Wazuh, Suricata integration #9143
-
Hi, if I run the Wazuh agent on Windows and receive the logs on SO, does it mean the data received will also be AUTOMATICALLY used by other modules like Suricata, Zeek etc. to also scan those, including Wazuh agent event logs? My question is mainly: if I receive input from a given agent, will that input be reused also by other modules too? Or does each agent work with its own module and there is no kind of sharing of such input? Trying to understand how the internals of SO work. Thanks
-
Wazuh, Suricata, and Zeek are totally independent of each other. Wazuh is for host logs collected from workstations and servers. Suricata and Zeek are for network traffic, usually collected from a tap or SPAN port. For more information about Wazuh, please see: For more information about Suricata and Zeek, please see:
-
Thank you for your reply. Yes, I understand that each has a different mechanism, but I am checking if there is a way SO correlates those independent events to try to make sense of the data more accurately. For example, if something in Wazuh logs shows some weird DNS resolution AND Suricata has some suspicious activity to that resolved IP, SO would correlate those 2 events into 1 SO event that can be better triaged.
-
Our Alerts, Dashboards, and Hunt interfaces have a Correlate option on the Actions menu that allows you to find related logs based on Community ID, uid, fuid, etc.:
https://docs.securityonion.net/en/2.3/alerts.html#actions
https://docs.securityonion.net/en/2.3/dashboards.html#actions
https://docs.securityonion.net/en/2.3/community-id.html
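To make the Community ID join concrete, here is an added example (not Security Onion's own code) that computes a Community ID v1 flow hash the way Zeek and Suricata do and groups constructed sample records from the three independent modules by that value; the sample events and the `correlate` helper are assumptions for illustration, and the ICMP type/code mapping of the spec is omitted.

```python
import base64
import hashlib
import ipaddress
from collections import defaultdict

def community_id_v1(saddr, daddr, sport, dport, proto, seed=0):
    """Community ID v1 for a TCP/UDP/SCTP 5-tuple (proto is the IP number).

    Zeek and Suricata both emit this value, so a host log carrying the same
    5-tuple can be hashed identically and joined against the network logs.
    """
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    # Canonical ordering: both directions of a flow hash to the same ID.
    if not (sa < da or (sa == da and sport < dport)):
        sa, da, sport, dport = da, sa, dport, sport
    data = seed.to_bytes(2, "big") + sa + da + bytes([proto, 0])
    data += sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

PROTO = {"tcp": 6, "udp": 17, "sctp": 132}

# Constructed sample records (not real SO output). The Wazuh record sees the
# flow from the host's side, so its direction is reversed relative to the
# sensor-side Suricata and Zeek records.
SAMPLE_EVENTS = [
    {"module": "suricata", "src_ip": "10.0.0.5", "src_port": 51234,
     "dst_ip": "203.0.113.7", "dst_port": 443, "proto": "tcp"},
    {"module": "zeek", "src_ip": "10.0.0.5", "src_port": 51234,
     "dst_ip": "203.0.113.7", "dst_port": 443, "proto": "tcp"},
    {"module": "wazuh", "src_ip": "203.0.113.7", "src_port": 443,
     "dst_ip": "10.0.0.5", "dst_port": 51234, "proto": "tcp"},
    {"module": "zeek", "src_ip": "10.0.0.9", "src_port": 40000,
     "dst_ip": "192.0.2.1", "dst_port": 53, "proto": "udp"},
]

def correlate(events):
    """Group events from independent modules by their Community ID."""
    groups = defaultdict(list)
    for ev in events:
        cid = community_id_v1(ev["src_ip"], ev["dst_ip"], ev["src_port"],
                              ev["dst_port"], PROTO[ev["proto"]])
        groups[cid].append(ev["module"])
    return dict(groups)

if __name__ == "__main__":
    for cid, modules in correlate(SAMPLE_EVENTS).items():
        print(cid, modules)
```

The three records for the 10.0.0.5:51234 to 203.0.113.7:443 flow land under one ID while the unrelated DNS flow gets its own, which is the pivot the Correlate action performs in the SO interfaces.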