to exchange data securely.

Data Flow

Understanding the data flow helps explain where integrations fit into the detection pipeline.

Event Generation

Security events originate from many sources, including:

  • Windows Event Logs
  • Linux syslogs
  • Firewall appliances
  • IDS/IPS sensors
  • Cloud services
  • Applications
  • Identity providers
  • Endpoint agents

Every integration begins with one or more event sources.

Log Collection

Logs are collected using methods such as:

  • Wazuh Agents
  • Syslog
  • API ingestion
  • File monitoring
  • Cloud connectors

The Manager normalizes incoming data before analysis.

Rule Evaluation

After logs are received, Wazuh evaluates them using:

  • Decoders
  • Detection rules
  • Correlation logic
  • Threat intelligence
  • Custom rules

This stage determines whether an event should generate an alert.

Alert Generation

When a rule matches, Wazuh creates an alert containing information such as:

  • Severity level
  • Source host
  • Event details
  • Detection rule
  • Timestamp
  • Relevant indicators

Additional integrations can enrich these alerts with contextual information.

External Integrations

Once alerts are generated, Wazuh can interact with external platforms to:

  • Check file reputations
  • Query IP intelligence
  • Send notifications
  • Forward logs
  • Open tickets
  • Trigger SOAR playbooks
  • Update asset inventories

These integrations transform basic alerts into actionable security intelligence.

Incident Response

Finally, Wazuh can initiate automated or semi-automated response actions.

Examples include:

  • Blocking malicious IP addresses
  • Disabling compromised accounts
  • Killing malicious processes
  • Updating firewall rules
  • Isolating endpoints
  • Sending alerts to collaboration platforms

Automation significantly reduces the time between detection and containment.

Common Integration Methods

Wazuh supports several mechanisms for integrating with external systems.

The appropriate method depends on the capabilities of the third-party platform.

REST APIs

REST APIs are the preferred integration method for modern cloud services and security platforms.

Typical API integrations include:

  • Threat intelligence platforms
  • Cloud providers
  • Identity providers
  • Asset management systems
  • Vulnerability scanners
  • SOAR platforms

API-based integrations enable real-time data exchange and richer contextual information.

Syslog

Syslog remains one of the most widely supported integration protocols.

Common devices forwarding logs via Syslog include:

  • Firewalls
  • Routers
  • Switches
  • VPN gateways
  • IDS/IPS appliances
  • Unix servers

Syslog provides a simple and reliable way to centralize security logs.

File Monitoring

Some applications generate logs locally rather than exposing APIs or Syslog.

Wazuh can monitor these files directly to ingest:

  • Application logs
  • Audit logs
  • Database logs
  • Web server logs
  • Security appliance exports

File monitoring is particularly useful for legacy systems.

Active Response Scripts

Active Response scripts allow Wazuh to perform automated remediation after detecting predefined threats.

Common automated actions include:

  • Blocking IP addresses
  • Removing malicious files
  • Restarting compromised services
  • Updating firewall policies
  • Disabling user accounts

These scripts can also invoke external APIs to orchestrate broader response workflows.
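An added example of such a script (not code from the page or from Wazuh): a hypothetical custom Active Response script that follows the stdin/stdout JSON protocol wazuh-execd uses in Wazuh 4.x, blocks the alert's source address with iptables, and refuses to touch management ranges. The ossec.conf stanza, the rule id in the sample request, the protected ranges and the 600 s timeout are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical custom Active Response script (not part of Wazuh), installed as
/var/ossec/active-response/bin/custom-block-ip.py. Protocol with wazuh-execd:
read one JSON request on stdin, answer 'check_keys' on stdout, wait for
'continue' or 'abort', then act. Manager-side ossec.conf (assumed values):
    <command>
      <name>custom-block-ip</name>
      <executable>custom-block-ip.py</executable>
      <timeout_allowed>yes</timeout_allowed>
    </command>
    <active-response>
      <command>custom-block-ip</command>
      <location>local</location>
      <level>10</level>
      <timeout>600</timeout>
    </active-response>
"""
import io
import ipaddress
import json
import subprocess
import sys
from typing import Dict, Iterator, List, Tuple

SCRIPT_NAME = "custom-block-ip"
# Assumption: loopback and the internal management range are never dropped, whatever the alert says.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def parse_request(line: str) -> Dict:
    """Validate the execd request: version 1, command add/delete, alert carrying data.srcip."""
    req = json.loads(line)
    if req.get("version") != 1 or req.get("command") not in ("add", "delete"):
        raise ValueError("unsupported active-response request")
    alert = req.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        raise ValueError("alert carries no data.srcip")
    ipaddress.ip_address(srcip)  # ValueError unless the field really is an address (no shell-ish input reaches iptables)
    return {"command": req["command"], "srcip": srcip, "rule_id": alert.get("rule", {}).get("id")}


def check_keys_message(keys: List[str]) -> str:
    """execd uses the keys to decide whether this address was already handled inside the timeout window."""
    return json.dumps({"version": 1, "origin": {"name": SCRIPT_NAME, "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": keys}})


def is_safe_to_block(srcip: str) -> bool:
    addr = ipaddress.ip_address(srcip)
    return not any(addr in net for net in NEVER_BLOCK)


def firewall_command(command: str, srcip: str) -> List[str]:
    """iptables arguments: insert a DROP on 'add', remove it on 'delete' (sent when the timeout expires)."""
    return ["iptables", "-I" if command == "add" else "-D", "INPUT", "-s", srcip, "-j", "DROP"]


def handle(stdin_lines: Iterator[str], stdout, run) -> str:
    """Drive one request through the protocol; the return value is the line written to active-responses.log."""
    request = parse_request(next(stdin_lines))
    if not is_safe_to_block(request["srcip"]):
        return f"skipped:{request['srcip']}:protected-range"
    if request["command"] == "add":  # only 'add' goes through check_keys; 'delete' is executed directly
        stdout.write(check_keys_message([request["srcip"]]) + "\n")
        stdout.flush()
        reply = json.loads(next(stdin_lines))
        if reply.get("command") != "continue":
            return f"aborted:{request['srcip']}"
    run(firewall_command(request["command"], request["srcip"]), check=True)
    return f"{request['command']}:{request['srcip']}:rule-{request['rule_id']}"


class DryRun:
    """Records the commands that would have run, for dry runs and tests."""
    def __init__(self):
        self.commands: List[List[str]] = []

    def __call__(self, cmd: List[str], check: bool = True) -> None:
        self.commands.append(cmd)


def simulate(lines: List[str]) -> Tuple[str, str, List[List[str]]]:
    """Run the protocol against canned execd messages without touching the firewall."""
    runner, out = DryRun(), io.StringIO()
    return handle(iter(lines), out, runner), out.getvalue(), runner.commands


# Constructed execd request and reply in the shape wazuh-execd sends (not a real capture).
SAMPLE_REQUEST = json.dumps({"version": 1, "origin": {"name": "manager01", "module": "wazuh-execd"},
                             "command": "add", "parameters": {"extra_args": [], "alert": {
                                 "rule": {"id": "5712", "level": 10}, "agent": {"id": "001", "name": "web01"},
                                 "data": {"srcip": "203.0.113.7"}},
                             "program": "/var/ossec/active-response/bin/custom-block-ip.py"}})
SAMPLE_CONTINUE = json.dumps({"version": 1, "origin": {"name": "manager01", "module": "wazuh-execd"},
                              "command": "continue", "parameters": {}})

if __name__ == "__main__":
    outcome = handle(iter(sys.stdin), sys.stdout, subprocess.run)
    with open("/var/ossec/logs/active-responses.log", "a", encoding="utf-8") as log:
        log.write(f"{SCRIPT_NAME}: {outcome}\n")
```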

Webhooks

Webhooks allow Wazuh to send alerts instantly to external platforms whenever specified conditions are met.

Popular webhook destinations include:

  • Slack
  • Microsoft Teams
  • PagerDuty
  • Ticketing systems
  • SOAR platforms
  • Custom automation services

Because webhooks push data immediately, they are well suited for real-time notification and workflow automation.


Preparing Your Environment

Proper preparation minimizes deployment issues and helps ensure integrations operate securely and reliably.

Before connecting Wazuh to third-party platforms, verify that your infrastructure, authentication methods, and network configuration are ready.

Verify Version Compatibility

Not every integration supports every version of Wazuh or the connected platform.

Before deployment, verify:

  • Wazuh version compatibility
  • Supported operating systems
  • API version requirements
  • Plugin compatibility
  • Indexer compatibility
  • Dashboard compatibility

Review release notes whenever upgrading either Wazuh or an integrated product, as API changes and deprecated features can affect existing integrations.

Wazuh Documentation – Release Notes: https://documentation.wazuh.com/current/release-notes/

Configure Network Connectivity

Most integrations depend on reliable communication between systems.

Confirm that:

  • Required ports are open
  • Firewalls allow traffic
  • DNS resolution functions correctly
  • Routing is configured properly
  • Proxy settings are correct
  • TLS communication succeeds

Network connectivity should be validated before troubleshooting application-level issues.

Secure API Access

API integrations often require elevated permissions, making them an attractive target for attackers.

Follow these security practices:

  • Use HTTPS exclusively
  • Rotate API keys regularly
  • Limit API permissions using the principle of least privilege
  • Restrict API access by IP address where possible
  • Enable audit logging
  • Monitor failed authentication attempts

Avoid embedding credentials directly into scripts whenever secure alternatives such as environment variables or secret management solutions are available.

Configure Authentication

Different integrations support different authentication methods.

Common options include:

  • API keys
  • OAuth tokens
  • JWT tokens
  • Client certificates
  • Basic authentication
  • Service accounts

Choose the strongest authentication mechanism supported by both Wazuh and the integrated platform.

Backup Existing Configuration

Before modifying production integrations, create backups of relevant configuration files.

Common files to back up include:

  • ossec.conf
  • Local rules
  • Custom decoders
  • Active Response scripts
  • Integration configuration files
  • SSL certificates

Maintaining version-controlled backups simplifies rollback if an integration introduces unexpected behavior.

Test Basic Connectivity

Before enabling production workflows, verify connectivity between Wazuh and the external platform.

Typical validation steps include:

  • Ping or reachability tests
  • DNS resolution checks
  • TLS certificate validation
  • API authentication tests
  • Sample log transmission
  • Test alert generation
  • Response verification

Incremental testing helps isolate configuration problems before they impact production monitoring.


Integrating Threat Intelligence

Threat intelligence transforms security alerts into actionable intelligence by providing additional context about suspicious indicators.

Rather than investigating every alert manually, analysts can quickly determine whether an IP address, domain, URL, or file hash has already been associated with known malicious activity.

Related Guide: How to Integrate Wazuh with VirusTotal for Threat Intelligence

Why Threat Intelligence Matters

Threat intelligence helps security teams prioritize alerts based on real-world risk.

Benefits include:

  • Faster incident triage
  • Reduced false positives
  • Improved detection accuracy
  • Better prioritization of high-risk alerts
  • Enhanced malware identification
  • Greater visibility into emerging threats

According to the Verizon Data Breach Investigations Report (DBIR), organizations increasingly rely on threat intelligence and contextual analysis to improve detection and accelerate incident response in complex attack environments.

Security expert Troy Hunt, creator of Have I Been Pwned, has consistently emphasized that context is critical when evaluating indicators of compromise, noting that raw indicators become significantly more valuable when enriched with reliable intelligence sources. This principle underpins modern security operations and explains why threat intelligence integrations are now a standard component of mature SOCs.


Threat Enrichment Workflow

A typical Wazuh threat enrichment workflow follows these steps:

  1. A security event is detected.
  2. Wazuh extracts indicators such as IP addresses, file hashes, or domains.
  3. The integration queries one or more threat intelligence providers.
  4. Reputation data is returned.
  5. Wazuh enriches the alert with contextual information.
  6. Detection rules may increase the alert severity based on the enrichment.
  7. Analysts investigate or automated response actions are triggered.

This automated workflow enables analysts to focus on genuine threats instead of manually researching every indicator.

Common Threat Intelligence Sources

Organizations commonly integrate Wazuh with multiple intelligence providers to improve coverage.

Popular sources include:

  • VirusTotal
  • AbuseIPDB
  • MISP
  • AlienVault OTX
  • OpenPhish
  • Spamhaus
  • Emerging Threats
  • Commercial intelligence feeds

Using multiple sources helps validate indicators and reduces reliance on any single provider.

Best Practices

To maximize the value of threat intelligence integrations:

  • Integrate multiple reputable intelligence sources.
  • Cache lookups when appropriate to reduce API usage.
  • Respect API rate limits and quotas.
  • Prioritize high-confidence indicators over low-confidence feeds.
  • Regularly rotate API credentials.
  • Continuously review enrichment rules to reduce false positives.
  • Combine threat intelligence with endpoint and network telemetry rather than relying on reputation data alone.
  • Monitor enrichment performance and API failures to ensure consistent alert quality.

When implemented thoughtfully, threat intelligence integrations significantly enhance Wazuh’s detection capabilities while reducing investigation time and improving overall security operations.
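As an added example (not code from the page or from Wazuh), the enrichment workflow above and the caching advice from the best practices in one custom integration script. The script name, the ossec.conf stanza, the reputation table and the sample alert are constructed; the provider lookup is a local table standing in for a real API client.

```python
#!/usr/bin/env python3
"""Hypothetical custom integration script (not part of Wazuh) installed as
/var/ossec/integrations/custom-reputation. The integrator daemon runs it as
    custom-reputation <alert_json_file> <api_key> <hook_url>
for each alert matching this ossec.conf stanza (hook_url/api_key are placeholders):
    <integration>
      <name>custom-reputation</name>
      <hook_url>https://reputation.example.invalid/v1</hook_url>
      <api_key>REPLACE_WITH_API_KEY</api_key>
      <level>5</level>
      <alert_format>json</alert_format>
    </integration>
The enriched event re-enters the manager through the analysis socket, where a
local rule matching reputation.verdict can raise the alert level (step 6 above).
"""
import json
import socket
import sys
import time
from typing import Callable, Dict, List, Optional

SOCKET_PATH = "/var/ossec/queue/sockets/queue"
INTEGRATION_NAME = "custom-reputation"
CACHE_TTL_SECONDS = 3600
Lookup = Callable[[str], Optional[Dict]]

# Constructed stand-in for a reputation provider; a real deployment swaps
# table_lookup() for the provider's API client (VirusTotal, AbuseIPDB, MISP, ...).
CONSTRUCTED_REPUTATION = {
    "203.0.113.7": {"verdict": "malicious", "confidence": 90, "tags": ["bruteforce"]},
}

def table_lookup(indicator: str) -> Optional[Dict]:
    return CONSTRUCTED_REPUTATION.get(indicator)

class CachedLookup:
    """Caches verdicts, misses included, so a burst of alerts on one indicator costs one API call."""
    def __init__(self, backend: Lookup, ttl: int = CACHE_TTL_SECONDS):
        self.backend, self.ttl, self.backend_calls = backend, ttl, 0
        self._cache: Dict[str, tuple] = {}

    def __call__(self, indicator: str, now: Optional[float] = None) -> Optional[Dict]:
        now = time.time() if now is None else now
        entry = self._cache.get(indicator)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]
        self.backend_calls += 1  # only cache misses or expired entries reach the provider
        verdict = self.backend(indicator)
        self._cache[indicator] = (now, verdict)
        return verdict

def extract_indicators(alert: Dict) -> List[Dict]:
    """Collect the IPs and file hashes Wazuh places under data.* and syscheck.* (step 2)."""
    found = []
    data = alert.get("data", {})
    for key in ("srcip", "dstip"):
        if data.get(key):
            found.append({"type": "ip", "value": data[key]})
    syscheck = alert.get("syscheck", {})
    if syscheck.get("sha256_after"):
        found.append({"type": "sha256", "value": syscheck["sha256_after"], "path": syscheck.get("path")})
    return found

def build_enriched_event(alert: Dict, lookup: Lookup) -> Optional[Dict]:
    """Steps 3 to 5: query the provider and build the enrichment event; None if nothing was known."""
    hits = []
    for ind in extract_indicators(alert):
        verdict = lookup(ind["value"])
        if verdict is not None:
            hits.append({**ind, **verdict})
    if not hits:
        return None
    return {"integration": INTEGRATION_NAME, "reputation": {
        "source": {"alert_id": alert.get("id"), "rule_id": alert.get("rule", {}).get("id"),
                   "agent": alert.get("agent", {}).get("name")},
        "indicators": hits,
        "verdict": "malicious" if any(h["verdict"] == "malicious" for h in hits) else "clean"}}

def format_socket_message(event: Dict) -> bytes:
    """Same '1:<location>:<json>' framing the bundled VirusTotal integration uses."""
    return f"1:{INTEGRATION_NAME}:{json.dumps(event)}".encode()

def send_event(message: bytes, path: str = SOCKET_PATH) -> None:
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        sock.send(message)

# Constructed alert in Wazuh's JSON alert format (not a real event).
SAMPLE_ALERT = {
    "id": "1714557600.100", "timestamp": "2024-05-01T10:00:00.000+0000",
    "rule": {"id": "5710", "level": 5, "groups": ["sshd", "authentication_failed"]},
    "agent": {"id": "001", "name": "web01"},
    "data": {"srcip": "203.0.113.7", "dstuser": "admin"},
}

def main(argv: List[str]) -> int:
    if len(argv) < 2:
        sys.stderr.write("usage: custom-reputation <alert_file> [api_key] [hook_url]\n")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        alert = json.load(fh)
    event = build_enriched_event(alert, CachedLookup(table_lookup))
    if event is not None:
        send_event(format_socket_message(event))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```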


Integrating Network Security Tools

Network security devices provide critical visibility into traffic flowing across your infrastructure.

While Wazuh agents monitor activity on individual endpoints, network security tools detect attacks occurring between systems, making them an excellent complement to endpoint monitoring.

By integrating firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), organizations can correlate network events with endpoint telemetry to improve detection accuracy and reduce investigation time.

IDS/IPS Platforms

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for malicious behavior such as exploits, malware communications, command-and-control (C2) traffic, reconnaissance, and policy violations.

One of the most widely used integrations is Suricata, an open-source IDS/IPS capable of inspecting network traffic in real time and generating detailed alerts for suspicious activity.

Related Guide: How to Integrate Wazuh with Suricata for Better Threat Detection

Integrating Suricata with Wazuh enables security teams to combine endpoint events with network detections, providing a more complete picture of an attack.

Benefits

Connecting Wazuh with IDS/IPS platforms offers several advantages:

  • Improved detection accuracy
  • Greater network visibility
  • Earlier identification of attacks
  • Reduced false positives
  • Faster incident investigation
  • Better attack attribution
  • Enhanced threat hunting capabilities

Rather than relying on endpoint activity alone, analysts can determine whether malicious network traffic accompanied suspicious system behavior.

Event Correlation

One of the biggest advantages of integrating IDS/IPS solutions with Wazuh is event correlation.

For example:

  • Suricata detects an exploit attempt against a web server.
  • Wazuh simultaneously records unexpected process creation on the same host.
  • File Integrity Monitoring detects changes to application files.
  • Active Response blocks the attacker’s IP address.

Individually, these events may appear unrelated. Correlated together, they provide strong evidence of a successful compromise.

Correlation also helps reduce alert fatigue by grouping related events into a single security incident.

Alert Enrichment

Network alerts become significantly more useful when enriched with endpoint and threat intelligence data.

A typical enriched alert may include:

  • Source and destination IP addresses
  • File hashes
  • Process information
  • User accounts
  • Host inventory
  • Threat intelligence reputation
  • Vulnerability information
  • MITRE ATT&CK mappings

This additional context enables analysts to prioritize investigations more effectively.

Firewall Platforms

Firewalls remain one of the primary sources of security telemetry within enterprise environments.

They record connection attempts, policy decisions, VPN activity, and administrative actions that are often essential during incident investigations.

One commonly deployed integration is OPNsense, which can forward firewall logs directly to Wazuh for centralized monitoring and correlation.

Related Guide: How to Integrate Wazuh with OPNsense

Other enterprise firewall platforms can typically integrate using Syslog, APIs, or log forwarding mechanisms.

Log Collection

Firewall integrations enable Wazuh to collect events such as:

  • Allowed connections
  • Blocked connections
  • VPN sessions
  • NAT translations
  • Administrative logins
  • Policy changes
  • Intrusion prevention events
  • DNS requests

These logs provide valuable insight into network activity that endpoint agents cannot observe.

Firewall Event Monitoring

Once firewall logs are ingested, Wazuh can detect suspicious activities including:

  • Port scanning
  • Brute-force attacks
  • Geographic anomalies
  • Excessive denied connections
  • Unexpected outbound traffic
  • VPN authentication failures
  • Unauthorized configuration changes

Combining firewall telemetry with endpoint monitoring significantly improves detection confidence.

Network Visibility

Integrating network security tools gives security teams a broader understanding of how attackers move throughout an environment.

Benefits include:

  • Visibility into east-west traffic
  • Monitoring internet-facing services
  • Detecting lateral movement
  • Tracking command-and-control communications
  • Identifying unauthorized outbound connections
  • Correlating endpoint and network events

According to the MITRE ATT&CK framework, adversaries frequently combine network-based techniques with endpoint compromise throughout the attack lifecycle.

Correlating both data sources allows defenders to detect attacks that may otherwise go unnoticed.


Integrating Log Management Platforms

Many organizations already operate centralized log management or SIEM platforms.

Rather than replacing these systems, Wazuh can integrate with them by forwarding alerts, sharing telemetry, and enriching existing security workflows.

This approach allows organizations to leverage Wazuh’s endpoint detection capabilities while continuing to use familiar dashboards, reporting tools, and long-term storage solutions.

Splunk Integration

Splunk is one of the most commonly integrated enterprise SIEM platforms.

Organizations frequently forward Wazuh alerts into Splunk for advanced analytics, executive dashboards, enterprise reporting, and cross-platform event correlation.

Related Guide: How to Fix Splunk Forwarder Mapping in Wazuh

A properly configured integration enables analysts to investigate endpoint events alongside logs from network devices, cloud platforms, identity providers, and business applications.

Log Forwarding

Wazuh can forward alerts to Splunk using several methods, including:

  • Splunk Universal Forwarder monitoring the manager's alert files (by default /var/ossec/logs/alerts/alerts.json)
  • Syslog, using the manager's syslog_output to send alerts to a Splunk syslog input
  • File-based forwarding of alerts.json by another log shipper
  • HTTP Event Collector (HEC) or other REST APIs
  • Custom integration scripts run by the manager's integrator daemon

Selecting the appropriate forwarding method depends on your organization's architecture, scalability requirements, and existing Splunk deployment. Whichever path you choose, forward the JSON alerts rather than the plain-text alerts.log, since the JSON form preserves the nested fields that mapping depends on.

Data Mapping

Successful integrations depend on consistent field mapping between Wazuh and the receiving platform.

Important fields typically include:

  • Timestamp
  • Hostname
  • Agent ID
  • Rule ID
  • Severity
  • Event category
  • Source IP
  • Destination IP
  • Username
  • Process name

Proper normalization ensures that searches, dashboards, alerts, and correlation rules function as expected across both platforms.
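As an added example serving both the Log Forwarding and Data Mapping passages above (not code from this page, from Wazuh or from Splunk), the following Python normalizes alerts from the manager's alerts.json into the fields listed above and wraps each one in a Splunk HEC event envelope, which is what an API-based forwarder posts to the collector. It also handles three of the pitfalls discussed under Common Configuration Issues: timestamps carrying different UTC offsets are resolved to one epoch time, a truncated line is skipped instead of breaking the batch, and duplicate alerts are dropped on the manager's per-alert id. The flat field names, the severity bands and the index/sourcetype values are assumptions; the sample alerts are constructed.

```python
"""Normalize Wazuh alerts and package them as Splunk HTTP Event Collector (HEC) events.

Added example; not code from this page, from Wazuh or from Splunk. The input follows the
layout of the manager's alerts.json (one JSON alert per line). The flat field names, the
severity bands and the HEC index/sourcetype values are assumptions to adapt to your own
Splunk data model; the sample alerts below are constructed, not real events.
"""
import json
from datetime import datetime

SAMPLE_ALERTS_JSON = "\n".join([
    json.dumps({  # Linux sshd failure, as the Wazuh decoder lays it out
        "timestamp": "2024-05-01T10:15:30.123+0000",
        "rule": {"level": 5, "description": "sshd: authentication failed.", "id": "5716",
                 "groups": ["syslog", "sshd", "authentication_failed"]},
        "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
        "manager": {"name": "wazuh-manager"}, "id": "1714558530.12345",
        "decoder": {"name": "sshd"}, "location": "/var/log/auth.log",
        "data": {"srcip": "203.0.113.7", "srcuser": "root"},
        "full_log": "May  1 10:15:30 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    }),
    json.dumps({  # Windows eventchannel alert from a custom rule, written with a -0400 offset
        "timestamp": "2024-05-01T06:15:30.000-0400",
        "rule": {"level": 12, "description": "Custom: PowerShell started with an encoded command",
                 "id": "100100", "groups": ["windows", "sysmon", "custom"]},
        "agent": {"id": "002", "name": "ws-finance-07", "ip": "10.0.1.23"},
        "manager": {"name": "wazuh-manager"}, "id": "1714558530.67890",
        "decoder": {"name": "windows_eventchannel"}, "location": "EventChannel",
        "data": {"win": {"system": {"computer": "ws-finance-07.corp.example", "eventID": "1"},
                         "eventdata": {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                       "user": "CORP\\jdoe", "targetUserName": ""}}},
    }),
    '{"timestamp": "2024-05-01T10:16:00.000+0000", "rule": {"level": 3',  # truncated write
])
SAMPLE_ALERTS_JSON += "\n" + SAMPLE_ALERTS_JSON.split("\n")[0]  # exact duplicate of the first alert

def _get(obj, path, default=None):
    """Walk a dotted path such as 'data.win.eventdata.image' through nested dicts."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def _first(alert, *paths):
    """First non-empty value among several candidate paths (Linux and Windows decoders differ)."""
    return next((v for v in (_get(alert, p) for p in paths) if v not in (None, "")), None)

def severity(level):
    """Assumed bands over Wazuh's 0-15 rule levels; align them with your SOC's scale."""
    return "critical" if level >= 12 else "high" if level >= 8 else "medium" if level >= 4 else "low"

def parse_timestamp(ts):
    """Wazuh writes e.g. 2024-05-01T10:15:30.123+0000; keeping the offset puts alerts from
    every zone at the correct epoch second instead of shifting them by hours in Splunk."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def normalize(alert):
    when = parse_timestamp(alert["timestamp"])
    return {
        "timestamp": when.isoformat(),
        "epoch": when.timestamp(),
        "hostname": _first(alert, "agent.name", "data.win.system.computer", "manager.name"),
        "agent_id": _get(alert, "agent.id"),
        "rule_id": _get(alert, "rule.id"),
        "rule_level": _get(alert, "rule.level"),
        "severity": severity(int(_get(alert, "rule.level", 0))),
        "category": (_get(alert, "rule.groups") or [None])[0],
        "src_ip": _first(alert, "data.srcip", "data.win.eventdata.ipAddress"),
        "dst_ip": _get(alert, "data.dstip"),
        "username": _first(alert, "data.srcuser", "data.dstuser",
                           "data.win.eventdata.targetUserName", "data.win.eventdata.user"),
        "process": _get(alert, "data.win.eventdata.image"),
        "description": _get(alert, "rule.description"),
    }

def hec_event(alert, index="wazuh", sourcetype="wazuh:alert"):
    """One HEC envelope: routing metadata outside, normalized fields plus the raw alert inside."""
    n = normalize(alert)
    return {"time": n["epoch"], "host": n["hostname"], "source": "alerts.json",
            "sourcetype": sourcetype, "index": index, "event": {**n, "raw": alert}}

def build_hec_batch(alerts_json_text):
    """Newline-delimited alerts -> (HEC POST body, events, skipped count). Truncated
    lines are skipped and repeats are dropped on the manager's per-alert id."""
    events, seen, skipped = [], set(), 0
    for line in filter(str.strip, alerts_json_text.splitlines()):
        try:
            alert = json.loads(line)
            if alert["id"] not in seen:
                seen.add(alert["id"])
                events.append(hec_event(alert))
                continue
        except (json.JSONDecodeError, KeyError, ValueError):
            pass
        skipped += 1
    return "\n".join(json.dumps(e) for e in events), events, skipped
```

The body returned by build_hec_batch is what you POST to the collector's /services/collector/event endpoint with an Authorization: Splunk <token> header; HEC accepts several JSON events in one request. Note that the two sample alerts, one stamped +0000 and one stamped -0400, land on the same epoch second, which is the behaviour you want when agents in different time zones report the same incident.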

Common Configuration Issues

Administrators frequently encounter issues such as:

  • Incorrect field mappings
  • Timestamp mismatches
  • Missing indexes
  • Parsing errors
  • Duplicate events
  • Authentication failures
  • Broken forwarder configurations
  • Incomplete log ingestion

Most of these problems can be identified by validating forwarding pipelines, reviewing parser configurations, and testing sample events before moving integrations into production.

Other SIEM Platforms

Although Splunk is a popular choice, Wazuh can integrate with many other log management and analytics platforms.

Elasticsearch

Organizations that already run Elasticsearch can ship Wazuh alerts to it (for example by reading alerts.json with Filebeat or Logstash) for:

  • Long-term storage
  • Advanced search
  • Custom analytics
  • Machine learning
  • Security reporting

Careful index lifecycle management helps maintain query performance as data volumes grow.

OpenSearch

Current Wazuh releases ship the Wazuh indexer, which is built on OpenSearch, as the underlying indexing and search engine.

Benefits include:

  • Fast querying
  • Scalable storage
  • Rich visualizations
  • Security dashboards
  • Role-based access control
  • Distributed architecture

Because the Wazuh indexer and dashboard are built on OpenSearch, many organizations use that stack as their primary analytics platform without requiring an additional SIEM.

Graylog

Graylog can also ingest Wazuh-generated events for centralized log analysis.

Common use cases include:

  • Unified log management
  • Enterprise search
  • Alert routing
  • Custom dashboards
  • Long-term archival
  • Cross-platform investigations

Because Graylog accepts Syslog and GELF inputs, sending the manager's alerts over syslog (or through a custom integration script) is a practical option for organizations with heterogeneous logging environments.

According to the NIST Cybersecurity Framework (CSF) 2.0, centralized collection and analysis of security events improve an organization’s ability to detect, investigate, and respond to cybersecurity incidents.


Integrating Microsoft Services

Many organizations rely heavily on Microsoft services for identity management, cloud infrastructure, productivity, and endpoint security. Integrating these services with Wazuh enhances visibility into authentication events, cloud activity, and administrative operations.

Among these integrations, Microsoft Graph API plays a central role by providing secure access to Microsoft 365 and Azure resources.

Microsoft Graph API

Microsoft Graph API enables Wazuh to retrieve information from Microsoft cloud services, including:

  • Microsoft Entra ID (formerly Azure Active Directory)
  • Microsoft 365
  • Exchange Online
  • SharePoint
  • OneDrive
  • Microsoft Teams
  • Security alerts
  • User and group information

Many Microsoft integrations rely on Graph API authentication before data can be collected.

Related Guide: Fixing Microsoft Graph API Authentication Failures in Wazuh

Authentication Flow

A typical Microsoft Graph API integration follows these steps:

  1. Register an application in Microsoft Entra ID and record its tenant ID and client (application) ID.
  2. Assign the required Microsoft Graph permissions (application permissions, since the integration runs unattended) and grant admin consent.
  3. Generate a client secret or configure certificate-based authentication.
  4. Request an OAuth 2.0 access token from the tenant's token endpoint using the client credentials grant, with the scope https://graph.microsoft.com/.default.
  5. Authenticate API requests by sending the access token in the Authorization: Bearer header.
  6. Retrieve logs, alerts, or resource information.
  7. Process the data within Wazuh.

Because this is a server-to-server flow with no signed-in user, it uses the client credentials grant rather than an interactive OAuth 2.0 flow. The token is short-lived, so the integration must obtain a new one whenever the current token is about to expire.

Common Authentication Errors

Authentication problems are among the most common causes of Microsoft integration failures.

Typical issues include:

  • Expired access tokens
  • Invalid client secrets
  • Incorrect tenant IDs
  • Missing API permissions
  • Misconfigured redirect URIs (only relevant to interactive, delegated flows; the client credentials grant does not use one)
  • Clock synchronization issues
  • Conditional Access restrictions
  • Disabled service principals

Reviewing the Microsoft Entra ID sign-in logs (the service principal sign-ins for application-only tokens) can often help identify the root cause, and the AADSTS error code in the token endpoint's error_description names the specific failure.

Token Management

Proper token management improves both security and reliability.

Best practices include:

  • Obtain a new access token before the current one expires; the client credentials grant issues no refresh token, so cache the token and request another a few minutes before its expires_in window closes.
  • Rotate client secrets regularly.
  • Prefer certificate-based authentication where supported.
  • Store credentials securely using a secrets management solution.
  • Monitor authentication failures and token expiration events.
  • Remove unused application credentials promptly.

Effective token lifecycle management reduces service interruptions and limits the risk of credential compromise.
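The authentication flow and the token lifecycle described in the two sections above, as an added Python example that is not code from this page or from Wazuh's Microsoft integration: it requests a token with the client credentials grant, caches it and renews it a few minutes before expiry, retries once when Graph rejects a token, and raises the error and AADSTS description returned by the token endpoint so that a bad secret or a missing permission is diagnosable. The real HTTP transport uses urllib; FakeTransport and FakeClock are constructed stand-ins so the flow runs offline, and the tenant, application ID and secret values are placeholders.

```python
"""Client credentials authentication to Microsoft Graph with token caching.

Added example, not code from this page or from Wazuh's own Microsoft module. It runs the
OAuth 2.0 client credentials grant against the Microsoft identity platform token endpoint,
caches the token and renews it shortly before expiry, retries once on a rejected token and
surfaces the AADSTS error text. FakeTransport and FakeClock are constructed stand-ins
(assumptions) so the flow runs offline; urllib_transport is the real one.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_BASE = "https://graph.microsoft.com/v1.0"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # all application permissions granted to the app

class AuthError(Exception):
    pass

def urllib_transport(url, data=None, headers=None):
    """Real transport (POST when data is given): returns (status, body) even for 4xx."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class GraphClient:
    def __init__(self, tenant_id, client_id, client_secret,
                 transport=urllib_transport, clock=time.time, skew=300):
        self.token_url = TOKEN_URL.format(tenant=tenant_id)
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.clock, self.skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0  # trips to the token endpoint

    def _fetch_token(self):
        form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                                       "client_secret": self.client_secret, "scope": GRAPH_SCOPE}).encode()
        status, body = self.transport(self.token_url, form,
                                      {"Content-Type": "application/x-www-form-urlencoded"})
        payload, self.token_requests = json.loads(body), self.token_requests + 1
        if status != 200 or "access_token" not in payload:
            # Entra answers {"error": ..., "error_description": "AADSTSnnnnn: ..."}; match that code in the sign-in logs
            raise AuthError(f"{payload.get('error')}: {payload.get('error_description')}")
        self._token = payload["access_token"]
        self._expires_at = self.clock() + int(payload.get("expires_in", 3600))

    def token(self):
        """Cached token, renewed `skew` seconds early; this grant has no refresh token, renewal is a new request."""
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            self._fetch_token()
        return self._token

    def get(self, path):
        url = GRAPH_BASE + path
        status, body = self.transport(url, None, {"Authorization": "Bearer " + self.token()})
        if status == 401:  # token revoked or rejected: drop the cache and retry once
            self._token = None
            status, body = self.transport(url, None, {"Authorization": "Bearer " + self.token()})
        if status == 403:
            raise AuthError(f"403 for {path}: application permission missing or not admin-consented")
        if status != 200:
            raise AuthError(f"Graph returned {status} for {path}: {body[:200]}")
        return json.loads(body)

class FakeClock:  # constructed clock that the demo advances by hand
    def __init__(self, now=1_700_000_000.0): self.now = now
    def __call__(self): return self.now

class FakeTransport:
    """Constructed stand-in for the token endpoint and Graph; offline only."""
    def __init__(self, clock, valid_secret="s3cret"):
        self.clock, self.valid_secret, self.issued = clock, valid_secret, {}

    def __call__(self, url, data=None, headers=None):
        if url.endswith("/oauth2/v2.0/token"):
            if urllib.parse.parse_qs(data.decode()).get("client_secret") != [self.valid_secret]:
                return 401, json.dumps({"error": "invalid_client",
                                        "error_description": "AADSTS7000215: Invalid client secret provided."})
            tok = f"tok{len(self.issued) + 1}"
            self.issued[tok] = self.clock() + 3600
            return 200, json.dumps({"token_type": "Bearer", "expires_in": 3600, "access_token": tok})
        tok = (headers or {}).get("Authorization", "").removeprefix("Bearer ")
        if tok not in self.issued or self.issued[tok] <= self.clock():
            return 401, json.dumps({"error": {"code": "InvalidAuthenticationToken"}})
        if url.endswith("/security/alerts_v2"):
            return 200, json.dumps({"value": [{"id": "alert-1", "severity": "high"}]})
        return 403, json.dumps({"error": {"code": "Authorization_RequestDenied"}})

def demo():
    """Three Graph calls: the first fetches a token, the second reuses it, the third renews early."""
    clock = FakeClock()
    client = GraphClient("contoso.onmicrosoft.com", "app-id", "s3cret", transport=FakeTransport(clock), clock=clock)
    alerts = client.get("/security/alerts_v2")
    client.get("/security/alerts_v2")
    clock.now += 3600 - 200  # inside the 300 s skew, so the token is renewed before it lapses
    client.get("/security/alerts_v2")
    return alerts, client.token_requests
```

Run demo() to see the three calls cost only two token requests. Against a real tenant, construct GraphClient with the default transport and clock, and load the client secret (or better, a certificate) from a secrets manager rather than from ossec.conf or the script; the 403 branch is what you will hit when the application permission for a resource was assigned but never admin-consented.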

Security Best Practices

When integrating Microsoft services with Wazuh:

  • Apply the principle of least privilege to API permissions.
  • Enable multifactor authentication (MFA) for administrative accounts.
  • Use certificate-based authentication, or a managed identity when Wazuh itself runs on Azure, rather than long-lived client secrets.
  • Protect client secrets in a secure vault rather than configuration files.
  • Audit API usage regularly.
  • Enable logging for authentication events.
  • Rotate credentials according to organizational security policies.
  • Continuously review application permissions and remove unnecessary access.

Microsoft’s security guidance recommends minimizing privileged access, monitoring application permissions, and using modern authentication methods to reduce the attack surface of cloud integrations.

