raghv.dev
Lab
June 7, 2026

Building My Home SOC Lab: Wazuh SIEM from Scratch

How I built a fully functional SOC environment at home using Wazuh as the SIEM, with custom detection rules, dashboards, and alert pipelines.

Overview

This lab documents how I deployed Wazuh in my home lab to simulate a real SOC environment. The goal: build detection pipelines I could break and fix myself.

Architecture

My home lab runs on a mini PC with 32GB RAM hosting multiple VMs via VMware Workstation:

  • DC-01: Windows Server 2022 — Active Directory domain controller
  • WEB01: Ubuntu 22.04 — Simulated web server
  • KALI01: Kali Linux — Attacker machine
  • WAZUH01: Ubuntu 22.04 — Wazuh Manager + Kibana

Wazuh is an open-source SIEM combining log analysis, intrusion detection, vulnerability detection, and compliance monitoring in one platform.

Wazuh Installation

```bash
# Fetch the Wazuh 4.7 all-in-one installer and run it; -a installs the
# manager, indexer and dashboard together on this single host
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash ./wazuh-install.sh -a
```

Deploying Agents

On Windows endpoints:

```powershell
# Download the 4.7.0 agent MSI, then install it pointed at the manager's address
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec /i wazuh-agent.msi WAZUH_MANAGER='192.168.1.100'
```

Custom Detection Rule: SSH Brute Force

```xml
<!-- Goes in /var/ossec/etc/rules/local_rules.xml on the manager; Wazuh only loads
     rules that sit inside a <group> element, so the wrapper is required -->
<group name="local,syslog,sshd,">
  <!-- Fire once stock rule 5716 (sshd: authentication failed) has matched
       5 times within a 60-second window -->
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <description>SSH brute force attack detected</description>
    <mitre>
      <id>T1110.001</id>
    </mitre>
  </rule>
</group>
```

Always test rules in a staging environment first. A misconfigured rule firing at level 15 (Wazuh's highest severity) will flood your alert queue and drown out real threats.
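To reason about what the frequency/timeframe attributes on rule 100001 actually do before shipping the rule, it helps to model the correlation outside the manager. The script below is an added example, not code from the post or from the Wazuh project: it re-implements the "N matches within T seconds" sliding window in Python and runs it over a few constructed sshd auth.log lines. The regex approximates the fields Wazuh's sshd decoder extracts for the events rule 5716 matches, and the count/timeframe handling is a simplification (Wazuh's exact off-by-one semantics for `frequency` and its post-fire suppression are documented per version and are not reproduced here). The `same_source_ip` switch models the real `<same_source_ip />` rule option, which the rule as written does not use.

```python
"""Model of a Wazuh frequency/timeframe rule over constructed sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: this regex stands in for the sshd decoder's extraction of the
# "authentication failed" events that stock rule 5716 matches.
SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port \d+"
)

# Constructed sample auth.log excerpt: one stale failure, a burst from one host,
# a single failure from a second host, and unrelated noise lines.
SAMPLE_LOG = """\
Jun  7 10:00:01 web01 sshd[2101]: Failed password for root from 192.168.56.102 port 50122 ssh2
Jun  7 10:00:05 web01 sshd[2102]: Accepted publickey for deploy from 192.168.56.10 port 50130 ssh2
Jun  7 10:01:10 web01 sshd[2105]: Failed password for invalid user admin from 192.168.56.102 port 50140 ssh2
Jun  7 10:01:12 web01 sshd[2106]: Failed password for invalid user admin from 192.168.56.102 port 50141 ssh2
Jun  7 10:01:15 web01 sshd[2107]: Failed password for invalid user admin from 192.168.56.102 port 50142 ssh2
Jun  7 10:01:18 web01 sshd[2108]: Failed password for invalid user oracle from 192.168.56.77 port 41000 ssh2
Jun  7 10:01:20 web01 sshd[2109]: Failed password for root from 192.168.56.102 port 50143 ssh2
Jun  7 10:01:25 web01 sshd[2110]: Failed password for root from 192.168.56.102 port 50144 ssh2
Jun  7 10:01:30 web01 cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
Jun  7 10:01:40 web01 sshd[2111]: Failed password for root from 192.168.56.102 port 50145 ssh2
"""


def _parse_ts(ts: str) -> datetime:
    # syslog timestamps carry no year; only relative distances matter here
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def correlate(log_text: str, frequency: int = 5, timeframe: int = 60,
              same_source_ip: bool = False) -> list:
    """Return one alert per burst of `frequency` matches inside `timeframe` seconds.

    With same_source_ip=False every matching event shares one window, which is
    what rule 100001 does as written. With True, each source IP gets its own
    window, mirroring the <same_source_ip /> option.
    """
    windows = defaultdict(deque)  # window key -> deque of (datetime, raw ts, srcip, user)
    alerts = []
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.match(line)
        if not m:
            continue  # not a 5716-style event, so the correlation rule never sees it
        when = _parse_ts(m.group("ts"))
        key = m.group("srcip") if same_source_ip else "*"
        win = windows[key]
        win.append((when, m.group("ts"), m.group("srcip"), m.group("user")))
        # Drop events that fell out of the timeframe relative to the newest one
        while (when - win[0][0]).total_seconds() > timeframe:
            win.popleft()
        if len(win) >= frequency:
            alerts.append({
                "rule_id": 100001,
                "level": 10,
                "fired_at": m.group("ts"),
                "count": len(win),
                "srcips": {e[2] for e in win},
                "users": {e[3] for e in win},
            })
            win.clear()  # simplification: start a fresh window after firing
    return alerts


if __name__ == "__main__":
    print("rule as written:", correlate(SAMPLE_LOG))
    print("with same_source_ip:", correlate(SAMPLE_LOG, same_source_ip=True))
```

Running it shows the tuning question the rule leaves open: without a source-IP constraint the fifth failure at 10:01:20 fires the rule even though one of the five came from a different host, while per-source grouping waits for the fifth failure from 192.168.56.102 at 10:01:25. The stale 10:00:01 failure never counts because it is more than 60 seconds older than the burst; widening `timeframe` to 120 would pull it back in.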

Key Takeaways

  • Wazuh decoder pipeline and writing custom decoders
  • Alert tuning to reduce Windows event log noise
  • Mapping detections to MITRE ATT&CK
  • Building Kibana dashboards for SOC reporting

Next Steps

Currently integrating Suricata as a network IDS and feeding its alerts into Wazuh for correlated host + network detections.

Tags: wazuh, siem, homelab, detection, linux