We are excited to announce the release of Wazuh 4.6.0, with new and enhanced capabilities, new use cases, and improved documentation. This marks a significant achievement for our project and greatly benefits our open source community.

New features in Wazuh 4.6.0

Wazuh boasts a range of SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities. These capabilities are continuously enhanced and optimized to suit your business needs and ensure better security monitoring of your IT infrastructure. 

This blog post highlights some additional features introduced with Wazuh 4.6.0 and enhancements we have made.

Wazuh 4.6.0

Deprecated plugin support for Splunk and ElasticSearch

Note: Wazuh has developed new integration methods for third-party platforms, Splunk, Elastic Stack, and OpenSearch. In contrast, we no longer support the Wazuh app for Splunk and the Wazuh Kibana app from Wazuh 4.6.0.

We offer an integration guide and new dashboards for these third-party platforms. The above documentation describes the new Wazuh server and indexer integration methods for your existing Splunk, Elastic Stack, and OpenSearch deployments.

Vulnerability detection improvements

  • The Wazuh Vulnerability Detector module has been expanded to include support for the AlmaLinux and Debian 12 operating systems.
Vulnerability detection improvements
  • The Vulnerability Detector module has been redesigned to pull National Vulnerability Database (NVD) CVEs directly from the Wazuh feed. The Wazuh feed pulls and compiles CVEs from external repositories, including the NVD, Microsoft Security Updates (MSU), and Amazon Linux Security Center (ALAS) feeds. This approach fixes compatibility issues, offers an optimized experience, and ensures you get the most recent and accurate vulnerability feeds for the workloads in your infrastructure.

Enhancements to existing features

Wazuh 4.6.0 introduces enhancements to existing features on the platform. These features give you extra insight and visibility into your workloads and reduce administrative difficulties in managing your Wazuh deployment. They include:

Improved interface and user experience

  • The dashboard for agent enrollment has been redesigned, and its functionality has expanded to include macOS endpoints with the Apple silicon architecture.
Wazuh 4.6.0 Deploy New Agent
  • We have expanded the search bar functionality to some tabs on the Wazuh dashboard to use the Wazuh Query Language (WQL). These tabs include the Integrity Monitoring Inventory tab, MITRE ATT&CK Intelligence tab, and the agent Inventory data module.  The WQL interacts directly with the Wazuh server API, giving you access to further security insights for threat hunting and intelligence gathering.
Wazuh server API

Enhanced feature set

  • We offer extended PCRE2 support, allowing for more complex matches when running system configuration checks.
  • Wazuh 4.6.0 supports wildcards * for Windows Registry file integrity monitoring. This implementation gives you expanded coverage by monitoring certain Windows registries with wildcard patterns.
  • A new -p/--prefix parameter has been added to the Azure module, allowing you to filter folders inside a bucket depending on a prefix.
  • The Wazuh indexer is based on OpenSearch 2.8, giving you access to more capabilities.
  • We introduce a new webhook for ingesting security events using the Wazuh API.
Wazuh API

Enhanced integrations with cloud services

We have also enhanced integrations with cloud service providers, giving you ease in retrieving and analyzing cloud logs. These enhancements include:

  • Expanded capability to retrieve native GuardDuty logs from S3 without needing CloudWatch, Kinesis, or Firehose.
  • We have expanded our capability to retrieve logs from the Microsoft Graph Security API. This enables users to easily monitor and analyze security data from multiple Microsoft services and products in a more centralized and streamlined manner. Please read our documentation for more details.
  • Expanded capability to retrieve data from Microsoft Azure Government Community Cloud (GCC) and Government Community Cloud High (GCCH) endpoints.

Improved system performance

  • We have a new filter log option for the Wazuh agents. This feature helps to prevent the flooding of events by excluding regex matches of log lines before forwarding to the Wazuh server. 
  • Wazuh API logging now includes an option for log rotation based on file size.
  • We introduce new measures to prevent higher versions of Wazuh agents from connecting to lower versions of Wazuh managers. Please refer to our compatibility matrix for additional information.

Key takeaways

The Wazuh platform and capabilities are continuously improved to provide the features necessary for securing your workload. We also prioritize our community’s requests and suggestions in our releases to ensure you always get an improved security detection and response platform.

Kindly read our release notes for more information about the features, fixes, and performance improvements included in Wazuh 4.6.0. For specific details, you can also see our changelog.