Filtering Security Data with the Wazuh Query Language (WQL)#

Introduction#

In the world of security monitoring, the ability to quickly find relevant information within vast amounts of data can mean the difference between preventing a breach and cleaning up after one. The Wazuh Query Language (WQL) transforms how security analysts interact with Wazuh, providing a powerful yet intuitive way to filter and analyze security data.

WQL brings several advantages:

🔍 Precise Filtering: Target exactly the data you need
⚡ Quick Analysis: Reduce time spent searching through logs
🎯 Focused Threat Hunting: Build complex queries for specific threats
📊 Better Visibility: Extract meaningful insights from raw data
🤝 User-Friendly Syntax: Easy to learn and use

Understanding WQL Fundamentals#

Basic Syntax Structure#

At its core, WQL follows a simple pattern:

1
fieldname operator value

Core Components#

Field Names: The data type you want to filter
Operators: How to compare the data
- Equality: =
- Inequality: !=
- Greater than: >
- Less than: <
- Like/Contains: ~
Values: The specific data you’re looking for
Separators: Combine queries with and, or
Grouping: Use parentheses () for complex logic

Where Can You Use WQL?#

1
flowchart TB
2
    subgraph "WQL-Enabled Dashboard Areas"
3
        A[Security Configuration Assessment]
4
        B[Endpoint Summary]
5
        C[MITRE ATT&CK Intelligence]
6
        D[Agent Inventory Data]
7
        E[Rule Management]
8
        F[Decoder Management]
9
        G[CDB List Management]
10
        H[Group Management]
11
    end
12

13
    subgraph "Query Types"
14
        Q1[Simple Queries]
15
        Q2[Compound Queries]
16
        Q3[API Queries]
17
    end
18

19
    Q1 --> A
20
    Q2 --> B
21
    Q3 --> C
22
    Q1 --> D
23
    Q2 --> E
24
    Q3 --> F
25
    Q1 --> G
26
    Q2 --> H
27

28
    style Q1 fill:#51cf66
29
    style Q2 fill:#4dabf7
30
    style Q3 fill:#ffd43b

Infrastructure Setup#

For our demonstrations, we’ll use:

Wazuh Server: Pre-built OVA 4.7.3 with all core components
Monitored Endpoints:
- Ubuntu 22.04.3 with Wazuh agent 4.7.3
- Windows 10 with Wazuh agent 4.7.3 (for multi-agent scenarios)

Practical Use Cases#

Use Case 1: Hunting Critical Vulnerabilities#

Scenario: Find all BusyBox vulnerabilities with severity greater than High.

Configuration#

Enable vulnerability detection on the Wazuh server:

1
<vulnerability-detector>
2
    <enabled>yes</enabled>
3
    <interval>5m</interval>
4
    <min_full_scan_interval>6h</min_full_scan_interval>
5
    <run_on_start>yes</run_on_start>
6
    <!-- Ubuntu OS vulnerabilities -->
7
    <provider name="canonical">
8
        <enabled>yes</enabled>
9
        <os>trusty</os>
10
        <os>xenial</os>
11
        <os>bionic</os>
12
        <os>focal</os>
13
        <os>jammy</os>
14
        <update_interval>1h</update_interval>
15
    </provider>
16
</vulnerability-detector>

Restart the Wazuh manager:

1
systemctl restart wazuh-manager

WQL Query#

Navigate to Modules > Vulnerabilities and use:

1
name ~ busybox and severity < High

Query Breakdown:

name ~ busybox: Find packages containing “busybox”
and: Combine conditions
severity < High: Only show Critical severity (less than High means more severe)

Understanding the Results#

1
flowchart LR
2
    subgraph "Query Components"
3
        F1[Field: name]
4
        O1[Operator: ~]
5
        V1[Value: busybox]
6

7
        F2[Field: severity]
8
        O2[Operator: <]
9
        V2[Value: High]
10
    end
11

12
    subgraph "Logic Flow"
13
        F1 --> O1 --> V1 --> AND
14
        F2 --> O2 --> V2 --> AND
15
        AND --> Result[Filtered Results]
16
    end
17

18
    style AND fill:#ffd43b
19
    style Result fill:#51cf66

Use Case 2: Multi-Criteria Agent Filtering#

Scenario: Find agents in the default group, exclude Windows10, and ensure they’re connected to node01.

