Wazuh generates alerts. Thousands of them. A firewall rule triggers on an outbound connection to an unfamiliar IP. An endpoint agent detects a suspicious process spawning PowerShell. A file integrity monitoring rule flags a modified binary. Each alert contains raw observables — IPs, domains, hashes — but no external context about whether those indicators are actually malicious or merely unfamiliar.
This is the gap that Wazuh threat intelligence integration is designed to fill. By connecting Wazuh to an external enrichment source, alerts arrive with reputation data, abuse history, and risk scores already attached. Analysts see context instead of raw data, and triage decisions that previously required manual lookups happen in seconds.
This guide covers integrating DFIR Platform's multi-source IOC enrichment API with Wazuh using two approaches: the Wazuh integratord module for lightweight webhook-style enrichment, and a custom active response script for on-demand enrichment triggered by specific alert rules.
Why Alert Enrichment Matters for Wazuh Deployments
Wazuh excels at detection. Its rule engine processes logs from endpoints, firewalls, cloud services, and applications, matching patterns against a comprehensive rule set. But detection and triage are different problems.
A Wazuh alert telling you that 192.0.2.47 triggered an outbound connection rule is a starting point. Without enrichment, the analyst must manually check whether that IP is associated with known threat actors, whether it has been reported for abuse, what services it exposes, and whether it appears in any threat intelligence feeds. That manual process takes 3-10 minutes per alert — time that compounds quickly when alert volumes reach hundreds per day.
With Wazuh threat intelligence integration via DFIR Platform, the enrichment happens automatically. The alert is augmented with data from 14+ sources before it reaches the analyst's screen. An IP flagged by 9 out of 14 sources with a risk score of 87 gets immediate attention. An IP flagged by zero sources with a risk score of 3 gets deprioritized. The analyst's judgment is applied to ambiguous cases, not to every alert.
Architecture Overview
The integration sits between Wazuh's alert pipeline and the DFIR Platform API:
[Wazuh Agent]
|
v
[Wazuh Manager / Alert Engine]
|
v
[Rule Match Triggers Integration]
|
+--> [integratord] --> [DFIR Platform API] --> [Enriched Alert in Wazuh Dashboard]
|
+--> [Active Response] --> [DFIR Platform API] --> [Enriched Data in Active Response Log]
Both approaches call the same DFIR Platform API endpoint (api.dfir-lab.ch/v1/ioc/enrich) and return the same normalized, multi-source enrichment data. The difference is when and how the call is triggered.
Prerequisites
- Wazuh Manager 4.x installed and running (single-node or cluster)
- Python 3.8+ on the Wazuh Manager server
- DFIR Platform API key — sign up at platform.dfir-lab.ch (free tier: 100 credits/month, no credit card required)
- The
requestsPython library installed:pip3 install requests - Network connectivity from the Wazuh Manager to
api.dfir-lab.chon port 443
Getting Started
Create a free account at platform.dfir-lab.ch and generate an API key from the dashboard. The free tier provides 100 credits per month — enough for approximately 20-33 enrichment lookups to validate the integration. For production alert volumes, the Starter plan ($29/mo for 500 credits) or Professional plan ($79/mo for 2,500 credits) will be more appropriate.
Approach 1: Wazuh Integratord
Wazuh's integratord daemon monitors alerts and forwards matching ones to external scripts. This is the simplest path to enrichment — you write a Python script that receives alert data, calls the DFIR Platform API, and logs the enriched result.
Integration Script
Create the integration script at /var/ossec/integrations/dfir-platform:
#!/usr/bin/env python3"""Wazuh integration script for DFIR Platform IOC enrichment.""" import jsonimport sysimport osimport requestsfrom datetime import datetime DFIR_API_KEY = os.environ.get( "DFIR_API_KEY", "your-dfir-platform-api-key")DFIR_API_URL = "https://api.dfir-lab.ch/v1"LOG_FILE = "/var/ossec/logs/dfir-platform-enrichment.log" def log_message(message: str): """Write a timestamped message to the enrichment log.""" timestamp = datetime.utcnow().isoformat() with open(LOG_FILE, "a") as f: f.write(f"{timestamp} - {message}\n") def enrich_ioc(ioc_type: str, value: str) -> dict: """Call DFIR Platform enrichment API.""" headers = { "X-API-Key": DFIR_API_KEY, "Content-Type": "application/json", } try: response = requests.post( f"{DFIR_API_URL}/ioc/enrich", headers=headers, json={"type": ioc_type, "value": value}, timeout=30, ) response.raise_for_status() return response.json() except requests.exceptions.RequestException as e: log_message(f"API error for {ioc_type}:{value} - {str(e)}") return {} def extract_observables(alert: dict) -> list: """Extract enrichable observables from a Wazuh alert.""" observables = [] data = alert.get("data", {}) # Source IP from network alerts src_ip = data.get("srcip") or alert.get("data", {}).get("src_ip") if src_ip and not src_ip.startswith(("10.", "172.16.", "192.168.", "127.")): observables.append(("ip", src_ip)) # Destination