diff --git a/.vscode/settings.json b/.vscode/settings.json
index 057b1f1..2aa54dc 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -255,6 +255,7 @@
"sdkman",
"setfacl",
"setfattr",
+ "siem",
"slurm",
"spiffe",
"sshfs",
@@ -290,6 +291,7 @@
"userspace",
"vaultwarden",
"venv",
+ "wazuh",
"whalebrew",
"winget",
"wlan",
diff --git a/knowledge base/acronyms and abbreviations.md b/knowledge base/acronyms and abbreviations.md
index 5dd8006..e2f6e59 100644
--- a/knowledge base/acronyms and abbreviations.md
+++ b/knowledge base/acronyms and abbreviations.md
@@ -78,6 +78,7 @@
| RPM | RPM Package Manager | Package management system used by Linux distributions like Red Hat, (open)SuSE and Fedora |
| SAFE | Scaled Agile FramEwork | |
| SBOM | Software Bill Of Materials | See [SBOM at a Glance] |
+| SIEM | [Security Information and Event Management)][siem] | |
| SOPS | Secrets OPerationS | |
| SPIFFE | Secure Production Identity Framework for Everyone | |
| SQL | Structured Query Language | |
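Review bot: the link markup in the new SIEM row is unbalanced: `[Security Information and Event Management)][siem]` closes the link text with `)` instead of `]`, so the reference link will not resolve and the literal brackets will render inside the table cell. Change it to `[Security Information and Event Management][siem]`.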
@@ -131,6 +132,7 @@
[fish]: fish.md
[iac]: iac.md
[kubernetes]: kubernetes/README.md
+[siem]: siem.md
[ssh]: ssh.md
[sssd]: sssd.md
[terraform enterprise]: terraform%20enterprise.md
diff --git a/knowledge base/siem.md b/knowledge base/siem.md
index bd680a7..7d1c921 100644
--- a/knowledge base/siem.md
+++ b/knowledge base/siem.md
@@ -1,30 +1,19 @@
# Security information and event management
-## Table of contents
-
-1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
-1. [Sources](#sources)
-
-## TL;DR
## Further readings
- [Wazuh]
-## Sources
-
-All the references in the [further readings] section, plus the following:
-
-[further readings]: #further-readings
-
-[wazuh]: https://wazuh.com/
+[wazuh]: wazuh/README.md
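Review bot: after removing the TL;DR and Sources sections, the table of contents at `1. [Further readings](#further-readings)` has a single entry and the page body is only a link to `wazuh/README.md`; either drop the one-item table of contents or keep a `## TL;DR` heading with a one-line pointer to Wazuh so the page follows the same skeleton as the new `wazuh/README.md` added in this diff. Repointing `[wazuh]` from https://wazuh.com/ to the internal `wazuh/README.md` is fine, since that README lists the website under Further readings.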
diff --git a/knowledge base/wazuh.md b/knowledge base/wazuh.md
deleted file mode 100644
index e478f3e..0000000
--- a/knowledge base/wazuh.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# Wazuh
-
-Open source security platform.
-
-1. [TL;DR](#tldr)
-1. [Further readings](#further-readings)
- 1. [Sources](#sources)
-
-## TL;DR
-
-
-
-
-
-
-
-## Further readings
-
-- [Website]
-- [Github]
-
-### Sources
-
-
-
-
-
-
-
-[github]: https://github.com/wazuh/wazuh
-[website]: https://wazuh.com/
-
-
diff --git a/knowledge base/wazuh/README.md b/knowledge base/wazuh/README.md
new file mode 100644
index 0000000..60e6f11
--- /dev/null
+++ b/knowledge base/wazuh/README.md
@@ -0,0 +1,80 @@
+# Wazuh
+
+Open source security platform.
+Provides unified XDR and SIEM protection for endpoints and cloud workloads.
+
+1. [Components](#components)
+ 1. [Indexer](#indexer)
+ 1. [Server](#server)
+ 1. [Dashboard](#dashboard)
+ 1. [Agent](#agent)
+1. [Further readings](#further-readings)
+ 1. [Sources](#sources)
+
+## Components
+
+| Component | Type | Description |
+| --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Indexer | Central | Full-text search and analytics engine.
Indexes and stores alerts generated by the server. |
+| Server | Central | Analyzes data received from the agents.
Can set up in a cluster.
Manages the agents. |
+| Dashboard | Central | Web UI for data visualization and analysis.
Used to configure and monitor Wazuh. |
+| Agent | Endpoint | Installed on monitored endpoints (i.e.: laptops, servers, cloud instances, virtual machines).
Used for threat prevention, detection, and response. |
+
+Wazuh can also monitor agent-less devices (e.g: firewalls, switches, routers) via Syslog, SSH or APIs.
+
+
+
+### Indexer
+
+Stores data as JSON documents.
+
+_Indexes_ are collections of documents related to each other.
+The stored documents are distributed across multiple different _shards_.
+Shards are distributed on multiple nodes for redundancy.
+
+Different indices store different event types.
+
+| Index | Content | Notes |
+| ------------------ | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
+| `wazuh-alerts` | Alerts generated by the server | Created each time an event trips a rule with a high enough priority. |
+| `wazuh‑archives` | Events received by the server | Created whether or not events trip a rule. |
+| `wazuh‑monitoring` | Data related to the agent's status over time | Used by the web interface to show when individual agents are or have been _active_, _disconnected_, or _never connected_. |
+| `wazuh‑statistics` | Data related to the server's performance | Used by the web interface to show performance statistics. |
+
+One can interact with the indexer cluster using its REST API.
+
+### Server
+
+TODO
+
+### Dashboard
+
+TODO
+
+### Agent
+
+TODO
+
+## Further readings
+
+- [Website]
+- [Github]
+
+### Sources
+
+- [Documentation]
+
+
+
+
+
+
+
+[documentation]: https://documentation.wazuh.com/current/
+[github]: https://github.com/wazuh/wazuh
+[website]: https://wazuh.com/
+
+
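Review bot: the index names in the second table are inconsistent: `wazuh-alerts` uses an ASCII hyphen, while `wazuh‑archives`, `wazuh‑monitoring` and `wazuh‑statistics` use a non-breaking hyphen (U+2011), so copying those names into an indexer REST API query or an index pattern will silently match nothing; replace them with plain `-`. The rows of the components table also span several lines (for example the `| Server | Central |` row continues on `Can set up in a cluster.` and `Manages the agents. |`); markdown tables need one line per row, so use `<br>` inside the cell for the multi-sentence descriptions, and while there fix `Can set up in a cluster.` to `Can be set up in a cluster.` and `(i.e.: laptops, ...)` to `e.g.`, since those are examples rather than a definition. In the Indexer section, `Shards are distributed on multiple nodes for redundancy.` conflates distribution with redundancy: spreading primary shards over nodes spreads storage and query load, while redundancy comes from replica shards held on other nodes; one sentence distinguishing the two would make the section accurate. The Server, Dashboard and Agent sections are `TODO` placeholders, and the file ends with six empty lines before the link definitions plus two trailing blank lines; acceptable for a draft, but a markdown linter will flag the trailing blanks.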
diff --git a/knowledge base/wazuh/components and data flow.png b/knowledge base/wazuh/components and data flow.png
new file mode 100644
index 0000000..a8257ed
Binary files /dev/null and b/knowledge base/wazuh/components and data flow.png differ
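Review bot: `components and data flow.png` is added under `knowledge base/wazuh/` but nothing embeds it; the new `wazuh/README.md` in this diff contains no image reference, so either add `![Components and data flow](components%20and%20data%20flow.png)` near the Components section or drop the file to avoid an orphaned binary in the repository.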