Program Highlights
Wazuh Hands-on Online Training is an enterprise-focused, practical SIEM & XDR training program designed to build real-world SOC, detection engineering, and threat monitoring skills using the Wazuh open-source platform. This course provides deep, hands-on exposure to log ingestion, decoding, detection engineering, endpoint telemetry, active response, vulnerability detection, compliance monitoring, and SOC operations.
Participants will work in a live Wazuh environment, tracing alerts from raw logs to dashboards, building custom decoders and rules, tuning detections, simulating attacks, and executing automated responses. The program emphasizes SOC Analyst workflows, detection accuracy, performance tuning, and operational visibility, making it ideal for modern Blue Teams.
24-Hour Instructor-led Training 
Hands-on SIEM & XDR SOC Training 
Real-World Detection Engineering & Alert Tuning 
3 Capstone Projects for hands-on learning 
Get job-ready with interview preparation sessions 
20+ Attack Simulation Use Cases 
Real-World Platform Walkthroughs 
Vulnerability Detection & Compliance Monitoring 
Recorded Sessions & Post-Training Support
Training Schedule
- upcoming classes
- corporate training
- 1 on 1 training
Looking for a customized training?
REQUEST A BATCHWhy Choose Our Corporate Training Solution
- Upskill your team on the latest tech
- Highly customized solutions
- Free Training Needs Analysis
- Skill-specific training delivery
- Secure your organizations inside-out
Why Choose 1-on-1 Training
- Get personalized attention
- Customized content
- Learn at your dedicated hour
- Instant clarification of doubt
- Guaranteed to run
About Course
InfosecTrain’s Wazuh Hands-on Online Training is designed for professionals responsible for monitoring, detecting, and responding to security threats using SIEM and XDR technologies.
The course starts with Wazuh fundamentals and architecture, then progressively builds skills in log decoding, detection engineering, active response, vulnerability management, performance tuning, and SOC operations. Participants will gain hands-on experience across endpoint telemetry, rule tuning, dashboard creation, and alert investigation.
Course Curriculum
- Module 0 – Orientation & Wazuh Mental Model
- What Wazuh is and What it is Not
- SIEM vs XDR vs EDR Clarification
- Core Wazuh Components: Agent, Manager, Indexer, Dashboard
- End-to-End Data Flow
- Navigating a Live Wazuh Environment
- Tracing an Alert from Raw Log to Dashboard
- Module 1 – Wazuh Architecture, Installation & Deployment
- Deployment Models: Single-Node vs. Distributed
- Manager, Indexer, and Dashboard Separation
- TLS, Certificates, and Secure Communication
- Agent Enrollment and Authentication
- Linux and Windows Agent Installation
- Agent Registration Troubleshooting
- Health Checks and Baseline Validation
- Module 2 – Wazuh Agent Internals & Endpoint Telemetry
- Agent Architecture and Internals
- Configuration Hierarchy and Agent Groups
- Windows Event Channels and Sysmon Integration
- Linux Log Collection and Auditing
- File Integrity Monitoring (FIM)
- Rootcheck Fundamentals
- Validating Agent-Generated Alerts
- Module 3 – Log Decoders: Parsing & Normalization
- Decoder Role and Structure
- Regex, Prematch, and Field Extraction
- JSON and Structured Logs
- Writing Custom Decoders (Linux & Windows)
- Decoder Ordering and Conflict Resolution
- Debugging with wazuh-logtest
- Module 4 – Detection Engineering with Wazuh Rules
- Rule Structure, Levels, and Hierarchy
- Correlation, Frequency, and Timeframe Rules
- Rule Chaining and Conditional Logic
- Custom Detection for Attack Scenarios
- False-Positive Reduction and Tuning
- MITRE ATT&CK Mapping
- Multi-stage Attack Detection
- Module 5 – Active Response & Automated Actions
- Active Response Architecture
- Built-in and Custom Responses
- Bash and PowerShell Automation
- Safety Controls and Validation
- Response Logging and Rollback
- Module 6 – Vulnerability Detection & Compliance Monitoring
- Vulnerability Detection Engine
- Software Inventory and CVE Correlation
- Vulnerability Alert Validation
- Compliance Monitoring Frameworks
- Configuration and Policy Compliance
- Module 7 – Indexer Internals, Performance & Scaling
- OpenSearch Indexer Architecture
- Shards, Replicas, and ILM
- Disk and Performance Monitoring
- High-Ingestion Tuning
- Query and Dashboard Troubleshooting
- Module 8 – Dashboarding, Queries & SOC Operations
- Navigating the Wazuh Dashboard
- Alert Querying and Filtering
- SOC-focused Dashboards
- Alert Triage and Investigations
- Analyst Productivity Optimization
- Lab Environment Note:
- If a participant wishes to run the lab locally over VM (Virtual Machine) and does not have a credit card, below are the bare minimum specifications for their system or laptops.
