SIEM Implementation: Wazuh Threat Detection Lab

Project Overview

In this project, I deployed the Wazuh Security Information and Event Management (SIEM) platform to engineer a localized Security Operations Center (SOC). The primary objective was to establish centralized log aggregation, gain deep visibility into endpoint activities, and validate the system’s ability to detect and correlate common attack vectors in real-time.

1. Infrastructure Architecture

I hosted the Wazuh Manager on a Linux-based virtual machine to serve as the central correlation engine and log aggregator.

Manager Node: Linux (VirtualBox) hosting the analysis engine and Filebeat.
Interface: Accessed the Wazuh Dashboard (Kibana) via the host browser to visualize security events.

2. Endpoint Agent Configuration

I deployed the Wazuh Agent on a Windows 11 endpoint to capture system telemetry (Event Logs, File Integrity Monitoring). I utilized PowerShell automation to download the MSI installer and configure the agent to forward logs to the Manager’s IP address.

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.14.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='<IP ADDRESS>

NET START Wazuh

3. Service Verification & Handshake

Post-installation, I verified the Active status of the agent to ensure the encrypted channel between the Endpoint and the Manager was successfully established.

4. Attack Simulation

To validate the detection rules, I executed a manual brute-force attack against the Windows endpoint, generating multiple consecutive login failures.

Telemetry Analysis: Navigating to the “Security Events” dashboard, I observed an immediate spike in the “Authentication failures” metric. This confirmed that the endpoint was correctly parsing local Windows Event Logs and forwarding them to the SIEM in near real-time.

5. Forensic Event Drill-Down

A deep dive into the specific security alerts revealed the granularity of the data captured.

Key Outcomes

SOC Implementation: Successfully established a functional threat detection pipeline, confirming active agent status and secure log ingestion.
Incident Response: Validated the alert threshold logic by detecting a brute-force attempt immediately, triggering a high-severity notification.
Threat Visualization: Demonstrated the ability to use SIEM dashboards to reconstruct an attack timeline and identify specific threat vectors.

Forensics

Authors

Moustapha Antoine Mindaoudou

MSc Cybersecurity Student · Blue Team, GRC & eDiscovery

MSc Cybersecurity student. Translating technical threats into business resilience through Risk Management and Digital Forensics.

← Enron Dataset Processing Apr 5, 2025

No results found