Managing Wazuh Disk Space: Log Rotation and ISM Policies

June 3rd 2026 / Ambassadors
By Mulayam Yadav / certbar

This blog covers both. What each system does, where it stores data, how to configure it correctly, and how to verify it’s actually working. All configuration is from the official Wazuh documentation.

How to effectively detect malware on endpoints? (Wazuh + YARA)

June 2nd 2026 / Ambassadors
By Jędrzej Boguszyński / jedrzejboguszynski.pl

Wazuh handles context and automation (it notices the file and runs the procedure), while YARA performs deep inspection and decides whether the content is safe. This synergy enhances Wazuh’s core functionality with a powerful real-time malware detection tool.

From Metrics to Action: Alerting Strategies

June 2nd 2026
By Michael Theumert / GitHub

Where Monitoring Either Works or Fails.
This is where monitoring transitions into operations – and where the design decisions you make have the most direct impact on your organisation’s ability to respond to real incidents.

WazuhHound – Map your Wazuh infrastructure with BloodHound CE

May 29th 2026 / Ambassadors
By Killian Prin-Abeil / Aukfood

We’ve been using Wazuh for a while. We know the API well; we know how to search for an agent, list groups, and inspect permissions. But at one point, faced with an internal audit question — who actually has access to what in our deployment? — we realized that the API didn’t answer this type of question. Not because it lacks data, but because it doesn’t think in terms of relationships between that data.

OpenCTI integration

May 20th 2026 / Ambassadors
By Federico Fantini / GitHub

OpenCTI can expose shared data through different native feeds, including Live streams, TAXII collections, and CSV feeds. For this integration, I chose a TAXII collection because it exposes STIX 2.1 bundles through a standard API and provides a pagination model that is straightforward to automate.

How to Turn Wazuh Into an AI-Powered Security Assistant Using Claude

May 20th 2026 / Ambassadors
By Ahmed Abdelrazek / Medium

By connecting Wazuh to Claude Desktop using MCP (Model Context Protocol), you can talk to your SIEM like you’d talk to a colleague. No complex queries. No dashboard hopping. Just ask, and get answers.