IP dst_ip = data.get("dstip") or data.get("dst_ip") if dst_ip and not dst_ip.startswith(("10.", "172.16.", "192.168.", "127.")): observables.append(("ip", dst_ip)) # Domain from DNS queries or URL fields domain = data.get("hostname") or data.get("domain") if domain: observables.append(("domain", domain)) # File hash from FIM or syscheck md5 = data.get("md5") or alert.get("syscheck", {}).get("md5_after") sha256 = data.get("sha256") or alert.get("syscheck", {}).get("sha256_after") if sha256: observables.append(("hash", sha256)) elif md5: observables.append(("hash", md5)) return observables def main(): """Process incoming Wazuh alert and enrich observables.""" # integratord passes alert file path as first argument alert_file = sys.argv[1] with open(alert_file, "r") as f: alert = json.load(f) rule_id = alert.get("rule", {}).get("id", "unknown") rule_desc = alert.get("rule", {}).get("description", "unknown") observables = extract_observables(alert) if not observables: log_message(f"No enrichable observables in rule {rule_id}") return for ioc_type, value in observables: log_message(f"Enriching {ioc_type}:{value} from rule {rule_id}") result = enrich_ioc(ioc_type, value) if result: risk_score = result.get("risk_score", 0) verdict = result.get("verdict", "unknown") sources_flagged = result.get("sources_flagged", 0) sources_queried = result.get("sources_queried", 0) log_message( f"Result for {ioc_type}:{value} - " f"score:{risk_score} verdict:{verdict} " f"flagged:{sources_flagged}/{sources_queried}" ) # Write enrichment data as a Wazuh alert for dashboard visibility enriched_alert = { "integration": "dfir-platform", "dfir_platform": { "ioc_type": ioc_type, "ioc_value": value, "risk_score": risk_score, "verdict": verdict, "sources_queried": sources_queried, "sources_flagged": sources_flagged, "original_rule_id": rule_id, "original_rule_description": rule_desc, }, } print(json.dumps(enriched_alert)) if __name__ == "__main__": main()Set the script as executable:
chmod 750 /var/ossec/integrations/dfir-platformchown root:wazuh /var/ossec/integrations/dfir-platformWazuh Manager Configuration
Add the integration block to /var/ossec/etc/ossec.conf:
<integration> <name>dfir-platform</name> <level>7</level> <alert_format>json</alert_format></integration>The <level>7</level> filter ensures only alerts at level 7 or above trigger enrichment. Adjust this threshold based on your alert volume and credit budget. Higher thresholds mean fewer enrichment calls (and fewer credits consumed) but may miss moderate-severity indicators.
To restrict enrichment to specific rule groups — for example, only network-related alerts — use the <group> filter:
<integration> <name>dfir-platform</name> <group>network,ids,firewall</group> <alert_format>json</alert_format></integration>Restart the Wazuh Manager to apply:
systemctl restart wazuh-managerApproach 2: Active Response Script
For cases where you want enrichment triggered by specific rules rather than broad alert categories, Wazuh's active response framework provides more granular control.
Active Response Script
Create the script at /var/ossec/active-response/bin/dfir-enrich.py:
#!/usr/bin/env python3"""Wazuh active response script for DFIR Platform enrichment.""" import jsonimport sysimport osimport requests DFIR_API_KEY = os.environ.get( "DFIR_API_KEY", "your-dfir-platform-api-key")DFIR_API_URL = "https://api.dfir-lab.ch/v1"OUTPUT_LOG = "/var/ossec/logs/active-responses.log" def main(): # Read the alert from stdin (active response protocol) input_data = sys.stdin.read() try: alert = json.loads(input_data) except json.JSONDecodeError: return # Extract the source IP from the alert src_ip = ( alert.get("parameters", {}).get("alert", {}) .get("data", {}).get("srcip") ) if not src_ip: return # Skip private IPs if src_ip.startswith(("10.", "172.16.", "192.168.", "127.")): return headers = { "X-API-Key": DFIR_API_KEY, "Content-Type": "application/json", } try: response = requests.post( f"{DFIR_API_URL}/ioc/enrich", headers=headers, json={"type": "ip", "value": src_ip}, timeout=30, ) response.raise_for_status() result = response.json() risk_score = result.get("risk_score", 0) log_entry = { "active_response": "dfir-enrich", "ip": src_ip, "risk_score": risk_score, "verdict": result.get("verdict", "unknown"), "sources_flagged": result.get("sources_flagged", 0), } with open(OUTPUT_LOG, "a") as f: f.write(json.dumps(log_entry) + "\n") except requests.exceptions.RequestException: pass if __name__ == "__main__": main()Active Response Configuration
Add to /var/ossec/etc/ossec.conf:
<command> <name>dfir-enrich</name> <executable>dfir-enrich.py</executable> <timeout_allowed>no</timeout_allowed></command> <active-response> <command>dfir-enrich</command> <location>server</location> <rules_id>5710,5712,31101,31104</rules_id></active-response>The <rules_id> field specifies which Wazuh rules trigger the enrichment. In this example:
- 5710, 5712 — SSH authentication failure rules (brute-force attempts)
- 31101, 31104 — Web server attack detection rules
Customize this list to match the rules that generate alerts with external IPs relevant to your environment.
