Wazuh vs Open EDR®

Wazuh is a package that combines OSSEC and osquery on the agent and ELK on the server. They don’t have an EDR agent or any capability similar to what we call an EDR. Instead they just install the OSSEC and osquery agents, which communicate back to the management portal. They do not have any rules other than OSSEC rules, which are not EDR but HIDS. You also need to deploy all those server components separately and manage them yourself. OSSEC does its monitoring using Sysmon only, so you need to install that on top as well. It has no protection against the Sysmon driver being detected and unloaded. Many malware families can evade Sysmon-only monitoring, in our experience.

Open EDR is a full-blown EDR agent, like you would find in commercial products such as CrowdStrike and SentinelOne, and in our view OpenEDR is even better than the commercial ones you pay for. It has its own hooking and low-level I/O filter drivers. It can construct a full process execution tree and combine it with process/registry/file monitoring events. You can manage telemetry collection with Adaptive Event policies and extend it with alerting rules. While with Wazuh you are limited to filtering by Sysmon Event IDs in OSSEC rules, OpenEDR gives you extensive filter and collection rules. These rules can be managed dynamically with our Platform. OpenEDR also uses Xcitium Valkyrie to get verdicts on any unknown files using its Cloud Sandboxing and Verdict Engine, which is priceless, because you no longer have to analyze files; it gets done for you, for free (there is no such capability in Wazuh either).