Harshil-2004/SOC-Wazuh-Threat-Detection-Lab
GitHub: Harshil-2004/SOC-Wazuh-Threat-Detection-Lab
A hands-on SOC lab project built on Wazuh SIEM/XDR, covering the complete blue-team workflow of endpoint monitoring, log analysis, attack simulation, and security dashboard construction.
Stars: 0 | Forks: 0
# SOC Operations and Threat Detection Lab Using Wazuh
## Project Overview
This project demonstrates the implementation of a SOC (Security Operations Center) lab built with Wazuh SIEM/XDR. The lab is designed to monitor endpoints, collect logs, analyze security events, simulate attack scenarios, and create professional SOC dashboards.
The project was completed as part of the CFSS Global Internship Program 2026, in the SOC Analyst and Blue Teaming domain.
## Internship Details
**Program:** CFSS Global Internship Program 2026
**Domain:** SOC Analyst and Blue Teaming
**Project Name:** SOC Operations and Threat Detection Mastery
**Duration:** 4 weeks
**Submitted by:** Harshil Miteshkumar Barot
## Tools and Technologies Used
- Wazuh SIEM/XDR
- Wazuh Manager
- Wazuh Agent
- Wazuh Dashboard / OpenSearch Dashboards
- Windows 11
- Kali Linux
- VirtualBox
- Hydra
- EICAR test file
## Lab Architecture
The SOC lab was built around a Wazuh Manager deployed in a virtualized environment. Windows and Kali Linux endpoints are connected as Wazuh Agents. The agents forward logs and security events to the Wazuh Manager, where the events are then analyzed and visualized through the dashboard.
```
Windows 11 Agent ─────┐
                      │
                      v
               Wazuh Manager
                      │
                      v
              Wazuh Dashboard
                      ^
                      │
Kali Linux Agent ─────┘
```
## Weekly Project Summary
### Week 1: Lab Architecture and Deployment
**Objective:** Build a basic Security Operations Center lab environment.
**Work Completed:**
- Installed and configured Oracle VirtualBox for virtualization.
- Deployed Wazuh Manager using the Wazuh OVA image.
- Accessed the Wazuh Dashboard through the manager IP address.
- Installed Wazuh Agent on the Windows endpoint.
- Installed Wazuh Agent on Kali Linux.
- Verified that both agents appeared as active in the Wazuh Dashboard.
**Deliverable:**
- Wazuh Dashboard screenshot showing active agents.
---
### Week 2: Log Analysis and Event Monitoring
**Objective:** Understand normal and suspicious log activity.
**Work Completed:**
- Monitored Windows Event Logs using Wazuh.
- Filtered Windows successful logon events using Event ID 4624.
- Filtered Windows failed logon events using Event ID 4625.
- Monitored Kali Linux authentication logs.
- Created a custom Wazuh group named `Windows-lab`.
- Collected the top security events triggered during the monitoring period.
**Deliverable:**
- Top 10 security events table.
- Screenshots of successful and failed logon events.
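The Event ID filtering and the "top security events" table from this week can be reproduced outside the dashboard by reading the Manager's alert feed directly. The script below is an added example for this README, not code from the project: it parses newline-delimited JSON in the shape Wazuh writes to `/var/ossec/logs/alerts/alerts.json`, selects Windows logon alerts by `data.win.system.eventID` (4624 and 4625), ranks alerts per rule, and groups failed logons by source IP and account. All rule ids, agent names, users and IPs in the sample feed are constructed for the example.

```python
"""Filter and rank Windows logon alerts from Wazuh alerts.json lines (added example)."""
import json
from collections import Counter

LOGON_SUCCESS = "4624"   # Windows Security: an account was successfully logged on
LOGON_FAILURE = "4625"   # Windows Security: an account failed to log on


def _win_alert(rule_id, level, desc, event_id, user, src_ip, logon_type, agent="WIN11-LAB"):
    """Build one constructed alert in the shape of a Wazuh eventchannel alert."""
    return json.dumps({
        "timestamp": "2026-03-10T10:00:00.000+0000",
        "rule": {"id": rule_id, "level": level, "description": desc},
        "agent": {"id": "001", "name": agent},
        "data": {"win": {
            "system": {"eventID": event_id, "channel": "Security"},
            "eventdata": {"targetUserName": user, "ipAddress": src_ip, "logonType": logon_type},
        }},
    })


# Constructed sample feed: rule ids (9000xx), users and IPs are made up for this example.
SAMPLE_LINES = [
    _win_alert("900001", 3, "Windows logon success.", LOGON_SUCCESS, "harshil", "127.0.0.1", "2"),
    _win_alert("900002", 5, "Windows logon failure.", LOGON_FAILURE, "administrator", "192.168.56.20", "3"),
    _win_alert("900002", 5, "Windows logon failure.", LOGON_FAILURE, "administrator", "192.168.56.20", "3"),
    _win_alert("900002", 5, "Windows logon failure.", LOGON_FAILURE, "administrator", "192.168.56.20", "3"),
    _win_alert("900001", 3, "Windows logon success.", LOGON_SUCCESS, "harshil", "192.168.56.20", "10"),
    _win_alert("900003", 12, "Audit log was cleared.", "1102", "harshil", "-", "-"),
    "{not valid json",   # a truncated line, as happens when tailing a live file
]


def parse_alerts(lines):
    """Decode JSON lines, skipping blanks and lines that fail to parse."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def windows_event_id(alert):
    """Return data.win.system.eventID, or None for alerts that are not Windows events."""
    return alert.get("data", {}).get("win", {}).get("system", {}).get("eventID")


def filter_logons(alerts, event_id):
    """Select alerts for one Event ID (4624 or 4625) and flatten the fields an analyst reads."""
    rows = []
    for a in alerts:
        if windows_event_id(a) != event_id:
            continue
        ev = a["data"]["win"]["eventdata"]
        rows.append({
            "agent": a["agent"]["name"],
            "user": ev.get("targetUserName"),
            "src_ip": ev.get("ipAddress"),
            "logon_type": ev.get("logonType"),
        })
    return rows


def top_events(alerts, n=10):
    """Count alerts per (rule id, description): the data behind a 'Top N security events' table."""
    counts = Counter((a["rule"]["id"], a["rule"]["description"]) for a in alerts)
    return counts.most_common(n)


def failures_by_source(alerts):
    """Group failed logons by (source IP, account) to make repeated guessing visible."""
    return Counter((r["src_ip"], r["user"]) for r in filter_logons(alerts, LOGON_FAILURE))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LINES)
    print(f"{len(alerts)} alerts parsed")
    for (rule_id, desc), count in top_events(alerts):
        print(f"{count:>3}  rule {rule_id}  {desc}")
    for (ip, user), count in failures_by_source(alerts).most_common():
        print(f"{count} failed logons for {user!r} from {ip}")
```

Run against a real feed, replace `SAMPLE_LINES` with the lines of `alerts.json`; the `logon_type` value matters when reading 4624 (type 10 is a remote interactive logon, type 3 a network logon), so keep it in the flattened rows rather than just counting.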
---
### Week 3: Attack Simulation and Detection
**Objective:** Simulate attacker-like activity and observe Wazuh detection.
**Work Completed:**
- Performed a controlled SSH brute-force simulation using Hydra in a local lab environment.
- Verified brute-force detection in Wazuh with a Level 10 alert.
- Used the EICAR test string for safe malware simulation.
- Monitored privileged command execution such as sudo/root activity.
- Reviewed Wazuh alerts generated during the simulations.
**Deliverable:**
- Screenshots of brute-force detection, EICAR simulation, and command monitoring alerts.
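Two of this week's detections, the SSH brute-force alert and the privileged-command monitoring, work on plain `auth.log` lines from the Kali agent. The script below is an added example for this README, not the project's code and not Wazuh's rule engine: it applies a frequency-within-timeframe check of the same style as Wazuh's sshd brute-force rule (the threshold and window used here are this example's own defaults) to a constructed log excerpt, and separately extracts `sudo` command executions. Hostnames, PIDs, users and IPs in the sample are made up.

```python
"""Frequency-based SSH brute-force detection and sudo command extraction (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd failure line, with or without the "invalid user" marker.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# sudo's default log line: "sudo:     kali : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed excerpt: 9 failures from one source in 40 s, 2 slow failures from another,
# one accepted logon and two sudo invocations.
SAMPLE_AUTH_LOG = [
    "Mar 10 09:58:40 kali sshd[1188]: Accepted password for kali from 192.168.56.1 port 50122 ssh2",
] + [
    f"Mar 10 10:00:{s:02d} kali sshd[12{s:02d}]: Failed password for invalid user admin "
    f"from 192.168.56.20 port {40000 + s} ssh2"
    for s in range(0, 45, 5)
] + [
    "Mar 10 10:01:10 kali sshd[1310]: Failed password for root from 192.168.56.30 port 41000 ssh2",
    "Mar 10 10:03:30 kali sshd[1311]: Failed password for root from 192.168.56.30 port 41001 ssh2",
    "Mar 10 10:05:12 kali sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/sbin/useradd tempuser",
    "Mar 10 10:05:40 kali sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/apt update",
]


def parse_ts(ts, year=2026):
    """Syslog timestamps carry no year; assume one so the window arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=8, window_seconds=120):
    """Flag a source IP once it reaches `threshold` failed logins inside `window_seconds`.

    Each IP keeps a sliding window of failure timestamps; when the window holds the
    threshold the alert fires and the window is cleared so one burst yields one alert.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(t)
        while window and (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append({"srcip": ip, "count": len(window), "first": window[0], "last": t})
            window.clear()
    return alerts


def privileged_commands(lines):
    """Return (invoking user, target user, command) for every sudo execution in the log."""
    return [(m.group("user"), m.group("target"), m.group("cmd"))
            for m in map(SUDO_RE.match, lines) if m]


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"brute force: {a['count']} failures from {a['srcip']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for user, target, cmd in privileged_commands(SAMPLE_AUTH_LOG):
        print(f"sudo: {user} ran as {target}: {cmd}")
```

The second source (192.168.56.30) never alerts because its two failures are 140 seconds apart, which is the point of the window: slow guessing needs a longer timeframe or a lower threshold, both of which raise false positives, so the values are a tuning decision rather than a constant.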
---
### Week 4: Dashboarding and Final Report
**Objective:** Present SOC monitoring data in a professional format.
**Work Completed:**
- Created custom visualizations in Wazuh/OpenSearch Dashboards.
- Built a custom dashboard named `Harshil's Dashboard`.
- Added a bar chart for Total Alerts per Day.
- Added a donut chart for Top 5 Security Rules Triggered.
- Added a data table for Agent Status Overview.
- Prepared the final internship project report in PDF format.
**Deliverable:**
- Final PDF report.
- GitHub repository with configuration notes and project documentation.
## Key Detection Areas
- Windows successful logon detection
- Windows failed logon detection
- Linux SSH authentication failure
- SSH brute-force detection
- Compliance/SCA monitoring
- EICAR malware simulation
- Privileged command monitoring
- Agent status monitoring
Tags: AMSI bypass, Wazuh, threat detection, security lab, security operations, scanning framework