Introducing Wazuh 4.12.0


We are excited to announce the release of Wazuh 4.12.0. This release introduces support for ARM architecture in the central components, expanding compatibility across various hardware environments. It also enhances threat intelligence capabilities by incorporating Wazuh CTI reference into CVE data, providing better context for vulnerability assessment. Additionally, this release adds eBPF support to the File Integrity Monitoring (FIM) module, enabling more efficient monitoring on Linux endpoints.

Key highlights

Enriched vulnerability context

Wazuh 4.12.0 introduces the inclusion of CTI (Cyber Threat Intelligence) reference within vulnerability detection results on the Wazuh dashboard. The CTI reference is dynamically generated using the CVE ID and redirects to the Wazuh Vulnerability Explorer. This enhancement provides enriched context and external threat insights to aid in vulnerability assessment.

Our CTI platform aggregates vulnerability data from diverse sources like operating system vendors and vulnerability databases, consolidating it into a unified, reliable repository.

Improved File Integrity Monitoring with eBPF support

The Wazuh File Integrity Monitoring (FIM) module now supports eBPF (Extended Berkeley Packet Filter) for real-time detection of file and folder changes on monitored Linux endpoints. eBPF runs directly in the kernel, allowing faster event collection without relying on external dependencies like the Linux Audit system. This update improves performance and enhances who-data capture by identifying the user and process responsible for modifications.

When eBPF is unavailable, Wazuh automatically falls back to the Linux Audit system or inotify, ensuring continuous monitoring across a wide range of Linux environments. Users can explicitly choose the who-data provider by configuring the <provider> field inside the <whodata> block in the FIM configuration. If no provider is specified, auditd is used by default. For more information, refer to the eBPF mode documentation.
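As an added illustration (not taken from the Wazuh documentation), the following agent-side syscheck fragment shows where the <whodata> block and its <provider> field described above sit relative to a who-data enabled directory; the provider value ebpf and the use of the whodata="yes" directory attribute are assumptions about the exact syntax.

```xml
<!-- Added example: FIM configuration selecting eBPF as the who-data provider.
     Element names <whodata> and <provider> come from the release notes above;
     the value "ebpf" and the whodata="yes" attribute are assumed. -->
<ossec_config>
  <syscheck>
    <!-- Directory monitored in real time with who-data (user and process capture) -->
    <directories whodata="yes">/etc</directories>

    <!-- Who-data provider selection. Omitting this block keeps the auditd default.
         If eBPF is unavailable on the endpoint, Wazuh falls back to Linux Audit
         or inotify as described above. -->
    <whodata>
      <provider>ebpf</provider>
    </whodata>
  </syscheck>
</ossec_config>
```

After changing the provider, restart the agent and confirm in the FIM alerts that user and process fields are populated for a test modification under the monitored path.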

Extended platform support for ARM architecture

Wazuh now supports ARM architecture across the manager, indexer, and dashboard components. This update enables deployment on a wider range of hardware platforms, offering greater flexibility for users running Wazuh in diverse environments.

New SCA policy for Linux endpoints

A new Wazuh Security Configuration Assessment (SCA) policy is now available for monitored Linux endpoints, replacing the previous default UNIX SCA policy. This update aligns with the latest CIS Benchmark policies. It expands configuration assessment coverage and provides better compliance support across more Linux distributions. Refer to our documentation to see the available SCA policies.

Conclusion

Wazuh remains committed to improving its platform to deliver comprehensive security features that protect IT infrastructures from cybersecurity threats. To learn more about the new features, improvements, and fixes in Wazuh 4.12.0, please review our release notes. You can also refer to our changelog for specific updates.

Thank you for being a valued part of our community and contributing to the growth of a stronger, more user-friendly open source security solution.