Automate Your Wazuh Alert Enhancement Process

Introduction
While building a multitenant SOC architecture using Wazuh and OpenSearch, I quickly ran into a critical issue:
Wazuh alerts do not include the agent group(s) by default.
In a setup where each client is represented by a group of agents, this missing field becomes a major obstacle for filtering, visualizing, and correlating events effectively.
This post walks through the entire process I followed to solve this limitation by creating an ingestion pipeline that enriches alerts with the agent_group field.
Technical Architecture
Here are the key components of the system:
Wazuh Manager: collects and analyzes security events
Filebeat: lightweight forwarder that ships alerts to OpenSearch
OpenSearch: search and analytics engine
OpenSearch Dashboards: visualization interface
Ingest Pipeline: custom pipeline to enrich incoming documents
Once the pipeline is in place, the logical architecture looks like this:
Initial Problem
Wazuh alerts include fields like agent.id and agent.name, but not agent.group.name, even when agents are assigned to groups in the Wazuh Manager.
This makes it impossible to:
Filter alerts by client in Discover
Build multitenant dashboards
Automate alerting per group
Resolution Steps
1. Inspecting the Data
I started by querying OpenSearch:
GET wazuh-alerts-*/_search
{
  "size": 1,
  "_source": ["agent.id", "agent.name", "agent.group.name"]
}
Result: agent.group.name was missing.
2. Attempts on the Wazuh Side
I tried assigning agents to groups:
/var/ossec/bin/agent_groups -a -i 001 -g clientA
/var/ossec/bin/agent_control -i 001
Then modified ossec.conf:
<agent_info>yes</agent_info>
Restarted the manager:
sudo systemctl restart wazuh-manager
Still, the field didn’t appear in the alerts.
3. Solution: Manual Enrichment via Filebeat
I added a conditional enrichment block in filebeat.yml:
processors:
  - add_fields:
      when:
        equals:
          agent.name: "clientA-agent"
      fields:
        agent_group: "clientA"
      target: ""
This adds the agent_group field to each matching document (target: "" places it at the root of the document rather than under fields).
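A single add_fields block works for one agent, but a multitenant SOC has many agents per client. The following Python script is an added example, not code from the original post: it generates one add_fields processor per agent from an agent-name to group mapping (the mapping, agent names and alert documents are constructed for the example), renders the processors block in the form filebeat.yml expects, and simulates locally what add_fields with a when.equals condition does to an alert, including the case of an agent that is not in the mapping.

```python
"""
Added example (not from the original post): generate the Filebeat
`processors` section from an agent -> group mapping, and simulate locally
what add_fields/when.equals does to an alert document.
The mapping, agent names and alert documents below are constructed.
"""
import json

# Constructed mapping: Wazuh agent name -> client group.
# In production this would come from an external JSON/YAML file.
AGENT_GROUP_MAP = {
    "clientA-agent": "clientA",
    "clientA-web01": "clientA",
    "clientB-db01": "clientB",
}


def build_filebeat_processors(mapping):
    """Return one add_fields processor per agent, as Python dicts.
    target: "" puts agent_group at the document root, as in the post."""
    return [
        {
            "add_fields": {
                "when": {"equals": {"agent.name": agent}},
                "fields": {"agent_group": group},
                "target": "",
            }
        }
        for agent, group in sorted(mapping.items())
    ]


def render_filebeat_yaml(processors):
    """Render the processors list as the YAML block for filebeat.yml.
    Hand-rendered to avoid a PyYAML dependency; scalar values are
    JSON-quoted, which is valid YAML for plain strings."""
    lines = ["processors:"]
    for proc in processors:
        cfg = proc["add_fields"]
        agent = json.dumps(cfg["when"]["equals"]["agent.name"])
        lines.append("  - add_fields:")
        lines.append("      when:")
        lines.append("        equals:")
        lines.append(f"          agent.name: {agent}")
        lines.append("      fields:")
        for key, value in cfg["fields"].items():
            lines.append(f"        {key}: {json.dumps(value)}")
        lines.append(f"      target: {json.dumps(cfg['target'])}")
    return "\n".join(lines) + "\n"


def get_path(doc, dotted):
    """Resolve a dotted field path such as 'agent.name' in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def apply_processors(alert, processors):
    """Simulate Filebeat's add_fields with a when.equals condition.
    Returns a new document; alerts from unmapped agents are left untouched."""
    doc = json.loads(json.dumps(alert))  # deep copy, original stays unchanged
    for proc in processors:
        cfg = proc["add_fields"]
        (field, expected), = cfg["when"]["equals"].items()
        if get_path(doc, field) != expected:
            continue
        # Filebeat's default target for add_fields is "fields"
        target = cfg.get("target", "fields")
        dest = doc if target == "" else doc.setdefault(target, {})
        dest.update(cfg["fields"])
    return doc


# Constructed sample alerts: one from a mapped agent, one from an unmapped agent.
SAMPLE_ALERTS = [
    {"agent": {"id": "001", "name": "clientA-agent"}, "rule": {"level": 3}},
    {"agent": {"id": "009", "name": "unknown-host"}, "rule": {"level": 3}},
]

if __name__ == "__main__":
    procs = build_filebeat_processors(AGENT_GROUP_MAP)
    print(render_filebeat_yaml(procs))
    for alert in SAMPLE_ALERTS:
        print(json.dumps(apply_processors(alert, procs)))
```

The generated YAML can be pasted into filebeat.yml as-is; the local simulation is only there to check expectations before restarting Filebeat, since an alert from an agent missing from the mapping silently gets no agent_group and would drop out of every group filter.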
The configuration looks like the following screenshot:
4. Testing and Validation
Then restart Filebeat:
sudo systemctl restart filebeat
Triggered an alert on the agent, then checked in Discover: agent_group was present and correctly populated.
5. Reindexing Historical Data
Alerts indexed before the change are not enriched by Filebeat. To enrich past alerts, reindex them through the add-agent-group ingest pipeline:
POST _reindex
{
  "source": {
    "index": "wazuh-alerts-2025.06.18"
  },
  "dest": {
    "index": "wazuh-alerts-2025.06.18-reindexed",
    "pipeline": "add-agent-group"
  }
}
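The reindex above refers to an ingest pipeline named add-agent-group, which has to exist in OpenSearch before the call. The post does not show its definition, so the following Python script is an added example, not the post's own pipeline: it builds the request body for PUT _ingest/pipeline/add-agent-group as a single script processor that looks the agent name up in a mapping passed as params (an assumed design that scales to many agents without one processor per agent), builds the matching _reindex body for an index, and mirrors the Painless logic in Python so the expected result can be checked offline. The mapping and the second index name are constructed.

```python
"""
Added example (not from the original post): build the request bodies for the
`add-agent-group` ingest pipeline that the reindex step refers to, and the
_reindex call that routes an old index through it. The script-processor
design is an assumption; the mapping below is constructed.
"""
import json

AGENT_GROUP_MAP = {  # constructed agent name -> client group mapping
    "clientA-agent": "clientA",
    "clientB-db01": "clientB",
}

# Painless source for the ingest script processor: look the agent name up in
# params.groups and set a root-level agent_group only on a match, so alerts
# from unmapped agents (or with no agent block) pass through unchanged.
PAINLESS_SOURCE = (
    "if (ctx.agent != null && ctx.agent.name != null "
    "&& params.groups.containsKey(ctx.agent.name)) { "
    "ctx.agent_group = params.groups[ctx.agent.name]; }"
)


def build_pipeline_body(mapping):
    """Body for: PUT _ingest/pipeline/add-agent-group"""
    return {
        "description": "Add agent_group from a static agent-name mapping",
        "processors": [
            {
                "script": {
                    "lang": "painless",
                    "params": {"groups": dict(mapping)},
                    "source": PAINLESS_SOURCE,
                }
            }
        ],
    }


def build_reindex_body(index, pipeline="add-agent-group", suffix="-reindexed"):
    """Body for: POST _reindex, writing <index><suffix> through the pipeline."""
    return {
        "source": {"index": index},
        "dest": {"index": index + suffix, "pipeline": pipeline},
    }


def simulate_pipeline(doc, mapping):
    """Python equivalent of the Painless logic, for checking expectations
    offline before running the reindex against real data."""
    out = json.loads(json.dumps(doc))  # deep copy
    agent = out.get("agent")
    name = agent.get("name") if isinstance(agent, dict) else None
    if name is not None and name in mapping:
        out["agent_group"] = mapping[name]
    return out


if __name__ == "__main__":
    print("PUT _ingest/pipeline/add-agent-group")
    print(json.dumps(build_pipeline_body(AGENT_GROUP_MAP), indent=2))
    print("POST _reindex")
    print(json.dumps(build_reindex_body("wazuh-alerts-2025.06.18"), indent=2))
    # Constructed historical alert that should gain agent_group.
    print(json.dumps(simulate_pipeline(
        {"agent": {"id": "002", "name": "clientB-db01"}}, AGENT_GROUP_MAP)))
```

Keeping the mapping in params means updating a client's agents is one PUT on the pipeline rather than an edit to every Filebeat host, and the same pipeline can later be attached to the live index as a default_pipeline so new and reindexed alerts are enriched by identical logic.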
6. Visualization in OpenSearch Dashboards
Created a new index pattern for the reindexed data
Verified agent_group in Discover
Built dashboards with filters by group
The enrichment is visible in the following screenshot of my home lab, taken after the pipelines were implemented:
Final Outcome
Thanks to this pipeline:
Alerts are automatically enriched with agent group data
Client-based filtering and visualization is now possible
The SOC can operate in true multitenant mode
Future Improvements
This pipeline can be extended to:
Handle hundreds of agents
Use external mapping files (JSON, YAML)
Apply advanced enrichment via OpenSearch scripting (Painless)
Conclusion
This project turned a technical limitation into an architectural opportunity.
By mastering data ingestion and enrichment, I made Wazuh + OpenSearch truly multitenant — ready for SOC-as-a-Service.
Data means nothing without context.
And context is what we build.
Follow me for more posts on cybersecurity, SOC engineering, and DevSecOps automation!
Here is my linkedin post related to this article —> https://www.linkedin.com/posts/yves-stanislas-adani_wazuh-socasaservice-multitenancy-activity-7341279532831674368-Y0T5?utm_source=share&utm_medium=member_desktop&rcm=ACoAADlkl3EB5_DFg8rmXKh81v-v_UYFaetVO-w
Written by

Yves Stanislas ADANI