How Loki Labs integrates leading EDRs with Wazuh for unified SOC operations.
Supported EDRs and Integration Methods
CrowdStrike Falcon Integration
• Syslog forwarding via rsyslog or syslog-ng
• API integration using CrowdStrike Falcon API
• Webhook configuration for real-time alerts
• Data normalization in JSON format
SentinelOne Integration
• Syslog integration with CEF format
• RESTful API for alert and event retrieval
• Webhook endpoints for immediate notifications
• Deep Visibility data extraction
Microsoft Defender Integration
• Advanced Hunting query exports
• Microsoft Graph Security API
• Azure Sentinel connector
• Event Hub streaming
Carbon Black Integration
• Carbon Black Cloud API
• Syslog forwarding configuration
• Raw event streaming
• Alert webhook integration
Normalization and Correlation in Wazuh
Wazuh Decoders for EDR Events
• CrowdStrike detection decoder
• SentinelOne threat decoder
• Microsoft Defender alert decoder
• Generic EDR event decoder
Correlation Rules
• Multi-source threat correlation
• Timeline reconstruction rules
• Behavioral pattern detection
• False positive reduction logic
Sample Wazuh Rules for Common EDR Alerts
Malware Detection Rule
• Rule ID: 100001
• Description: EDR malware detection correlation
• Level: 12 (High)
• Conditions: EDR vendor alert + file hash match
Ransomware Activity Rule
• Rule ID: 100002
• Description: Ransomware behavior correlation
• Level: 15 (Critical)
• Conditions: File encryption patterns + process behavior
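The generic EDR decoder listed under "Wazuh Decoders for EDR Events" and the two sample rules above (100001 at level 12, 100002 at level 15), written out as a Wazuh ruleset. This is an added example, not Loki Labs' own configuration. It assumes the integration forwards every EDR alert as one JSON line with a top-level `edr` object (the field names `edr.vendor`, `edr.category`, `edr.host`, `edr.file.sha256`, `edr.process.*` are constructed for this example), a CDB list of known-bad SHA-256 hashes at `etc/lists/malware-hashes`, Wazuh 4.x syntax, and the intermediate rule 100010, which is introduced here so that 100002 can count per-process encryption events.

```xml
<!-- Added example, not Loki Labs' configuration.
     Assumed input: one JSON line per EDR alert, normalized by the forwarder to
     {"edr":{"vendor":"crowdstrike","category":"malware","host":"ws01",
             "file":{"path":"C:\\Users\\a\\x.exe","sha256":"<64 hex chars>"},
             "process":{"name":"x.exe","pid":4242,"action":"file_encrypt"}}}
     In a real deployment the decoder goes in etc/decoders/ and the rules in
     etc/rules/ (separate files); they are shown together here for reading. -->

<!-- Generic EDR event decoder: JSON_Decoder flattens nested keys into dotted
     field names such as edr.file.sha256, which the rules below reference. -->
<decoder name="edr-json">
  <prematch>^{\s*"edr"\s*:</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<group name="edr,">

  <!-- Base rule: any decoded EDR event. Kept at a low level so it only feeds
       the correlation rules and does not page anyone on its own. -->
  <rule id="100000" level="3">
    <decoded_as>edr-json</decoded_as>
    <field name="edr.vendor">\.+</field>
    <description>EDR event from $(edr.vendor) on $(edr.host)</description>
  </rule>

  <!-- Rule 100001: EDR malware detection correlation (level 12, High).
       Conditions: vendor alert of category "malware" AND the reported SHA-256
       is a key in the CDB list etc/lists/malware-hashes (assumed list, which
       must be registered under <ruleset><list> in ossec.conf and compiled;
       keys are assumed to be lowercase hex like the event values). -->
  <rule id="100001" level="12">
    <if_sid>100000</if_sid>
    <field name="edr.category">^malware$</field>
    <list field="edr.file.sha256" lookup="match_key">etc/lists/malware-hashes</list>
    <description>EDR malware detection correlation: $(edr.vendor) flagged $(edr.file.path) with a known-bad hash on $(edr.host)</description>
    <group>malware,</group>
  </rule>

  <!-- Intermediate rule (assumed): a single file-encryption event reported by
       the EDR. Level 7 so it is visible but not critical by itself. -->
  <rule id="100010" level="7">
    <if_sid>100000</if_sid>
    <field name="edr.process.action">^file_encrypt$</field>
    <description>EDR reported file encryption by $(edr.process.name) on $(edr.host)</description>
  </rule>

  <!-- Rule 100002: ransomware behavior correlation (level 15, Critical).
       Conditions: file-encryption pattern (rule 100010) plus process behavior:
       the same process on the same host producing 10 such events within 60 s.
       Threshold values are assumptions to tune per environment. -->
  <rule id="100002" level="15" frequency="10" timeframe="60">
    <if_matched_sid>100010</if_matched_sid>
    <same_field>edr.host</same_field>
    <same_field>edr.process.pid</same_field>
    <description>Ransomware behavior correlation: $(edr.process.name) (pid $(edr.process.pid)) mass-encrypting files on $(edr.host)</description>
    <group>ransomware,</group>
  </rule>

</group>
```

Level 15 on rule 100002 is what the Freshdesk mapping below turns into a P1 ticket, and level 12 on 100001 into a P2, so the levels chosen in the rules are the only place severity needs to be set. Before enabling the frequency rule, check it with `/var/ossec/bin/wazuh-logtest` against a few constructed `edr` JSON lines to confirm the decoder produces the dotted field names the rules expect.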
SOAR and Ticketing Workflow
Freshdesk Integration Mapping
• Critical alerts → P1 tickets
• High alerts → P2 tickets
• Medium alerts → P3 tickets
• Automated ticket creation
• Analyst assignment rules
SOAR Playbook Triggers
• Webhook-based automation
• API-driven response actions
• Escalation procedures
• SLA enforcement
Playbooks
Ransomware Response Playbook
Detection Phase
• EDR identifies encryption activity
• Wazuh correlates multiple indicators
• Automatic containment triggers
Containment Phase
• Network isolation of affected endpoints
• Process termination
• File system protection
• User account suspension
Eradication Phase
• Malware removal
• System restoration
• Vulnerability patching
• Security control updates
C2 Beacon Detection Playbook
Identification
• Network traffic analysis
• Beacon pattern detection
• DNS query analysis
• Process network activity
Investigation
• Timeline reconstruction
• Lateral movement assessment
• Data exfiltration analysis
• Attribution research
Response
• Network blocking
• Endpoint isolation
• Threat hunting expansion
• Intelligence sharing
Lateral Movement Playbook
Detection Indicators
• Unusual authentication patterns
• Remote execution attempts
• Credential dumping activities
• Network reconnaissance
Investigation Steps
• Authentication log analysis
• Process execution review
• Network traffic inspection
• Asset inventory check
Containment Actions
• Account privilege reduction
• Network segmentation
• Monitoring enhancement
• Access control updates
Persistence Mechanism Playbook
Common Persistence Techniques
• Registry modifications
• Scheduled task creation
• Service installation
• Startup folder changes
Detection Methods
• File system monitoring
• Registry monitoring
• Process creation logs
• Service control logs
Remediation Steps
• Persistence removal
• System hardening
• Monitoring deployment
• User education
KPIs and Dashboards
Security Operations Metrics
• Mean Time to Detection (MTTD)
• Mean Time to Response (MTTR)
• Mean Time to Containment (MTTC)
• Alert volume and trends
• False positive rates
Threat Intelligence Metrics
• IOC hit rates
• Threat actor attribution
• Campaign tracking
• Vulnerability exploitation
Compliance Metrics
• Regulatory requirement coverage
• Audit trail completeness
• Incident documentation
• Response time compliance
Dashboard Components
• Real-time threat overview
• Alert priority distribution
• Investigation status tracking
• Performance trending
• Geographic threat mapping