diff --git a/.env b/.env
index 988071e5d9bca06c7cab9099c61d216038486bb2..6a2efd0732e3a9ca6ef2afbe9bca1b48fb8fef76 100644
--- a/.env
+++ b/.env
@@ -20,4 +20,5 @@ clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
 
-wazuh_check_interval=300
\ No newline at end of file
+wazuh_check_interval=3600
+wazuh_rule_level=10
\ No newline at end of file
diff --git a/MANIFEST b/MANIFEST
index cfffdeccddecd56ab65f231a90eee39933e933e2..792acf171542f4b3cc3f7d6b38e6f51a2eb2b553 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1,2 +1,2 @@
-VERSION=v0.0.14
+VERSION=v0.0.15
 SERVICE=evidence-collector
diff --git a/README.md b/README.md
index 64ca89423c72f9880ade97c564d695e47c713260..5e0a791edebb49d683ea5f1036b47ced1d1c3537 100644
--- a/README.md
+++ b/README.md
@@ -103,7 +103,8 @@ All of the following environment variables have to be set (or passed to containe
 | `clouditor_oauth2_port` | Clouditor port used for authentication services. Default value `8080`. |
 | `clouditor_client_id` | Clouditor OAuth2 default id. Default value `clouditor`. |
 | `clouditor_client_secret` | Clouditor OAuth2 default secret. Default value `clouditor`. |
-| `wazuh_check_interval` | Interval in seconds; how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_check_interval` | Interval in seconds (rounded to a minute/60 second intervals); how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_rule_level` | Min. Wazuh rule severity level that is required for an event to be counted as a threat. |
 
 ### Medina resource ID mapping
 
diff --git a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
index 4814a24e472b524628ae6fa8a4298220092ffc7b..76b4c16853329f75bfc7dda710a9a2161ac0f186 100644
--- a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
+++ b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
@@ -22,4 +22,5 @@ data:
     clouditor_host: 'security-assessment-svc'
     clouditor_port: '9090'
 
-    wazuh_check_interval: '300'
\ No newline at end of file
+    wazuh_check_interval: '3600'
+    wazuh_rule_level: '10'
\ No newline at end of file
diff --git a/wazuh_evidence_collector/checker.py b/wazuh_evidence_collector/checker.py
index 6480d231bcd9a44a955c21a9e14af9aeba8cf070..13d4eef56372e113fb08c7be243a25d1de26772c 100644
--- a/wazuh_evidence_collector/checker.py
+++ b/wazuh_evidence_collector/checker.py
@@ -1,7 +1,11 @@
-from wazuh_evidence_collector.wazuh_client import WazuhClient
 import elasticsearch
 import urllib3
 from elasticsearch_dsl import Search
+import os
+from forward_evidence.resource_id_mapper import map_resource_id
+
+WAZUH_CHECK_INTERVAL = os.environ.get("wazuh_check_interval")
+WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))
 
 class Checker:
     def __init__(self, wc, es, logger):
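Review bot: Both new module-level settings are read without a default or validation, so a missing `wazuh_rule_level` makes `int(None)` raise a bare TypeError at import time, and a missing `wazuh_check_interval` stays None until the string concatenation in `check_security_events` fails. `WAZUH_CHECK_INTERVAL` is also kept as a raw string that is later spliced into the Elasticsearch date-math expression, so a non-numeric value reaches the query unchecked. Parsing both as integers up front fixes this, e.g. `WAZUH_CHECK_INTERVAL = int(os.environ.get("wazuh_check_interval", "3600"))` and `WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level", "10"))`, with the range bound then built as `f"now-{WAZUH_CHECK_INTERVAL}s"`. If the variables are meant to be mandatory, raise an error that names the missing variable instead of defaulting. The `Checker` class continues outside this hunk.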
@@ -106,3 +110,46 @@ class Checker:
         measurement_result = len(body['hits']['hits']) > 0
         
         return body, measurement_result
+
+
+    def check_security_events(self, agent):
+        query = {
+            "query": {
+                "bool": {
+                    "must": [
+                        {
+                            "match": {
+                                "agent.id": agent[0]
+                            }
+                        },
+                        {
+                            "range" : {
+                                "rule.level" : {
+                                    "gte" : WAZUH_RULE_LEVEL
+                                }
+                            }
+                        },
+                        {
+                            "range" : {
+                                "@timestamp" : { 
+                                    "gte" : "now-" + WAZUH_CHECK_INTERVAL + "s"
+                                }
+                            }
+                        }
+                    ]
+                }
+            }
+        }
+        
+        try:
+            body = self.es.search(index="wazuh-alerts-*", body=query)
+        except (elasticsearch.exceptions.ConnectionError, TimeoutError, urllib3.exceptions.NewConnectionError, 
+        		urllib3.exceptions.MaxRetryError) as err:
+            self.logger.error(err)
+            self.logger.error("Elasticsearch not available")
+
+            return None
+
+        self.logger.debug(map_resource_id(agent[1]) + " security events count: "  + str(len(body['hits']['hits'])))
+
+        return len(body['hits']['hits'])
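Review bot: The value returned at the end of `check_security_events` is `len(body['hits']['hits'])`, but the `search` call passes no `size`, so Elasticsearch returns at most its default page of 10 hits and `numberOfThreatsFound` can never exceed 10 however many alerts matched. Since only the number is used, the count API avoids fetching documents at all: `body = self.es.count(index="wazuh-alerts-*", body=query)` followed by `return body['count']`, with the debug line logging the same value. Separately, `agent.id` is filtered with `match`; a `term` clause would be the exact-match form if the field is mapped as a keyword, which is not visible here. The continuation line of the `except` tuple is indented with tabs while the surrounding code uses spaces.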
diff --git a/wazuh_evidence_collector/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py
index 4278cb1e02ea483b60afa190262f263dcaedcd28..37564e015985d41358c30dfbac100fb838401ac6 100644
--- a/wazuh_evidence_collector/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -1,4 +1,3 @@
-import json
 import os
 from wazuh_evidence_collector.wazuh_client import WazuhClient
 from elasticsearch import Elasticsearch
@@ -115,6 +114,8 @@ def generate_evidence(agent, checker):
     evidence, result_clamd_logs = checker.check_clamd_logs_elastic(agent)
     raw_evidence.append(evidence)
 
+    security_events_count = checker.check_security_events(agent)
+
     if result_syscheck and result_rootcheck and \
         (result_virus_total or (result_clamd_process and result_clamd_logs)):
         malware_protection = { "malwareProtection": { "enabled": True }}
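Review bot: The new `check_security_events` call is the only check here whose result is not added to `raw_evidence`, so the forwarded evidence will carry a threat count with none of the alert data that backs it. If the count is meant to be auditable, the checker method could return the response alongside the number, as the other checks do, and the call become `evidence, security_events_count = checker.check_security_events(agent)` followed by `raw_evidence.append(evidence)`. That needs a matching change to the return value in checker.py. `generate_evidence` starts and ends outside this hunk.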
@@ -122,7 +123,7 @@ def generate_evidence(agent, checker):
         malware_protection = { "malwareProtection": { "enabled": False }}
 
     # TODO: implement metrics
-    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": None})
+    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": security_events_count})
 
     # MalwareProtectionOutput
     evidence, result_alert_integration = checker.check_alert_integrations()
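Review bot: `numberOfThreatsFound` now receives whatever `check_security_events` returned, and that is None when Elasticsearch was unreachable, which a consumer cannot tell apart from the previous not-implemented placeholder. The `# TODO: implement metrics` comment above the changed line is also stale, since one of the two metrics is now filled in. I would replace it with `# TODO: implement daysSinceActive; numberOfThreatsFound is None when the Elasticsearch query failed`. `generate_evidence` continues outside this hunk.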