horizontal lines
Gigasheet Primary logo
  • Luciana Obregon

How To Use Wazuh For Incident Response

In this short overview help you learn how to use Wazuh, and how to analyze the JSON alerts to track down incidents. If you're looking for an easier way to analyze incidents and alerts in Wazuh data, create a free Gigasheet account here to try it out.


Wazuh is an open-source security monitoring tool based on the OSSEC project offering a host of security solutions, from security events monitoring to integrity checking, compliance, endpoint detection and response, and incident response. While open-source does not always equal free (in terms of project support and time requirements), Wazuh comes with loads of documentation and use cases to facilitate its deployment, maintenance, and operation. The Wazuh architecture is relatively straightforward, including three main components:

  • Wazuh manager analyzes security data received from Wazuh agents.

  • Wazuh agents run on monitored endpoints and collect and forward security information to the Wazuh manager server.

  • Elastic Stack includes Elasticsearch for reading and writing data to search indexes, Kibana as a web user interface, and FileBeat to securely forward Wazuh alerts to Elasticsearch.

Wazuh for Incident Response

By default, the Wazuh stores 3-months' worth of indexed events (received from the Wazuh agents) in hot storage, searchable from the Kibana web UI. Additionally, Wazuh saves all events to disk as JSON files (and .log files), which you can retrieve and analyze at any time. While Wazuh's index lifecycle policies are fully configurable, increasing the hot storage limits sometimes requires increasing CPU and memory. Using Gigasheet for long-term storage of security event logs does not only eliminate potentially excessive storage, CPU, and memory requirements, but it will also make those files readily available for searching at any point in time. In addition, Gigasheet continuously scans your logs for known IOCs (indicators of compromise) and will alert you to any new threats it's detected, even in older files.


View other incident response articles:


In this blog, we demonstrate how to analyze Wazuh alerts in JSON files with Gigasheet for rapid incident response.

You can upload Wazuh alert files to Gigasheet from your local hard drive or import them from any object storage repository, such as GitHub, AWS S3, or Google Cloud Storage bucket, by providing the link to the file. Gigasheet will ingest the JSON file and convert it to CSV format. In this example, I imported the Wazuh alerts file from a public GitHub repository. Gigasheet uploaded the file and converted it to CSV within seconds.

Wazuh for Incident Response - Alerts JSON
Import Wazuh Alerts JSON

We start by analyzing the file's composition using the group column function. By grouping the /WAZUH/MANAGER column, we can reveal the number of Wazuh manager servers in the architecture. In this example, the architecture includes a single server running both the Wazuh manager and Elastic Stack and fifteen Wazuh agents running on Linux servers. Furthermore, we can also see that this file contains over 51,000 alerts, as indicated by the number displayed within brackets to the right of the grouped value.

Wazuh Incident Alerts by Manager

Similarly, we can sequentially group the /AGENT/NAME and /AGENT/ID columns to identify the Wazuh agents, including their names and IDs.

View Wazuh Agents
View Wazuh agents

Wazuh comes with a pre-built ruleset designed to analyze incoming security data and trigger alerts on potential incidents as needed. You can also create custom rules to address your unique needs. Rules are organized into rule groups and assigned a severity level ranging from three (lowest) to fifteen (highest). This example includes alerts in seven rule groups, as revealed by grouping the /RULE/GROUPS/0 column below.

We can also observe six alert severity levels by grouping the /RULE/LEVEL column.

Wazuh alert levels
Wazuh alert levels

A quick way to get a general feel for the types of alerts in the file is to sequentially group the /RULE/LEVEL, /RULE/GROUP/0, and /RULE/DESCRIPTION columns, expanding each group individually to learn the description, assigned group, and severity level for each alert.

Wazuh Rules For Incident Response
Wazuh rules and groups view

We can also omit lower severity alerts by applying filters. For instance, we can filter the /RULE/LEVEL column for severity levels equal to or greater than ten to display the highest severity alerts, which helps remove noisy or irrelevant alerts.

Filter Incidents in Wazuh
Use filters to remove low severity Wazuh alerts

Another helpful feature in Wazuh is the MITRE ATT&CK framework rule mapping. Wazuh maps each rule to one or more MITRE ATT&CK tactics to facilitate incident response and help prioritize and triage alerts. By grouping the /RULE/MITRE/TACTIC/0, /RULE/LEVEL, and /RULE/DESCRIPTION columns in sequence, we can ascertain the alert’s potential impact if it is determined to be a true positive.

MITRE ATT&CK in Wazuh
MITRE ATT&CK in Wazuh

Gigasheet integrates with many open sources of threat intelligence (OSINT) to help identify indicators of compromise with just one click. This can be a great way to quickly identify incidents and shorten response time. In this example, we used the Gigasheet pre-built OSINT feeds to enrich the /DATA/SRCIP column to look for known bad IP addresses. The result included two additional columns indicating:

  • The number of OSINT feeds in which the IP address was found

  • The name of the said feed(s)

OSINT Feeds in Wazuh
OSINT feeds correlation with Wazuh

Grouping the '/DATA/SRCIP - OSINT SOURCES' column reveals the OSINT feeds in which IP addresses were found, along with the number of matches.


We can further group by the /DATA/SRCIP column and expand the OSINT feeds to display all unique IP addresses within each feed.


Gigasheet's enrichment functions also support geolocation. With geolocation, you can enrich a column containing public IP addresses to identify the geographical location in which an IP address is registered. After applying the geolocation function, Gigasheet adds several new columns to the sheet, including:

  • Country

  • Country two-letter code

  • City

  • State or province

  • Region

  • Latitude

  • Longitude

  • GEOHash value

Enrich Wazuh With GEOIP OSINT
Enrich Wazuh With GEOIP OSINT

Grouping by the '/DATA/SRCIP - GEO COUNTRY' quickly reveals that most alerts originate from IP addresses registered in the United States, China following.


Quick Analysis of Wazuh Alerts
Quick Analysis of Wazuh Alerts

The last feature we will demonstrate in this blog is the card format. At times, files with many columns can be challenging to navigate; you may need to move back and forth to locate the information you need. To overcome this, Gigasheet uses a card format to display all the information in an easy-to-read pop-up window. Simply select any row on the sheet, and a card will open containing all the column fields and their respective values.


Wazuh Incident Alert Detail
Wazuh Incident Alert Detail

With these simple tips and tricks you can quickly analyze Wazuh alerts for incident response. Anyone can create a free Gigasheet account here.