Extending Wazuh Threat Intelligence with OpenCTI and Retro-Hunting

June 25th 2026 / Ambassadors
By Federico Fantini / blog.federicofantini.net

This post documents the current version of my Wazuh-TI integration. The OpenCTI path is now handled by a small Django/Celery service that fetches indicators from OpenCTI, maintains the current export snapshot, exposes Wazuh-compatible artifacts, and runs retro-hunting queries against the Wazuh Indexer. The Wazuh manager consumes the results through a small unprivileged downloader and a few cron jobs.
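The retro-hunting step described above, searching existing Wazuh Indexer alerts for indicators that were only learned later, is worked through below as an added example. It is not code from the post's Django/Celery service. It assumes the snapshot holds OpenCTI indicators as STIX patterns (OpenCTI's `pattern` field), that the alerts live in the `wazuh-alerts-*` indices with the standard `timestamp`, `data.srcip`, `data.dstip` and `syscheck.sha256_after` fields, and that `data.dns.query` is where a DNS query would land; the snapshot and the indexer hits are constructed, and the query is built but not sent, so the block runs offline:

```python
"""Retro-hunt an OpenCTI indicator snapshot against Wazuh Indexer alerts.

Added example (not the post's service). The snapshot, the hits and the
data.dns.query field are assumptions; the query body is OpenSearch DSL."""
import re

# OpenCTI keeps an indicator's detection logic as a STIX pattern, e.g.
# "[ipv4-addr:value = '198.51.100.7']". Only single-comparison patterns
# are handled; compound patterns (AND/OR) are skipped.
STIX_RE = re.compile(
    r"^\[(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']+)'\]$")

# Which alert fields to search per observable type. data.srcip/dstip and
# syscheck.sha256_after are standard Wazuh fields; data.dns.query is assumed.
FIELD_MAP = {
    ("ipv4-addr", "value"): ["data.srcip", "data.dstip"],
    ("domain-name", "value"): ["data.dns.query"],
    ("file", "hashes.'SHA-256'"): ["syscheck.sha256_after"],
}

def parse_pattern(pattern):
    """Return ((type, property), value) for a supported STIX pattern, else None."""
    m = STIX_RE.match(pattern.strip())
    if not m or (m["type"], m["prop"]) not in FIELD_MAP:
        return None
    # Domains and hashes compare case-insensitively; IPs are unaffected.
    return (m["type"], m["prop"]), m["value"].lower()

def build_lookup(snapshot):
    """Map observable value -> indicator metadata and the fields to check."""
    lookup = {}
    for ind in snapshot:
        parsed = parse_pattern(ind["pattern"])
        if parsed is None:
            continue
        key, value = parsed
        lookup[value] = {"id": ind["id"], "name": ind["name"],
                         "fields": FIELD_MAP[key]}
    return lookup

def build_query(lookup, since, until, size=1000):
    """OpenSearch body: time range filter AND any indicator value in any field."""
    by_field = {}
    for value, info in lookup.items():
        for field in info["fields"]:
            by_field.setdefault(field, []).append(value)
    should = [{"terms": {f: sorted(v)}} for f, v in sorted(by_field.items())]
    return {"size": size, "query": {"bool": {
        "filter": [{"range": {"timestamp": {"gte": since, "lte": until}}}],
        "should": should, "minimum_should_match": 1}}}

def get_path(doc, dotted):
    """Walk a dotted path ("data.srcip") through a nested _source dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def retro_hunt(hits, lookup):
    """Match returned hits back to the indicator that explains each one."""
    fields = sorted({f for info in lookup.values() for f in info["fields"]})
    matches = []
    for hit in hits:
        src = hit["_source"]
        for field in fields:
            observed = get_path(src, field)
            if observed is None:
                continue
            info = lookup.get(str(observed).lower())
            if info and field in info["fields"]:
                matches.append({"alert_id": hit["_id"],
                                "rule_id": src.get("rule", {}).get("id"),
                                "field": field, "value": observed,
                                "indicator_id": info["id"],
                                "indicator": info["name"]})
    return matches

# Constructed snapshot (not real OpenCTI data); the hash is sha256("").
SNAPSHOT = [
    {"id": "indicator--1111", "name": "C2 server",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"id": "indicator--2222", "name": "dropper",
     "pattern": "[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"id": "indicator--3333", "name": "phishing domain",
     "pattern": "[domain-name:value = 'login.example.net']"},
    {"id": "indicator--4444", "name": "compound, skipped",
     "pattern": "[url:value = 'http://x' AND ipv4-addr:value = '1.2.3.4']"},
]

# Constructed indexer hits shaped like wazuh-alerts-* documents.
SAMPLE_HITS = [
    {"_id": "a1", "_source": {"timestamp": "2026-06-20T08:12:03.000+0000",
     "rule": {"id": "5710"}, "data": {"srcip": "198.51.100.7", "dstip": "10.0.0.4"}}},
    {"_id": "a2", "_source": {"timestamp": "2026-06-21T11:00:00.000+0000",
     "rule": {"id": "550"}, "syscheck": {"path": "/tmp/x",
     "sha256_after": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}}},
    {"_id": "a3", "_source": {"timestamp": "2026-06-22T09:30:00.000+0000",
     "rule": {"id": "5402"}, "data": {"srcip": "10.0.0.9", "dstip": "10.0.0.1"}}},
]

if __name__ == "__main__":
    lookup = build_lookup(SNAPSHOT)
    print(build_query(lookup, "now-30d", "now"))
    for m in retro_hunt(SAMPLE_HITS, lookup):
        print(m)
```

In a real run the body from `build_query` is POSTed to `wazuh-alerts-*/_search` on the indexer (with scroll or `search_after` when more than `size` hits are expected) and the response's `hits.hits` list is handed to `retro_hunt`; the case-insensitive comparison is what catches the uppercase FIM hash in the second hit.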

FortiGate Sentbyte Aggregation in Wazuh: A Practical Workaround for Data Exfiltration Detection

June 24th 2026 / Ambassadors
By Oliver Roca / Alistoir

This blog explains a practical workaround for a key Wazuh limitation: rolling byte aggregation. Since Wazuh rules are not designed to calculate SUM(sentbyte) over a time window, the workflow uses an external Python correlation service to aggregate FortiGate outbound traffic bytes, generate a synthetic JSON event, and let Wazuh create the final official data exfiltration alert. This keeps Wazuh as the trusted detection source while adding aggregation capability for large outbound transfer monitoring.

AI-Powered Wazuh: A Virtual SOC Analyst for Your SIEM

June 24th 2026 / Ambassadors
By Jędrzej Boguszyński / jedrzejboguszynski.pl

Anyone who’s worked with a SIEM system knows the feeling: 7:00 am, you’ve just arrived at work, and your screen is lit up with dozens of alerts. You try to quickly connect the dots: is this repeated failed login simply an employee forgetting their password, or the beginning of a brute-force attack? Wazuh is a platform that offers powerful threat detection capabilities, but even the best tool needs dedicated staff. Unfortunately, in companies (especially smaller ones), there’s often only one person responsible for security. Security monitoring is often a sideline for IT administrators, who are already swamped with infrastructure maintenance and don’t have time to properly verify alerts because other things constantly distract them.

Companion Reference — Zabbix–Wazuh Integration Guide

June 23rd 2026 / Ambassadors
By Michael Theumert / GitHub

This document is the step-by-step implementation companion to the six-part article series Monitoring Wazuh with Zabbix. Where the series explains the reasoning — why monitoring is designed the way it is, what failure scenarios each check addresses, how to think about alerting and operational ownership — this reference provides the instructions.

Wazuh SIEM Docker Container Monitoring Lab

June 23rd 2026 / Ambassadors
By Maryam Liaqat / Medium

This document provides a complete technical walkthrough of setting up Docker container monitoring using Wazuh SIEM on an AWS EC2 instance. The lab demonstrates how Wazuh can detect and alert on Docker container lifecycle events, suspicious activity such as shell sessions, and container deletions in real time.

Wazuh + AlistoIR Integration Series Part 1: From Detection to AI-Assisted Incident Response

June 20th 2026 / Ambassadors
By Oliver Roca / Alistoir

This article is Part 1 of a Wazuh + AlistoIR integration series. This first post focuses on the concept, the SOC workflow, and the investigative value of the integration. A follow-up article will provide the step-by-step technical setup and validation of the working Wazuh + AlistoIR integration.
