Multiple integrations not running in parallel (only one executes at a time)

33 views
Skip to first unread message

kushagra varshney

unread,
Nov 10, 2025, 3:39:47 AM (yesterday) Nov 10
to Wazuh | Mailing List

Hello team,

I am facing an issue with Wazuh integrations execution order.
I currently have 3 external integrations configured:

  • IRIS

  • AbuseIPDB

  • MISP

The problem is that when alerts are generated, only one integration executes at a time.
Sometimes IRIS does not execute at all if other integrations (for example MISP) are already running or busy processing events.

Use case example:
I get around ~1000 alerts in 2 minutes. MISP runs first, then AbuseIPDB, but IRIS never gets triggered in many cases. It looks like integrations are not running concurrently and if one integration is slow or overloaded, the others get blocked.

Questions:

  1. Is this the expected behaviour that integrations are executed sequentially and not parallel?

  2. Is there any configuration available to allow integration parallel execution or queueing?

  3. If not available today, is this a planned feature or improvement? It becomes a major limitation in high volume environments where multiple enrichment sources are needed.

  4. Any recommended workaround to ensure all integrations get a chance to run reliably?

  5. Is there any rate limit issues on incoming and outgoing traffics? if there is then how to solve it.

Thanks,
Kushagra

musbau....@wazuh.com

unread,
Nov 10, 2025, 10:51:54 AM (22 hours ago) Nov 10
to Wazuh | Mailing List
Hi,

This is a known limitation as Wazuh runs integrations sequentially, not in parallel. So if MISP is slow or backed up, IRIS or AbuseIPDB might never get triggered, especially during alert bursts.

There’s no built-in way to run them concurrently, and under high load, integrations can time out or get skipped.

You can offload enrichment to a SOAR like Shuffle as Wazuh recently made a partnership with them and send Wazuh alerts there and run your IRIS/MISP/AbuseIPDB lookups in parallel with proper error handling.

Also, double-check rate limits on those external APIs—they can silently stall your scripts.

Hope that helps!

You can use the documentation below for reference.

https://wazuh.com/blog/integrating-wazuh-with-shuffle/

kushagra varshney

unread,
1:12 AM (7 hours ago) 1:12 AM
to Wazuh | Mailing List
Hi,

Lets say if I just put MISP and abuseipdb on Wazuh and iris on shuffle will it be able to match the all 20lakh alerts that come in 12-13hrs with MISP without dropping any alert.

Regards,
Kushagra 
Reply all
Reply to author
Forward
0 new messages