A complete, production-grade SIEM deployment using Wazuh — covering multi-platform agent deployment, real-time log collection, MITRE ATT&CK threat simulation, and security event analysis.
- Overview
- Architecture
- Prerequisites
- Installation
- Environment Setup
- Log Collection
- Threat Simulation
- Event Monitoring & Analysis
- Results Summary
- Screenshots
- Tech Stack
- Author
## Overview

This project demonstrates a full-lifecycle SIEM (Security Information and Event Management) deployment using Wazuh — a free, open-source security platform. The lab environment simulates real-world threat scenarios using the Atomic Red Team framework mapped to MITRE ATT&CK techniques.
| Objective | Status |
|---|---|
| Deploy Wazuh SIEM (All-in-One) | ✅ Complete |
| Multi-Platform Agent Deployment (Linux + Windows) | ✅ Complete |
| Real-Time Log Collection | ✅ Complete |
| MITRE ATT&CK Threat Simulation | ✅ Complete |
| Security Event Monitoring & Analysis | ✅ Complete |
| Compliance Mapping (PCI DSS, GDPR) | ✅ Complete |
## Architecture

```text
┌─────────────────────────────────────────────────────────────┐
│                   WAZUH SIEM ARCHITECTURE                   │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   ┌──────────────────────────────────────┐                  │
│   │         WAZUH MANAGER SERVER         │                  │
│   │           192.168.134.129            │                  │
│   │                                      │                  │
│   │  ┌──────────┐  ┌──────────────────┐  │                  │
│   │  │  Wazuh   │  │  Wazuh Indexer   │  │                  │
│   │  │ Manager  │  │   (OpenSearch)   │  │                  │
│   │  └──────────┘  └──────────────────┘  │                  │
│   │  ┌──────────────────┐                │                  │
│   │  │ Wazuh Dashboard  │                │                  │
│   │  │     (Web UI)     │                │                  │
│   │  └──────────────────┘                │                  │
│   └──────────────────────────────────────┘                  │
│                   ↑ Port 1514 (Encrypted)                   │
│       ┌──────────────────┬──────────────────┐               │
│       │                  │                  │               │
│       ▼                  ▼                  ▼               │
│   ┌────────┐       ┌────────────┐    ┌─────────────┐        │
│   │ Ubuntu │       │   Ubuntu   │    │  Windows 10 │        │
│   │ Server │       │   Clone    │    │  (FlareVM)  │        │
│   │ Agent  │       │  (linux)   │    │    Agent    │        │
│   └────────┘       └────────────┘    └─────────────┘        │
│  192.168.x.x      192.168.134.163    192.168.134.159        │
└─────────────────────────────────────────────────────────────┘
```
## Prerequisites

| Requirement | Details |
|---|---|
| Hypervisor | VMware Workstation / VirtualBox |
| OS (Manager) | Ubuntu 22.04 LTS (64-bit) |
| RAM | Minimum 8 GB (16 GB recommended) |
| Storage | Minimum 50 GB free |
| Network | NAT or Host-Only adapter |
| Internet | Required for package downloads |
## Installation

Boot your Ubuntu 22.04 VM in VirtualBox or VMware.

Open a terminal and execute the following command:

```bash
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh && \
sudo bash ./wazuh-install.sh -a
```

Note: the `-a` flag triggers an all-in-one installation, deploying:
- `wazuh-manager` — core threat analysis engine
- `wazuh-indexer` — Elasticsearch-compatible search & storage
- `wazuh-dashboard` — web-based visualization interface

Find the manager's IP address:

```bash
ip a
```

Note the IP (e.g., 192.168.134.129); you'll use it to access the dashboard.

Navigate to `https://<YOUR_IP>` in your browser. Accept the self-signed SSL warning and log in with the auto-generated credentials printed in the terminal output.
## Environment Setup

Make sure all three Wazuh services are running on the manager:

```bash
sudo systemctl start wazuh-manager
sudo systemctl start wazuh-indexer
sudo systemctl start wazuh-dashboard
```

On the cloned Ubuntu machine, run:

```bash
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.4-1_amd64.deb && \
sudo WAZUH_MANAGER='192.168.134.129' \
     WAZUH_AGENT_NAME='linux' \
     dpkg -i ./wazuh-agent_4.14.4-1_amd64.deb
```

Then start the agent:

```bash
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```

Open PowerShell as Administrator on the Windows machine:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.14.4-1.msi `
  -OutFile $env:tmp\wazuh-agent
msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.134.129'
NET START Wazuh
```

## Log Collection

```text
[Endpoint Agent] ──(encrypted, port 1514)──► [Wazuh Manager]
                                                    │
                                                    ▼
                                             [Wazuh Indexer]
                                                    │
                                                    ▼
                                          [Dashboard / Alerts]
```

Log sources monitored by default:
- Linux: `/var/log/auth.log`, `/var/log/syslog`, journald
- Windows: Windows Event Log (System, Security, Application)
To monitor an additional log file, edit `/var/ossec/etc/ossec.conf` on the manager and add a `<localfile>` block:

```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/custom-app.log</location>
</localfile>
```

Restart the Wazuh Manager after changes:

```bash
sudo systemctl restart wazuh-manager
```

## Threat Simulation

The Atomic Red Team tests are run on the monitored Ubuntu clone so the Wazuh agent records the activity. First install PowerShell Core there:

```bash
# Install PowerShell Core
sudo snap install powershell --classic
# Launch PowerShell
pwsh
```

Inside PowerShell:

```powershell
# Install the Atomic Red Team framework
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics
```

Then run the credential-access tests mapped to MITRE ATT&CK:

```powershell
# OS Credential Dumping — /etc/passwd & /etc/shadow
Invoke-AtomicTest T1003.008
# T1003.007 — Proc filesystem memory dump
Invoke-AtomicTest T1003.007
# T1003.006 — Additional credential tests
Invoke-AtomicTest T1003.006
```

## Event Monitoring & Analysis

Alerts raised during the simulation, grouped by MITRE ATT&CK tactic:

| Tactic | Alert Count |
|---|---|
| Defense Evasion | 19 |
| Privilege Escalation | 19 |
| Initial Access | 11 |
| Persistence | 11 |
| Credential Access | 2 |
| Standard | Controls Mapped |
|---|---|
| PCI DSS 2.2 | 209 events |
| PCI DSS 10.2.5 | 30 events |
| PCI DSS 10.2.2 | 7 events |
| GDPR IV_35.7.d | Mapped |
| GDPR IV_32.2 | Mapped |
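The tactic counts and the failed-login finding above come from the alerts the manager writes, one JSON object per line, to `/var/ossec/logs/alerts/alerts.json`. The following is an added Python 3 example (not part of this project) that reproduces that analysis offline: the sample alerts, IPs, timestamps and rule numbers are constructed for illustration, and `_alert`, `parse_alerts`, `count_by_tactic` and `failed_login_bursts` are hypothetical helper names.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime
FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # timestamp format Wazuh uses in alerts.json

def _alert(ts, agent, rid, level, desc, tactics, pci, srcip=None):
    # Build one alerts.json line carrying only the fields this example reads.
    a = {"timestamp": ts, "agent": {"name": agent}, "rule": {"id": rid, "level": level,
         "description": desc, "mitre": {"tactic": tactics}, "pci_dss": pci}}
    if srcip:
        a["data"] = {"srcip": srcip}
    return json.dumps(a)

# Constructed sample (invented IPs/times, illustrative rule ids); last line deliberately truncated.
SSH_FAIL = ("5716", 5, "sshd: authentication failed.", ["Credential Access"], ["10.2.4", "10.2.5"])
SAMPLE_ALERTS_JSON = "\n".join([
    _alert("2025-01-10T10:00:01.000+0000", "linux", *SSH_FAIL, "192.168.134.200"),
    _alert("2025-01-10T10:00:09.000+0000", "linux", *SSH_FAIL, "192.168.134.200"),
    _alert("2025-01-10T10:00:20.000+0000", "linux", *SSH_FAIL, "192.168.134.200"),
    _alert("2025-01-10T10:05:00.000+0000", "linux", *SSH_FAIL, "192.168.134.201"),
    _alert("2025-01-10T10:07:00.000+0000", "linux", "5402", 3, "Successful sudo to ROOT executed.",
           ["Privilege Escalation", "Defense Evasion"], ["10.2.5", "10.2.2"]),
    _alert("2025-01-10T10:08:00.000+0000", "FLAREVM", "60122", 5, "Logon failure - bad password.",
           ["Credential Access"], ["10.2.4", "10.2.5"], "192.168.134.200"),
    '{"timestamp": "2025-01-10T10:09:00.000+0000", "agent": {"name": "lin',
])

def parse_alerts(text):
    """One JSON object per line; a partial or corrupt line is skipped instead of aborting."""
    out = []
    for line in text.splitlines():
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return out

def count_by_tactic(alerts):
    """Alert count per ATT&CK tactic; a rule mapped to two tactics counts once under each."""
    return Counter(t for a in alerts for t in a["rule"].get("mitre", {}).get("tactic", []))

def failed_login_bursts(alerts, rule_ids=("5716", "60122"), threshold=3, window_s=60):
    """Source IPs with at least `threshold` failed-logon alerts inside any `window_s` seconds."""
    by_ip = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["timestamp"]):  # fixed-offset ISO stamps sort lexically
        if a["rule"]["id"] in rule_ids and "srcip" in a.get("data", {}):
            by_ip[a["data"]["srcip"]].append(datetime.strptime(a["timestamp"], FMT))
    return {ip for ip, ts in by_ip.items() if any(
        (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s
        for i in range(len(ts) - threshold + 1))}
```

On a real manager, replace `SAMPLE_ALERTS_JSON` with the contents of `alerts.json`; the truncated last line in the sample shows why the parser tolerates a partially written record.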
## Results Summary

| Capability | Result |
|---|---|
| Log Collection | ✅ Successfully collected from Linux & Windows agents |
| Agent Deployment | ✅ Ubuntu Clone + Windows 10 (FlareVM) |
| Threat Detection | ✅ MITRE ATT&CK T1003.008, T1003.007 detected |
| Alert Generation | ✅ 280+ alerts generated & visible in dashboard |
| Failed Login Detection | ✅ Multiple failed auth attempts captured |
| MITRE ATT&CK Mapping | ✅ Events mapped to ATT&CK techniques |
| File Integrity Monitoring | ✅ FIM events captured on Linux endpoint |
| Vulnerability Assessment | ✅ CVE detection active |
| Compliance (PCI DSS) | ✅ 42% score on CIS Ubuntu 22.04 Benchmark |
## Screenshots

All screenshots are organized in the `/screenshots` directory.

| # | Description |
|---|---|
| 01 | Ubuntu VM launched in VirtualBox |
| 02 | Wazuh website accessed |
| 03 | Installation documentation |
| 04 | Quickstart method selected |
| 05 | Installation command executed |
| 06 | Installation in progress |
| 07 | IP address retrieval |
| 08 | Dashboard login page |
| 09 | Installation credentials |
| 10 | IP address terminal output |
| 11 | VM cloning wizard |
| 12 | Wazuh services restarted |
| 13 | Linux agent installation |
| 14 | Clone of Ubuntu 64-bit created |
| 15 | Linux agent active in dashboard |
| 16 | Windows PowerShell agent install |
| 17 | Windows agent service started |
| 18 | Multi-platform agents confirmed |
| 19 | Activity generation on clone |
| 20 | Security events in dashboard |
| 21 | ossec.conf file location |
| 22 | Rules section in dashboard |
| 23 | Atomic Red Team website |
| 24 | PowerShell installed on Linux |
| 25 | Invoke-AtomicRedTeam installed |
| 26 | MITRE ATT&CK technique search |
| 27 | T1003.008 test prepared |
| 28 | T1003.008 test executed |
| 29 | Additional atomic tests run |
| 30 | MITRE ATT&CK alert count increase |
| 31 | Security events — new alerts |
| 32 | Authentication failure events |
| 33 | Event analysis summary |
| 34 | Detailed alert view |
| 35 | Compliance section (PCI DSS/GDPR) |
| 36 | Windows agent security events |
| 37 | Windows agent active status |
| 38 | MITRE ATT&CK heatmap |
| 39 | Vulnerability assessment module |
| 40 | File Integrity Monitoring (FIM) |
| 41 | Dashboard summary panel |
| 42 | Wazuh Manager logs |
| 43 | JSON event payload expanded |
| 44 | Discover view — event filtering |
| 45 | Final agents status — all active |
| 46 | Reporting section accessed |
| 47 | Security report preview |
| 48 | Final SIEM operational state |
| 49 | Concluding dashboard view |
## Author

Muhammad Ahmad, MS Cybersecurity, NUCES Islamabad

Advanced Network Security, Assignment No. 3. Submitted to: Dr. Zafar Iqbal. Student ID: 25I-7705

⭐ If this project helped you, give it a star! ⭐

Made with 🔒 for the cybersecurity community