Security Tools & Labs
Wazuh Use Cases for Security Monitoring
#Wazuh #SIEM #FIM
Wazuh is an open-source security platform that provides unified XDR and SIEM protection.
File Integrity Monitoring (FIM)
One of Wazuh's strongest features is FIM. It monitors critical files for changes.
Configuration
In ossec.conf on the agent:
<syscheck>
  <!-- realtime (inotify) applies to directories; a single file such as /etc/passwd
       is still covered by the scheduled syscheck scan. check_all compares hashes,
       size, permissions, owner and group. -->
  <directories check_all="yes" realtime="yes">/etc/passwd</directories>
  <directories check_all="yes" realtime="yes">/var/www/html</directories>
</syscheck>
Now, if an attacker modifies /etc/passwd (to add a user) or injects a webshell into /var/www/html, Wazuh will generate an alert immediately.
Log Analysis
Wazuh collects logs from the system (syslog, auth.log, IIS, Nginx). It uses decoders and rules to parse them.
Example: Detecting 5 failed SSH logins in 1 minute. Wazuh has built-in rules for this (Rule ID 5712 - SSHD brute force trying to get access to the system).
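The correlation behind such a rule is a frequency/timeframe counter keyed on the source IP. The following is an added example, not code from the post or from the Wazuh ruleset: it parses constructed sshd log lines and fires when `frequency` failures from one source fall within `timeframe` seconds, using the 5-in-60s numbers from the text (the built-in rule's own thresholds are set in the Wazuh ruleset, not here).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original post).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:09 host sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 10 12:00:17 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:25 host sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 10 12:00:40 host sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 12:00:50 host sshd[1206]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 12:05:00 host sshd[1207]: Failed password for root from 198.51.100.7 port 40001 ssh2
"""

# Decoder-style pattern for the sshd "Failed password" event (timestamp, user, source).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; the year is assumed for this example.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, frequency=5, timeframe=60):
    """Return [(src_ip, time_of_alert)] for every burst of `frequency`
    failed logins from the same source inside `timeframe` seconds."""
    window = defaultdict(deque)  # per-source sliding window of failure times
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # ignore events that do not match the decoder
        ts, src = parse_ts(m["ts"]), m["src"]
        q = window[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop failures older than the timeframe
        if len(q) >= frequency:
            alerts.append((src, ts))
            q.clear()  # one burst produces one alert, then counting restarts
    return alerts
```

The single failure from 198.51.100.7 never reaches the threshold, so only the 203.0.113.5 burst alerts.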
Active Response
Wazuh can automatically block an IP in the firewall if a specific rule triggers. This turns it from a monitoring tool into an active defense tool.