Security Tools Medium How-to Guide

Using Wazuh for Security Monitoring

Wazuh is a free, open-source security platform for threat detection, integrity monitoring, and incident response.


This guide is part of the documentation available in SecBoard. It explains what Wazuh is, why it is used for security monitoring, and how the SecBoard FIM Dashboard receives and displays Wazuh alerts so you can centralise visibility and response in one place.

What is Wazuh?

Wazuh is an open-source security monitoring platform that helps organisations detect threats, monitor file and system changes, analyse logs, and meet compliance requirements. It uses lightweight agents on endpoints (servers, workstations) that report to a central manager. The manager analyses events, runs rules, and can forward alerts to external systems such as SIEMs or security portals.

Using Wazuh for security monitoring gives you visibility across many systems from a single stack: file integrity monitoring (FIM), log analysis, intrusion detection, vulnerability detection, and compliance checks. In SecBoard, the FIM Dashboard focuses on file integrity monitoring alerts from Wazuh — file added, modified, or deleted — so your team can review and triage them without leaving SecBoard.

Why use Wazuh for security monitoring?

Organisations use Wazuh to:

  • Detect changes to critical files — Config files, binaries, or sensitive data that should not change without approval.
  • Centralise security events — Agents send events to the manager so you can correlate activity across hosts.
  • Meet compliance — Many frameworks (e.g. PCI DSS, HIPAA) require file integrity monitoring and log review; Wazuh supports both.
  • Respond faster — Alerts can be sent to ticketing systems, SIEMs, or dashboards (such as the SecBoard FIM Dashboard) for triage and response.

When Wazuh is integrated with SecBoard, FIM alerts are delivered to the SecBoard FIM Dashboard via webhook. You can filter by agent, severity, status, and time, and update the processing status (e.g. confirmed incident, false positive, resolved) directly in SecBoard.

Main capabilities of Wazuh

Wazuh provides several capabilities; SecBoard’s integration focuses on FIM. A short overview of what Wazuh offers and how FIM fits in:

File Integrity Monitoring (FIM) — Detects when monitored files or directories are added, modified, or deleted. Alerts include path, hashes, and metadata. This is the data shown in the SecBoard FIM Dashboard.
Log analysis — Collects and analyses logs from endpoints and applications. Rules and decoders help identify suspicious or malicious activity.
Intrusion detection — Rootcheck and anomaly checks on the agent look for rootkits, hidden processes and ports, and unauthorised changes; host behaviour is otherwise derived from the logs the agent collects (e.g. auditd on Linux) rather than from direct system-call tracing.
Vulnerability detection — Compares the package inventory collected from each agent with CVE feeds so patching can be prioritised; configuration weaknesses are covered separately by Security Configuration Assessment (SCA), which checks hosts against benchmarks such as CIS.
Compliance — Pre-built rules and checks for standards (e.g. PCI DSS, CIS) to support audit and compliance reporting; FIM alerts carry the relevant control references (e.g. PCI DSS 11.5 on the integrity-changed rule).
Active response — Rule-triggered scripts on the agent or manager (e.g. drop an IP with a firewall rule, disable an account) to contain threats quickly.

How Wazuh fits into your monitoring architecture

A typical flow when using Wazuh for security monitoring and feeding SecBoard:

Component — Role
Wazuh agents — Run on endpoints (Windows, Linux, macOS). Monitor files, logs, and behaviour; send events to the Wazuh manager.
Wazuh manager — Receives events from agents, runs rules and decoders, generates alerts. Can forward alerts to external systems (e.g. SecBoard) via webhook or an integration script.
SecBoard webhook — Receives FIM alerts from Wazuh. SecBoard stores each alert (rule, file path, agent, severity, timestamp) and links it to a Wazuh agent record.
SecBoard FIM Dashboard — Shows FIM alerts in one place. You can filter by agent, date, severity, status; open alert details; set processing status (e.g. confirmed incident, false positive); and use analysis or automation if configured.

Configuring Wazuh to send FIM alerts to SecBoard is done on the Wazuh manager: an <integration> block in ossec.conf points a custom integration script at the SecBoard endpoint, and <group>syscheck</group> restricts it to FIM alerts. Use an HTTPS endpoint so the token is not exposed in transit. Webhook clients and authentication are configured in SecBoard so that only authorised Wazuh instances can push alerts.
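
As an added example (not code from this page, from Wazuh or from SecBoard), here is a custom integration script that performs that forwarding on the manager. The parts that are Wazuh's are used as Wazuh defines them: the <integration> stanza in ossec.conf, the custom- prefix on the script name, the /var/ossec/integrations/ directory, the json alert format, and the three arguments the manager passes (alert file, api_key, hook_url). The SecBoard URL, the bearer-token header, the payload field names, the level-to-severity mapping and the ignore patterns are assumptions made for the example, and the sample alert at the bottom is constructed in the shape Wazuh writes to alerts.json.

```python
#!/usr/bin/env python3
"""custom-secboard: forward Wazuh FIM (syscheck) alerts to a webhook.

Added example, not Wazuh's or SecBoard's code.  Install as
/var/ossec/integrations/custom-secboard (chmod 750, chown root:wazuh; the
manager's bundled interpreter lives under /var/ossec/framework/python/)
and add to the manager's ossec.conf:

  <integration>
    <name>custom-secboard</name>
    <hook_url>https://secboard.example.internal/api/webhooks/wazuh</hook_url>
    <api_key>REPLACE_WITH_SECBOARD_TOKEN</api_key>
    <group>syscheck</group>           <!-- only FIM alerts -->
    <alert_format>json</alert_format>
  </integration>

The manager then runs:  custom-secboard <alert_file> <api_key> <hook_url>
The URL, header scheme, payload fields, severity mapping and ignore
patterns below are assumptions made for this example.
"""
import json
import re
import sys
import urllib.request


def severity_from_level(level: int) -> str:
    """Hypothetical mapping of the Wazuh rule level (0-15) to a SecBoard label."""
    if level >= 12:
        return "critical"
    if level >= 7:
        return "error"
    return "warning"


# Second line of defence against high-churn paths; the proper fix is an
# <ignore> entry inside <syscheck> on the agent.  Patterns are an assumption.
IGNORE_PATTERNS = [re.compile(p) for p in (r"^/var/log/", r"\.swp$", r"/\.cache/")]


def is_fim_alert(alert: dict) -> bool:
    """Alerts raised by the syscheck module carry 'syscheck' in rule.groups."""
    return "syscheck" in alert.get("rule", {}).get("groups", [])


def should_forward(alert: dict) -> bool:
    if not is_fim_alert(alert):
        return False
    path = alert.get("syscheck", {}).get("path", "")
    return not any(p.search(path) for p in IGNORE_PATTERNS)


def build_payload(alert: dict) -> dict:
    """Map the alert onto the fields the FIM Dashboard shows (rule, path,
    event type, severity, agent, timestamp) plus the before/after hashes."""
    rule, agent, fim = alert["rule"], alert["agent"], alert["syscheck"]
    return {
        "wazuh_alert_id": alert["id"],
        "rule_id": rule["id"],
        "rule_description": rule["description"],
        "level": rule["level"],
        "severity": severity_from_level(rule["level"]),
        "event": fim.get("event", "unknown"),          # added / modified / deleted
        "path": fim["path"],
        "sha256_before": fim.get("sha256_before"),
        "sha256_after": fim.get("sha256_after"),
        "agent": {"id": agent["id"], "name": agent["name"], "ip": agent.get("ip")},
        "timestamp": alert["timestamp"],
    }


def post_alert(hook_url: str, api_key: str, payload: dict, timeout: float = 5.0) -> int:
    """POST the payload with a bearer token (assumed scheme); returns the HTTP status."""
    req = urllib.request.Request(
        hook_url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv: list) -> int:
    if len(argv) != 4:
        print("usage: custom-secboard <alert_file> <api_key> <hook_url>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as f:
        alert = json.load(f)
    if not should_forward(alert):
        return 0                     # not FIM, or a path deliberately dropped
    return 0 if 200 <= post_alert(argv[3], argv[2], build_payload(alert)) < 300 else 1


# Constructed sample in the shape Wazuh writes to alerts.json for rule 550
# ("Integrity checksum changed", level 7); hashes are placeholders.
SAMPLE_ALERT = {
    "timestamp": "2024-05-03T10:12:33.123+0000",
    "id": "1714731153.12345",
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
             "groups": ["ossec", "syscheck", "syscheck_entry_modified", "syscheck_file"]},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
    "syscheck": {"path": "/etc/ssh/sshd_config", "event": "modified", "mode": "realtime",
                 "sha256_before": "0" * 64, "sha256_after": "f" * 64,
                 "changed_attributes": ["size", "sha256"]},
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The manager writes each matching alert to a temporary file and calls the script once per alert, so the script stays stateless; filtering on rule.groups is kept even though <group>syscheck</group> already narrows the input, because the same script may later be wired to a broader stanza.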

What you see in the SecBoard FIM Dashboard

In SecBoard, the FIM Dashboard displays alerts that have been sent from Wazuh to SecBoard. For each alert you typically see:

  • Alert ID and rule — Unique identifier and the Wazuh rule that fired (e.g. file modified, file added).
  • File path and name — The monitored file or directory that changed.
  • Alert type — Added, modified, deleted (or similar, depending on your Wazuh configuration).
  • Severity — Derived from the Wazuh rule level (0 to 15) and shown as a label (e.g. critical, error, warning). SecBoard can use this for filtering and prioritisation.
  • Agent — Which Wazuh agent (host) generated the alert; agent name and IP are stored in SecBoard.
  • Timestamp — When the event occurred and when SecBoard received it.
  • Processing status — Pending, under investigation, confirmed incident, false positive, resolved, escalated, or ignored. Your team updates this in SecBoard to track triage and response.

Using the FIM Dashboard in SecBoard you can quickly decide whether an alert is a real incident (and e.g. create or link an incident in the SecBoard Incident Register) or a false positive, and keep an audit trail of who processed the alert and when.

Best practices when using Wazuh for security monitoring

  • Define what to monitor — Enable FIM on critical paths (configs, binaries, sensitive data). Avoid monitoring high-churn directories if they generate too much noise; exclude them with <ignore> entries inside the agent's <syscheck> configuration rather than by dropping the alerts later.
  • Tune rules — Disable or adjust rules that produce too many false positives so analysts can focus on meaningful alerts. Override shipped rules from local_rules.xml rather than editing them in place, so the change survives upgrades.
  • Secure the integration — Use authentication (e.g. API token or basic auth) on the SecBoard webhook, serve it over HTTPS, and where possible restrict it to the Wazuh manager's address, so only your Wazuh manager can send alerts and the credential is not exposed in transit.
  • Review regularly — Use the SecBoard FIM Dashboard to review unprocessed or high-severity alerts and update processing status so the team has a clear view of what is open.
  • Link to incident response — When an alert is confirmed as an incident, document it in the SecBoard Incident Register and, if needed, escalate so that response follows your organisation’s incident process.
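
Seen from the receiving side, "Secure the integration" amounts to a short list of checks that must pass before a pushed alert is stored. The following is an added example of those checks and is not SecBoard's code: the bearer-token header, the required fields, the 1 MiB body cap and the allowed source network are assumptions made for the illustration; the sample bodies are constructed.

```python
"""Webhook receiver checks for pushed FIM alerts (added example; not
SecBoard's code).  Assumptions: bearer-token header, the listed required
fields, a 1 MiB body cap, and the allowed source networks."""
import hmac
import http.server
import ipaddress
import json
import os
from typing import Optional, Tuple

REQUIRED_FIELDS = ("rule_id", "path", "event", "agent", "timestamp")
MAX_BODY = 1 << 20                          # 1 MiB (assumption)
EXPECTED_TOKEN = os.environ.get("SECBOARD_WEBHOOK_TOKEN", "")
ALLOWED_SOURCES = ["10.0.0.0/24"]           # the Wazuh manager's network (assumption)


def token_ok(auth_header: Optional[str], expected: str) -> bool:
    """Bearer-token check in constant time.  An empty expected token never
    matches, so a missing deployment secret fails closed instead of
    accepting every request."""
    if not expected or not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):]
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def source_ok(remote_ip: str, allowed: list) -> bool:
    """Only the configured Wazuh manager(s) may push alerts."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed)


def accept(remote_ip: str, headers, body: str, expected_token: str,
           allowed: list) -> Tuple[int, str]:
    """Decide whether to store a pushed alert.  Cheap rejections come first and
    the body is parsed only after the sender has been authenticated."""
    if not source_ok(remote_ip, allowed):
        return 403, "source not allowed"
    if not token_ok(headers.get("Authorization"), expected_token):
        return 401, "bad token"
    if len(body) > MAX_BODY:
        return 413, "body too large"
    try:
        alert = json.loads(body)
    except ValueError:
        return 400, "invalid json"
    if not isinstance(alert, dict):
        return 400, "expected object"
    missing = [k for k in REQUIRED_FIELDS if k not in alert]
    if missing:
        return 400, "missing fields: " + ",".join(missing)
    if alert["event"] not in ("added", "modified", "deleted"):
        return 400, "unknown event"
    return 202, "accepted"


class Handler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0") or 0)
        # read at most one byte over the cap so accept() can reject oversize bodies
        body = self.rfile.read(min(length, MAX_BODY + 1)).decode("utf-8", "replace")
        status, reason = accept(self.client_address[0], self.headers, body,
                                EXPECTED_TOKEN, ALLOWED_SOURCES)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(reason.encode("utf-8"))


if __name__ == "__main__":
    # Terminate TLS in front of this (reverse proxy) so the token never travels in clear.
    http.server.HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The order of the checks matters: the source and token are verified before any JSON is parsed, so an unauthenticated sender cannot drive the parser, and an oversized body is rejected before it is decoded.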

Wazuh and the SecBoard FIM Dashboard

This guide is part of the documentation available in SecBoard. The SecBoard FIM Dashboard receives Wazuh FIM alerts via webhook and displays them in one place. Use the "Guide" button on the FIM Dashboard page to open this text at any time. Webhook clients (including your Wazuh server) and alert retention are configured in SecBoard administration.

Using Wazuh for security monitoring together with SecBoard gives you a single pane of glass for FIM alerts, processing status, and integration with the SecBoard Incident Register when an alert becomes a confirmed incident.

Frequently asked questions

What is Wazuh? — Wazuh is an open-source security monitoring platform. It uses agents on endpoints and a central manager to perform file integrity monitoring (FIM), log analysis, intrusion detection, vulnerability detection, and compliance checks. Alerts can be sent to external systems such as SecBoard.

Why use Wazuh for security monitoring? — Wazuh provides centralised visibility, FIM for critical files, log analysis, and compliance support. When integrated with SecBoard, FIM alerts appear in the SecBoard FIM Dashboard for triage and response without switching between multiple tools.

How does SecBoard receive Wazuh alerts? — SecBoard exposes a webhook endpoint that the Wazuh manager calls when FIM (or other) alerts are generated. The webhook is configured in Wazuh; the client and authentication are configured in SecBoard. Alerts are stored and shown on the FIM Dashboard.

What is FIM? — File Integrity Monitoring (FIM) detects changes to files and directories (added, modified, deleted). Wazuh agents monitor configured paths and send events to the manager; the manager generates alerts that can be forwarded to SecBoard for the FIM Dashboard.

Can I link a Wazuh alert to an incident? — Yes. When you confirm a FIM alert as a real incident in SecBoard, you can create or link a record in the SecBoard Incident Register so that response is tracked in one place and the link between monitoring (Wazuh / FIM Dashboard) and incident management (Incident Register) is clear.

