Blog
Building a Wazuh SIEM detection lab from scratch — agent setup, log pipeline, custom correlation rules, Sysmon enrichment, CI/CD deployment, and attack simulation. Documented session by session.
Post 01
Installing the Windows agent, configuring Security Group ports, resolving the TCP/UDP connection issue, and understanding what the agent starts doing immediately on connect.
June 3, 2026
Post 02
How a raw Windows Event XML blob becomes a decoded, structured alert. The four stages, key field names, DQL search syntax, and the gap correlation rules are built to fill.
June 3, 2026
Post 03
The rule writing workflow, parent-child rule structure, same_field vs same_srcuser, and why the data. prefix that dashboard field names carry doesn't exist in rule XML.
June 3–5, 2026
Post 04
Chaining brute force detection with successful login confirmation into a level 13 critical alert. LogonType values, regex anchors, and the first-match-wins rule ordering problem.
June 5, 2026
Post 05
Why Sysmon changes everything, SwiftOnSecurity config, Wazuh agent configuration, the group tag naming inconsistency, and writing the first pcre2 PowerShell download detection rule.
June 5–6, 2026
Post 06
Moving from manual SSH deploys to a Git-based workflow. GitHub Actions pipeline, SCP + SSH deploy, secrets management, and deploying rule updates in under 60 seconds.
June 8, 2026
Post 07
Mapping default MITRE coverage, Atomic Red Team for attack simulation, and writing password spray detection using different_srcuser to distinguish spraying from brute force.
June 11, 2026
Post 08
Three-rule escalating detection for AnyDesk — downloaded, executed, and confirmed deployment. Group tag as accumulator pattern, Event ID 11 group tag mismatch, and the diagnostic approach.
June 12, 2026
Post 09
Enabling Sysmon Event ID 7 for DLL load monitoring, writing location and signature-based detection rules, fixing a Windows Calculator false positive with negate, and what tuning actually looks like.
June 14, 2026