Feedback on Wazuh Product Experience and Suggestions for Improvement and limitations


Security xthreating

Apr 8, 2026, 6:06:21 PM
to Wazuh | Mailing List
Dear Wazuh Team,

I hope this email finds you well. I wanted to take a moment to share my experience with Wazuh, a product I have been using extensively. I appreciate the efforts put into developing a robust security solution, and I believe it has its strengths. However, as with any product, there are areas that could be improved upon.

During my usage, I have identified several limitations and gaps, particularly in the following areas:

- *Case Management*: The current case management capabilities seem limited, and I believe there is room for enhancement to streamline incident response processes.

- *ISO 27001 Compliance*: I noticed that ISO 27001 is missing, which is a critical compliance standard for many organizations.

- *Vulnerability Assessment for Oracle OS*: The product does not support vulnerability assessment for Oracle OS, which is a significant gap.

- *Web Proxy Setting*: There is no option to configure web proxy settings within the Wazuh application, which can hinder deployment in certain network environments.

- *Customized Dashboard*: The dashboard lacks flexibility, making it challenging to tailor it to specific needs or roles within an organization.

- *Reporting*: Many reports cannot be exported in PDF format, limiting the ease of sharing and compliance reporting.

- *Agent Deployment*: The inability to push or install agents remotely is a significant operational limitation.

- *Log Correlation*: The product lacks robust log correlation capabilities, making it challenging to identify complex security incidents.

- *Backup and Restore Process*: The backup and restore process is complex and could be simplified to ensure business continuity and disaster recovery.

I believe addressing these gaps could significantly enhance the product's usability and appeal to a broader range of organizations.

I would appreciate the opportunity to discuss these points further and understand if there are plans to address these limitations in future releases.

Thank you for your attention to this matter, and I look forward to your response.

Will discuss more limitations and review.

Best regards,
Security

Stuti Gupta

6:26 AM
to Wazuh | Mailing List

Hi Security xthreating,

Glad to know you find using Wazuh interesting, and we really appreciate your feedback. We are constantly working on improving the platform, and comments from users help us understand where things can be better.

Just to clarify a few of the points you mentioned.

Case management – Wazuh mainly focuses on detection and analysis. For full case management workflows, many users usually connect it with external tools or ticketing systems. You can also check some integrations that other users from the community have worked on:
https://github.com/wazuh/integrations

ISO 27001 – Some SCA policies already include references to ISO 27001 controls in the compliance section. For example, some CIS checks map directly to ISO 27001:2013 controls.
https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-it-works.html

Oracle OS vulnerability detection – The vulnerability detector depends on vendor security feeds, so support can vary depending on the availability of those feeds. In restricted or offline environments, you can also use the offline vulnerability feed update.
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html#offline-vulnerability-detection

Proxy configuration – There is no separate proxy option in the UI, but proxy settings can be configured at the system or service level using environment variables like http_proxy and https_proxy. This is generally how Wazuh components handle outbound connections.
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/load-balancers.html

Dashboards – The dashboard is based on OpenSearch Dashboards, so you can create your own dashboards using fields, filters, JSON input, or markdown panels, depending on what you want to see. Many users build their own operational dashboards this way.
https://docs.opensearch.org/latest/dashboards/visualize/viz-index/

Reporting / PDF export – Reporting mostly depends on the dashboard and OpenSearch features. Some users export data directly from dashboards or use the API and small scripts to generate reports. You can also use the OpenSearch reporting plugin to generate reports from dashboards.
https://docs.opensearch.org/latest/reporting/rep-cli-install/
https://docs.opensearch.org/latest/reporting/report-dashboard-index/

Agent deployment – Wazuh does not push agents from the manager to remote systems. This is mainly due to security and design reasons, since installing software on remote hosts usually requires administrative access. Because of this, many environments handle agent installation using automation tools or deployment scripts.

Log correlation – Log correlation is handled through the rules engine. Rules can reference other rules and detect patterns across events. We are working on improving it in the upcoming 5.x versions, which will include changes to the rule engine.

Backup and restore – Since Wazuh has different components (manager, indexer, dashboard), the backup process includes a few steps. The documentation explains the process, and if the steps are followed carefully, the restore should work without issues.
https://documentation.wazuh.com/current/migration-guide/restoring/index.html

If you have specific examples or need help setting up any of these things, feel free to share more details in the community, and we’ll be happy to help.

Best regards.
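
An added illustration of the log-correlation point in the reply above (not part of the original thread and not Wazuh's own rule set): two custom rules where one references another rule and the second references the first. The rule IDs 100100 and 100101, the group name and the thresholds are assumptions chosen for this example; 5716 and 5715 are assumed to be the stock sshd authentication-failure and authentication-success rules.

```xml
<!-- Added example: custom correlation rules for the manager's local_rules.xml. -->
<!-- IDs 100100/100101, the group name and the thresholds are illustrative.     -->
<group name="local,correlation_example,">

  <!-- Stage 1: the stock sshd "authentication failed" rule (assumed ID 5716)
       matches repeatedly from the same source IP inside a 120-second window. -->
  <rule id="100100" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated authentication failures from one source IP.</description>
  </rule>

  <!-- Stage 2: an sshd authentication success (assumed ID 5715) arrives from
       the same source IP within 300 seconds of stage 1 firing. This is the
       cross-event pattern: many failures followed by a success.              -->
  <rule id="100101" level="12" timeframe="300">
    <if_sid>5715</if_sid>
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>sshd: login success after repeated failures from the same source IP.</description>
  </rule>

</group>
```

Rules like these can be checked against sample sshd log lines with wazuh-logtest before the manager is restarted.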
