Wazuh Advanced Training

3 days (24 hours total)


Day 1 — Advanced Architecture & Detection Engineering (8h)

Chapter 1: Advanced Wazuh Architecture (1h)

  • Multi-manager topologies
  • Distributed indexer clusters
  • HA strategies
  • Load balancing

Chapter 2: Advanced Agent Behavior (1h)

  • Agent internal queues
  • Log batching
  • Secure enrollment tokens
  • Agentless SSH-based monitoring (deep dive)

Chapter 3: Deep Dive into Decoders (2h)

  • Chained decoders
  • Regex optimization
  • JSON/XML/YAML parsing
  • Using wazuh-logtest for profiling

Chapter 4: Detection Engineering with Custom Rules (2h)

  • Writing high-fidelity rules
  • Thresholding & correlation
  • Dynamic fields
  • Multi-event correlation patterns
  • Testing accuracy vs noise

Chapter 5: Zero-Noise Ruleset Tuning (2h)

  • Noise source identification
  • Module-level tuning (FIM, SCA, Syscollector, Vulnerabilities)
  • Log pipeline suppression
  • Scaling ruleset performance

Day 2 — Threat Intelligence, Integrations & Pipelines (8h)

Chapter 6: Threat Intelligence Integration (2h)

  • MISP integration
  • STIX/TAXII feeds
  • Custom IOC lists
  • Reputation-based alerting

Chapter 7: Advanced Log Pipelines (2h)

  • Multi-source log ingestion
  • Remote syslog architectures
  • Log normalization strategy
  • Performance considerations

Chapter 8: Cloud & Container Security (2h)

  • AWS CloudTrail & Config
  • Azure Activity Logs
  • Kubernetes auditing
  • Docker runtime logs

Chapter 9: External Analytics & SIEM Integration (2h)

  • Splunk
  • Elastic federated search
  • Loki/Grafana stack
  • Forwarding Wazuh alerts to external SIEMs

Day 3 — Operations, Security Hardening & Automation (8h)

Chapter 10: Wazuh Manager Hardening (1h)

  • TLS for all components
  • API security hardening
  • Role-based access
  • Secrets storage

Chapter 11: Indexer Optimization & Scaling (1h)

  • Shards & replicas design
  • Hot/warm/cold storage
  • Curator strategies
  • High-ingest tuning

Chapter 12: Automated Operations (2h)

  • Terraform deployment of Wazuh
  • Ansible collections
  • Automated agent rollout
  • Continuous configuration enforcement

Chapter 13: Advanced Dashboards & Visualizations (2h)

  • Custom dashboards
  • Threat-hunting views
  • Correlation visualizations
  • SLA monitoring dashboards

Chapter 14: Incident Response Workflow Integration (2h)

  • SOAR platforms
  • Automated ticketing (Jira, ServiceNow)
  • Enrichment hooks
  • Playbook triggers