Best Wazuh Configuration for Enhanced Threat Detection in your SIEM
Posted in SIEM and Log Monitoring
Configuring Wazuh SIEM
The evolving cyber threat landscape demands security tools that adapt quickly and offer deeper visibility into endpoints and network activity. Wazuh, an open-source Security Information and Event Management (SIEM) solution, has become indispensable for many businesses looking for a way to collect and correlate security events at scale. Yet even with Wazuh’s strong foundational coverage of standard Windows event logs, more specialized threat detection can be achieved by integrating Sysmon and LDAP logging into your environment. The result, when you are configuring Wazuh SIEM, is a comprehensive, layered detection strategy that helps uncover malicious behavior early and effectively.
In this blog post, I want to expand on another post I made last year and explore why integrating Sysmon and LDAP logging into your Wazuh SIEM configuration can dramatically broaden your detection capabilities. I will discuss how Sysmon provides highly granular endpoint monitoring and how LDAP logs allow defenders to track suspicious network-based queries, such as those seen during domain enumeration. Combining these data sources creates a deeper and more resilient security posture.
Background on Wazuh as an Open-Source SIEM
Wazuh excels at collecting logs from various endpoints, analyzing them in near real-time, and generating alerts when suspicious patterns emerge. By default, it monitors the key Windows event log channels: Security, System, Application, and a few operational channels. These logs give insight into system events such as user authentications, system configuration changes, and other activities that might signal potential security issues.
However, most modern threat actors use techniques beyond the scope of basic Windows events. Attackers often employ covert methods, such as leveraging native executables for malicious purposes or stealthy enumeration of Active Directory. While Wazuh’s default coverage provides a solid start, expanding it to capture Sysmon logs and LDAP queries can drastically improve detection of these more advanced tactics.
Importance of Sysmon for Endpoint Visibility
Sysmon, a tool from Microsoft Sysinternals, is renowned for offering comprehensive visibility into processes, image loads, and network connections on Windows hosts. Where standard Windows event logs might only show high-level data, Sysmon digs into intricate details. For instance, it tracks process creation and command-line arguments in ways that make suspicious behavior easier to spot.
When attackers seek to gain persistence or execute malicious code, they often rely on subtle system changes or new processes spawning under unusual circumstances. Sysmon’s granular logs excel at catching these anomalies. Many organizations have learned that relying only on Windows event logs can allow stealthy threats to slip past defenses. Sysmon closes this visibility gap by surfacing low-level events that general logs typically miss.
SwiftOnSecurity’s Baseline Configuration
Despite Sysmon’s power, configuring it without care can generate noise to the point of overwhelming analysts and storage systems. A popular option is SwiftOnSecurity’s baseline configuration, which aims to capture critical events while reducing the amount of unhelpful “chatter.” It focuses on relevant process creation and network activity without setting up overly broad registry monitoring. Starting with a baseline, you can fine-tune which events you must investigate, balancing visibility and performance.
Integrating Sysmon when Configuring Wazuh SIEM
Once you have Sysmon running on your Windows endpoints, the next step is to pull these enhanced logs into Wazuh. The default Wazuh configuration uses only standard event channels, so you need to add the Sysmon event log channel to ossec.conf. You can do this on each agent directly or deploy the changes through the centralized management console. This process ensures that Sysmon’s channel is recognized and included in Wazuh’s data ingestion pipeline.
After configuring the agent, Sysmon events should start flowing to your Wazuh server. These entries will appear under a new “Sysmon” source, helping analysts differentiate them from standard Windows events. This expanded data set gives your security team deeper insights into endpoint behavior.
Tuning Sysmon-Related Rules
Wazuh already includes a set of default Sysmon rules that help identify noteworthy events, such as suspicious command-line usage or anomalous process behaviors. While these default rules offer a head start, fine-tuning them is key to reducing unwanted alerts. For instance, if you rarely use WinRM in your environment, you can configure a rule to flag or block WinRM-based process creation attempts. Similarly, you could monitor certutil.exe usage, which attackers commonly exploit for downloading payloads or obfuscating communications.
“One of the biggest challenges we see is that organizations underestimate the power of Sysmon logs for proactively identifying malicious behavior. With the right tuning, these logs can be a game changer for security teams,” says Jake Otte, Security Engineer at Tanner Security.
Creating custom rules in Wazuh is straightforward once you understand Sysmon’s event IDs. For example, Event ID 1 corresponds to Process Creation, making it easy to filter and alert on high-integrity shells. By leveraging these event IDs and focusing on processes or command-line patterns tied to known attacker techniques, your alerts become more targeted and less prone to false positives.
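Custom rules of the kind described in the two paragraphs above (certutil.exe usage, WinRM-spawned processes, high-integrity shells), as an added example that is not code from this post or from the Wazuh ruleset. It assumes the stock ruleset's `sysmon_event1` group for Sysmon Event ID 1, the agent's default `win.eventdata.*` field names, and placement in `/var/ossec/etc/rules/local_rules.xml`:

```xml
<group name="local,sysmon,">

  <!-- Added example (not from the post or the Wazuh project). Assumes the
       stock ruleset's group "sysmon_event1" (Sysmon Event ID 1, process
       creation) and the default camelCase eventdata field names.
       IDs 100000 and above are reserved for custom rules. -->

  <!-- certutil.exe started with switches that fetch or de/encode content -->
  <rule id="100100" level="10">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image" type="pcre2">(?i)\\certutil\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)-urlcache|-decode|-encode</field>
    <description>Sysmon - certutil.exe with download/encoding switches: $(win.eventdata.commandLine)</description>
    <mitre><id>T1105</id></mitre>
    <group>certutil_abuse,</group>
  </rule>

  <!-- Process spawned by the WinRM provider host; lower the level or add
       exceptions if WinRM is part of normal administration -->
  <rule id="100101" level="8">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\wsmprovhost\.exe$</field>
    <description>Sysmon - process created via WinRM: $(win.eventdata.image) by $(win.eventdata.user)</description>
    <mitre><id>T1021.006</id></mitre>
    <group>winrm_process,</group>
  </rule>

  <!-- Interactive shells running at High integrity (elevated cmd/PowerShell) -->
  <rule id="100102" level="6">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image" type="pcre2">(?i)\\(cmd|powershell|pwsh)\.exe$</field>
    <field name="win.eventdata.integrityLevel">^High$</field>
    <description>Sysmon - high-integrity shell started: $(win.eventdata.commandLine)</description>
    <group>elevated_shell,</group>
  </rule>

</group>
```

Restart the manager after saving and feed a captured Sysmon Event ID 1 record through `wazuh-logtest` to confirm the intended rule fires before relying on it.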
Enhancing Detection with LDAP Logging
While Sysmon provides detailed insight at the endpoint level, many attacks also involve suspicious manipulation or querying of Active Directory (AD). Most famously, attackers can enumerate accounts, look for Kerberoastable Service Principal Names (SPNs), or discover objects vulnerable to privilege escalation. These techniques often rely on LDAP queries to the Domain Controller. By default, Windows DCs do not log incoming LDAP queries in a way that surfaces all potential reconnaissance attempts. As a result, suspicious LDAP traffic can remain invisible to your SIEM.
To remedy this, you can enable LDAP query and bind logging by making specific registry changes on your Domain Controllers. Once enabled, Windows produces Event ID 1644 in the Directory Service event channel for each LDAP query that meets specific performance thresholds. If you lower these thresholds to “1,” practically every incoming LDAP query will trigger an event. While this captures a trove of data, be aware of potential increases in event volume. Depending on your environment, you may need to adjust thresholds more conservatively.
Integrating LDAP Logs into Wazuh
Like Sysmon, LDAP logging requires additional steps to ingest these new events into Wazuh. You can modify ossec.conf locally on each Domain Controller, or batch deploy the changes. Adding the Directory Service channel to the agent configuration tells the agent to collect the Event ID 1644 entries. However, simply enabling the channel will not automatically generate alerts. You must craft rules that tell Wazuh how to categorize and respond to different LDAP events.
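The agent-side configuration for both channels discussed so far (the Sysmon channel from the earlier integration section and the Directory Service channel here), as an added example that is not taken from the post. It assumes the standard Windows channel names and that the Directory Service stanza is deployed only to Domain Controllers:

```xml
<ossec_config>

  <!-- Added example (not from the post). Channel names are those shown in
       the Windows Event Viewer; the Directory Service channel exists only
       on Domain Controllers, so ship that stanza to DCs only. -->

  <!-- Sysmon: forward the whole operational channel -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Directory Service: the XPath query keeps only Event ID 1644 (LDAP
       search logging) so the other NTDS diagnostic events are not shipped -->
  <localfile>
    <location>Directory Service</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=1644]</query>
  </localfile>

</ossec_config>
```

For centralized deployment the same two `<localfile>` stanzas go inside an `<agent_config os="Windows">` block in the manager's shared `agent.conf`, which the agents pull on their next check-in.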
One catch: the current Wazuh release has a known issue with log testing for newly added channels like Directory Service. If you attempt to test your new rule via the browser interface or wazuh-logtest, it might not behave as expected until you adjust the parent Windows rule. Despite this minor inconvenience, the data pipeline flows seamlessly once you set everything up correctly.
Crafting LDAP-Specific Rules
The first layer of your LDAP logging strategy could be filtering out “loopback” queries sourced by the Domain Controller. This step helps you zero in on genuine remote queries, which are more likely to signal possible reconnaissance. You can refine your rules to highlight queries from standard user accounts, since attackers often rely on an initially compromised user to enumerate AD.
Beyond basic filtering, consider identifying queries that reveal sensitive data, such as requests for Kerberoastable SPNs or Constrained Delegation principals. Look for patterns like “servicePrincipalName” or “TrustedToAuthForDelegation” in the query string. These markers often correlate with attempts to escalate privileges or carry out lateral movement across the domain. By capturing and alerting on these patterns, you significantly raise the difficulty level for attackers trying to move under the radar.
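The two rule layers described above (drop the Domain Controller's own loopback queries, then alert on filters that touch SPN or delegation attributes), as an added example that is not code from this post or from the Wazuh ruleset. It assumes the stock base rule 60000 for Windows eventchannel logs, matches on the full 1644 message text in the layout "Client: <ip>:<port> ... Filter: (<ldap filter>) ...", and uses 10.0.0.5 as a constructed stand-in for the DC's own address:

```xml
<group name="local,windows,ldap,">

  <!-- Added example (not from the post or the Wazuh ruleset). Assumes the
       stock base rule 60000 for Windows eventchannel logs. 10.0.0.5 is a
       constructed placeholder for the DC's own address; replace it. -->

  <!-- Layer 1: any 1644 whose client is NOT the DC itself. negate="yes"
       turns the loopback filter into an exclusion, so ordering of sibling
       rules does not matter. -->
  <rule id="100200" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Directory Service$</field>
    <field name="win.system.eventID">^1644$</field>
    <field name="win.system.message" type="pcre2" negate="yes">Client:\s+(127\.0\.0\.1|\[?::1\]?|10\.0\.0\.5):</field>
    <description>LDAP search from a remote client logged by the DC (Event ID 1644)</description>
    <group>ldap_query,</group>
  </rule>

  <!-- Layer 2: search filters that reveal Kerberoastable SPNs or delegation
       settings. msDS-AllowedToDelegateTo (constrained delegation targets) is
       added here beyond the two markers named in the post. -->
  <rule id="100201" level="10">
    <if_sid>100200</if_sid>
    <field name="win.system.message" type="pcre2">(?i)Filter:[^\n]*(servicePrincipalName|TrustedToAuthForDelegation|msDS-AllowedToDelegateTo)</field>
    <description>LDAP reconnaissance: search filter targets SPN or delegation attributes</description>
    <mitre><id>T1558.003</id></mitre>
    <group>ldap_recon,</group>
  </rule>

</group>
```

Because the post notes that `wazuh-logtest` can misbehave for the Directory Service channel until the parent Windows rule is adjusted, verify rule 100200 fires on a real forwarded 1644 event before trusting the tuning.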
Practical Use Cases and Attack Detection Scenarios
Sysmon and LDAP logs help defenders by providing extensive coverage of both host-level behavior and domain-level queries. For example, a typical attack sequence might begin with a phishing payload that spawns a new PowerShell process (captured by Sysmon’s Process Creation event). The attacker could then query AD for SPNs to start Kerberoasting (picked up by LDAP logging). When these correlated alerts appear in Wazuh, security teams gain a near “real-time” timeline of the breach pathway, making disrupting the attacker’s activities easier before significant damage occurs.
This synergy is equally valuable in spotting lateral movement: Sysmon captures suspicious processes launched via remote protocols, and LDAP logs reveal unusual user account queries. By joining these data sources, defenders can more confidently determine which actions merit immediate quarantine, investigation, or further forensic analysis.
Conclusion: Configuring Wazuh SIEM
As attackers refine new tactics, companies need equally robust defenses combining visibility at the endpoint level and within the network fabric. Wazuh’s open-source nature already provides a flexible backbone for SIEM capabilities, and layering in Sysmon logs and LDAP query analysis takes threat detection to the next level. These enhanced detections help identify everything from advanced malware and living-off-the-land techniques to unauthorized Active Directory reconnaissance.
However, unlocking the full potential of Sysmon and LDAP logging requires a thoughtful approach. Configuration and tuning are critical to capture legitimate threats without overwhelming your team with noise. The reward is a unified, powerful threat detection system that shines a spotlight on suspicious activity wherever it occurs in your environment. Adopting this layered approach significantly improves businesses’ ability to detect, investigate, and respond to cyber threats before they escalate.