From Lab to Analyst: How I Built a Complete SOC Home Lab Using Wazuh and Kali Linux + Video

Listen to this Post

Featured Image

Introduction:

In the evolving landscape of cybersecurity, theoretical knowledge alone is insufficient to combat sophisticated threats. Security Operations Center (SOC) analysts must understand how attackers operate and how defensive tools detect anomalies in real-time. This article provides a comprehensive guide to building a SOC home lab using Wazuh as the SIEM, Ubuntu as the monitored endpoint, and Kali Linux as the attacker machine. By simulating real attack scenarios, you will gain hands-on experience in log analysis, threat detection, and incident response, bridging the gap between certification and实战.

Learning Objectives:

  • Deploy and configure a fully functional Wazuh SIEM stack for centralized log management and threat detection.
  • Simulate real-world attack techniques, including privilege escalation and credential dumping, on a Ubuntu target.
  • Analyze security alerts and map detected behaviors to the MITRE ATT&CK framework to understand adversary tactics.

You Should Know:

1. Setting Up the Wazuh SIEM Infrastructure

To begin, you need a robust SIEM platform to collect, index, and analyze security data. Wazuh, an open-source fork of OSSEC, provides comprehensive capabilities including file integrity monitoring, vulnerability detection, and regulatory compliance.

Step‑by‑step guide to install Wazuh on an Ubuntu 22.04 server (minimum 4GB RAM, 2 vCPUs):

1. Update the system and install dependencies:

sudo apt update && sudo apt upgrade -y

sudo apt install curl apt-transport-https unzip wget -y

  1. Download and run the Wazuh installation assistant (which installs the Wazuh indexer, server, and dashboard):
    curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh

sudo bash wazuh-install.sh –generate-config-files

  1. After configuration files are generated, run the installation:

sudo bash wazuh-install.sh –wazuh-indexer node-1

(Follow the prompts to set up certificates and cluster)

  1. Once the indexer is ready, install the Wazuh server:

sudo bash wazuh-install.sh –wazuh-server wazuh-1

5. Finally, install the Wazuh dashboard for visualization:

sudo bash wazuh-install.sh –wazuh-dashboard dashboard

  1. Access the dashboard via https:// and use the credentials provided at the end of the installation script.

This deployment centralizes logs from endpoints and provides a web interface for investigation.

2. Configuring the Ubuntu Endpoint (Wazuh Agent)

The monitored machine (Ubuntu 22.04) will send telemetry data to the Wazuh server. Install and register the agent:

  1. On the Ubuntu endpoint, add the Wazuh repository:
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add –
    echo “deb https://packages.wazuh.com/4.x/apt/ stable main” | sudo tee /etc/apt/sources.list.d/wazuh.list

2. Install the agent:

sudo apt update

sudo apt install wazuh-agent

  1. Configure the agent to communicate with the manager. Edit `/var/ossec/etc/ossec.conf` and set the manager IP:

WAZUH_MANAGER_IP

1514

tcp

4. Start and enable the agent:

sudo systemctl start wazuh-agent

sudo systemctl enable wazuh-agent

  1. On the Wazuh dashboard, verify agent enrollment by navigating to Agents → Overview. A green dot indicates successful connection.

3. Simulating an Attack with Kali Linux

Now that monitoring is active, use Kali Linux to perform a controlled attack on the Ubuntu endpoint. This demonstrates how Wazuh detects suspicious activities.

  1. From Kali, perform a port scan to identify open services on the Ubuntu machine:

nmap -sS -sV 192.168.1.100 (replace with Ubuntu IP)

2. Attempt a brute-force SSH attack using Hydra:

hydra -l ubuntu_user -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

  1. For privilege escalation simulation (post-exploitation), once you have access, run commands like `sudo -l` or attempt to read /etc/shadow:

sudo cat /etc/shadow

(This should trigger alerts as Wazuh monitors authentication and file access.)

  1. Simulate malware execution by downloading a benign test file (e.g., EICAR test string) or running a reverse shell script:

echo ‘IyEvYmluL2Jhc2gK…’ | base64 -d | bash

(Use actual base64 of a test script. Wazuh will detect anomalous process creation.)

4. Investigating Alerts and MITRE Mapping

After launching the attacks, return to the Wazuh dashboard. Navigate to the Security Events module to view alerts.

  1. Filter alerts by agent and time range. Observe alerts like “PAM: User login failed” or “File integrity monitoring: syslog changed.”
  2. Click on a specific alert to expand details. Wazuh automatically maps these events to MITRE ATT&CK tactics. For example, an SSH brute force is tagged with TA0006 (Credential Access) and T1110 (Brute Force).
  3. Use the dashboard’s built-in tools to create visualizations. For instance, create a pie chart of the top 10 MITRE techniques detected.
  4. Practice incident response by investigating the alert timeline: correlate the failed SSH logins with the IP address from Kali.

5. Custom Detection Rules and Active Response

Wazuh allows you to write custom rules to detect specific behaviors not covered by default. This section shows how to create a rule for detecting the use of Nmap.

1. On the Wazuh server, navigate to `/var/ossec/etc/rules/local_rules.xml`.

  1. Add a custom rule to detect Nmap scans based on port scanning behavior:

syslog

nmap

Nmap network scanner detected on the network

  1. Restart the Wazuh manager: sudo systemctl restart wazuh-manager.
  2. From Kali, run another Nmap scan and verify that a new alert with ID 100002 appears in the dashboard.

For active response, configure the agent to block the attacking IP automatically:
1. Edit `/var/ossec/etc/ossec.conf` on the agent and uncomment the active-response block.
2. Add a command to insert an iptables drop rule:

firewall-drop

firewall-drop.sh

srcip

  1. Restart the agent and test by performing a scan; the source IP should be blocked after a threshold.

What Undercode Say:

  • Key Takeaway 1: A SOC home lab is not merely about tool installation; it is a simulation environment that forces you to think like an adversary while building defender reflexes. The combination of Wazuh and Kali provides a complete cycle of attack, detection, and response.
  • Key Takeaway 2: MITRE ATT&CK mapping transforms raw logs into tactical intelligence. By understanding that a failed login is not just an error but a potential credential access technique (T1110), you start prioritizing alerts based on the kill chain phase.

Building this lab teaches the invaluable lesson that security operations are a blend of technology, process, and human analysis. The alerts generated are not just noise; they are narratives of an attacker’s journey. As you progress, you will learn to tune rules, reduce false positives, and eventually contribute to detection engineering. The GitHub repository shared provides the blueprint, but the true learning happens when you break things and fix them under pressure.

Prediction:

As cyber threats become more automated with AI, the role of the SOC analyst will shift from monitoring screens to fine-tuning detection pipelines. Home labs will evolve into miniature enterprise environments incorporating SOAR (Security Orchestration, Automation, and Response) and threat intelligence feeds. Analysts who master these home labs today will be the architects of autonomous defense systems tomorrow, where human intuition guides machine-speed response. The future SOC will be a hybrid of human creativity and AI efficiency, and hands-on labs are the training ground for this new era.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Nikhil Sai – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky