In this post, we’re going to demonstrate how attackers commonly establish persistence on Windows, and how that behavior can be detected end-to-end using Wazuh, backed by Sysmon telemetry, and validated using Atomic Red Team.
Short guide introducing threat hunting as a proactive security process, focused on investigating archived logs using Discover and query-based searching rather than relying on alerts.
This article explores Wazuh’s core capabilities for regulatory compliance, demonstrates built-in support for key standards, and provides a practical example of extending these features to the Kenya Data Protection Act of 2019 (KDPA) — a GDPR-inspired law increasingly relevant for organizations operating in or processing data from Kenya.
This article shows how to extend your auditd decoders in Wazuh to ensure PROCTITLEreliable extraction, based on best practices and official sources.
In this article, we will delve into the importance of detecting duplicate rule IDs, methods to identify them, and steps for effective resolution to maintain a streamlined and accurate security monitoring system.
The document explains how Wazuh’s built-in JSON decoder works and why it often takes precedence over custom JSON decoders due to its default configuration. It shows that the generic decoder’s broad matching can override user-defined decoders unless the built-in one is excluded or ordered properly
This guide teaches creating custom Wazuh decoders and rules so SOC teams can turn ModSecurity logs into meaningful security alerts.
In this article, I will show you step by step how to properly configure the FIM module in Wazuh and how to use it properly. I will also present you with a few examples where you will see how the FIM module is used in “action.”