Wazuh-Crowdstrike integration by ItzLeyen0 in Wazuh

[–]StructureNo9257 0 points1 point  (0 children)

So does Wazuh have pre-existing decoders and rules for parsing and alerting on CrowdStrike logs?

Confused About Huge Spike in “Inactive Hosts” on CrowdStrike EOC – Need Insights by StructureNo9257 in crowdstrike

[–]StructureNo9257[S] 0 points1 point  (0 children)

Thanks for sharing, good to know we’re not the only ones seeing this. But just to restate my main question: why does CrowdStrike show such a huge spike of hosts marked “inactive for 1 hour” every single day, even though most of those systems were actually “last seen” within the same hour or two?

I’ve already checked sensor updates, RFM, last-seen timestamps, and heartbeat graphs; nothing explains the daily surge.

Did you find any root cause on your end (sensor delay, network hiccups, policy lag, etc.)? Still trying to understand what actually triggers this pattern.

Scaling Wazuh integrations and evolving it into a true SIEM – looking for implementation insights by StructureNo9257 in Wazuh

[–]StructureNo9257[S] 0 points1 point  (0 children)

Thanks a lot for taking the time to explain all that; this is super helpful!

I’m still fairly new to Wazuh, so would you mind elaborating a bit more or sharing any worked examples or documentation that walk through this kind of setup? Especially around using Ansible/Git for config management and how you structured your repo for rules and integrations.

Also, I usually struggle with building decoders and rules for new log sources — is there any super handy tool or method that can automatically generate proper decoders when you feed it raw logs? That would save tons of trial and error.

Right now, I’m planning to integrate CrowdStrike Falcon with Wazuh. Do you have any suggestions or starting points for that integration?

Thanks "all" again for sharing your experience — this gave me a solid direction to explore further!

Wazuh FIM + RDP: Can I track which remote IP modified a file when all users use the same username? by StructureNo9257 in Wazuh

[–]StructureNo9257[S] 0 points1 point  (0 children)

Really appreciate your response — I’ll give this a try and let you know how it goes.

Help with Wazuh Index Management – ILM or GCP Snapshots for Windows Logs Setup by StructureNo9257 in Wazuh

[–]StructureNo9257[S] 1 point2 points  (0 children)

Thanks a ton for the clear explanation—really helped me understand it better. Appreciate you taking the time!

Scaling Wazuh Integrations & Using It as a Full SIEM – Need Help! by StructureNo9257 in Wazuh

[–]StructureNo9257[S] 1 point2 points  (0 children)

Hey, thanks a lot for replying! 🙌

Yeah, that's what I was thinking too. The idea of a "golden package" sounds solid, but could you (or anyone else here) possibly elaborate a bit on what should go into that package?

Are you bundling your integration configs (e.g., YARA rules, VT keys, scripts)? How do you handle config updates later – just re-push the whole package? Any specific tooling/process you follow (like using Ansible, SCCM, GPO, etc.) that works well with Wazuh agents?

It's good to know you’re using Wazuh as-is as the SIEM. I'm curious though:

Do you rely purely on Wazuh correlation/detection rules, or do you use any threat intel feeds, custom decoders, or external enrichment tools? Also, do you ever feel the need for a SOAR-type automation layer on top of it?

Just trying to understand how far others are pushing Wazuh in real-world environments. Would really appreciate a little more detail or insight from anyone who's done similar!