Add Wazuh inbound custom integration

README.md

@@ -52,6 +52,7 @@ If you need help setting up a custom integration, you can create an [issue](http
 - [Tailscale](https://github.com/runZeroInc/runzero-custom-integrations/blob/main/tailscale/)
 - [Tanium](https://github.com/runZeroInc/runzero-custom-integrations/blob/main/tanium/)
 - [Ubiquiti Unifi Network](https://github.com/runZeroInc/runzero-custom-integrations/blob/main/ubiquiti-unifi-network/)
+- [Wazuh](https://github.com/runZeroInc/runzero-custom-integrations/blob/main/wazuh/)
 ## Export from runZero 
 - [Audit Log to Webhook](https://github.com/runZeroInc/runzero-custom-integrations/blob/main/audit-events-to-webhook/)
 - [Sumo Logic](https://github.com/runZeroInc/runzero-custom-integrations/blob/main/sumo-logic/)

docs/integrations.json

@@ -1,6 +1,6 @@
 {
-  "lastUpdated": "2026-05-21T17:58:30.540507Z",
-  "totalIntegrations": 37,
+  "lastUpdated": "2026-05-27T20:41:38.578027Z",
+  "totalIntegrations": 38,
   "integrationDetails": [
     {
       "name": "Moysle",
@@ -188,6 +188,12 @@
       "readme": "https://github.com/runZeroInc/runzero-custom-integrations/blob/main/sumo-logic/README.md",
       "integration": "https://github.com/runZeroInc/runzero-custom-integrations/blob/main/sumo-logic/custom-integration-sumo.star"
     },
+    {
+      "name": "Wazuh",
+      "type": "inbound",
+      "readme": "https://github.com/runZeroInc/runzero-custom-integrations/blob/main/wazuh/README.md",
+      "integration": "https://github.com/runZeroInc/runzero-custom-integrations/blob/main/wazuh/custom-integration-wazuh.star"
+    },
     {
       "name": "Manage Engine Endpoint Central",
       "type": "inbound",

wazuh/README.md

@@ -0,0 +1,45 @@
+# Custom Integration: Wazuh
+
+## runZero requirements
+
+- Superuser access to the [Custom Integrations configuration](https://console.runzero.com/custom-integrations) in runZero.
+
+## Wazuh requirements
+
+- Wazuh API endpoint reachable on port 55000 (for example: https://wazuh-manager.example.com:55000).
+- Wazuh API user credentials with permission to authenticate and read agent/syscollector data.
+
+## Steps
+
+### Wazuh configuration
+
+1. Confirm API access to your Wazuh manager endpoint over HTTPS on port 55000.
+2. Create or identify an API user with access to authentication, agents, and syscollector endpoints.
+3. Validate the credentials by testing an API login to /security/user/authenticate.
+
+### runZero configuration
+
+1. (OPTIONAL) - Make any necessary changes to the script to align with your environment.
+   - Modify API calls as needed to filter inventory data.
+   - Modify datapoints uploaded to runZero as needed.
+2. [Create the Credential for the Custom Integration](https://console.runzero.com/credentials).
+   - Select the type `Custom Integration Script Secrets`.
+   - Set `access_key` to your Wazuh hostname or IP (do not include protocol or port).
+   - Set `access_secret` to `username::password`.
+3. [Create the Custom Integration](https://console.runzero.com/custom-integrations/new).
+   - Add a Name and Icon for the integration (for example: wazuh).
+   - Toggle `Enable custom integration script` to input the finalized script.
+   - Click `Validate` to ensure it has valid syntax.
+   - Click `Save` to create the Custom Integration.
+4. [Create the Custom Integration task](https://console.runzero.com/ingest/custom/).
+   - Select the Credential and Custom Integration created in steps 2 and 3.
+   - Update the task schedule to recur at the desired timeframes.
+   - Select the Explorer you would like the Custom Integration to run from.
+   - Click `Save` to kick off the first task.
+
+### What's next?
+
+- You will see the task kick off on the [tasks](https://console.runzero.com/tasks) page like any other integration.
+- The task will update existing assets with the data pulled from the custom integration source.
+- The task will create new assets when there are no existing assets that meet merge criteria (hostname, MAC, etc).
+- You can search for assets enriched by this custom integration with the runZero search `custom_integration:wazuh`.

wazuh/config.json

@@ -0,0 +1 @@
+{ "name": "Wazuh", "type": "inbound" }