TL;DR: A Wazuh SIEM and XDR deployment built across four layers (manager and agents, active response, network monitoring, traffic filtering) to move an environment from reactive log review to automated detection and response. Sanitized rules and decoders are public, linked at the end.
The architecture, in the order the layers depend on each other:
Layer 1 Manager + agents -> broad endpoint coverage, secure agent comms, central dashboard
Layer 2 Active response -> auto-block/mitigate brute force and unauthorized access
Layer 3 Network monitoring -> real-time log/network watch, correlation across signals
Layer 4 Traffic filtering -> block known-bad IPs, domains, signatures; updated on intel
Before this deployment, the environment looked like most: fragmented visibility, log review that depended on someone actually doing it, and no automated response for the threats that show up constantly: brute force, unauthorized access, malicious traffic. That means you find out late and every response starts cold. The goal was not to install a platform. It was to build a monitoring and response layer that acts on its own.
Layer 1: manager, agents, and the dashboard
The foundation is the Wazuh manager with agents deployed across endpoints for broad coverage, a dashboard centralizing alerting and rule management, and secure communication between manager and agents (each agent is enrolled with its own key and manager-agent traffic is encrypted) so the monitoring data itself cannot be tampered with in transit. Get this layer wrong and everything above it is built on unreliable signal.
Layer 2: active response, and where it earns its keep
Active response rules target higher-risk behavior (brute force, unauthorized access) and are designed to block or mitigate automatically. The part that separates a useful deployment from a noisy one is the refinement: the rules get tested and tuned to stay reliable while keeping false positives down. Two controls worth setting from day one: an allowlist for management and monitoring addresses, so automation can never lock out the people running the platform, and a timeout on the block, so a false positive undoes itself instead of persisting until someone notices. Active response that fires on legitimate activity gets ignored within a week, which is worse than no automation at all, because now nobody trusts the alerts either.
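To make the tuning concrete, here is a Wazuh-style active response script written for this post as an added example; it is not code from the deployment or from the Wazuh project. It follows the Wazuh 4.x execd protocol (the alert arrives as one JSON object on stdin with "command" set to "add" or "delete", and an "add" must answer with "check_keys" and wait for "continue" before acting; confirm the shape against the docs for your version). The allowlist, the iptables arguments, the `firewall-drop` origin name and the sample alert are this example's own choices.

```python
"""Wazuh-style active response script (added example, not the post's code).

execd hands the triggering alert to the script as one JSON object on stdin:
"command" is "add" (apply the block) or "delete" (undo it when the configured
timeout expires). For "add", the script replies with a "check_keys" message and
waits for "continue" or "abort" before touching the firewall.
"""
import ipaddress
import json
import subprocess
import sys

# Assumption: networks that must never be blocked by automation (jump hosts,
# the manager, monitoring). Tune to your own environment.
ALLOWLIST = ("10.0.0.0/8", "192.0.2.0/24")

# Constructed execd message, trimmed to the fields this script reads.
SAMPLE_ADD = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {"rule": {"id": "5712", "level": 10},
                  "data": {"srcip": "198.51.100.23", "dstuser": "root"}},
        "program": "active-response/bin/firewall-drop",
    },
})


def parse_message(raw):
    """Parse one execd message; reject anything that is not a v1 add/delete."""
    msg = json.loads(raw)
    if msg.get("version") != 1 or msg.get("command") not in ("add", "delete"):
        raise ValueError("unexpected execd message")
    return msg


def source_ip(msg):
    """The alert's srcip as an ip_address, or None if absent or malformed."""
    alert = msg.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    try:
        return ipaddress.ip_address(srcip) if srcip else None
    except ValueError:
        return None


def is_allowlisted(ip, allowlist=ALLOWLIST):
    """Loopback and allowlisted networks are never blocked, even on a real hit."""
    return ip.is_loopback or any(ip in ipaddress.ip_network(n) for n in allowlist)


def build_command(msg, allowlist=ALLOWLIST):
    """Map add/delete to an iptables argv, or None when nothing should run."""
    ip = source_ip(msg)
    if ip is None or is_allowlisted(ip, allowlist):
        return None
    action = "-I" if msg["command"] == "add" else "-D"
    return ["iptables", action, "INPUT", "-s", str(ip), "-j", "DROP"]


def main():
    msg = parse_message(sys.stdin.readline())
    argv = build_command(msg)
    if argv is None:
        return 0
    if msg["command"] == "add":
        # Let execd deduplicate: if this key is already pending it answers "abort".
        sys.stdout.write(json.dumps({
            "version": 1,
            "origin": {"name": "firewall-drop", "module": "active-response"},
            "command": "check_keys",
            "parameters": {"keys": [argv[4]]},
        }) + "\n")
        sys.stdout.flush()
        reply = json.loads(sys.stdin.readline())
        if reply.get("command") != "continue":
            return 0
    subprocess.run(argv, check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The decision is kept in `build_command`, separate from the stdin/stdout handshake, so the allowlist and the "delete undoes exactly what add did" behaviour can be unit-tested against captured alerts before the script is ever wired into the manager.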
Layer 3: network and log monitoring
Real-time monitoring of system logs and network activity watches for the patterns that matter: unusual logins, unexpected outbound connections, privilege escalations. Existing monitoring signals are integrated so the system can correlate across sources instead of treating each in isolation. Correlation is where you catch the things a single log never shows you.
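An added example of the kind of cross-source correlation described above, written for this post rather than taken from the deployment's rule set: a successful SSH login from an address the user has never logged in from, followed within ten minutes by sudo to root on the same host, raises one alert that neither log line would on its own. In Wazuh this would be a rule chain plus a list of known source addresses; the Python below shows the logic. The log lines, the baseline of known addresses and the window are all constructed for the example.

```python
"""Cross-source correlation (added example, not the post's rules): sshd login
from a new source for that user, then sudo to root on the same host within a
window. Log lines are constructed samples in syslog format.
"""
import re
from datetime import datetime, timedelta

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r".*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
YEAR = 2024  # syslog timestamps carry no year; assumption for the sample

# Constructed baseline: addresses each user normally logs in from.
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.11"}}

# Constructed log lines from two sources (sshd and sudo) on two hosts.
SAMPLE_LOGS = """\
Mar 12 10:15:01 web01 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar 12 10:15:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 11:02:13 web01 sshd[1340]: Accepted password for bob from 203.0.113.7 port 41233 ssh2
Mar 12 11:03:05 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/bash
Mar 12 13:30:00 db01 sshd[2210]: Accepted password for bob from 203.0.113.9 port 41900 ssh2
Mar 12 14:05:00 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/bash
"""


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def correlate(lines, window=timedelta(minutes=10), known=KNOWN_SOURCES):
    """Return one alert per (new-source login, sudo root) pair inside the window."""
    pending = {}  # (host, user) -> (login time, source ip) awaiting a sudo
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            key = (m["host"], m["user"])
            if m["ip"] not in known.get(m["user"], set()):
                pending[key] = (parse_ts(m["ts"]), m["ip"])
            else:
                pending.pop(key, None)  # a baseline login resets the chain
            continue
        m = SUDO_RE.match(line)
        if m and m["target"] == "root":
            key = (m["host"], m["user"])
            if key in pending:
                t0, ip = pending.pop(key)
                if parse_ts(m["ts"]) - t0 <= window:
                    alerts.append({"host": m["host"], "user": m["user"],
                                   "srcip": ip, "command": m["cmd"]})
    return alerts
```

On the sample, only bob's session on web01 alerts: alice's login came from her baseline address, and bob's later sudo on db01 falls outside the window. The window and the "known sources" set are the two knobs that decide how noisy this rule is, and both deserve to be tuned on real history before the alert is allowed to drive any active response.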
Layer 4: traffic filtering
Custom filtering rules detect and block unwanted patterns (known malicious IPs, suspicious domains, harmful signatures), and they get updated as threat intelligence evolves so the deployment stays current instead of going stale. Updating means removing as well as adding: indicators that drop out of the feeds should age out of the blocklist, or the list only ever grows and starts blocking addresses that were reassigned long ago. Static filtering rules are a snapshot of last quarter's threats.
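As an added example (written for this post, not the deployment's own lists or the Wazuh CDB list mechanism), here is the matching and refresh logic behind an intel-driven blocklist: IP indicators are matched by address or CIDR, domains by suffix so subdomains of a listed domain are covered, and entries that stop appearing in feed refreshes expire after a configurable age. The feed contents, events and the seven-day expiry are constructed for the example.

```python
"""Threat-intel traffic filter (added example, not the post's rules).

Matches connection events against IP/CIDR and domain indicators and ages out
entries that stop appearing in feed refreshes. Feeds and events are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed feed snapshots: one indicator per line, '#' starts a comment.
FEED_DAY1 = """\
# addresses and networks
198.51.100.0/24
203.0.113.77
# domains (suffix match: subdomains are covered)
malware-c2.example
"""
FEED_DAY2 = """\
203.0.113.77
203.0.113.99
malware-c2.example
"""

# Constructed connection/DNS events from an internal network.
EVENTS = [
    {"src": "10.0.5.12", "dst_ip": "198.51.100.20", "dst_port": 443},
    {"src": "10.0.5.12", "domain": "api.malware-c2.example"},
    {"src": "10.0.5.20", "dst_ip": "203.0.113.77", "dst_port": 8080},
    {"src": "10.0.5.20", "domain": "updates.example.org"},
]


class Blocklist:
    def __init__(self, max_age=timedelta(days=7)):
        self.max_age = max_age
        self.networks = {}  # ip_network -> last time a feed listed it
        self.domains = {}   # lowercase domain -> last time a feed listed it

    def refresh(self, feed_text, now):
        """Merge a feed snapshot, then drop indicators unseen for max_age."""
        for raw in feed_text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            try:
                self.networks[ipaddress.ip_network(line, strict=False)] = now
            except ValueError:
                self.domains[line.lower().rstrip(".")] = now
        cutoff = now - self.max_age
        self.networks = {n: t for n, t in self.networks.items() if t >= cutoff}
        self.domains = {d: t for d, t in self.domains.items() if t >= cutoff}

    def ip_hit(self, ip_text):
        """The listed network containing ip_text, or None."""
        ip = ipaddress.ip_address(ip_text)
        return next((str(n) for n in self.networks if ip in n), None)

    def domain_hit(self, name):
        """The listed domain that name equals or is a subdomain of, or None."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def filter_events(blocklist, events):
    """One (verdict, reason) per event; IP indicators are checked before domains."""
    verdicts = []
    for ev in events:
        hit = blocklist.ip_hit(ev["dst_ip"]) if "dst_ip" in ev else None
        if hit:
            verdicts.append(("block", "ip:" + hit))
            continue
        hit = blocklist.domain_hit(ev["domain"]) if "domain" in ev else None
        verdicts.append(("block", "domain:" + hit) if hit else ("allow", None))
    return verdicts


def demo():
    """Verdicts before and after a refresh eight days later drops one network."""
    bl = Blocklist()
    day1 = datetime(2024, 3, 1)
    bl.refresh(FEED_DAY1, day1)
    before = filter_events(bl, EVENTS)
    bl.refresh(FEED_DAY2, day1 + timedelta(days=8))
    after = filter_events(bl, EVENTS)
    return before, after
```

Running `demo()` shows the point of the expiry: on day one the connection to 198.51.100.20 is blocked by the /24 indicator, and after a refresh that no longer lists that network it is allowed again, while the indicators still present in the feed keep blocking.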
What changed
The environment moved from reactive to structured. Detection improved through real-time visibility into logs, traffic, and endpoint activity. Mitigation got faster because active response shrinks the window between a threat appearing and something being done about it. Network control tightened through filtering. And it integrated without disrupting operations, which is the part that makes it sustainable rather than a one-time project that decays.
The full deployment, with a video walkthrough of the actual setup and configuration, is at https://www.jeremyburgos.com/projects/wazuh-siem-and-xdr-deployment/. Sanitized detection rules and decoders are public at https://github.com/Jeremy-Burgos/wazuh-detection-engineering.
Originally published at https://www.jeremyburgos.com/projects/wazuh-siem-and-xdr-deployment/