- LOCAL VM (No Credit Card Required)
- RAM: 16 GB
- Storage: 300 GB or more
- CPU: 8 Cores
- Supports Wazuh + Windows Lab Setup
- CLOUD VM (Optional)
- Instructor-supported DigitalOcean setup
- $200 Free Credits (approx. 15-20 days)
- Credit card required
- Instructor assists with account and setup
Target Audience
- SOC Analysts (Tier 1/Tier 2/Tier 3)
- Detection Engineers
- Blue Team Professionals
- Security Monitoring Engineers
- SIEM Engineers
- Incident Response Analysts
- Cybersecurity Students and Practitioners
Pre-requisites
- Basic understanding of cybersecurity concepts
- Familiarity with Linux and Windows environments
- Basic networking and log analysis knowledge
- Prior SOC or SIEM exposure is helpful but not mandatory
Course Objectives
You will be able to:
- Deploy and operate Wazuh as a SIEM & XDR platform
- Collect and analyze endpoint telemetry
- Build custom decoders and detection rules
- Tune alerts and reduce false positives
- Execute active response and automation
- Perform vulnerability detection and compliance checks
- Investigate alerts using SOC dashboards
Vision
Goal
Skill-Building
Mentoring
Direction
Support
Success
Benefits of Wazuh Hands-on Online Training
Operate Wazuh as a full SIEM & XDR platform
Perform SOC alert triage and investigations
Build custom decoders and detection rules
Execute active response and automation workflows
Monitor endpoints using Windows & Linux telemetry
Average Salary
Average Salary
Hiring Companies
"Source: Indeed, Glassdoor"
Confused about the right course for yourself?
6+ Years of Experience
It was a very good experience with the team. The class was clear and understandable, and it benefited me in learning all the concepts and gaining valuable knowledge.
I loved the overall training! Trainer is very knowledgeable, had clear understanding of all the topics covered. Loved the way he pays attention to details.
I had a great experience with the team. The training advisor was very supportive, and the trainer explained the concepts clearly and effectively. The program was well-structured and has definitely enhanced my skills in AI. Thank you for a wonderful learning experience.
The class was really good. The instructor gave us confidence and delivered the content in an impactful and easy-to-understand manner.
The program helped me understand several areas I was unfamiliar with. The instructor was exceptionally skilled and confident in delivering content.
The program was well-structured and easy to follow. The instructor’s use of real-life AI examples made it easier to connect with and understand the concepts.
Frequently Asked Questions
What is Wazuh, and how does it work as a SIEM and XDR platform?
Wazuh is an open-source security platform that functions as both a SIEM and XDR by collecting endpoint and log data, decoding and correlating events, generating alerts, and providing centralized visibility through dashboards for detection and response.
Is Wazuh a SIEM, XDR, or EDR tool?
Wazuh is primarily a SIEM and XDR platform. It provides endpoint telemetry similar to EDR while extending capabilities across log correlation, detection engineering, compliance monitoring, and centralized SOC operations.
Who should enroll in a Wazuh training course?
This course is ideal for:
- SOC Analysts (Tier 1/Tier 2/Tier 3)
- Detection Engineer
- Blue Team Professionals
- Security Monitoring Engineers
- SIEM Engineers
- Incident Response Analysts
- Cybersecurity Students and Practitioners
Is Wazuh training suitable for SOC Analysts and Detection Engineers?
Yes. The training is specifically designed for SOC workflows and detection engineering, covering alert triage, investigation, rule tuning, decoders, and automation.
What skills will I gain from a Wazuh SIEM and XDR course?
You will gain skills in Wazuh deployment, agent management, log decoding, detection engineering, alert tuning, endpoint telemetry analysis, active response, vulnerability detection, and SOC dashboard operations.
Does the Wazuh course include hands-on labs and real SOC scenarios?
Yes. The course is fully hands-on, using live Wazuh environments with real SOC scenarios, alert investigations, detection tuning, and attack simulations.
How is Wazuh different from Splunk, QRadar, and other SIEM tools?
Wazuh is open-source and agent-based, offering SIEM, XDR, compliance, and endpoint monitoring without high licensing costs, while still supporting enterprise SOC use cases.
Does the Wazuh course cover detection engineering and custom rules?
Yes. The course includes in-depth detection engineering, covering rule structure, correlation logic, severity tuning, MITRE ATT&CK mapping, and custom detection creation.
Will I learn how to create custom decoders in Wazuh?
Yes. Participants learn to build, debug, and tune custom decoders for Linux and Windows logs using regex, prematch, JSON parsing, and wazuh-logtest.
Does the Wazuh course include active response and automation?
Yes. The training covers active response architecture, built-in responses, and custom automation using Bash and PowerShell, including testing and rollback.
Does the course cover Wazuh agent internals and endpoint telemetry?
Yes. The course includes detailed coverage of agent internals, configuration hierarchy, Windows and Linux telemetry, Sysmon integration, FIM, and Rootcheck.
Are vulnerability detection and compliance monitoring covered in Wazuh training?
Yes. The course covers Wazuh’s vulnerability detection engine, CVE correlation, software inventory, and compliance monitoring with drift detection.
Does the Wazuh course include threat intelligence integration?
Threat intelligence is addressed through contextual enrichment and correlation within detection rules and SOC analysis workflows as part of detection engineering.
Is this Wazuh course beginner-friendly or advanced-level?
The course is beginner-friendly at the start and progresses to an advanced, hands-on level, making it suitable for both early-career and experienced security professionals.
Will I receive a certificate after completing the Wazuh training?
Yes. Participants receive a course completion certificate from InfosecTrain after successfully completing the training.