Wazuh → CrowdStrike Falcon
Wazuh ↔ CrowdStrike Falcon: integration to migration path.
Wazuh deploys alongside Falcon first — file-integrity, configuration assessment and unified search land on every host while Falcon keeps owning prevention and detection. Only on a defined low-risk tier, with leadership sign-off, does Falcon then step back. No flag day, no forced re-credentialing, and every phase rolls back in minutes.
The honest exception is the headline: Wazuh is not an EDR and never replaces Falcon across your production estate. This is co-existence with scoped partial retirement — we say so up front, because the rest only matters if you can trust it.
The idea
Co-install first. Scope-retire last.
The topology that makes this zero-downtime: the Wazuh agent runs co-resident with the Falcon LightSensor on every host, with explicit cross-tool exclusions so Wazuh's file-integrity scans never churn on Falcon's channel-file directories and its active-response never targets the Falcon service. Falcon owns prevention, behavioural detection, RTR and OverWatch; Wazuh owns FIM-of-record, CIS/PCI assessment, vulnerability detection and arbitrary log decoding. That co-installed pair is both the overlap topology and the steady state on the majority of your estate.
The phases
Seven steps. Each one reversible.
Baseline & inventory
We map every endpoint by OS and kernel, its Falcon sensor version and policy, its CMDB role (CDE / internet-facing / dev / embedded), AV co-installs, and PCI/HIPAA scope. We also capture your current Falcon ingest baseline in dollars. Read-only — nothing changes.
Stand up Wazuh; canary agent
A Wazuh manager and indexer cluster goes live in your cloud (three nodes each, HA). The Wazuh agent lands on roughly 25 non-prod hosts beside Falcon, with cross-tool exclusions so its file-integrity scans never churn on Falcon's own directories.
Roll Wazuh to the full estate
The Wazuh agent reaches 100% of in-scope endpoints, co-resident with Falcon, in waves of 10 / 25 / 50 / 100% over roughly six weeks. Falcon keeps owning prevention, behavioural detection, and response throughout.
Ingest Falcon telemetry into Wazuh
Falcon detections (Event Streams API) and scoped raw telemetry (Falcon Data Replicator) decode into the Wazuh indexer, tagged with MITRE technique IDs and deduplicated against Wazuh's own rules within a sixty-second window. Wazuh becomes SIEM-of-record across Falcon and non-Falcon sources.
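The sixty-second deduplication described above, as an added illustration (this is not code from the page, from Wazuh or from CrowdStrike): a Falcon detection and a Wazuh alert for the same host and MITRE technique are merged into one finding when they arrive within 60 seconds of each other, while a later repeat outside the window stays a separate finding. The event dictionaries are constructed approximations of a Falcon Event Streams detection and a Wazuh alert, not the real schemas, and the field names are assumptions.

```python
"""Correlate Falcon detections with Wazuh alerts inside a 60-second window.

Added example, not part of the migration page or of Wazuh/CrowdStrike code.
The event shapes below are constructed approximations of an Event Streams
detection and a Wazuh alert; real schemas differ.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # page: dedup within a sixty-second window


@dataclass
class Finding:
    host: str
    technique: str        # MITRE ATT&CK technique ID, e.g. T1059.001
    ts: datetime
    sources: list = field(default_factory=list)


def from_falcon(event: dict) -> Finding:
    """Constructed Falcon-style detection: hostname, technique_id, ISO timestamp."""
    return Finding(host=event["hostname"].lower(),
                   technique=event["technique_id"],
                   ts=datetime.fromisoformat(event["timestamp"]),
                   sources=["falcon"])


def from_wazuh(alert: dict) -> Finding:
    """Constructed Wazuh-style alert: agent.name, rule.mitre.id list, timestamp."""
    return Finding(host=alert["agent"]["name"].lower(),
                   technique=alert["rule"]["mitre"]["id"][0],
                   ts=datetime.fromisoformat(alert["timestamp"]),
                   sources=["wazuh"])


def correlate(findings):
    """Merge findings that share (host, technique) and fall within WINDOW.

    Findings are processed in timestamp order. The first finding for a key
    anchors the window; anything for the same key within WINDOW of that anchor
    is folded into it (union of sources). A later finding outside the window
    opens a new anchor. Returns the deduplicated findings in emission order.
    """
    anchor_by_key = {}
    out = []
    for f in sorted(findings, key=lambda x: x.ts):
        key = (f.host, f.technique)
        anchor = anchor_by_key.get(key)
        if anchor is not None and f.ts - anchor.ts <= WINDOW:
            for s in f.sources:
                if s not in anchor.sources:
                    anchor.sources.append(s)
            continue
        merged = Finding(f.host, f.technique, f.ts, list(f.sources))
        anchor_by_key[key] = merged
        out.append(merged)
    return out


# Constructed sample input: two sources reporting the same technique on one
# host 45 seconds apart, a repeat two minutes later, and an unrelated host.
FALCON_EVENTS = [
    {"hostname": "WS-042", "technique_id": "T1059.001",
     "timestamp": "2024-05-01T12:00:00+00:00"},
    {"hostname": "srv-db-01", "technique_id": "T1003",
     "timestamp": "2024-05-01T12:01:00+00:00"},
]
WAZUH_ALERTS = [
    {"agent": {"name": "ws-042"}, "rule": {"mitre": {"id": ["T1059.001"]}},
     "timestamp": "2024-05-01T12:00:45+00:00"},
    {"agent": {"name": "ws-042"}, "rule": {"mitre": {"id": ["T1059.001"]}},
     "timestamp": "2024-05-01T12:02:00+00:00"},
]


def demo():
    """Run the correlation over the constructed sample and return the result."""
    findings = [from_falcon(e) for e in FALCON_EVENTS] + \
               [from_wazuh(a) for a in WAZUH_ALERTS]
    return correlate(findings)


if __name__ == "__main__":
    for f in demo():
        print(f.ts.isoformat(), f.host, f.technique, "+".join(f.sources))
```

Keying on host plus technique rather than on the raw message is what lets a Falcon detection and a Wazuh rule hit that describe the same activity collapse into one record; the merged finding keeps both source tags so an analyst can still see that Falcon and Wazuh independently agreed.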
Wazuh becomes FIM and SCA of record
Auditor-facing evidence flows from Wazuh: syscheck is your PCI 11.5 file-integrity evidence, SCA reports are your CIS/PCI compliance evidence. Falcon's FileWritten telemetry becomes corroborating, not primary. A QSA reviews a sample evidence packet before the cutover.
Define the retirement-eligible tier
Security leadership signs off a written allow-list of host roles eligible for scoped Falcon retirement — dev workstations, embedded appliances, isolated build runners. The CDE, internet-facing hosts, sensitive-data hosts, AD DCs and anything OverWatch monitors are explicitly excluded.
Scoped partial retirement only
Falcon is uninstalled from the allow-listed low-risk tier only, in 10%-per-week waves: Prevention Policy to detect-only, a 14-day soak, then maintenance-token uninstall. A free Microsoft Defender Antivirus baseline (ClamAV on Linux file servers) takes its place there. The rest of the estate keeps Falcon. There is no full retirement.
Feature parity
Where each tool genuinely leads.
| Capability | Wazuh | CrowdStrike Falcon | Parity |
|---|---|---|---|
| Endpoint event telemetry | syscollector + log decoders; Sysmon via logcollector (not kernel-native) | LightSensor kernel-mode process/network/image/registry/DNS | Partial |
| Prevention (NGAV / ML) | Signature AV only (ClamAV/Defender AV alongside) | Falcon Prevent — cloud-trained ML pre-execution | SaaS only |
| Behavioural detection content | Decoder/rule-driven (rules.xml), not behavioural kill-chain | Falcon Insight cloud behavioural detection | SaaS only |
| FIM-of-record (PCI 11.5) | syscheck — inotify/ReadDirectoryChangesW/FSEvents, whodata, report_changes | FileWritten telemetry, no FIM-of-record (QSA-skeptical) | OSS only |
| Security config assessment | SCA — CIS/PCI/HIPAA/NIST policy files, per-control pass/fail | Spotlight gives vuln context, not CIS scoring | OSS only |
| Vulnerability detection | Vulnerability Detection module (NVD/CVE, offline feed) | Falcon Spotlight (separately licensed, cloud) | Partial |
| Rootkit / posture scan | rootcheck scheduled scan | Behavioural detection, not a periodic posture scan | Partial |
| Application / cloud log decoding | decoders.xml (NGINX, Postgres, k8s audit, CloudTrail, Entra) | Host telemetry only; app/cloud logs out of scope | OSS only |
| Response (remote shell / isolation) | active-response script-on-match (block IP, kill PID) | RTR audited shell put/get/runscript/memdump; network containment | SaaS only |
| Threat hunting (managed) | Self-authored rules; no managed service | Falcon OverWatch 24/7 managed hunting | SaaS only |
| Identity protection | None (Keycloak risk auth covers app SSO only) | Falcon Identity Protection (DC Kerberos/NTLM enforcement) | SaaS only |
| Data retention | Self-hosted indexer ILM hot/warm/cold + S3 snapshot | FDR retention tier (vendor cloud, tier-priced) | At parity |
| RBAC / alert lifecycle | RBAC yes; no built-in case state machine (pair TheHive) | Native detection/incident state machine + RBAC | Partial |
| Linux/Unix/embedded coverage | Lightweight agent incl. older glibc, AIX/Solaris/HP-UX | Strong but narrower supported-kernel matrix | OSS only |
| Deployment & HA | Self-hosted (3+ manager, 3+ indexer nodes) | Falcon cloud-managed | Partial |
| Cost model | OSS free + self-host compute/storage | Per-endpoint per-SKU licensing | Partial |
What we're honest about
The caveats most vendors leave out.
Wazuh is not EDR — Falcon stays
Wazuh is file-integrity, configuration assessment, vulnerability detection and log analysis. It has no NGAV, no cloud-trained ML prevention, no behavioural kill-chain, and no kernel-mode visibility. Falcon Prevent, Insight, RTR and OverWatch have no honest OSS equivalent, so Falcon remains the prevention and detection source of record across your production estate. This is co-existence, not replacement.
Retirement is scoped to a low-risk tier only
The only Falcon retirement this path endorses is on a defined, signed-off tier of low-risk hosts. Losing Falcon Prevent, behavioural detection, RTR and OverWatch on those hosts is a real loss, partly offset by AppLocker/WDAC, rootcheck and restrictive egress. Any host in the CDE, any internet-facing host, and anything OverWatch monitors keeps Falcon. Allow-list creep is the common regret; change control and a CDE-owner veto guard against it.
active-response is not RTR
Falcon Real Time Response is a vendor-operated, audited remote shell. Wazuh active-response is a script-on-rule-match local action. They are not equivalent and we never position them as such. For read-only DFIR collection we add Velociraptor; for interactive exec, SSH/WinRM via a bastion — heavier, with no native audit transcript.
Self-hosting means you own uptime
Once Wazuh carries your compliance evidence pipeline, its availability is your responsibility — though Falcon prevention is unaffected if Wazuh is down. We run it HA: three-plus manager nodes, three-plus indexer nodes, S3-snapshot DR, a break-glass admin path and a documented recovery-time target. Managed, not just installed.
Why this beats a flag day
Reversible at every layer.
Every per-phase change rolls back in under 15 minutes: stop the Wazuh agent, disable the ingest consumer, flip reporting back, or reinstall Falcon from a pre-staged package. And before Falcon is removed from even one allow-listed host, that host runs at least 30 days of clean Wazuh telemetry under soak, with the Defender Antivirus baseline verified current. You are never betting the estate on one big cutover.
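The retirement gate described in the "Define the retirement-eligible tier" and "Scoped partial retirement only" phases and in the soak rule just above, as one added worked example (not code from the page or from any vendor): each host is checked against the hard exclusions (CDE, internet-facing, sensitive data, domain controller, OverWatch-monitored), the signed-off role allow-list, the 14-day detect-only soak, the 30-day clean Wazuh telemetry soak and the AV baseline check, and the hosts that pass are chunked into 10%-per-week waves. The host inventory, the role names and the field names are constructed assumptions; the thresholds are the page's own figures.

```python
"""Retirement-eligibility gate and wave planner for scoped Falcon retirement.

Added example, not part of the page or of any vendor tooling. The host
records are constructed; the thresholds encode the page's rules.
"""
from dataclasses import dataclass
from math import ceil

# Roles leadership signed off as retirement-eligible (the page's examples).
ALLOW_LISTED_ROLES = {"dev-workstation", "embedded-appliance", "build-runner"}
MIN_DETECT_ONLY_DAYS = 14    # Prevention Policy in detect-only before uninstall
MIN_CLEAN_WAZUH_DAYS = 30    # clean Wazuh telemetry under soak


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    in_cde: bool = False
    internet_facing: bool = False
    sensitive_data: bool = False
    domain_controller: bool = False
    overwatch_monitored: bool = False
    detect_only_days: int = 0
    clean_wazuh_days: int = 0
    av_baseline_current: bool = False   # Defender AV (or ClamAV) verified current


def rejection_reasons(h: Host) -> list:
    """Every reason a host may not retire Falcon; an empty list means eligible."""
    reasons = []
    # Hard exclusions: these hosts keep Falcon regardless of role or soak.
    if h.in_cde:
        reasons.append("in CDE")
    if h.internet_facing:
        reasons.append("internet-facing")
    if h.sensitive_data:
        reasons.append("sensitive-data host")
    if h.domain_controller:
        reasons.append("domain controller")
    if h.overwatch_monitored:
        reasons.append("OverWatch-monitored")
    # Allow-list and soak gates.
    if h.role not in ALLOW_LISTED_ROLES:
        reasons.append(f"role {h.role!r} not on allow-list")
    if h.detect_only_days < MIN_DETECT_ONLY_DAYS:
        reasons.append(f"detect-only {h.detect_only_days}d < {MIN_DETECT_ONLY_DAYS}d")
    if h.clean_wazuh_days < MIN_CLEAN_WAZUH_DAYS:
        reasons.append(f"clean Wazuh telemetry {h.clean_wazuh_days}d < {MIN_CLEAN_WAZUH_DAYS}d")
    if not h.av_baseline_current:
        reasons.append("AV baseline not verified current")
    return reasons


def classify(hosts):
    """Split hosts into eligible names and a name -> reasons map for the rest."""
    eligible, rejected = [], {}
    for h in hosts:
        reasons = rejection_reasons(h)
        if reasons:
            rejected[h.name] = reasons
        else:
            eligible.append(h.name)
    return eligible, rejected


def plan_waves(names, pct_per_week=10):
    """Chunk eligible hosts into weekly waves of at most pct_per_week percent."""
    if not names:
        return []
    size = ceil(len(names) * pct_per_week / 100)
    return [names[i:i + size] for i in range(0, len(names), size)]


# Constructed inventory: eleven soaked dev workstations plus edge cases.
HOSTS = (
    [Host(f"dev-ws-{i:02d}", "dev-workstation", detect_only_days=21,
          clean_wazuh_days=40, av_baseline_current=True) for i in range(1, 12)]
    + [
        Host("build-runner-03", "build-runner", detect_only_days=14,
             clean_wazuh_days=30, av_baseline_current=True),      # exactly at thresholds
        Host("dev-ws-12", "dev-workstation", detect_only_days=21,
             clean_wazuh_days=12, av_baseline_current=True),      # telemetry soak too short
        Host("build-runner-04", "build-runner", internet_facing=True,
             detect_only_days=30, clean_wazuh_days=60, av_baseline_current=True),
        Host("appliance-05", "embedded-appliance", detect_only_days=30,
             clean_wazuh_days=60, av_baseline_current=False),     # no AV baseline
        Host("web-01", "web-frontend", detect_only_days=30,
             clean_wazuh_days=60, av_baseline_current=True),      # role not allow-listed
        Host("dc-01", "domain-controller", domain_controller=True,
             overwatch_monitored=True),
    ]
)


def demo():
    """Classify the constructed inventory and plan its retirement waves."""
    eligible, rejected = classify(HOSTS)
    return eligible, rejected, plan_waves(eligible)


if __name__ == "__main__":
    eligible, rejected, waves = demo()
    for week, wave in enumerate(waves, start=1):
        print(f"week {week}: {', '.join(wave)}")
    for name, reasons in rejected.items():
        print(f"keep Falcon on {name}: {'; '.join(reasons)}")
```

The hard exclusions are evaluated before the role check so that a domain controller or OverWatch-monitored host is reported as excluded even if someone later adds its role to the allow-list; that ordering is the code-level counterpart of the CDE-owner veto the page describes.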
See which hosts can scope-retire — and which must keep Falcon.
A call with a senior security engineer. We map your estate by role and PCI scope, find the low-risk tier where Wazuh plus a free AV baseline is honestly sufficient, and tell you exactly where Falcon stays — before you commit to anything.
Map my migration →