Managing Wazuh Disk Space: Log Rotation and ISM Policies

June 3rd 2026 / Ambassadors
By Mulayam Yadav / certbar

This blog covers both. What each system does, where it stores data, how to configure it correctly, and how to verify it’s actually working. All configuration is from the official Wazuh documentation.

How to effectively detect malware on endpoints? (Wazuh + YARA)

June 2nd 2026 / Ambassadors
By Jędrzej Boguszyński / jedrzejboguszynski.pl

Wazuh handles context and automation (it notices the file and runs the procedure), while YARA performs deep inspection and decides whether the content is safe. This synergy enhances Wazuh’s core functionality with a powerful real-time malware detection tool.

From Metrics to Action: Alerting Strategies

June 2nd 2026
By Michael Theumert / GitHub

Where Monitoring Either Works or Fails.
This is where monitoring transitions into operations – and where the design decisions you make have the most direct impact on your organisation’s ability to respond to real incidents.

win-agent-logtailer: A small tool for Wazuh Windows agent logs

June 1st 2026 / Ambassadors
By Stephan Wenderlich / Gray Hat IT Security Consulting Blog

Anyone who regularly administers and debugs Windows endpoints in a SIEM environment knows the problem: a simple 'tail -f' with proper color highlighting is missing. This is an unnecessary point of friction, especially when analyzing local log files. To speed up this workflow, I developed the 'win-agent-logtailer'.

WazuhHound – Map your Wazuh infrastructure with BloodHound CE

May 29th 2026 / Ambassadors
By Killian Prin-Abeil / Aukfood

We’ve been using Wazuh for a while. We know the API well; we know how to search for an agent, list groups, and inspect permissions. But at one point, faced with an internal audit question (who actually has access to what in our deployment?), we realized that the API didn’t answer this type of question. Not because it lacks data, but because it doesn’t think in terms of relationships between that data.

OpenCTI integration

May 20th 2026 / Ambassadors
By Federico Fantini / GitHub

OpenCTI can expose shared data through different native feeds, including Live streams, TAXII collections, and CSV feeds. For this integration, I chose a TAXII collection because it exposes STIX 2.1 bundles through a standard API and provides a pagination model that is straightforward to automate.