Complex Query Construction#

1
( group = default and name != Windows10 ) and node_name = node01

Query Breakdown:

Parentheses group related conditions
First group: Agents in default group excluding Windows10
Second condition: Must be on node01

Query Logic Visualization#

1
flowchart TB
2
    subgraph "First Condition Group"
3
        C1[group = default]
4
        C2[name != Windows10]
5
        C1 --> AND1[AND]
6
        C2 --> AND1
7
    end
8

9
    subgraph "Second Condition"
10
        C3[node_name = node01]
11
    end
12

13
    AND1 --> AND2[AND]
14
    C3 --> AND2
15
    AND2 --> R[Final Result]
16

17
    style AND1 fill:#4dabf7
18
    style AND2 fill:#4dabf7
19
    style R fill:#51cf66

Use Case 3: MITRE ATT&CK Threat Intelligence#

Scenario: Find command-line tools used for Active Directory attacks.

Targeted Threat Hunting#

Navigate to Modules > MITRE ATT&CK > Intelligence > Software:

1
description ~ "Active Directory" and description ~ "command-line"

This query reveals tools like:

Mimikatz: Credential dumping
PsExec: Remote execution
BloodHound: AD reconnaissance
PowerSploit: PowerShell exploitation

Use Case 4: System Inventory Analysis#

Scenario: Monitor a Python 3 web server running on port 8888.

Setup Python Web Server#

Configure rapid inventory updates (for testing only):

1
<!-- /var/ossec/etc/ossec.conf on agent -->
2
<wodle name="syscollector">
3
    <disabled>no</disabled>
4
    <interval>1m</interval>
5
    <scan_on_start>yes</scan_on_start>
6
    <hardware>yes</hardware>
7
    <os>yes</os>
8
    <network>yes</network>
9
    <packages>yes</packages>
10
    <ports all="no">yes</ports>
11
    <processes>yes</processes>
12
</wodle>

Start the test server:

1
python3 -m http.server 8888

Multi-Aspect Queries#

1. Find Python 3 Packages:

1
name ~ python3 and version > 3.10

2. Locate Open Ports:

1
(local.port > 8000 and local.port < 9000) and state=listening

3. Identify Python Processes (via API):

1
GET /syscollector/001/processes?euser=root&name=python3

Use Case 5: Security Rules and Decoders#

Scenario: Find all Docker-related security rules and decoders.

API Console Queries#

Access Tools > API Console and run:

Find Docker Decoders:

1
GET /decoders/files?search=docker&status=enabled

Find Docker Rules:

1
GET /rules/files?search=docker&status=enabled

Advanced WQL Techniques#

Combining Multiple Conditions#

1
# Find high-severity vulnerabilities in web packages
2
(name ~ apache or name ~ nginx) and severity < Medium and status = Active
3

4
# Find agents offline for more than 24 hours
5
status = disconnected and last_keepalive < 24h and os.platform = linux

Using Wildcards and Patterns#

1
# Find all log4j related packages
2
name ~ log4j*
3

4
# Find IP addresses in specific range
5
ip ~ 192.168.1.*

Time-Based Queries#

1
# Find recent authentication failures
2
rule.id = 5503 and timestamp > now-1h
3

4
# Find vulnerabilities discovered this week
5
detection_time > now-7d and severity = Critical

WQL Best Practices#

1. Query Optimization#

1
flowchart LR
2
    subgraph "Inefficient"
3
        I1[Broad Search]
4
        I2[Multiple OR conditions]
5
        I3[No field specification]
6
    end
7

8
    subgraph "Efficient"
9
        E1[Specific Fields]
10
        E2[Indexed Values]
11
        E3[Logical Grouping]
12
    end
13

14
    I1 -->|Optimize| E1
15
    I2 -->|Optimize| E2
16
    I3 -->|Optimize| E3
17

18
    style I1 fill:#ff6b6b
19
    style I2 fill:#ff6b6b
20
    style I3 fill:#ff6b6b
21
    style E1 fill:#51cf66
22
    style E2 fill:#51cf66
23
    style E3 fill:#51cf66

2. Query Templates#

Create reusable query templates for common scenarios:

1
# Template: Find authentication anomalies
2
rule.groups ~ authentication and rule.level > 10 and agent.name = $AGENT_NAME
3

4
# Template: Compliance violations
5
rule.groups ~ compliance and (rule.gdpr = * or rule.pci_dss = *)
6

7
# Template: Network security events
8
rule.groups ~ network and (data.dstport < 1024 or data.srcip ~ 10.*)

3. Progressive Filtering#

Start broad and narrow down:

1
# Step 1: All vulnerabilities
2
severity = Critical
3

4
# Step 2: Add package filter
5
severity = Critical and name ~ kernel
6

7
# Step 3: Add time constraint
8
severity = Critical and name ~ kernel and detection_time > now-24h

