- PERSONA: Wazuh / SOC Engineer
- CATEGORY: Integration
- ENDPOINTS: 3 used
- UPDATED: April 2026
Alert enrichment for Wazuh
Raw alerts force manual lookup
- Hundreds of alerts/day, each with IPs or domains needing manual TI lookup.
- No native way for Wazuh to pull external reputation data into an alert before it reaches the analyst.
- Per-source TI integrations mean per-source keys, quotas, and script code — enough friction that most teams skip it entirely.
The endpoints that solve it
Multi-source enrichment endpoint
Accepts an `indicators[]` array extracted from the Wazuh alert (srcip, dstip, domain, hash). Returns a normalized verdict aggregated across up to 11 integrated sources.
integratord integration
Standard Wazuh `<integration>` block in ossec.conf, optionally scoped to a rule group or minimum level, so you only enrich alerts that warrant a credit spend.
Active-response alternative
Same API call, but triggered as an active-response command on specific rule IDs — useful when you want enrichment only on narrowly scoped detections (e.g. malware-related rule group).
ossec.conf `<integration>` block + a small script

```xml
<!-- /var/ossec/etc/ossec.conf -->
<integration>
  <name>custom-dfir-platform</name>
  <hook_url>https://api.dfir-lab.ch/v1/enrichment/lookup</hook_url>
  <api_key>REPLACE_WITH_DFIR_API_KEY</api_key>
  <level>7</level>
  <group>attacks,malware,ids</group>
  <alert_format>json</alert_format>
</integration>
```

- 01 Step 01
Declare the integration
Add `<integration>` to ossec.conf scoped by `<level>` and `<group>` so only alerts worth enriching are forwarded to the API.
- 02 Step 02
Drop in the script
`/var/ossec/integrations/custom-dfir-platform` — a small Python script that extracts observables, POSTs to /v1/enrichment/lookup with `Authorization: Bearer <api_key>`, and logs the enriched result.
Step-by-step walkthrough with configuration, error handling, and deployment notes.
Pricing that tracks your workload

Three ways to evaluate

- 01 Narrow scope — 30 high-level alerts/day, 1 IOC each
  30 × 30 × 3 credits = 2,700 credits/month
  Professional ($99, 2,500 credits) with a small top-up.
- 02 Typical SOC — 150 filtered alerts/day, 2 IOCs each
  150 × 2 × 30 × 3 credits = 27,000 credits/month
  Enterprise (custom) — or cache results per indicator with a TTL to cut API volume by 5–10x.
- 03 Evaluation — narrow rule group, ~10 alerts/day
  10 × 30 × 3 credits = 900 credits/month
  Starter ($29, 500) covers about half a month; Professional for steady coverage.
Frequently asked
- Q / 01
- integratord for broad, alert-volume enrichment (filtered by `<level>` and `<group>`). Active-response for narrow, targeted enrichment tied to specific rule IDs. Many teams deploy both: integratord for the main pipeline, active-response for rules where the enriched result feeds an automated action.
- Q / 02
- Yes. The integration uses the standard integratord daemon shipped with Wazuh Manager 4.x. The article walks through ossec.conf placement, script permissions, and restart procedure.
- Q / 03
- Filter hard at the `<integration>` block — `<level>` and `<group>` cut out the long tail of low-value alerts. Cache enrichment results per indicator for 12–24 hours on disk to avoid re-hitting the API on repeat offenders.
- Q / 04
- Yes — the integration script can write a synthetic alert (or append a `data.dfir_platform` field) back into the Wazuh pipeline so the enrichment shows up alongside the original alert in the dashboard.
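The script from Step 02 together with the per-indicator TTL cache and the `data.dfir_platform` write-back described in the answers above, as an added example (not the platform's own integration script). It follows the Wazuh custom-integration argument convention (alert file, api_key, hook_url); the location of observables under `alert["data"]`, the request body `{"indicators": [...]}` and a response of the form `{"results": [{"type", "value", "verdict"}]}` are assumptions, and the cache is a plain dict, so persisting it to disk between invocations is left to the deployment.

```python
import json
import sys
import time
from urllib import request

# Observable fields named on the page; their location under alert["data"] is an assumption.
FIELDS = {"srcip": "ip", "dstip": "ip", "domain": "domain", "hash": "hash"}

def extract_indicators(alert: dict) -> list:
    """Return de-duplicated {"type", "value"} entries found in alert["data"]."""
    data, seen, out = alert.get("data", {}), set(), []
    for field, kind in FIELDS.items():
        value = data.get(field)
        if value and (kind, value) not in seen:
            seen.add((kind, value))
            out.append({"type": kind, "value": value})
    return out

def post_json(url: str, api_key: str, body: dict) -> dict:
    """Real transport: Bearer-authenticated JSON POST (swapped for a stub in tests)."""
    req = request.Request(url, data=json.dumps(body).encode(), method="POST",
                          headers={"Authorization": f"Bearer {api_key}",
                                   "Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def enrich(alert, api_key, hook_url, cache, post=post_json, ttl=12 * 3600, now=time.time):
    """Look up only indicators not cached within ttl; set data.dfir_platform on the alert."""
    indicators = extract_indicators(alert)
    pending = [i for i in indicators
               if (i["type"], i["value"]) not in cache
               or now() - cache[(i["type"], i["value"])]["ts"] > ttl]
    if pending:
        # Assumed response shape: {"results": [{"type", "value", "verdict"}]}
        for r in post(hook_url, api_key, {"indicators": pending}).get("results", []):
            cache[(r["type"], r["value"])] = {"verdict": r["verdict"], "ts": now()}
    verdicts = {f'{i["type"]}:{i["value"]}': cache[(i["type"], i["value"])]["verdict"]
                for i in indicators if (i["type"], i["value"]) in cache}
    alert.setdefault("data", {})["dfir_platform"] = verdicts
    return alert

if __name__ == "__main__":
    # integratord invokes: <script> <alert_file> <api_key> <hook_url>
    with open(sys.argv[1]) as f:
        enriched = enrich(json.load(f), sys.argv[2], sys.argv[3], cache={})
    print(json.dumps(enriched))  # log the enriched alert for the pipeline
```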
Stop triaging by hand.
Create a free account — 100 credits per month, no credit card. Or keep browsing to find the use case that matches your workflow.