// Wazuh

Wazuh SIEM Deployment: Complete Open-Source XDR Setup for 500+ Endpoints

Why Wazuh for Enterprise Security Monitoring

Wazuh is one of the most widely deployed open-source SIEM and XDR platforms. It combines host-based intrusion detection, file integrity monitoring, vulnerability detection, compliance monitoring, and cloud security monitoring in a single agent-based platform, and it delivers enterprise-grade security visibility without the per-volume licensing cost of commercial alternatives.

At PostEx, we deployed Wazuh as the primary SIEM covering 500+ endpoints across fintech infrastructure, before layering Splunk Enterprise on top for enhanced network telemetry. The Wazuh deployment formed the foundation of our detection engineering and SOC operations.

Wazuh Manager Installation

# Add the Wazuh APT repository and its signing key (run as root)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
  gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg
# tee -a appends, so run this once or the source line is duplicated
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | \
  tee -a /etc/apt/sources.list.d/wazuh.list

# Install the manager; the Wazuh indexer and dashboard are separate packages,
# the manager alone stores alerts locally under /var/ossec/logs/alerts
apt-get update
apt-get install wazuh-manager -y
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Agent Deployment at Scale

# Windows PowerShell silent install (run from an elevated shell)
$MGR = "wazuh-manager.internal"
# msiexec returns immediately, so wait for it; otherwise Start-Service runs before the service exists.
# If the manager's authd requires a password, add "WAZUH_REGISTRATION_PASSWORD=<password>" to the list.
Start-Process -FilePath "msiexec.exe" -Wait -ArgumentList @(
  "/i", "wazuh-agent-4.7.0-1.msi", "/q",
  "WAZUH_MANAGER=$MGR",
  "WAZUH_REGISTRATION_SERVER=$MGR",
  "WAZUH_AGENT_GROUP=windows-endpoints"
)
Start-Service -Name WazuhSvc

Custom Detection Rules (XML)

<!-- Rule: Multiple failed logins (T1110) -->
<!-- frequency and timeframe are attributes of <rule>, and a counting rule chains on its
     parent with if_matched_sid rather than if_sid; there is no occurrence element -->
<rule id="100001" level="12" frequency="5" timeframe="120">
  <if_matched_sid>18152</if_matched_sid>
  <same_source_ip />
  <!-- match only narrows to events whose log text contains this string; if the parent
       rule's events never contain it the rule is silent, so verify with wazuh-logtest -->
  <match>Authentication failure</match>
  <description>Brute force detected - multiple auth failures from same IP</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failure,</group>
</rule>

<!-- Rule: Suspicious binary in temp dir (T1059) -->
<!-- Chain on the Sysmon process-creation rule (61603) and anchor the path pattern on
     backslashes so a directory such as TempoApp does not match -->
<rule id="100010" level="13">
  <if_sid>61603</if_sid>
  <field name="win.eventdata.image" type="pcre2">(?i)\\(appdata|temp)\\</field>
  <description>Suspicious execution from temp directory (T1059)</description>
  <mitre>
    <id>T1059</id>
  </mitre>
  <group>suspicious_execution,</group>
</rule>
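To check the logic of the two rules above without a running manager, here is an added example (written for this page, not code from the original post or from the Wazuh ruleset). It models rule 100001's frequency/timeframe correlation per source address and compares the page's bare `AppData|Temp` pattern for rule 100010 with the backslash-anchored one, running both over constructed log lines. The function names, the sample log text and the TEST-NET addresses are all assumptions made for the example; the real counter bookkeeping lives in analysisd, so the final word on whether a rule fires is `wazuh-logtest` on the manager.

```python
"""Offline model of custom rules 100001 and 100010 (added example, not Wazuh code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Rule 100001: frequency="5" timeframe="120" with <same_source_ip />
FREQUENCY = 5
TIMEFRAME = 120

# Constructed syslog-style lines for this example; text and addresses are invented.
SAMPLE_LOG = """\
2024-01-10T09:00:00 srv1 app: Authentication failure for user admin from 203.0.113.5
2024-01-10T09:00:12 srv1 app: Authentication failure for user admin from 203.0.113.5
2024-01-10T09:00:20 srv1 app: Authentication failure for user bob from 198.51.100.7
2024-01-10T09:00:31 srv1 app: Authentication failure for user admin from 203.0.113.5
2024-01-10T09:00:45 srv1 app: Authentication failure for user root from 203.0.113.5
2024-01-10T09:01:02 srv1 app: Authentication failure for user admin from 203.0.113.5
2024-01-10T09:10:00 srv1 app: Authentication failure for user admin from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: Authentication failure .* from (?P<srcip>\d+\.\d+\.\d+\.\d+)$"
)


def parse_auth_failures(text):
    """Yield (timestamp, srcip) for every line the rule's <match> would select."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["srcip"]


def brute_force_alerts(events, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return [(timestamp, srcip)] at each point where `frequency` failures from one
    source fall inside `timeframe` seconds (the same_source_ip correlation).

    The window is cleared after firing so one burst yields one alert. That is this
    model's choice; Wazuh's own counter can differ by a small offset, so confirm
    the real behaviour with wazuh-logtest before relying on exact thresholds."""
    recent = defaultdict(deque)
    alerts = []
    for ts, srcip in events:
        window = recent[srcip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((ts, srcip))
            window.clear()
    return alerts


# Rule 100010: the page's bare pattern versus a backslash-anchored, case-insensitive one
LOOSE_IMAGE_RE = re.compile(r"AppData|Temp")
STRICT_IMAGE_RE = re.compile(r"(?i)\\(appdata|temp)\\")


def image_is_suspicious(image_path, pattern=STRICT_IMAGE_RE):
    """True when the Sysmon Image path contains an AppData or Temp path component."""
    return pattern.search(image_path) is not None


if __name__ == "__main__":
    for ts, ip in brute_force_alerts(parse_auth_failures(SAMPLE_LOG)):
        print(f"rule 100001 would fire at {ts.isoformat()} for {ip}")
    for path in (r"C:\Users\bob\AppData\Local\Temp\update.exe",
                 r"C:\Program Files\TempoApp\app.exe",
                 r"C:\Windows\System32\cmd.exe"):
        print(path, "loose:", image_is_suspicious(path, LOOSE_IMAGE_RE),
              "strict:", image_is_suspicious(path))
```

On the sample input the correlation fires once, at 09:01:02 for 203.0.113.5 (the fifth failure inside two minutes), and the single failure from 198.51.100.7 never reaches the threshold. The loose pattern flags the TempoApp path as well as the real Temp directory, which is the kind of false positive that inflates the tuning budget on a 500-endpoint fleet.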

Active Response Configuration

<!-- ossec.conf: Auto-block brute force IPs -->
<!-- firewall-drop manipulates iptables and only works on Linux agents; Windows agents
     need the netsh command shipped with the agent. List trusted ranges under
     <global><white_list> so a shared or spoofed source address cannot lock out admins,
     and do not declare the command twice if ossec.conf already contains it. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <!-- local: run on the agent that produced the alert -->
  <location>local</location>
  <rules_id>100001,5763</rules_id>
  <!-- seconds; when it expires execd re-runs the command with "delete" to lift the block -->
  <timeout>3600</timeout>
</active-response>
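The active response above delegates to the firewall-drop script that ships with Wazuh. When a custom handler is needed, it receives the same input: execd writes one JSON document to the script's stdin, with `"command": "add"` when the alert fires and `"command": "delete"` when the configured timeout expires, and the triggering alert under `parameters.alert`. The following is an added example, not the page's or Wazuh's own script: the decision half of such a handler, run on a constructed message, with the one guard every auto-block needs (never act on a trusted address). The trusted ranges, the sample message's field values, the program path and the single-rule iptables argv are assumptions for the example; a production handler also answers execd's check_keys exchange and actually executes the command, which this block deliberately leaves out.

```python
"""Decision logic of a custom active-response handler (added example, not Wazuh code)."""
import ipaddress
import json
import sys

# Assumed trusted ranges for this example; in production <global><white_list> in
# ossec.conf serves the same purpose and should be kept in step with this list.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


def source_ip(alert):
    """Return the offending address; Wazuh stores it in the alert under data.srcip."""
    return alert.get("data", {}).get("srcip")


def decide(message, trusted_nets=TRUSTED_NETS):
    """Map one execd message to ("block", ip), ("unblock", ip) or ("skip", reason)."""
    msg = json.loads(message)
    alert = msg.get("parameters", {}).get("alert", {})
    ip = source_ip(alert)
    if not ip:
        return ("skip", "alert carries no srcip")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("skip", f"srcip is not an IP address: {ip!r}")
    # Guard first: a trusted address is skipped for add and delete alike.
    if any(addr in net for net in trusted_nets):
        return ("skip", f"{ip} is in a trusted range")
    command = msg.get("command")
    if command == "add":
        return ("block", ip)
    if command == "delete":
        return ("unblock", ip)
    return ("skip", f"unknown command {command!r}")


def iptables_argv(action, ip):
    """The argv a Linux handler would run for a decision (simplified to one INPUT rule;
    the shipped firewall-drop also covers FORWARD)."""
    flag = {"block": "-I", "unblock": "-D"}[action]
    return ["iptables", flag, "INPUT", "-s", ip, "-j", "DROP"]


# Constructed execd message in the documented shape; every value is invented.
SAMPLE_ADD = json.dumps({
    "version": 1,
    "origin": {"name": "wazuh-manager.internal", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "100001", "level": 12,
                     "description": "Brute force detected - multiple auth failures from same IP"},
            "data": {"srcip": "203.0.113.5"},
        },
        "program": "/var/ossec/active-response/bin/custom-block",
    },
})
# The timeout path and a trusted-source variant, derived from the same message.
SAMPLE_DELETE = SAMPLE_ADD.replace('"command": "add"', '"command": "delete"')
SAMPLE_TRUSTED = SAMPLE_ADD.replace("203.0.113.5", "10.1.2.3")


if __name__ == "__main__":
    # As a handler: read the message execd writes to stdin; fall back to the sample.
    raw = sys.stdin.readline().strip() if not sys.stdin.isatty() else ""
    action, target = decide(raw or SAMPLE_ADD)
    print(action, target, iptables_argv(action, target) if action != "skip" else "")
```

Run without input the block reports `block 203.0.113.5` and the insert rule; the delete variant yields the matching `-D` rule, and the trusted variant is skipped for both, which is the property the whitelist exists to guarantee.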

File Integrity Monitoring

<!-- Put the Windows and Linux directory lists in the matching agent.conf group rather than
     one block; the scheduled scan runs hourly on top of realtime events -->
<syscheck>
  <frequency>3600</frequency>
  <alert_new_files>yes</alert_new_files>
  <!-- report_changes keeps a copy of each changed file to produce a diff; reserve it for
       text configuration and leave binary directories to checksum-only monitoring -->
  <directories realtime="yes">C:\Windows\System32</directories>
  <directories realtime="yes" report_changes="yes">/etc</directories>
  <directories realtime="yes">/usr/bin,/bin</directories>
  <!-- add <ignore> entries for paths that churn (package caches, log rotations) or
       realtime monitoring of System32 turns every patch cycle into an alert storm -->
</syscheck>

Production Results

  • 500+ endpoints monitored continuously with under 5% CPU overhead
  • 40+ custom MITRE ATT&CK-mapped detection rules engineered
  • False positive rate below 15% after 6 months of tuning
  • Mean time to notify below 2 minutes via automated Telegram alerting