Troubleshooting WQL Queries#

Common Issues and Solutions#

Issue 1: No Results Returned#

1
# Problem: Using wrong operator
2
name = *python*  # Won't work
3

4
# Solution: Use ~ for pattern matching
5
name ~ python

Issue 2: Case Sensitivity#

1
# Problem: Case mismatch
2
status = Active  # May not match "active"
3

4
# Solution: Check exact field values in suggestions
5
status = active

Issue 3: Complex Logic Errors#

1
# Problem: Incorrect grouping
2
group = default and name != Windows or node = node01
3

4
# Solution: Use parentheses
5
(group = default and name != Windows) or node = node01

Performance Considerations#

Query Efficiency Tips#

Use Indexed Fields: Queries on indexed fields are faster
Limit Time Ranges: Add time constraints when possible
Avoid Wildcards at Start: *pattern is slower than pattern*
Use Specific Values: Exact matches are faster than patterns

Query Performance Comparison#

Query Type	Performance	Example
Exact Match	⚡ Fastest	`agent.id = 001`
Prefix Match	🚀 Fast	`name ~ python*`
Contains	🏃 Moderate	`description ~ Active`
Complex Logic	🐢 Slower	Multiple nested conditions

Integration with Automation#

Scripted WQL Queries#

1
#!/usr/bin/env python3
2
import requests
3
import json
4

5
# Wazuh API configuration
6
API_URL = "https://wazuh-server:55000"
7
API_USER = "wazuh"
8
API_PASS = "wazuh"
9

10
def run_wql_query(endpoint, query):
11
    """Execute WQL query via Wazuh API"""
12

13
    response = requests.get(
14
        f"{API_URL}/{endpoint}?{query}",
15
        auth=(API_USER, API_PASS),
16
        verify=False
17
    )
18

19
    return response.json()
20

21
# Example: Find critical vulnerabilities
22
vulns = run_wql_query(
23
    "vulnerability/001",
24
    "severity=Critical&status=Active"
25
)
26

27
# Example: Find specific processes
28
processes = run_wql_query(
29
    "syscollector/001/processes",
30
    "name=python3&state=running"
31
)

Scheduled Query Reports#

1
#!/bin/bash
2
# Critical vulnerabilities check
3
echo "=== Critical Vulnerabilities ==="
4
curl -u wazuh:wazuh -k \
5
  "https://localhost:55000/vulnerability?severity=Critical&status=Active"
6

7
# Disconnected agents check
8
echo "=== Disconnected Agents ==="
9
curl -u wazuh:wazuh -k \
10
  "https://localhost:55000/agents?status=disconnected"
11

12
# Failed authentication summary
13
echo "=== Authentication Failures ==="
14
curl -u wazuh:wazuh -k \
15
  "https://localhost:55000/security/events?rule.id=5503&time_frame=24h"

Real-World Scenarios#

Incident Response Query Set#

1
# 1. Find compromised user accounts
2
rule.groups ~ authentication_failed and data.srcuser = $SUSPECTED_USER
3

4
# 2. Track lateral movement
5
rule.mitre.technique ~ T1021 and agent.ip ~ 192.168.*
6

7
# 3. Identify data exfiltration
8
rule.groups ~ network and data.bytes_out > 1000000
9

10
# 4. Detect privilege escalation
11
rule.groups ~ privilege_escalation or rule.mitre.technique ~ T1548

Compliance Monitoring#

1
# PCI DSS violations
2
rule.pci_dss ~ 10.* and rule.level > 7
3

4
# GDPR compliance checks
5
rule.gdpr ~ * and rule.groups ~ compliance
6

7
# HIPAA related events
8
rule.hipaa ~ 164.* and timestamp > now-24h

Future of WQL#

Upcoming Features#

Machine Learning Integration: Anomaly detection in queries
Natural Language Processing: Convert plain English to WQL
Query Optimization Engine: Automatic query performance tuning
Visual Query Builder: Drag-and-drop interface

Conclusion#

The Wazuh Query Language transforms security data analysis from a tedious task into an efficient, precise operation. By mastering WQL, security teams can:

🎯 Quickly identify threats in large datasets
📊 Generate meaningful reports with targeted queries
🔍 Perform deep investigations using complex filters
⚡ Reduce response times through efficient data retrieval
🤝 Collaborate better with shareable query templates

Start with simple queries and gradually build complexity as you become comfortable with the syntax. Remember, effective security monitoring isn’t about querying everything—it’s about querying the right things.

Key Takeaways#

Start Simple: Master basic syntax before complex queries
Use Suggestions: WQL provides helpful field suggestions
Leverage Operators: Choose the right operator for your need
Group Logically: Use parentheses for clear logic
Test Incrementally: Build complex queries step by step

Resources#

Master your security data with WQL. Query smarter, respond faster! 🚀