CDB (constant database) lookups are performed from within the rules and are executed by the ossec-analysisd process. Any decoded field can be checked against a list, which serves a range of use cases, mostly related to whitelisting or reputation.
Whitelists help reduce the number of false positives, for example by identifying the users that are authorized to run the "sudo" command. CDBs can also be used to alert when a certain field value is found in a log message; this is useful, for example, to trigger alerts only when certain hosts are involved.
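The two use cases just described, a sudo allow list and a host watch list, as an added configuration example (not taken from the page or from the Wazuh ruleset). The list paths, the rule IDs 100100 and 100101, the watch-list contents, and the reliance on the default sudo and sshd decoders (parent rules 5402 and 5715, fields `srcuser` and `srcip`) are assumptions; the list files are compiled with ossec-makelists before ossec-analysisd loads them.

```xml
<!-- Added example; assumed paths, rule IDs and list contents.

     etc/lists/sudo-allowed  (one key:value per line, compiled by ossec-makelists
     into etc/lists/sudo-allowed.cdb; the value part may be empty):
       alice:ops
       bob:ops
       deploy:ci

     etc/lists/watched-hosts  (keys are IPs or CIDR ranges; constructed sample):
       203.0.113.0/24:partner-vpn
       198.51.100.7:legacy-jumphost
-->

<!-- ossec.conf: register both lists so ossec-analysisd loads them at start -->
<ossec_config>
  <ruleset>
    <list>etc/lists/sudo-allowed</list>
    <list>etc/lists/watched-hosts</list>
  </ruleset>
</ossec_config>

<!-- local_rules.xml -->
<group name="local,cdb,">

  <!-- Whitelist use: parent rule 5402 fires on every successful sudo to root.
       This child only matches when srcuser is NOT a key in the allow list,
       so authorized admins no longer generate alerts (false-positive reduction). -->
  <rule id="100100" level="10">
    <if_sid>5402</if_sid>
    <list field="srcuser" lookup="not_match_key">etc/lists/sudo-allowed</list>
    <description>sudo to root by a user outside the sudo allow list</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Reputation/host use: parent rule 5715 is a successful sshd login.
       address_match_key treats the list keys as IPs/CIDRs and matches srcip
       against them, so only logins from the watched hosts are escalated. -->
  <rule id="100101" level="12">
    <if_sid>5715</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/watched-hosts</list>
    <description>SSH login from a host on the watch list</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

After editing a list file, rerun ossec-makelists and restart the manager so the recompiled .cdb is picked up; a stale .cdb is the usual reason a lookup silently keeps matching old entries.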
Wazuh reviews the existing CDBs, improving and amending the detection rules that use them. New databases can also be implemented to expand detection capabilities.