This project demonstrates the design and implementation of a multi-endpoint Security Operations Center (SOC) home lab using Wazuh SIEM. The lab simulates a real-world enterprise environment where multiple systems are centrally monitored for security events, vulnerabilities, and system activity.
The primary objective of this project is to gain hands-on experience in SIEM operations, vulnerability management, and Blue Team practices.
- Gain centralized visibility across multiple endpoints
- Detect vulnerabilities using CVE-based analysis
- Monitor system and security events in real time
- Perform risk analysis and remediation
- Understand real-world SOC workflows
- System: Personal Computer
- Operating System: Ubuntu
- Components Installed:
  - Wazuh Manager
  - Wazuh Dashboard
- Role: Centralized log collection, analysis, and alerting
| Endpoint | Type | Purpose |
|---|---|---|
| Kali Linux (Primary Laptop) | Physical | Security learning and testing |
| Windows 11 Laptop | Physical | Real-world user activity monitoring |
| Kali Linux (Virtual Machine) | Virtual | Isolated testing environment |
All endpoints are configured with Wazuh agents to send logs and security events to the central server.
```bash
sudo apt update && sudo apt upgrade -y
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh
sudo bash ./wazuh-install.sh -a
```
After installation, access the dashboard:
```
https://<WAZUH_SERVER_IP>:443
Username: admin
Password: <generated>
```
Note: Self-signed certificate warnings are expected in local environments.
Steps:
- Open Wazuh Dashboard
- Navigate to Deploy New Agent
- Select endpoint operating system
- Enter Wazuh server IP
- Provide agent name
- Copy and run the generated command on the endpoint
- Start or restart the agent service
After a few moments, the agent status should appear as Active.
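A quick way to confirm the enrolment from the manager side, as an added example for this lab (not Wazuh project code): parse the agent list printed by the manager's `/var/ossec/bin/agent_control -l` tool and flag any enrolled endpoint that is not yet Active. The line layout the regex expects (`ID: 001, Name: host, IP: any, Active`) is an assumption about that tool's output, and the agent names and sample listing are constructed.

```python
"""Check which Wazuh agents are not Active by parsing `agent_control -l` output.

Added example for this lab, not Wazuh project code. Assumption: each agent is
printed as `ID: 001, Name: host, IP: any, Active`; the sample below is constructed."""
import re
import subprocess

# Constructed sample standing in for real `agent_control -l` output.
SAMPLE_AGENT_LIST = """\
Wazuh agent_control. List of available agents:
   ID: 000, Name: soc-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: kali-laptop, IP: any, Active
   ID: 002, Name: win11-laptop, IP: any, Disconnected
   ID: 003, Name: kali-vm, IP: any, Never connected
"""

AGENT_LINE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*(\S+),\s*(.+)$")


def parse_agent_list(text):
    """Return one dict (id, name, ip, status) per agent line; other lines are ignored."""
    agents = []
    for line in text.splitlines():
        m = AGENT_LINE.search(line)
        if m:
            agents.append({
                "id": m.group(1),
                "name": m.group(2).strip(),
                "ip": m.group(3),
                "status": m.group(4).strip(),
            })
    return agents


def not_active(agents):
    """Enrolled endpoints (the manager itself, ID 000, excluded) whose status is not Active."""
    return [a for a in agents if a["id"] != "000" and a["status"] != "Active"]


def live_agent_list(binary="/var/ossec/bin/agent_control"):
    """Run the real tool on the manager (needs root); not used by the sample run below."""
    return subprocess.run([binary, "-l"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for agent in not_active(parse_agent_list(SAMPLE_AGENT_LIST)):
        print(f"agent {agent['id']} ({agent['name']}) is {agent['status']}: check the service on the endpoint")
```

Agents reported as Disconnected or Never connected usually mean the service was not restarted after enrolment, or the manager IP/port 1514 is blocked between the endpoint and the server.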
Once agents are connected, Wazuh provides:
- Vulnerability Detection (CVE-based)
- System Information and Inventory
- MITRE ATT&CK Mapping
- Compliance Monitoring
- Security Alerts and Event Logs
- File Integrity Monitoring (FIM)
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
Insight: Regular system updates significantly reduce the attack surface.
Initial Vulnerabilities
| Severity | Count |
|---|---|
| Critical | 50 |
| High | 25 |
| Medium | 10 |
| Low | 0 |
Root Cause: Outdated Mozilla Firefox
Remediation: Updated Firefox to the latest version
Result: Vulnerability count significantly reduced
Insight: Outdated applications are a major security risk and require regular patch management.
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 0 |
| Low | 0 |
Cause: Vulnerable weasyprint package
Remediation: Package updated
Insight: Even isolated lab environments must be regularly patched.
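The per-severity tables above and the "one outdated package caused most of the Critical findings" pattern can be reproduced from exported findings. The following is an added example for this lab, not Wazuh project code: it counts findings per endpoint and severity, ranks the packages on an endpoint by how many Critical and High CVEs a single update would close, and shows the "after" table once that package is patched. The flat record layout (agent, cve, severity, package) is an assumption about how the findings were exported; the records, agent names and CVE ids are constructed placeholders.

```python
"""Triage Wazuh vulnerability findings: severity counts per endpoint and the
package whose update closes the most Critical/High CVEs.

Added example for this lab, not Wazuh project code. Assumption: findings were
exported as dicts with the keys agent, cve, severity, package. The sample
records below are constructed and the CVE ids are placeholders."""
from collections import Counter, defaultdict

SEVERITIES = ("Critical", "High", "Medium", "Low")

# Constructed sample export (placeholder CVE ids, not real advisories).
SAMPLE_FINDINGS = [
    {"agent": "win11-laptop", "cve": "CVE-0000-0001", "severity": "Critical", "package": "Mozilla Firefox"},
    {"agent": "win11-laptop", "cve": "CVE-0000-0002", "severity": "Critical", "package": "Mozilla Firefox"},
    {"agent": "win11-laptop", "cve": "CVE-0000-0003", "severity": "High", "package": "Mozilla Firefox"},
    {"agent": "win11-laptop", "cve": "CVE-0000-0004", "severity": "Medium", "package": "sample-tool"},
    {"agent": "kali-vm", "cve": "CVE-0000-0005", "severity": "High", "package": "weasyprint"},
]


def severity_counts(findings):
    """Per-endpoint table {agent: {'Critical': n, 'High': n, 'Medium': n, 'Low': n}},
    with every severity present (zero when absent), like the tables in this README."""
    table = defaultdict(lambda: {s: 0 for s in SEVERITIES})
    for f in findings:
        if f["severity"] in SEVERITIES:
            table[f["agent"]][f["severity"]] += 1
    return dict(table)


def remediation_targets(findings, agent):
    """Packages on one endpoint, best-first: most Critical CVEs, then High, Medium, Low.
    Returns [(package, {severity: count}), ...]."""
    per_pkg = defaultdict(Counter)
    for f in findings:
        if f["agent"] == agent:
            per_pkg[f["package"]][f["severity"]] += 1
    ranked = sorted(
        per_pkg.items(),
        key=lambda item: tuple(item[1][s] for s in SEVERITIES),
        reverse=True,
    )
    return [(pkg, dict(counts)) for pkg, counts in ranked]


def apply_remediation(findings, agent, package):
    """The 'after' picture once a package is updated: its findings on that endpoint drop out."""
    return [f for f in findings if not (f["agent"] == agent and f["package"] == package)]


if __name__ == "__main__":
    for agent, counts in severity_counts(SAMPLE_FINDINGS).items():
        print(agent, counts)
    target, closes = remediation_targets(SAMPLE_FINDINGS, "win11-laptop")[0]
    print(f"update {target!r} first on win11-laptop, closes {closes}")
    print(severity_counts(apply_remediation(SAMPLE_FINDINGS, "win11-laptop", target)))
```

Ranking by package rather than by individual CVE is what turns a long list of findings into one remediation action, which is exactly what happened with the Firefox update above.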
- Centralized monitoring improves endpoint visibility
- CVE-based detection helps prioritize risks
- Regular patching reduces the attack surface
- User endpoints typically carry the highest risk
- Virtual environments also require continuous security maintenance
- Wazuh SIEM Deployment and Configuration
- Vulnerability Management
- CVE Analysis and Remediation
- Endpoint Monitoring and Log Analysis
- Linux System Administration
- Security Operations (SOC)
- Blue Team Practices
Medium Article:
```
wazuh-soc-home-lab/
│
├── README.md
├── architecture/
├── screenshots/
└── docs/
```
- Add Active Response use cases
- Integrate additional endpoints
- Simulate attack scenarios (Brute force, Malware, etc.)
- Deploy Wazuh in cloud environment
- Create automated incident response workflows
Santhoshkumar
Cybersecurity Enthusiast | Red & Blue Team Learner | SOC & Security Analyst Aspirant
wazuh siem soc blueteam cybersecurity homelab vulnerability-management