Wazuh Detection Capabilities with Clickdetect, Opensearch PPL and Sigma Rules


Extending Wazuh detection capabilities with clickdetect, Opensearch PPL and Sigma Rules - Clickdetector | by Vinicius Morais | May, 2026 | Medium



Hey, souzo here. If you've ever wanted alerting rules that actually work in Wazuh without fighting OpenSearch's detection engine, this post is for you.

Repository: https://github.com/clicksiem/clickdetect

In this blog post I will guide you to:
- Install and configure OpenSearch PPL in an existing Wazuh environment
- Install and configure clickdetect
- Write OpenSearch PPL queries
- Write Sigma rules that compile to OpenSearch PPL
- Detect threats with your Wazuh data, extending Wazuh's detection capabilities

Introduction

After working many years with Wazuh and OpenSearch, I wanted some features that either don't exist yet or are too broken to work with.

OpenSearch has been working to turn its product into a complete SIEM with a detection engine, however... it's VERY buggy. I tested it several times with real data and always ended up with a corrupted index.

I looked into ElastAlert, but I didn't like its engine; I found the code and its maintenance too confusing. Also, why create a rules system when I can use the datasource's own query language? So instead of forking, I created my own solution.

I created ClickDetect to give security teams around the world an additional tool for generating alerts.

Architecture

Here's how all the pieces fit together:

[Architecture diagram: Wazuh -> OpenSearch indexer -> clickdetect -> webhooks]

Wazuh ships events into the OpenSearch indexer. Clickdetect queries the indexer using PPL (or compiled Sigma rules), evaluates the configured rules on a schedule, and fires alerts to your webhooks when a condition is met.

Clickdetect

Clickdetect is an alerting tool created to help you build your detection strategy on whatever datasource you want.

Clickdetect supports many datasources:
- ClickHouse (+Sigma)
- OpenSearch with OpenSearch PPL (+Sigma)
- Elasticsearch
- VictoriaLogs
- PostgreSQL
- Loki (+Sigma)
- Databricks

Clickdetect is multi-tenant by default; you can also specify the tenant in rules.

Sigma

Clickdetect (v1.4.0 at the time of writing) supports a Sigma backend. Check out the documentation: https://clickdetect.souzo.me/sigma/

OpenSearch & OpenSearch PPL

I created ClickDetect to work primarily with ClickHouse because, in my opinion, it is the better alternative: it offers excellent data compression, which directly impacts the price of SOC services. Furthermore, Wazuh's data is structured, so ClickHouse's JSON column makes more sense (my opinion).

But in this post I will show that it is also possible to use ClickDetect with OpenSearch.

PPL (Piped Processing Language)

OpenSearch PPL is used to search, filter, and analyze data in an easy and intuitive way. It is very similar to Loki's LogQL or Splunk's SPL.

This greatly increases the possibility of turning OpenSearch into a SIEM, instead of writing queries in the standard query DSL format.

Why not SQL?

If you want SQL, try ClickHouse or TigerData's PostgreSQL. PPL makes more sense in an OpenSearch environment.

Let's go!

Installing OpenSearch PPL in Wazuh

Following the documentation, we first need to install the SQL plugin (PPL ships as part of it): https://docs.opensearch.org/latest/sql-and-ppl/ppl/index/.

Your OpenSearch configuration and binaries live under /usr/share/wazuh-indexer/.
Change to that directory:

```shell
cd /usr/share/wazuh-indexer/
```

First, check whether the OpenSearch SQL plugin is already installed. It usually comes pre-installed with Wazuh.

```shell
./bin/opensearch-plugin list
```

If the plugin is not installed, install it:

```shell
bin/opensearch-plugin install opensearch-sql
```

Restart the Wazuh indexer:

```shell
systemctl restart wazuh-indexer
```

Now it's fully operational.

Installing and configuring clickdetect

Creating rules

The rule below fires whenever the Wazuh manager starts (Wazuh rule 502). It is written as a heredoc so that a fresh `id` is generated when the file is created:

```shell
mkdir -p rules/
cat > rules/manager_started.yml <<EOF
id: $(cat /proc/sys/kernel/random/uuid)
name: "Wazuh opensearch sigma test - Manager Started"
level: 10
size: ">0"
active: true
author:
- Vinicius Morais
group: base_rule
tags:
- base
rule: |-
  search source=wazuh-alerts-* | where rule.id='502' and `@timestamp` >= DATE_SUB(NOW(), INTERVAL 5 HOUR)
EOF
```

Note that this query looks back five hours while the detector below runs every five minutes, so unless the detector deduplicates, the same start event will match on every run for five hours. For a scheduled rule, keep the lookback close to the detector interval.

Creating a runner

You need to configure a runner: a file that configures the schedulers (detectors), the webhooks and the datasource.

For this example we will use "teams" as the webhook and configure the detector to run every 5 minutes.

runner.yml:

```yaml
datasource:
  type: opensearch-ppl
  url: https://127.0.0.1:9200
  username: wazuh
  password: wazuh-adm
  verify: false

webhooks:
  teams_alert:
    type: teams
    url: https://.webhook.office.com/...
    timeout: 10
    verify: false

detectors:
  my_detector:
    name: "5m interval"
    for: "5m"
    description: "detect rules with 5 min interval"
    rules:
    - "/app/rules/*"
    webhooks:
    - teams_alert
```

`verify: false` disables TLS certificate verification for both the indexer connection and the webhook. That is acceptable in a lab where the indexer still uses its self-signed certificate; in production, trust the indexer's CA and keep verification on. The runner also holds the indexer credentials in plaintext, so restrict the file's permissions.

Running

Now you can run it with Docker:

```shell
docker run -v ./runner.yml:/app/runner.yml -v...
```
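To make the two rule formats concrete, here is an added example of my own (it is not clickdetect's Sigma backend or HTTP client, and does not reproduce its field mapping) that compiles a small Sigma rule into a PPL query of the same shape as the `rule:` above, builds the request the SQL plugin's `/_plugins/_ppl` endpoint expects, and applies a clickdetect-style `size` condition to the response. It assumes the `wazuh-alerts-*` index, that Sigma field names already match the Wazuh document fields (`rule.id`, `agent.name`), and that the lookback window equals the detector interval; `SAMPLE_SIGMA` and `SAMPLE_RESPONSE` are constructed samples, and `post_ppl()` is a helper name of my choosing.

```python
"""Sigma -> OpenSearch PPL for a clickdetect-style rule, plus the request a detector
sends and the size check it applies. Added example, not clickdetect's own code."""
import base64
import json
import re
import ssl
import urllib.request

INDEX = "wazuh-alerts-*"  # assumption: Wazuh's default alert index pattern
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
_SAFE = re.compile(r"^[^'\\]*$")  # refuse quotes/backslashes rather than guess PPL escaping

SAMPLE_SIGMA = {  # constructed sample: the Sigma YAML already loaded into a dict
    "title": "Wazuh manager started outside the lab",
    "detection": {
        "selection": {"rule.id": "502"},
        "filter": {"agent.name|startswith": ["lab-", "test-"]},
        "condition": "selection and not filter",
    },
}
SAMPLE_RESPONSE = {  # constructed sample in the SQL plugin's PPL response shape
    "schema": [{"name": "rule.id", "type": "string"}], "datarows": [["502"]], "total": 1, "size": 1,
}

def _group(exprs, op):
    return exprs[0] if len(exprs) == 1 else "(" + f" {op} ".join(exprs) + ")"

def _literal(value):
    """Validate a Sigma value and render it as a PPL literal."""
    if isinstance(value, bool) or value is None:
        raise ValueError(f"unsupported Sigma value: {value!r}")
    if isinstance(value, (int, float)):
        return str(value)
    if not _SAFE.match(str(value)):  # the value becomes query text: no quote gets through
        raise ValueError(f"value {value!r} needs escaping this compiler does not do")
    return f"'{value}'"

def _predicate(key, value):
    """One `field|modifier: value` pair -> one PPL predicate; list values are OR-ed."""
    if isinstance(value, list):
        return _group([_predicate(key, v) for v in value], "or")
    field, _, mod = key.partition("|")
    f = field if _IDENT.match(field) else f"`{field}`"  # backticks for names like @timestamp
    if mod == "":
        return f"{f} = {_literal(value)}"
    if mod in ("contains", "startswith", "endswith"):
        _literal(value)  # validation only
        s = str(value)
        pat = {"contains": f"%{s}%", "startswith": f"{s}%", "endswith": f"%{s}"}[mod]
        return f"like({f}, '{pat}')"  # PPL like(): % and _ are wildcards
    raise ValueError(f"unsupported Sigma modifier: {mod}")

def _search(spec):
    """A named search: dict = AND of its pairs, list of dicts = OR of the dicts."""
    if isinstance(spec, list):
        return _group([_search(d) for d in spec], "or")
    return _group([_predicate(k, v) for k, v in spec.items()], "and")

def compile_sigma_to_ppl(sigma, window="5 MINUTE", index=INDEX):
    """Expand detection.condition into a PPL where-clause bounded to `window` of lookback."""
    det = sigma["detection"]
    searches = {k: v for k, v in det.items() if k != "condition"}
    out = []
    for tok in re.findall(r"\w+|\S", det["condition"]):
        if tok.lower() in ("and", "or", "not", "(", ")"):
            out.append(tok.lower())
        elif tok in searches:
            out.append(_search(searches[tok]))
        else:  # '1 of them' / 'all of sel*' are not handled here
            raise ValueError(f"unsupported condition token {tok!r}")
    # lookback == detector interval, so each scheduled run only sees new events
    return (f"search source={index} | where ({' '.join(out)}) "
            f"and `@timestamp` >= DATE_SUB(NOW(), INTERVAL {window})")

def ppl_request(query):
    """Path and JSON body of the PPL call (what curl or a detector sends)."""
    return "/_plugins/_ppl", json.dumps({"query": query})

def post_ppl(base_url, username, password, query, verify=True):
    """POST the query to a live indexer. verify=False is the runner's `verify: false`:
    it trusts any certificate, so use it only against a lab indexer."""
    path, body = ppl_request(query)
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.load(resp)

def should_alert(ppl_response, size=">0"):
    """Apply a clickdetect-style `size` condition ('>0', '>=5') to the hit count."""
    m = re.fullmatch(r"\s*(>=|<=|==|=|>|<)\s*(\d+)\s*", size)
    if not m:
        raise ValueError(f"bad size expression: {size!r}")
    total = ppl_response.get("total", len(ppl_response.get("datarows", [])))
    op, n = m.group(1), int(m.group(2))
    return {">": total > n, ">=": total >= n, "<": total < n, "<=": total <= n}.get(op, total == n)

if __name__ == "__main__":
    print(compile_sigma_to_ppl(SAMPLE_SIGMA), should_alert(SAMPLE_RESPONSE), sep="\n")
```

Running the file prints the compiled query and whether the sample response would alert; `post_ppl("https://127.0.0.1:9200", "wazuh", "wazuh-adm", query, verify=False)` sends a query to a lab indexer, which is the quickest way to check a PPL expression before putting it into a rule file. Quoting is deliberately strict: a Sigma value containing a quote is rejected rather than interpolated, because a rule file is query source and a careless rule can turn into a query injection against your own indexer.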

