One of the most valuable things you can build in a home lab is a working SIEM. Wazuh is free, open source, and genuinely enterprise-grade — the same platform used in real SOC environments. This walkthrough takes you from a blank VM to your first real security alert. 💻 WHAT YOU’LL NEED - A hypervisor (Proxmox, VirtualBox, or VMware) - Wazuh Server VM: Ubuntu 22.04 LTS, minimum 4GB RAM, 2 vCPUs, 50GB disk - Windows 10 VM: your monitored endpoint (agent machine) - Both VMs on the same internal network 🛠️ PART 1: INSTALL THE WAZUH SERVER Step 1 — Boot your Ubuntu VM and run updates: sudo apt update && sudo apt upgrade -y Step 2 — Download and run the Wazuh installer: curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh sudo bash wazuh-install.sh -a The -a flag installs the full stack: Wazuh Manager, Indexer, and Dashboard. This takes 10–15 minutes. Step 3 — Once complete, the installer will display your admin credentials. SAVE THESE. They won’t be shown again. Step 4 — Access the Wazuh Dashboard by opening a browser and navigating to: https://[your-ubuntu-vm-ip] Log in with the admin credentials from Step 3. You should see the Wazuh dashboard — empty for now, but that’s about to change. 📲 PART 2: ENROL YOUR WINDOWS VM AS AN AGENT Step 1 — In the Wazuh Dashboard, click “Agents” then “Deploy new agent” Step 2 — Select Windows as the OS, enter your Wazuh server IP, give the agent a name (e.g. “WIN10-LAB”) Step 3 — Copy the generated PowerShell command and run it on your Windows VM as Administrator. It will download and install the Wazuh agent, then register it back to your server automatically. Step 4 — Start the agent service on Windows: Net start WazuhSvc Step 5 — Back in the dashboard, refresh the Agents page. Your Windows VM should now show as Active. 🎉 🚨 PART 3: TRIGGER YOUR FIRST REAL ALERT Now for the fun part. Let’s make something happen.

Let me tell you about the alert that changed the way I approach triage. It was a Tuesday night shift. The queue had 47 open alerts and this one kept getting pushed to the bottom. It looked boring. Severity: Low. Rule: "Repeated failed login attempts — internal host." Same thing that fires a hundred times a week across the environment. Most of them are users who forget their passwords after a long weekend. So it sat there. For six hours. When I finally opened it, something felt off. The failed logins weren’t from a user workstation. They were coming from a server in the DMZ — a web application server that had no business authenticating against internal Active Directory accounts. And the account it was hammering? A service account. Not a user. Service accounts don’t forget their passwords. I pulled the raw logs. 847 failed attempts in 40 minutes against 12 different service accounts. Methodical. Sequential. Not random. This wasn’t a lockout. This was credential stuffing — someone had foothold on that web server and was quietly trying to move laterally into the domain. We isolated the server within the hour. Forensics found a PHP webshell that had been sitting there for 11 days. ELEVEN DAYS. The initial access had flown completely under the radar. What tipped us off wasn’t a flashy alert — it was a boring, low-severity, easy-to-skip log that one tired analyst almost ignored for an entire shift. 💡 THE LESSONS I TOOK FROM THIS: ✅ Low severity ≠ low importance. Context is everything. Always ask: does this behaviour make sense for this asset? ✅ Know your environment. That alert only stood out because I knew DMZ servers shouldn’t be touching AD auth. Asset knowledge is a superpower. ✅ Service accounts behaving like users is always suspicious. They don’t fat-finger passwords. ✅ Alert fatigue is a real threat. If your queue is so full that low-severity alerts sit for 6 hours, your detection strategy needs review — not just your analysts. ✅ The attacker’s best friend is the alert nobody investigates. Don’t give them that gift.

G'day legends! Sunday's here — and the question is, are you going out with a bang or leaving reps on the table? 💪 Before the week fires back up, it's worth taking five to reflect on what you've learned, what you've built, and what's waiting for you Monday morning. I'll go first: Wrapping up the weekend with a focus on threat actor attribution — specifically mapping TTPs from the SAP RCE CVE we've been dissecting back to known APT behaviours in MITRE ATT&CK. It's one thing to patch a vuln, it's another to understand who might be exploiting it and why. Your turn — drop below: 🏁 What did you actually get done this weekend? 🧠 What's one thing that clicked for you this week? 🔭 What's your focus heading into next week? ⚡ Any wins — big or small — worth shouting out? Sunday reps count double. Finish strong 🔐 — @Aussie Mr Cyber