Wazuh 4.12.0 Is Here—and It Brings Major Innovations!

The long-awaited Wazuh 4.12.0 has officially been released, delivering significant improvements that are well worth exploring, especially if you manage system security or work with diverse architectures.
To begin with, this new version now supports ARM architectures across its core components. This greatly expands its potential use cases, particularly in environments that don’t rely exclusively on x86 hardware. It’s excellent news for those seeking greater flexibility in their infrastructure.
In addition, Wazuh has enhanced its threat intelligence capabilities. The platform now includes CTI (Cyber Threat Intelligence) references within CVE data, providing much richer context when evaluating vulnerabilities. It’s no longer just about knowing a problem exists—you now gain a clearer understanding of its severity and how best to address it.
Another key improvement is the integration of eBPF into the File Integrity Monitoring (FIM) module. This makes monitoring Linux endpoints more efficient and less resource-intensive—an especially welcome upgrade when managing multiple devices or working with limited resources.
One of the standout features in Wazuh 4.12.0 is the direct integration of Cyber Threat Intelligence (CTI) references into vulnerability detection results within the Wazuh dashboard. Essentially, whenever a vulnerability is detected, you’ll now see an automatically generated link (based on the CVE ID) that takes you straight to the Wazuh Vulnerability Explorer.
What does this mean for you? It means that not only will you be alerted to the existence of a problem, but you’ll also gain detailed information and external threat context. This allows for quicker and better-informed vulnerability assessments.
Moreover, the Wazuh CTI system is no lightweight feature. It aggregates vulnerability data from a wide range of sources—including operating system vendors and specialized databases—and consolidates them into a single, reliable repository. This saves you from hunting for information across multiple platforms and enables you to make more informed decisions directly from a unified dashboard.
One of the most exciting improvements in Wazuh 4.12.0 is that its File Integrity Monitoring (FIM) module now supports eBPF (Extended Berkeley Packet Filter). What does this mean? It means the system can now detect any changes to files and folders on monitored Linux endpoints in real time.
The major advantage of using eBPF is that it operates directly within the system kernel, enabling much faster event collection without relying on external tools like auditd. On top of that, the system can now tell you exactly which user and process made each modification—extremely useful for tracking who did what and when.
And if your system doesn’t support eBPF, no worries. Wazuh automatically switches to using auditd or inotify, ensuring that monitoring continues smoothly in most Linux environments.
If you prefer, you can also manually select which data source to use for identifying who made the changes. Just configure the <provider> field within the <whodata> block in the FIM configuration. If no provider is specified, Wazuh defaults to using auditd. For more details about how the eBPF mode works, you can check the official documentation.
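As an added illustration (not taken from the article or from the Wazuh project's own files), this ossec.conf fragment selects eBPF as the who-data provider for one monitored directory. The value names ebpf and audit follow the Wazuh documentation as the editor knows it, and /etc is a constructed example path; neither appears in the article above.

```xml
<ossec_config>
  <syscheck>
    <!-- Who-data settings for the FIM module (Wazuh 4.12 and later).
         <provider> chooses where user/process attribution comes from:
         "ebpf" uses the in-kernel eBPF collector, "audit" uses auditd.
         Value names are assumed from the Wazuh documentation.
         Leaving <provider> out keeps the auditd default described in the article,
         and on kernels without eBPF support Wazuh falls back to auditd or inotify. -->
    <whodata>
      <provider>ebpf</provider>
    </whodata>

    <!-- whodata="yes" turns on real-time monitoring with user and process
         attribution for this directory. /etc is a constructed example path. -->
    <directories whodata="yes">/etc</directories>
  </syscheck>
</ossec_config>
```

After changing the agent configuration, restart the Wazuh agent so the FIM module reloads the who-data settings.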
Good news for those working with diverse hardware: Wazuh now supports the ARM architecture across its core components—the manager, indexer, and dashboard. This means you can now install Wazuh on a much wider range of devices and platforms. It’s ideal if you’re operating in mixed environments or looking for greater flexibility in your infrastructure.
There’s also an update in the area of Security Configuration Assessment (SCA). Wazuh has released a new SCA policy specifically for Linux endpoints, replacing the older UNIX-based SCA policy. This new policy aligns with the latest CIS benchmark recommendations and expands coverage to assess configurations across a broader range of Linux distributions.
In short: better coverage and improved compliance support for your Linux systems. If you want more details, you can review all available SCA policies in the official documentation.
Wazuh continues to enhance its platform with increasingly comprehensive security features, helping protect IT infrastructures against ever-evolving threats. If you want to explore all the new features, improvements, and fixes included in version 4.12.0, you can check out the release notes and changelog for specific updates. And if you’d like to learn more about how Wazuh can help strengthen your infrastructure’s security—or if you need guidance on implementing it in your environment—don’t hesitate to contact us.