I am investigating more about the community support for Wazuh. I can't provide a definitive answer yet. An issue I noticed is with tag values in certain rules not functioning properly. It's unclear if this is a design flaw or intentional. These are areas I'm still exploring.
The latest version, 4.9, has improved the interface significantly. I am yet to explore more about the update to identify further areas for improvement. So far, the recent updates have addressed most challenges we previously faced.
Wazuh doesn't have native support for some enterprise solutions. It requires an agent installed on the server, whether Windows Server or Linux, to collect logs. While you can gather information via SNMP or Splunk logs, this isn't natively supported. Some decoders are available, but they are community-built rather than officially supported. It relies on its community to create these decoders as an open-source platform, so they may not be fully integrated.
Wazuh currently fails to provide its users with AI and ML. From an improvement perspective, Wazuh needs to offer AI and ML to its customers. I want Wazuh to integrate with AI capabilities since it can help users do proactive monitoring. I think scalability can be improved by using better indexer indices in Wazuh and by improving dashboarding. We can enhance Wazuh manager and Wazuh indexer.
Security Analyst at a tech services company with 501-1,000 employees
Real User
Top 20
2024-02-09T12:08:03Z
Feb 9, 2024
They could include flexibility and customization capabilities by modifying for customers based on partner agreements. They could enhance governance-related tools for audit reports. We conducted a cost-benefit evaluation and compared Wazuh with Sentinel and FortiCM. The decision to choose Wazuh was influenced by its compatibility with other systems and the strong open-source community. In comparison, Microsoft has a huge community, but it needs to be easy to use. Additionally, FortiCM needs better community support.
Security engineer at a tech services company with 51-200 employees
Real User
Top 5
2024-02-08T09:46:18Z
Feb 8, 2024
At the moment, we haven't tried the cloud version yet. My customers are mostly into the cloud. Wazuh should come up with more in-built rules and integrations for the cloud.
Cybersecurity specialist at a manufacturing company with 51-200 employees
Real User
Top 10
2024-02-07T09:21:42Z
Feb 7, 2024
The tool does not provide CTI to monitor darknet. In the future, I want the tool to provide CTI to monitor the darknet so that by creating a single query, I can monitor the darknet.
Cyber Digital Transformation Engineer at OneWorldInfoTech
Real User
Top 10
2024-01-31T07:52:00Z
Jan 31, 2024
I have built some rules that produce duplicate alerts two or three times. Therefore, these rules should be consolidated. Alerts should be specific rather than repeatedly triggered by integrating multiple factors. This issue needs improvement to create a more efficient alert system.
Senior Systems Engineer at an insurance company with 201-500 employees
Real User
Top 10
2023-10-20T04:55:32Z
Oct 20, 2023
I have yet to find the same capability in Wazuh to get logs from different sources into the system. I haven't been able to explore that. There are many functions I want to add. For example, I want to get feeds from different places through threat intelligence. If the feature is there, it needs to be matured. Threat intelligence is key to the use case I've deployed the solution for. It would be good if Wazuh correlated it with the internal and external feeds. Integrating Wazuh with other platforms is a key aspect.
The rules are hard coded. The tool doesn't detect anomalies or new environments. The product lacks AI features. We have to do a lot of manual searching.
Informatics Engineering Lecturer at Innovation Center STMIK AMIKOM
Real User
Top 20
2023-09-08T14:27:02Z
Sep 8, 2023
Improving the abilities related to security threat mapping, such as threat map landscape visualization, would be a great benefit. Adding the flexibility to integrate various plug-ins or modules into its core system would enhance functionality.
A lot of things could be improved with Wazuh. A company I worked with used this product with their customizations since Wazuh is missing many things that a typical SIEM should have. One thing that was missing was log source management. We didn't have any modules for that. Wazuh's parsing is very complex. You must write decoders to make it as easy as in other SIEMs, like in QRadar. The stability and scalability could be improved.
Since it's an open-source tool, scalability is the main issue. We haven't paid for it, so if we want to scale it, we would need to purchase the enterprise version, which can be quite expensive. So scalability and limited support are the main limitations of the free version.
Software Engineer at a computer software company with 1,001-5,000 employees
Real User
Top 10
2023-06-15T10:25:07Z
Jun 15, 2023
There is room for improvement in Wazuh, but it's possible they are already working on it. The only challenge we faced with Wazuh was the lack of direct support. They charge for support, whether it's five days a week or seven days a week. We don't expect it to be free because revenue is generated through the support they provide. In future releases, I would like to see a feature. There is one feature we observed in a premium tool in the industry called Dynatrace. It provides automatic relations between different devices and components. For instance, if you receive a web login request, Dynatrace can trace and show you the path it takes from the firewall to the switch, then to the Apache server, the actual job application, and finally back to the client. It intelligently correlates all the components involved in a single event. If Wazuh could include this feature, where all the components are integrated, it would automatically relate them for any activity in your environment.
