
SIEM-Based Endpoint Detection Lab –
Wazuh & Sysmon
This project involved building a host-based security monitoring lab using the Wazuh SIEM and Sysmon, simulating how SOC analysts detect suspicious endpoint activity through telemetry collection, log analysis, and alerting.


CHALLENGES
A key challenge was configuring a reliable pipeline for collecting and forwarding detailed endpoint telemetry from a Windows system to the Wazuh manager on Ubuntu. Ensuring proper integration between Sysmon, the Wazuh agent, and the SIEM required careful setup and validation of log ingestion. Additionally, simulating realistic attack scenarios and mapping the generated alerts to relevant MITRE ATT&CK techniques required precise execution and analysis.

RESULTS
The lab successfully captured and analysed endpoint activity, including process execution, registry changes, and file creation events. Simulated attacks such as encoded PowerShell execution, registry persistence, and suspicious file drops were detected, with alerts generated and mapped to MITRE ATT&CK techniques. Log ingestion was validated, and a custom detection rule was implemented to identify suspicious file activity. The final setup provided a functional endpoint monitoring environment that supports detection, alerting, and investigation workflows typical of a Security Operations Centre.
Project Repository: https://github.com/Enowon/wazuh-sysmon-endpoint-detection-lab.git
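Concretely, the Sysmon to agent to manager pipeline and the custom detection rules described above come down to two configuration fragments: one on the Windows agent, one on the Ubuntu manager. The following is an added illustration written for this page, not configuration taken from the project repository. The Sysmon event-channel localfile block is the standard Wazuh agent setting; the custom rule IDs (100100 to 100102), the stock parent rule IDs 61603, 61613 and 61615 (Sysmon events 1, 11 and 13 in the Wazuh 4.x ruleset), the decoded field names and the directory patterns are assumptions to verify against the Wazuh version in use.

```xml
<!-- 1. Agent side (Windows): C:\Program Files (x86)\ossec-agent\ossec.conf
     Forward the Sysmon operational channel to the manager. Without this block
     the agent only reads the default Windows logs and nothing Sysmon writes
     reaches Wazuh, which is the usual cause of an empty Sysmon dashboard. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- 2. Manager side (Ubuntu): /var/ossec/etc/rules/local_rules.xml
     IDs 100000 and above are reserved for local rules. The if_sid parents are
     ASSUMED to be the stock Sysmon rules (61603 = event 1 process create,
     61613 = event 11 file create, 61615 = event 13 registry value set);
     confirm them in /var/ossec/ruleset/rules/0595-win-sysmon_rules.xml. -->
<group name="sysmon,local,">

  <!-- Encoded PowerShell: Sysmon event 1 from powershell.exe whose command line
       carries -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
       type="pcre2" gives case-insensitive matching via (?i). -->
  <rule id="100100" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\powershell(_ise)?\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}</field>
    <description>Sysmon: encoded PowerShell executed by $(win.eventdata.user)</description>
    <mitre>
      <id>T1059.001</id>
      <id>T1027</id>
    </mitre>
  </rule>

  <!-- Suspicious file drop: Sysmon event 11 creating an executable or script
       inside a user-writable staging directory (Temp, Downloads, Public, Desktop). -->
  <rule id="100101" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\(Temp|Downloads|Public|Desktop)\\.*\.(exe|dll|ps1|vbs|js|hta|bat|scr)$</field>
    <description>Sysmon: suspicious file drop $(win.eventdata.targetFilename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <!-- Registry persistence: Sysmon event 13 setting a value under a Run or
       RunOnce key in either the HKLM or HKCU hive. -->
  <rule id="100102" level="10">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)\\CurrentVersion\\(Run|RunOnce)\\</field>
    <description>Sysmon: Run-key persistence written by $(win.eventdata.image)</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>
</group>
```

After restarting the manager (`systemctl restart wazuh-manager`), paste a raw Sysmon JSON event captured from the agent into `/var/ossec/bin/wazuh-logtest` to confirm the decoder produces the `win.eventdata.*` fields the rules key on and that the expected local rule ID fires; doing this before running the attack simulations separates ingestion problems from rule-logic problems. The base64 length threshold in rule 100100 is deliberately low so that short test payloads still trigger it; raise it if benign tooling on the endpoint uses encoded commands.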
CONTACT
Reach out to discuss entry-level SOC roles, Internships, or cybersecurity collaborations
ceceenowon@gmail.com
+44 7823 742289
www.linkedin.com/in/faith-okonoboh
OKONOBOH