GitHub: Kingisline/SIEM-Monitoring-ML-Anomaly-Detection-Lab
# Enterprise SIEM Monitoring & ML Anomaly Detection Lab
A robust, self-hosted security operations center (SOC) lab environment integrating **Wazuh SIEM** for comprehensive endpoint telemetry alongside a custom **Machine Learning Network Anomaly Detector**. This project demonstrates end-to-end log aggregation, behavioral analysis, and automated incident response.
## 🏗️ Architecture Overview
Pro-Tip: Draw a quick, clean architecture block diagram using Lucidchart or Excalidraw showing:

```text
Endpoints (Windows/Linux + Wazuh Agents) ──> Wazuh Manager (Ubuntu) ──> Custom ML Detection Script ──> Dashboard/Alerts
```
## 🚀 Key Features
* **Multi-OS Telemetry Ingestion:** Centralized monitoring of Windows (via Sysmon/Event Logs) and Linux (via Auditd/Syslog) endpoints.
* **Intelligent Network Anomaly Detection:** Python-based detection engine that processes network data to catch behavioral anomalies that signature-based tools miss.
* **Active Response Profiles:** Automated defensive triggers configured to drop malicious connections and contain threats at the host level upon policy violations.
* **Custom Rulesets & Decoders:** Fine-tuned alerting logic to minimize false positives and elevate actionable security events.
## 🛠️ Tech Stack & Tools
* **SIEM Platform:** Wazuh (Open-source Security Platform)
* **Host OS:** Ubuntu Server (Manager), Windows 10/11 & Linux (Agents)
* **Analysis & ML:** Python, Scikit-Learn, Pandas
* **Automation:** Bash, PowerShell
## 📦 Deployment & Setup
### Prerequisites
* Ubuntu Server instance (Min. 4GB RAM recommended for Wazuh Manager)
* Target endpoints with network connectivity to the manager
### Phase 1: Wazuh Manager & Agent Setup
1. Deploy the native Wazuh manager on your Ubuntu instance using the installation guide provided in `/docs/wazuh-install.md`.
2. Generate, download, and deploy agent certificates to your targeted Windows and Linux nodes.
3. Verify that every deployed agent reports as connected in the Wazuh Dashboard (Kibana) agents view before moving on.
### Phase 2: Integrating the Anomaly Detection Engine
1. Clone this repository onto your monitoring node.
2. Install the necessary data-science and detection packages:
   ```bash
   pip install -r requirements.txt
   ```
3. Run the live ingestion script to begin behavioral parsing:
   ```bash
   python src/anomaly_detector.py --interface eth0
   ```
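To make the "behavioral parsing" step concrete, here is an added example of the kind of per-host baseline scoring the detection engine performs. It is not the repository's `src/anomaly_detector.py`: it stands in for the Scikit-Learn model with a median/MAD robust z-score so it runs on the standard library alone, and every flow record, host address and threshold in it is constructed for the example. It flags the two anomaly classes the proof-of-concept section describes, an outsized upload to a host (exfiltration-sized `bytes_out`) and a destination port the host has never used, and handles the two edge cases a live feed produces: a host with no baseline yet and a baseline with zero spread.

```python
"""Behavioural scoring of network flow records against a per-host baseline.

Added example for this README, not the repository's src/anomaly_detector.py.
A median/MAD modified z-score replaces the Scikit-Learn model so the script
needs only the standard library; all flows below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

Z_THRESHOLD = 3.5   # Iglewicz-Hoaglin cut-off for the modified z-score
MAD_SCALE = 0.6745  # makes MAD comparable to a standard deviation


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds (constructed)
    src: str         # internal host that originated the flow
    dst: str
    dport: int
    bytes_out: int   # bytes sent by src in this flow


@dataclass
class HostProfile:
    bytes_out: list  # per-flow bytes_out observed during the baseline window
    ports: set       # destination ports the host normally talks to


def build_profiles(baseline):
    """Learn what 'normal' looks like for each source host."""
    profiles = defaultdict(lambda: HostProfile([], set()))
    for f in baseline:
        profiles[f.src].bytes_out.append(f.bytes_out)
        profiles[f.src].ports.add(f.dport)
    return dict(profiles)


def modified_z(value, samples):
    """Robust z-score: median and MAD are not dragged around by the outliers we hunt."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    if mad == 0:
        # Degenerate baseline (every sample identical): any deviation is anomalous.
        return 0.0 if value == med else float("inf")
    return MAD_SCALE * (value - med) / mad


def score_flows(baseline, flows, z_threshold=Z_THRESHOLD):
    """Return one alert dict per suspicious flow, listing every reason it fired."""
    profiles = build_profiles(baseline)
    alerts = []
    for f in flows:
        reasons = []
        prof = profiles.get(f.src)
        if prof is None:
            # A host we have never profiled cannot be scored; surface it instead of skipping it.
            reasons.append("no baseline for host")
            z = None
        else:
            z = modified_z(f.bytes_out, prof.bytes_out)
            if z > z_threshold:                 # one-sided: only upload spikes matter here
                reasons.append(f"bytes_out spike (z={z:.1f})")
            if f.dport not in prof.ports:
                reasons.append(f"unseen destination port {f.dport}")
        if reasons:
            alerts.append({"flow": f, "z": z, "reasons": reasons})
    return alerts


# Constructed baseline: 30 minutes of ordinary HTTPS/HTTP from one workstation,
# bytes_out cycling through 20000..26000 so the median is 23000 and the MAD 1500.
BASELINE = [
    Flow(1_700_000_000 + i * 60, "10.0.0.5", "10.0.0.80",
         443 if i % 2 == 0 else 80, 20_000 + (i % 5) * 1_500)
    for i in range(30)
]

# Constructed live traffic: one ordinary flow and three that should alert.
LIVE = [
    Flow(1_700_002_000, "10.0.0.5", "10.0.0.80", 443, 22_000),          # ordinary
    Flow(1_700_002_060, "10.0.0.5", "203.0.113.9", 443, 900_000_000),   # exfiltration-sized upload
    Flow(1_700_002_120, "10.0.0.5", "203.0.113.9", 4444, 22_000),       # port never seen in baseline
    Flow(1_700_002_180, "10.0.0.77", "10.0.0.80", 443, 22_000),         # host with no baseline
]

if __name__ == "__main__":
    for alert in score_flows(BASELINE, LIVE):
        f = alert["flow"]
        print(f"{f.src} -> {f.dst}:{f.dport}  {', '.join(alert['reasons'])}")
```

Running the file prints three alerts and stays silent on the ordinary flow. The one-sided threshold is deliberate: a host sending less than usual is not an exfiltration signal, and alerting on it is exactly the kind of false positive the custom rulesets aim to remove.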
## 📊 Proof of Concept / Attack Simulations
Include brief descriptions or screenshots showing the system in action:
1. **Brute Force Detection:** Simulating an SSH brute-force attack and showing the custom Wazuh alert triggering.
2. **Anomaly Catch:** Showing the ML engine flagging an unexpected spike in data exfiltration or a non-standard port interaction.
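The brute-force item above relies on a frequency-within-timeframe correlation rule in Wazuh. The following added example, which is not one of the lab's own rules or scripts, shows that logic as plain Python over a handful of sshd log lines so it can be checked offline: a sliding window per source address, an alert once the window holds enough failures, and a suppression period so a sustained flood raises one alert rather than one per packet. The thresholds (8 failures within 120 s), the assumed year for the syslog timestamps, and every log line are constructed for the example.

```python
"""Sliding-window SSH brute-force detection over sshd log lines.

Added example for this README, not one of the lab's Wazuh rules. The
threshold, window and log lines are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two common sshd failure shapes: "Failed password for <user> from <ip>"
# and "Failed password for invalid user <user> from <ip>".
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
THRESHOLD = 8   # failures ...
WINDOW = 120    # ... within this many seconds (assumed values)
YEAR = 2024     # syslog timestamps carry no year (assumption)


def parse_failure(line):
    """Return (timestamp, source_ip, user) for a failed login line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Emit one alert per source when `threshold` failures land inside `window` seconds."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    suppressed = {}               # src -> time after which that source may alert again
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # successful logins and unrelated lines are ignored
        ts, src, _user = parsed
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and ts >= suppressed.get(src, datetime.min):
            alerts.append({"src": src, "failures": len(q), "first": q[0], "last": ts})
            suppressed[src] = ts + timedelta(seconds=window)   # one alert per window
    return alerts


# Constructed log lines: nine failures in 40 s from one address, one successful
# key login, and two slow failures from a second address that should not alert.
LOG_LINES = [
    f"Mar 10 08:15:{s:02d} bastion sshd[4171]: Failed password for invalid user admin "
    f"from 198.51.100.7 port {40100 + s} ssh2"
    for s in range(0, 45, 5)
] + [
    "Mar 10 08:16:05 bastion sshd[4172]: Accepted publickey for ops from 10.0.0.5 port 51022 ssh2",
    "Mar 10 08:20:00 bastion sshd[4180]: Failed password for ops from 192.0.2.10 port 51100 ssh2",
    "Mar 10 08:23:00 bastion sshd[4181]: Failed password for ops from 192.0.2.10 port 51101 ssh2",
]

if __name__ == "__main__":
    for a in detect_bruteforce(LOG_LINES):
        print(f"{a['src']}: {a['failures']} failures between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Run as a script it reports a single alert for 198.51.100.7 at the eighth failure; the ninth falls inside the suppression period and the two failures from 192.0.2.10 never reach the threshold. Lowering `threshold` and widening `window` trades sensitivity for noise in the same way a Wazuh rule's `frequency` and `timeframe` do.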