I don't have any notes for new features. When it comes to interfacing with some other applications, it could be better. It could have better integration capabilities. They need to go towards integrating with more cloud applications and not just OS like Windows and Linux.
One area where Wazuh could be improved is scalability. While it is scalable, it can suffer from reduced latencies. In the next release, I would like to see a more seamless combination of a SIEM system. However, the current SIEM system can be noisy at times, resulting in false positives instead of true positives. In comparison, Splunk has been able to reduce the number of false positives in its system.
Head Information Security at Akhtar Fuiou Technologies
Real User
Top 10
2023-02-28T09:06:08Z
Feb 28, 2023
The rules are very difficult because there are some limitations such as the inability to correlate two events. It should be easy to edit or change, but it can't be done. They are technical issues and I'm assuming they will be fixed over time.
Project Lead at a tech services company with 51-200 employees
Real User
2023-01-12T13:30:00Z
Jan 12, 2023
When the agents are not upgraded in comparison to the server they start behaving unknowingly. Some modules will be working, some modules will not be working. It would be great if there could be customization for the decoder portion.
The computing resources are consuming and do not make sense. It should be lighter in terms of memory, CPU, and computing. There is a direct need for improvisation for any user, and it should be lighter than the current version. In the next release, they should include secure mobile app integration.
Log data analysis could be improved. My IT team has been looking for an alternative because they want better log data for malware detection. We are also doing more container implementation, so we need better container security, log data analysis, auditing and compliance, malware detection, etc. Overall, the implementation part of Azure is tricky. It can be simplified and automated more to shorten the deployment timeline, so we can immediately onboard the application. The entire implementation process should be user-friendly.
Wazuh needs more security features, particularly visualization features and a health monitor. In the next release, it should be easier to see the origin of events when connected to a firewall or switch. I would also like more integration with XDR and cloud-based formats like the GCO log testing system or Huawei.
Manager Cloud Security Operations at TraceLink, Inc.
Consultant
2022-08-01T13:01:54Z
Aug 1, 2022
Scalability is a constraint in the on-prem version of Wazuh in terms of the volume of logs we can manage. There are some minor glitches, but that's part of every tool, and they usually get addressed in subsequent updates. I would like to see more Kubernetes security and log integrations. That will be one of the good things. Wazuh supports AWS or GCP cloud-native service integration, but it would be great if they added support for Kubernetes security and AWS or Azure-managed Kubernetes solutions.
GISO - Global Information Security Officer at Beyon Connect
Real User
2022-07-10T15:39:18Z
Jul 10, 2022
It would be better if they had a vulnerability assessment plug-in like the one AlienVault has. In the next release, I would like to have an app with an alerting mechanism.
Wazuh has a drawback with regard to Unix systems. The solution does not allow us to do real-time monitoring for Unix systems. If usage increases, it would be a heavy fall on the other SIEM solutions or event monitoring solutions. We found a workaround by reducing the frequency, so it would give us some sort of real-time monitoring.
Vice President Information Technology and Security at a comms service provider with 201-500 employees
Real User
2022-04-08T20:34:00Z
Apr 8, 2022
There's not much I like about Wazuh. Other products I've used were a lot more functional and user friendly. They came with reports and use cases out of the box. We need to configure Wazuh's alerts and monitoring capabilities manually. It'd be nice if we could select from templates and presets for use cases already built and coded.
I think that the next release should be more suitable for large enterprises, because currently they are not because large companies do not rely on open source solutions.
Wazuh doesn't cover sources of events as well as Splunk. You can integrate Splunk with many sources of events, but it's a painful process to take care of some sources of events with Wazuh. It's hard to really go into what Wazuh should add. If we call for Wazuh to improve one thing, then many things have to be improved. So if Wazuh's primary purpose is to cover the logs, then we can't really keep asking them to cover endpoints as well. And Wazuh doesn't have threat intelligence, to my knowledge. It can integrate with other sources of threat intel, but I haven't seen a native threat intel platform. Many people subscribe to Splunk for this platform. You can integrate threat intelligence from other solutions, but I haven't seen this feature in Wazuh.
Wazuh is an enterprise-ready platform used for security monitoring. It is a free and open-source platform that is used for threat detection, incident response and compliance, and integrity monitoring. Wazuh is capable of protecting workloads across virtualized, on-premises, containerized, and cloud-based environments.
It consists of an endpoint security agent and a management server. Additionally, Wazuh is fully integrated with the Elastic Stack, allowing users the ability to navigate...
The implementation is very complex.
The solution's configuration could be faster.
The scalability of this solution could be improved.
Wazuh could improve the detection; it is not detecting all of the attacks. Additionally, it is lacking features compared to other solutions.
Its user interface for sure can be improved. It is not so comfortable to use if you're looking for specific logs.