Extending Threat Intelligence Reach with a Native Wazuh Integration
Executive Summary
A threat intelligence platform helps security teams gain deeper visibility into threats through intelligence-driven insights, indicator analysis, and threat research, but its value is amplified when it is accessible directly within the security tools that enterprise SOC teams use every day. To extend its reach into the open-source security ecosystem, a leading threat intelligence provider engaged Crest Data to build a native, production-ready integration with Wazuh, a widely adopted open-source SIEM and XDR platform.
Crest Data designed and delivered a full-stack integration that automatically enriches Wazuh alerts with threat intelligence context, including IOC verdicts and severity, MITRE ATT&CK technique mappings for suspicious files, and real-world exploit intelligence for detected CVEs. The integration ships with a one-click installer, configurable enrichment modes, and a custom Wazuh ruleset, enabling mutual customers to get up and running in minutes without changes to their existing Wazuh deployment.
About the Customer
A leading global cybersecurity and threat intelligence provider that helps organizations identify, assess, and respond to emerging cyber threats. The company delivers intelligence-driven security solutions powered by large-scale telemetry, advanced threat research, and global threat monitoring capabilities. Serving enterprises, government agencies, and security teams worldwide, the organization operates at a significant scale, providing actionable threat intelligence, risk insights, and security context that enable faster detection, investigation, and response to cyber threats across complex digital environments.
Customer Challenge
The threat intelligence platform provides organizations with comprehensive, proactive threat detection powered by its global intelligence network and telemetry. Its outputs (threat verdicts, IOC feeds, MITRE ATT&CK mappings, campaign associations, and exploit intelligence) are most impactful when they flow directly into the security platforms that analysts work in daily.
Wazuh is one of the most widely used open-source SIEM and XDR platforms in the enterprise security landscape, monitoring endpoints, servers, cloud workloads, and containers across thousands of organizations globally. Many of these organizations are also threat intelligence platform customers, but without a native integration, they could not bring threat intelligence context into their Wazuh workflows automatically.
A leading threat intelligence provider engaged Crest Data to close this gap by building a robust, installable integration that would make threat intelligence natively available inside Wazuh, expanding the platform ecosystem and delivering immediate, tangible value to mutual customers.
What Mutual Customers Were Missing
Enterprises running both Wazuh and the threat intelligence platform faced a workflow disconnect that limited the value they could extract from either platform. Three specific gaps stood out:
1. No Automated IOC Contextualization in Wazuh
Wazuh alerts flagged suspicious IPs, domains, URLs, and file hashes but contained no threat intelligence verdict or severity. Analysts had to leave Wazuh and manually query the threat intelligence platform for every indicator.
2. File Events Without MITRE ATT&CK Context
Suspicious file activity detected by Wazuh’s syscheck module carried no MITRE ATT&CK technique mappings. The threat intelligence platform could supply that context, but it had no path to deliver it into Wazuh alerts.
3. CVEs Without Exploit Intelligence
Wazuh’s vulnerability detection identified CVEs, but the alerts lacked the exploitation vectors, campaign associations, and threat actor linkages available through the threat intelligence platform, leaving teams unable to prioritize effectively.
Beyond the direct workflow friction, the absence of a native integration meant the threat intelligence platform had limited visibility within one of the most active corners of the open-source security ecosystem, a gap that also affected its ability to demonstrate value to prospective mutual customers evaluating both platforms.
Proposed Solution
A Production-Ready Threat Intelligence Integration for Wazuh
Crest Data designed and delivered a complete, three-component integration that brings threat intelligence context natively into the Wazuh alert pipeline, requiring no changes to a customer’s existing Wazuh infrastructure.
IOC Ingestion Engine
A cron job fetches the latest IOC threat lists from the threat intelligence platform across configurable threat categories: ransomware, malware, phishing, cryptominer, infostealer, malicious infrastructure, threat actors, and more.
IOCs covering IPs, domains, URLs, and file hashes are stored locally in structured JSON files with enrichment metadata (verdict, severity, and threat score), enabling fast lookups without a per-alert API call.
- Checkpoint-based incremental syncs that keep local IOC data updated after the initial fetch
- Configurable severity and verdict filters that restrict ingestion to high-confidence indicators
- Automatic IOC expiry with configurable retention periods to keep local data clean
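The three behaviours listed above (checkpoint cursor, confidence filters, retention expiry) fit in one sync routine. The following is an added example written for this page, not the integration's own code: the feed record shape, the `fetch_iocs()` stand-in for the vendor API, and the single-JSON-file cache keyed by `<type>:<indicator>` are assumptions, and the feed contents are constructed.

```python
"""Local IOC cache: incremental sync from a checkpoint, verdict/severity
filtering and retention-based expiry, as one cron tick would run it.
Added example; feed shape, fetch_iocs() and cache layout are assumptions."""
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
KEEP_FIELDS = ("verdict", "severity", "score", "category", "last_seen")

# Constructed sample feed standing in for the vendor's threat lists.
# `last_seen` (ISO-8601 UTC) doubles as the sync cursor.
FEED = [
    {"indicator": "203.0.113.7", "type": "ip", "verdict": "malicious",
     "severity": "high", "score": 92, "category": "ransomware",
     "last_seen": "2024-05-01T10:00:00Z"},
    {"indicator": "Evil.Example", "type": "domain", "verdict": "malicious",
     "severity": "critical", "score": 98, "category": "phishing",
     "last_seen": "2024-05-01T11:00:00Z"},
    {"indicator": "198.51.100.9", "type": "ip", "verdict": "suspicious",
     "severity": "low", "score": 40, "category": "malicious_infrastructure",
     "last_seen": "2024-05-02T09:00:00Z"},
    {"indicator": "44d88612fea8a8f36de82e1278abb02f", "type": "md5",
     "verdict": "malicious", "severity": "high", "score": 88,
     "category": "malware", "last_seen": "2024-05-03T08:00:00Z"},
]


def fetch_iocs(since):
    """Stand-in for the vendor API call. Returning only records newer than
    the checkpoint is what makes each sync incremental."""
    return [r for r in FEED if r["last_seen"] > since]


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_cache(path):
    if not os.path.exists(path):
        return {"checkpoint": "", "iocs": {}}
    with open(path) as fh:
        return json.load(fh)


def save_cache(path, cache):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(cache, fh, indent=2)
    os.replace(tmp, path)  # atomic swap: the enricher never reads a half-written file


def sync(cache, min_severity="medium", allowed_verdicts=("malicious",),
         retention_days=30, now=None):
    """One cron tick. Returns counters useful for an API-status event."""
    now = now or datetime.now(timezone.utc)
    threshold = SEVERITY_RANK[min_severity]
    batch = fetch_iocs(cache["checkpoint"])
    added = 0
    for rec in batch:
        if rec["verdict"] not in allowed_verdicts:
            continue
        if SEVERITY_RANK.get(rec["severity"], 0) < threshold:
            continue
        key = f"{rec['type']}:{rec['indicator'].lower()}"  # normalise for lookup
        cache["iocs"][key] = {k: rec[k] for k in KEEP_FIELDS}
        added += 1
    # Advance the checkpoint past everything fetched, including records the
    # filters dropped, so they are not re-pulled on every tick.
    if batch:
        cache["checkpoint"] = max(r["last_seen"] for r in batch)
    cutoff = now - timedelta(days=retention_days)
    stale = [k for k, v in cache["iocs"].items() if parse_ts(v["last_seen"]) < cutoff]
    for k in stale:
        del cache["iocs"][k]
    return {"fetched": len(batch), "added": added, "expired": len(stale),
            "checkpoint": cache["checkpoint"]}


def run_once(path, **opts):
    cache = load_cache(path)
    stats = sync(cache, **opts)
    save_cache(path, cache)
    return stats


def demo():
    """Three ticks against a temp file: initial fetch, no-op delta, expiry."""
    path = os.path.join(tempfile.mkdtemp(), "iocs.json")
    s1 = run_once(path, now=datetime(2024, 5, 10, tzinfo=timezone.utc))
    s2 = run_once(path, now=datetime(2024, 5, 10, tzinfo=timezone.utc))
    s3 = run_once(path, now=datetime(2024, 6, 2, tzinfo=timezone.utc))
    return s1, s2, s3, load_cache(path)


if __name__ == "__main__":
    for s in demo()[:3]:
        print(s)
```

With the defaults (minimum severity medium, malicious verdicts only, 30-day retention) the first tick keeps three of the four constructed records and drops the low-severity "suspicious" IP; the second tick fetches nothing because the checkpoint has moved; the third tick, run a month later, expires the two indicators last seen on 1 May.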
Alert Enrichment
Registered within Wazuh’s integration framework, the enrichment engine intercepts qualifying Wazuh alerts, extracts IOC fields, and enriches them with threat intelligence context across three use cases.
IOC Enrichment
Looks up detected IPs, domains, URLs, and file hashes against locally cached IOC data. A configurable real-time mode can switch enrichment to live API lookups for the most current verdicts and threat intelligence information, at the cost of one API call per alert.
Custom field mappings allow enrichment across non-standard log fields from any agent or log source.
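The enrichment path described above, from alert intake to the enriched event, looks like the following. This is an added example, not the integration's own code. The cache layout, the `ti` field namespace, the integration name `custom-ti-enrich` and the field mappings are assumptions; the sample alerts and cache entries are constructed. What is Wazuh's own convention: a custom integration script receives the alert JSON file path as its first argument, and events sent to the manager's queue socket (`/var/ossec/queue/sockets/queue`) are framed as `1:<location>:<json>`.

```python
"""Wazuh custom-integration enrichment: pull IOC candidates out of an alert via
configurable dotted field paths, match them against the local IOC cache and
build the event handed back to Wazuh. Added example; cache layout, `ti`
namespace, integration name and FIELD_MAP are assumptions."""
import json
import socket
import sys

WAZUH_QUEUE = "/var/ossec/queue/sockets/queue"  # Wazuh manager queue socket
INTEGRATION = "custom-ti-enrich"                 # assumed integration name

# Constructed local cache, as the ingestion job would have written it.
IOC_CACHE = {
    "ip:203.0.113.7": {"verdict": "malicious", "severity": "high",
                       "score": 92, "category": "ransomware"},
    "domain:evil.example": {"verdict": "malicious", "severity": "critical",
                            "score": 98, "category": "phishing"},
    "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
        {"verdict": "malicious", "severity": "high", "score": 88,
         "category": "malware"},
}

# IOC type -> dotted alert paths to inspect. Standard Wazuh fields first;
# the last entries stand for non-standard fields a customer might add.
FIELD_MAP = {
    "ip": ["data.srcip", "data.dstip"],
    "domain": ["data.dns.question.name", "data.dest_host"],
    "url": ["data.url"],
    "sha256": ["syscheck.sha256_after"],
    "md5": ["syscheck.md5_after"],
}

# Constructed alerts in Wazuh's JSON alert shape.
SSH_ALERT = {
    "id": "1714560000.12345",
    "rule": {"id": "100001", "level": 5, "description": "constructed sshd alert"},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.7", "srcuser": "admin"},
}
FILE_ALERT = {
    "id": "1714560100.12346",
    "rule": {"id": "100002", "level": 7, "description": "constructed syscheck alert"},
    "agent": {"id": "002", "name": "db-01"},
    "syscheck": {"path": "/tmp/dropper",
                 "sha256_after": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
}
BENIGN_ALERT = {"id": "1714560200.1", "rule": {"id": "100003", "level": 3},
                "agent": {"id": "001", "name": "web-01"},
                "data": {"srcip": "192.0.2.10"}}


def get_path(obj, dotted):
    """Walk a dotted path; None when any segment is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def extract_iocs(alert, field_map=FIELD_MAP):
    """Yield (type, normalised value, source field) for every mapped field present."""
    found = []
    for ioc_type, paths in field_map.items():
        for path in paths:
            value = get_path(alert, path)
            if isinstance(value, str) and value:
                found.append((ioc_type, value.lower(), path))
    return found


def enrich(alert, cache=IOC_CACHE, field_map=FIELD_MAP):
    """Return the enriched event, or None when no indicator matched."""
    matches = []
    for ioc_type, value, path in extract_iocs(alert, field_map):
        hit = cache.get(f"{ioc_type}:{value}")
        if hit:
            matches.append({"type": ioc_type, "value": value, "field": path, **hit})
    if not matches:
        return None
    worst = max(matches, key=lambda m: m["score"])  # alert-level verdict = worst hit
    return {
        "integration": INTEGRATION,
        "ti": {"verdict": worst["verdict"], "severity": worst["severity"],
               "score": worst["score"], "matches": matches},
        "source": {"alert_id": alert.get("id"),
                   "rule_id": alert.get("rule", {}).get("id"),
                   "agent": alert.get("agent", {}).get("name")},
    }


def frame(event):
    """Wazuh queue framing: '1:<location>:<json>'."""
    return f"1:{INTEGRATION}:{json.dumps(event)}"


def send_to_wazuh(event, path=WAZUH_QUEUE):
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.connect(path)
        sock.send(frame(event).encode())
    finally:
        sock.close()


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:        # Wazuh passes the alert file as argv[1]
        event = enrich(json.load(fh))
    if event:
        send_to_wazuh(event)
```

Because Wazuh's JSON decoder flattens nested keys, a custom rule can key on the emitted fields with `<decoded_as>json</decoded_as>` plus `<field name="integration">custom-ti-enrich</field>` and `<field name="ti.verdict">malicious</field>`, which is the same pattern Wazuh's bundled VirusTotal rules use. Values are lower-cased before lookup so a hash logged in upper case still matches; the real-time mode described above would replace the `cache.get()` with a live API query for the same key.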
File MITRE ATT&CK Mapping
For file hash indicators, the integration queries behavioral analysis capabilities to retrieve:
- MITRE ATT&CK tactic IDs
- Technique IDs
- Technique names
- Behavioral signatures
This information is appended directly to the Wazuh alert so analysts can understand the attack context at a glance.
Vulnerability Exploit Intelligence
For CVEs detected by Wazuh’s vulnerability module, the integration retrieves:
- Exploitation vectors
- Active campaign associations
- Threat actor linkages
This transforms a simple CVE identifier into an actionable risk-prioritization signal.
Custom Ruleset & Installer
A predefined ruleset captures enriched alerts and surfaces them within Wazuh, categorized by enrichment type such as IOC match, vulnerability intelligence, and API status events.
A companion installation script handles end-to-end deployment, including:
- Dependency installation
- File placement with hardened permissions
- Configuration updates
- Service restart and activation
This enables customers to become operational within minutes.
Outcomes & Success Metrics
Ecosystem Reach
The threat intelligence platform gains a direct integration with Wazuh’s broad enterprise user base, extending its value to a segment of the market running open-source security infrastructure.
Faster SOC Triage
Mutual customers receive full threat intelligence context, including verdicts, severity, attack techniques, and exploit intelligence, alongside every Wazuh alert, eliminating manual cross-platform lookups.
Stronger Customer Outcomes
Organizations using both platforms now benefit from Wazuh’s detection breadth combined with the depth of commercial threat intelligence within a single unified workflow.
Analyst Efficiency
SOC analysts no longer need to pivot between Wazuh and the threat intelligence platform for IOC context. Enrichment is delivered automatically within their existing alert workflow.
About Crest Data
Crest Data is a data and AI-driven technology solutions provider for enterprises and technology innovators in cybersecurity and observability. The company specializes in building practical, integration-led solutions that connect leading security intelligence platforms with the tools enterprise SOC teams use every day.
This engagement reflects Crest Data’s broader capability in building production-grade security integrations that connect leading threat intelligence platforms with the SIEM, XDR, and SOC tooling that enterprise security teams rely on, creating durable value for platform vendors and their customers alike.