Wazuh Threat Intelligence Integration: Custom Rules for Enriched Data
To make enrichment results visible in the Wazuh dashboard, create custom rules that parse the enrichment output. Add to /var/ossec/etc/rules/local_rules.xml:
<group name="dfir-platform,"> <rule id="100100" level="3"> <decoded_as>json</decoded_as> <field name="integration">dfir-platform</field> <description>DFIR Platform enrichment result received</description> </rule> <rule id="100101" level="10" frequency="1"> <if_sid>100100</if_sid> <field name="dfir_platform.risk_score">^[7-9][0-9]$|^100$</field> <description>DFIR Platform: High-risk IOC detected (score >= 70)</description> </rule> <rule id="100102" level="7" frequency="1"> <if_sid>100100</if_sid> <field name="dfir_platform.risk_score">^[4-6][0-9]$</field> <description>DFIR Platform: Suspicious IOC detected (score 40-69)</description> </rule> <rule id="100103" level="3" frequency="1"> <if_sid>100100</if_sid> <field name="dfir_platform.risk_score">^[0-3]?[0-9]$</field> <description>DFIR Platform: Low-risk IOC (score < 40)</description> </rule></group>These rules create tiered alert levels based on the enrichment risk score. High-risk IOCs (score 70+) generate level 10 alerts, which appear prominently in the Wazuh dashboard and can trigger further active responses — such as automated firewall blocks or ticket creation.
Example Alert Flow
Here is a concrete end-to-end scenario.
1. Alert generation. A Wazuh agent on a Linux server detects 15 failed SSH login attempts from 203.0.113.47 within 2 minutes. Rule 5712 fires at alert level 10.
2. Integration trigger. The integratord daemon matches the alert against the configured integration (level >= 7) and passes it to the dfir-platform script.
3. Observable extraction. The script extracts 203.0.113.47 as a source IP, confirms it is not a private address, and calls the DFIR Platform API.
4. Multi-source enrichment. The API queries 14+ sources in parallel: AbuseIPDB returns 127 reports in the last 90 days. Three threat intelligence feeds flag the IP as a known brute-force source. Passive DNS shows the IP has hosted multiple domains associated with scanning infrastructure. Geolocation places it in a data center in Eastern Europe.
5. Enriched alert. The script outputs a JSON alert with risk_score: 91, verdict: malicious, sources_flagged: 11. Wazuh ingests this as a new alert, which matches custom rule 100101 (high-risk IOC, level 10).
6. Dashboard visibility. The SOC analyst sees both the original SSH brute-force alert and the enrichment alert in the Wazuh dashboard. The enrichment data confirms the source IP is a known malicious actor. The analyst authorizes a firewall block with confidence, without needing to manually query any external service.
Credit Management and Optimization
DFIR Platform enrichment consumes approximately 3-5 credits per lookup. For a Wazuh deployment generating hundreds of alerts per day, credit management matters.
Filter aggressively. Use the <level>, <group>, and <rules_id> filters to restrict enrichment to alerts that actually contain external indicators worth checking. Internal-only alerts, compliance events, and informational logs do not benefit from IOC enrichment.
Deduplicate at the script level. The integration script can maintain a simple in-memory or file-based cache of recently enriched IOCs. If 203.0.113.47 was enriched 5 minutes ago, skip the API call and reuse the cached result. A 30-60 minute cache TTL balances freshness against credit consumption.
Start with targeted rules. Begin by enabling enrichment for 3-5 high-value rule IDs. Monitor the credit usage in the DFIR Platform dashboard for a week, then expand coverage as you understand the volume.
Upgrade when ready. The free tier (100 credits/month) is sufficient for proof-of-concept. For production Wazuh deployments, the Starter plan at $29/month provides 500 credits, and the Professional plan at $79/month provides 2,500 credits — enough for continuous enrichment across moderate to high alert volumes.
Conclusion
Wazuh detects threats. DFIR Platform contextualizes them. The integration — whether through integratord for broad enrichment or active response for targeted lookups — transforms raw alerts into actionable intelligence by adding multi-source reputation data, risk scores, and abuse history from 14+ sources.
The setup requires one Python script, one configuration block in ossec.conf, and one API key. From there, every qualifying alert arrives with the context an analyst needs to make a fast, confident triage decision.
Sign up for a free account at platform.dfir-lab.ch — 100 credits per month, no credit card required. Use code LAUNCH50 for 50% off your first paid month on Starter or Professional plans.