
Detection & SIEM

Wazuh

Host-based detection events in the same conversation as the rest of your stack.

✦ built-in

Core platform capability - included with every plan. No third-party account, license, or API key required.

TRY ASKING:

  • “Summarize Wazuh alerts from the last 24 hours by severity.”
  • “Show high-severity Wazuh alerts from the last hour and the hosts they hit.”
  • “Which endpoints have a Wazuh agent that is offline or out of date?”
  • “Pull the Wazuh events around this host into the incident timeline.”

Kikimora connects to Wazuh so host-level alerts and agent health join your cloud, code, and edge findings in one conversational view.

Triage host detection events from one conversation

The capability covers the host-based detection layer: querying security events and alerts by time window and severity, checking agent coverage and health across your fleet, and pulling that context into an incident timeline. In Wazuh terms, severity is the rule level (0 to 15) attached to every alert, so a "high-severity" question is really a level-threshold question. Endpoint detection is often the signal that tells you an exposure was actually used, so having it next to your cloud and network findings turns scattered alerts into a coherent story.

Agent coverage is the quiet failure mode. A detection platform only sees the hosts that still have a healthy Wazuh agent reporting in, and the machine whose agent stopped is exactly the one you most want eyes on. Asking which agents are disconnected, have never connected, or are running an older release than the manager is as important as triaging the alerts themselves, and Kikimora treats both as ordinary questions you can ask in the same conversation as the rest of your stack.

What you can do

  • Query security events and alerts by time window and severity.
  • Check agent coverage and status across your fleet.
  • Pull Wazuh context into incident timelines.
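The three capabilities above, carried out offline as an added example (this is not Kikimora's code and not the Wazuh project's code). The alert lines are constructed in the field layout of Wazuh's alerts.json (timestamp, rule.level, rule.id, rule.description, agent.name) and the agent records in the layout of the manager's agent list (status, version, lastKeepAlive); the host names, the fixed reference time, the 15-minute staleness threshold and the level-to-band cut-offs are all assumptions of the example, not anything the page specifies.

```python
"""Offline triage of Wazuh-style alerts and agent health (added example).

Not Kikimora's or the Wazuh project's code. The alert lines are constructed in
the shape of Wazuh's alerts.json (one JSON object per line, rule.level 0-15);
the agent records are constructed in the shape of the manager's agent list.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed reference time so the time windows below are reproducible (assumption).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed alerts.json lines. Rule ids 5501/5712 are stock Wazuh rules; the
# 1002xx ids stand in for custom local rules (the user range starts at 100000).
ALERTS_JSON = """\
{"timestamp":"2024-05-01T09:15:02.000+0000","rule":{"level":5,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"web-01","ip":"10.0.1.10"}}
{"timestamp":"2024-05-01T10:40:11.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system."},"agent":{"id":"002","name":"db-01","ip":"10.0.2.20"}}
{"timestamp":"2024-05-01T11:02:45.000+0000","rule":{"level":12,"id":"100200","description":"Web shell written under document root."},"agent":{"id":"001","name":"web-01","ip":"10.0.1.10"}}
{"timestamp":"2024-04-28T23:59:00.000+0000","rule":{"level":14,"id":"100201","description":"Outbound reverse shell connection."},"agent":{"id":"003","name":"jump-01","ip":"10.0.3.30"}}
"""

# Constructed agent records (the manager's own entry 000 is omitted).
AGENTS = [
    {"id": "001", "name": "web-01",   "status": "active",          "version": "Wazuh v4.7.3", "lastKeepAlive": "2024-05-01T11:59:30Z"},
    {"id": "002", "name": "db-01",    "status": "active",          "version": "Wazuh v4.5.4", "lastKeepAlive": "2024-05-01T11:59:40Z"},
    {"id": "003", "name": "jump-01",  "status": "disconnected",    "version": "Wazuh v4.7.3", "lastKeepAlive": "2024-04-29T00:01:12Z"},
    {"id": "004", "name": "build-01", "status": "never_connected", "version": None,           "lastKeepAlive": None},
]
MANAGER_VERSION = "Wazuh v4.7.3"


def parse_alerts(text):
    """Parse newline-delimited alert JSON; attach a timezone-aware datetime."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        alert["_ts"] = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(alert)
    return alerts


def severity_band(level):
    """Map rule.level to a triage band. The cut-offs are this example's
    assumption; Wazuh's default ossec.conf mails alerts from level 12 up."""
    if level >= 12:
        return "critical"
    if level >= 7:
        return "high"
    return "low"


def summarize_alerts(alerts, now=NOW, window_hours=24, min_level=0):
    """Alerts inside (now - window, now] at or above min_level, grouped by
    band with the distinct hosts that raised them."""
    since = now - timedelta(hours=window_hours)
    summary = {}
    for alert in alerts:
        level = alert["rule"]["level"]
        if not (since < alert["_ts"] <= now) or level < min_level:
            continue
        entry = summary.setdefault(severity_band(level), {"count": 0, "hosts": set()})
        entry["count"] += 1
        entry["hosts"].add(alert["agent"]["name"])
    return {band: {"count": e["count"], "hosts": sorted(e["hosts"])} for band, e in summary.items()}


def host_timeline(alerts, host):
    """Every alert from one agent, oldest first, ready for an incident timeline."""
    rows = [(a["_ts"], a["rule"]["level"], a["rule"]["id"], a["rule"]["description"])
            for a in alerts if a["agent"]["name"] == host]
    return [(ts.isoformat(), level, rule_id, desc) for ts, level, rule_id, desc in sorted(rows)]


def _version_tuple(version):
    # "Wazuh v4.7.3" -> (4, 7, 3)
    return tuple(int(part) for part in version.split("v")[-1].split("."))


def agent_blind_spots(agents, manager_version=MANAGER_VERSION, now=NOW, stale_after_minutes=15):
    """Agents that cannot be trusted to report: not active, keepalive older
    than stale_after_minutes (threshold is an assumption), or running an older
    release than the manager. Returns {agent name: sorted list of flags}."""
    findings = {}
    for agent in agents:
        flags = set()
        if agent["status"] != "active":
            flags.add(agent["status"])
        if agent.get("lastKeepAlive"):
            last = datetime.fromisoformat(agent["lastKeepAlive"].replace("Z", "+00:00"))
            if now - last > timedelta(minutes=stale_after_minutes):
                flags.add("stale")
        if agent.get("version") and _version_tuple(agent["version"]) < _version_tuple(manager_version):
            flags.add("outdated")
        if flags:
            findings[agent["name"]] = sorted(flags)
    return findings


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS_JSON)
    print("last 24h by severity:", summarize_alerts(alerts))
    print("last hour, level >= 7:", summarize_alerts(alerts, window_hours=1, min_level=7))
    print("blind spots:", agent_blind_spots(AGENTS))
    for row in host_timeline(alerts, "web-01"):
        print("web-01:", *row)
```

Note that the jump-01 reverse-shell alert is older than the 24-hour window and so never appears in the summary, while the same host shows up in the blind-spot list as disconnected and stale: the two views have to be read together, which is the point the section makes.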

Things you might ask

  • “Summarize the high-severity Wazuh alerts from the last 24 hours and which hosts triggered them.”
  • “Which endpoints have a Wazuh agent that is offline, so we have blind spots in coverage?”
  • “Pull every Wazuh event around this host into the timeline for the incident I am building.”

Wazuh provides the host-level detection signal. Pair it with the Sentry integration, which adds application error and exception data, and with the built-in Network Scanner integration to confirm what is actually exposed on the host’s subnet, so detection, application, and exposure all sit in one conversation.

[ faq ]

Do I need to license or stand up Wazuh myself?

No. Wazuh is built in as a core platform capability. There is no separate account, license, or API key to manage. The detection layer is provided, and you query it conversationally.

How do I activate it?

It is included with every plan. There is nothing to procure. You ask about host events, alerts, or agent coverage and the agent answers.

Is querying alerts read-only?

Yes. Reviewing events, triaging alerts, and checking agent health are read operations. The integration surfaces detection data into conversation rather than changing your rules.

Can Wazuh alerts feed into an incident?

Yes. Host-level events fold into incident timelines alongside your cloud, code, and edge findings, so a single conversation holds the whole picture.