It was discovered today that @fpoulain laptop was compromised earlier this month. He requested that his ssh key is removed from all servers and I did that. There has been no Enough Wazuh alert this month and there is no indication that the attacker used the privileges gained on his laptop to do something. I will keep investigating and update this topic if anything suspicious is discovered.
To be continued