Summary
The incident-response category has strong forensics coverage (osquery, Velociraptor, Sigma) but no unified EDR/SIEM skill. Wazuh is the leading open-source XDR/SIEM platform combining endpoint detection, log analysis, file integrity monitoring, and compliance dashboards in a single agent+manager architecture. It fills a critical gap between post-incident forensics and real-time detection.
Requested Skill: incident-response/detection-wazuh
What to Cover
Core workflows:
- Agent deployment and enrollment
```shell
# Install the agent and register it with the manager. The WAZUH_MANAGER and
# WAZUH_AGENT_NAME variables are read by the package's post-install script,
# which writes them into the agent's ossec.conf before the service starts.
WAZUH_MANAGER='10.0.0.2' WAZUH_AGENT_NAME='web-prod-01' \
  apt install wazuh-agent && systemctl start wazuh-agent
```
- Custom detection rules — write rules that trigger on specific log patterns
```xml
<!-- Detect sudo privilege escalation (local_rules.xml; custom rules must sit
     inside a <group> and use ids from 100000 upwards) -->
<group name="local,sudo,">
  <rule id="100001" level="10">
    <if_sid>5402</if_sid>
    <match>COMMAND=/bin/bash</match>
    <description>Sudo to bash shell detected - possible privilege escalation</description>
    <mitre><id>T1548.003</id></mitre>
  </rule>
</group>
```
- File Integrity Monitoring — detect unauthorized changes to critical files
```xml
<!-- ossec.conf: the directory list is comma-separated on one line -->
<ossec_config>
  <syscheck>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
```
- Active response — auto-block IPs triggering brute-force rules
```xml
<!-- ossec.conf on the manager; firewall-drop is one of the predefined commands -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763</rules_id> <!-- SSH brute force -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```
- Compliance dashboards — query PCI-DSS, HIPAA, GDPR compliance status via API
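The custom rule above is easiest to reason about when you can see which raw log lines it would and would not fire on. The following is an added example, not code from this request or from the Wazuh project: a small Python stand-in for the manager's sudo decoder plus the two-rule chain (the parent is modelled as "sudo event whose target user is root", which is an assumption standing in for rule 5402; the child reproduces rule 100001 exactly as written). The log lines are constructed sample data. It shows that `<match>` is a plain substring test on the raw log, so `COMMAND=/bin/bash -c id` fires but `COMMAND=/usr/bin/bash` does not.

```python
import re
from typing import Optional

# Constructed sample auth.log lines (not real data).
SAMPLE_LOG = """\
Mar  3 10:15:01 web-prod-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:16:12 web-prod-01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:17:40 web-prod-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:18:03 web-prod-01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash -c id
Mar  3 10:19:27 web-prod-01 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/bash
"""

# Simplified stand-in for the Wazuh sudo decoder: pull the fields out of a
# "sudo:" syslog line. Anything that is not a sudo line decodes to None.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<srcuser>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$"
)


def decode_sudo(line: str) -> Optional[dict]:
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


# Parent rule: assumed model of Wazuh rule 5402 (successful sudo to root).
# Here it is simply "decoded sudo event whose target user is root".
def rule_5402(event: dict) -> bool:
    return event["dstuser"] == "root"


# Child rule as written on the page: id 100001, level 10, if_sid 5402,
# <match>COMMAND=/bin/bash</match>. Wazuh <match> is a substring test on the
# raw log line, which is exactly what evaluate() reproduces.
CHILD_RULE = {
    "id": "100001",
    "level": 10,
    "description": "Sudo to bash shell detected - possible privilege escalation",
    "mitre": ["T1548.003"],
    "match": "COMMAND=/bin/bash",
}


def evaluate(line: str) -> Optional[dict]:
    """Return an alert dict if the line passes the parent and child rule, else None."""
    event = decode_sudo(line)
    if event is None or not rule_5402(event):
        return None
    if CHILD_RULE["match"] not in line:
        return None
    return {
        "rule": {k: CHILD_RULE[k] for k in ("id", "level", "description", "mitre")},
        "srcuser": event["srcuser"],
        "command": event["command"],
        "full_log": line,
    }


def run(log_text: str) -> list:
    """Evaluate every line of a log and collect the alerts that fired."""
    return [a for a in (evaluate(line) for line in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert["rule"]["id"], alert["srcuser"], alert["command"])
```

Run against the sample, only alice's and carol's lines produce rule 100001; dave's `/usr/bin/bash` and any `sudo -i` or `sudo su` path slip through the substring match, which is the gap to close (a field regex on the decoded command, or a list of shell paths) before relying on this rule. On a real manager, `wazuh-logtest` on the manager host gives the same per-line verdict against the actual decoders and rules.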
Integration with Existing Skills
- Sigma rules (detection-sigma) can be converted to Wazuh XML rules using `sigma convert -t wazuh`
- osquery results can be forwarded to Wazuh as custom log sources
- Wazuh alerts can trigger Velociraptor hunts for deep forensic collection
Frameworks
- MITRE ATT&CK (native integration in Wazuh dashboard)
- PCI-DSS Req 10 (logging), Req 11.4 (IDS/IPS)
- HIPAA § 164.312(b) (Audit Controls)
- GDPR Article 32 (security of processing)
- NIST CSF DE.CM (Continuous Monitoring)
- CIS Controls v8 — Control 8 (Audit Log Management), Control 13 (Network Monitoring)
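The compliance dashboards mentioned under "Core workflows" and the frameworks listed above are driven by the same thing: the `rule.pci_dss`, `rule.hipaa` and `rule.gdpr` tag lists that Wazuh attaches to each alert record. The following is an added example, not code from this request or from Wazuh: it takes a handful of constructed alert records in the shape of `alerts.json` (the tag values are sample data) and reduces them the way a dashboard panel does, counting alerts per requirement, breaking one requirement down by agent, and listing rules that carry no compliance tag at all.

```python
import json
from collections import Counter, defaultdict

# Constructed alert records in the shape of Wazuh's alerts.json (sample data,
# not real alerts). Compliance tags live under rule.pci_dss / rule.hipaa / rule.gdpr.
SAMPLE_ALERTS = [json.loads(line) for line in """\
{"agent":{"name":"web-prod-01"},"rule":{"id":"5763","level":10,"description":"sshd: brute force trying to get access to the system.","pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d","IV_32.2"]}}
{"agent":{"name":"web-prod-01"},"rule":{"id":"550","level":7,"description":"Integrity checksum changed.","pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"gdpr":["II_5.1.f"]}}
{"agent":{"name":"db-prod-01"},"rule":{"id":"550","level":7,"description":"Integrity checksum changed.","pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"gdpr":["II_5.1.f"]}}
{"agent":{"name":"web-prod-01"},"rule":{"id":"100001","level":10,"description":"Sudo to bash shell detected - possible privilege escalation","mitre":{"id":["T1548.003"]}}}
""".splitlines()]

FRAMEWORKS = ("pci_dss", "hipaa", "gdpr")


def summarize(alerts: list, framework: str, min_level: int = 0) -> dict:
    """Count alerts per requirement of one framework (e.g. PCI-DSS '11.4'),
    optionally ignoring alerts below a severity level."""
    counts = Counter()
    for alert in alerts:
        rule = alert["rule"]
        if rule["level"] < min_level:
            continue
        for requirement in rule.get(framework, []):
            counts[requirement] += 1
    return dict(counts)


def by_agent(alerts: list, framework: str, requirement: str) -> dict:
    """Break one requirement down by the agent that raised the alert."""
    out = defaultdict(int)
    for alert in alerts:
        if requirement in alert["rule"].get(framework, []):
            out[alert["agent"]["name"]] += 1
    return dict(out)


def untagged(alerts: list) -> list:
    """Rule ids whose alerts carry no compliance tag at all. Such alerts never
    appear on any compliance dashboard, which is the usual gap with custom rules."""
    return sorted({alert["rule"]["id"] for alert in alerts
                   if not any(alert["rule"].get(f) for f in FRAMEWORKS)})


if __name__ == "__main__":
    print("PCI-DSS:", summarize(SAMPLE_ALERTS, "pci_dss"))
    print("HIPAA, level >= 10:", summarize(SAMPLE_ALERTS, "hipaa", min_level=10))
    print("PCI-DSS 11.5 by agent:", by_agent(SAMPLE_ALERTS, "pci_dss", "11.5"))
    print("rules without compliance tags:", untagged(SAMPLE_ALERTS))
```

The last function is the practical check: the custom sudo rule from this request shows up as untagged, so it would count for MITRE ATT&CK but not for PCI-DSS Req 10 or HIPAA 164.312(b) until its `<group>` carries the corresponding `pci_dss_...` / `hipaa_...` / `gdpr_...` tags. In production the records come from the `wazuh-alerts-*` index rather than an inline list.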