
It's important that you see this short announcement and welcome message. Please check the messages we always send through this channel.
In this lesson, you'll see firsthand the steps for a quick Wazuh installation using a single virtual machine or server. This deployment method can be useful for practice and for companies with a small number of agents or devices to monitor.
In this class we will learn how to install Wazuh by separating each component into a separate virtual machine; we will use one VM for the dashboard, one for the server, and another for the indexer.
In this lesson, we'll see the Wazuh installation process broken down by component, but using multiple virtual machines in cluster mode, a design for large enterprise environments with many agents or endpoints. The lesson includes an explanation of how to use HAProxy for load balancing across the nodes.
In this class we will look at installing Wazuh in Docker mode. This is a fairly easy installation, but accessing the configuration files later can be more complex.
People often fail to grasp the importance of this first step. You shouldn't do anything in Wazuh until you've properly created all the necessary groups; this will save you time and effort. In this lesson, you'll learn the how and why of this practice.
In this video we will learn how to create a personal account with administrator rights in Wazuh
Create read-only user account
In this class we will learn how to install agents in the easiest way using the wizard or form provided by Wazuh
In this class you will learn how to remove a Wazuh agent if you have already removed it from the endpoint or if it is an endpoint that will no longer be used.
In this class you will learn how to change or migrate an agent from one group to another.
In this lesson, you will learn how to update the agent version if your Wazuh server has been updated to a new version. If you don't update the agents, they may not be sending all the expected information.
In this class you will learn how you can schedule the installation of agents across your company's network using domain policies; this is ideal for companies with many endpoints joined to a domain.
In our company, we likely have equipment and systems that don't allow agent installation, for example, your firewall, a smart switch, an access point, etc. These devices still generate logs, and you can share this data with Wazuh; I'll explain how here.
The ossec.conf file is at the heart of everything, the file we'll be using most to configure Wazuh, so in this lesson I'll give you a tour of all the configuration blocks in the file.
The Discover section on the Wazuh management website allows us to view events in real time. It's important to know how to configure it and create the necessary templates for better event visualization.
In this video I'll show you how to use this testing tool, as it will be very useful for verifying if our rules are working as expected.
In this class you will learn how you can prepare your server to simulate events according to your needs for testing purposes.
To begin this section, it's necessary to give an introduction to the topic. Here's what it's about.
In this lesson I show you step by step how we can make a rule and decoder for an event that Wazuh does not detect by default.
Correlation rules demonstrate advanced knowledge in rule creation; here you will learn to create some example rules and with them you can develop your own ideas.
In this class we will see another case in which we can use correlation rules.
In this class we learn how to use CDB lists and how to create various rules that utilize this information.
In this class I teach you how to create the "silencer" rules that are used to make Wazuh ignore or skip alerts or events that are false positives or network noise.
Creating our automatic rule generator and decoders
In this class you will learn how to configure Wazuh so that it can send email notifications.
In this class you will learn about other custom configurations to send specific emails for specific alerts.
In this video we will be learning about the vulnerability module
How to upgrade to Ubuntu Pro to fix vulnerabilities
In this class we will be building together a new rule to alert us to any detected vulnerabilities.
In this video we will learn what the FIM module does and how to configure it
In this video, I'll show you how we can set up monitoring configurations directly from the Wazuh server, avoiding the need to access the end-user devices.
In this video we will learn how we can add more information to a file modification alert and detect exactly what was modified in terms of text.
We will learn how to use the Who-Data tag to obtain information about the user who made the modification.
In this video I explain the steps to configure Sysmon on your agents with the Windows operating system
In this video I show you how we can apply what we learned in this FIM module session to different examples.
In this class we will show the steps for integration with VirusTotal as a basis for understanding how integrations work, which makes the following ones easier to understand.
In this class we will learn how to use the Kaspersky TI platform to scan or check files for viruses; this is an alternative for those not using VirusTotal.
In this class we will be learning how to use an AI model like Gemini to achieve an enrichment of the important events that are detected in our network.
In this class we can learn how to combine the functionalities of our integrations so that they work together and give us better results.
In this lesson, you'll learn how to expand Wazuh's detection capabilities using AlienVault OTX knowledge sources. I forgot to mention that you need to obtain the API key to use OTX by registering on the website otx.alienvault.com
In this class you will learn how to integrate Wazuh and AbuseIPDB for greater detection and correlation capabilities.
In this lesson I'll show you how you can integrate Wazuh with Telegram for real-time notifications of important alerts.
In this class we will learn about Shodan, a threat intelligence platform that can also provide information to Wazuh.
In this video you can see how we can listen to Windows Defender virus detection events in Wazuh.
In this lesson we will look at how we can achieve integration with MalwareBazaar.
In this class you will learn how to integrate Wazuh with ESET Antivirus so that you are informed of events occurring on your network with virus detection.
In this video I share some ideas on how you can put the current integrations made in class into production.
In this lesson I'll show you how you can start receiving alerts about vulnerabilities detected by OpenVAS in Wazuh.
In this class I show you how to implement an integration with Snusbase to detect data exfiltration.
In this class we teach you how we can deploy active response scripts to agents in a centralized manner.
This course contains the use of artificial intelligence!
Are you ready to master the world's most powerful open-source cybersecurity platform and take your career to the next level?
Wazuh isn't just a free SIEM; it's a complete Extended Detection and Response (XDR) platform capable of unifying the security of complex infrastructures, from on-premises servers to hybrid clouds. In this Wazuh Masterclass, you'll learn to design, implement, and manage an active defense infrastructure from a professional engineering perspective.
This course is designed to break down the barrier between "installing a tool" and "managing cybersecurity." Throughout the modules, we'll cover the entire security lifecycle: from designing scalable, high-availability architectures to advanced integration with external threat hunting and response orchestration platforms. We won't just scratch the surface; we'll delve into detection engineering, teaching you how to create custom decoders and rules that identify attacks that go undetected by traditional systems.
What makes this course unique: Unlike other courses, we won't just be showing you what you can easily read in the official documentation. Instead, I'll be applying that knowledge to real-world scenarios that you can use in your professional environment to demonstrate your skills and learning. I intend for this to be the best Wazuh course on all of Udemy.
Don't forget to join our Telegram channel where we support students.