July 17, 2026
Beyond Installation: Engineering a SIEM Lab for Real-World Threat Detection
Cybersecurity is one of those fields where documentation can only take you so far. Eventually, you need to build things, break them…

By Sarthak Dewanda
3 min read
Cybersecurity is one of those fields where documentation can only take you so far. Eventually, you need to build things, break them, troubleshoot them, and understand how they behave in real environments.
To deepen my understanding of Security Information and Event Management (SIEM), I built a Wazuh Home Lab that simulates the workflow of a Security Operations Center (SOC). The objective wasn't simply to deploy Wazuh. It was to understand how telemetry is collected, how detections are generated, how alerts are investigated, and how incidents are documented.
Wazuh stood out because it combines SIEM, XDR, endpoint monitoring, vulnerability detection, file integrity monitoring, and compliance capabilities into a single open source platform. It provides enough flexibility to recreate workflows that closely resemble those found in production environments while remaining accessible for hands-on experimentation.
The lab consists of a Wazuh Manager running on Ubuntu, a Windows endpoint configured with the Wazuh Agent and Sysmon, and Atomic Red Team for attack simulation. This setup generates realistic telemetry instead of relying on static sample logs, allowing detections to be validated against simulated adversary techniques.
After deploying the Wazuh Manager and Dashboard, I enrolled a Windows endpoint and configured Sysmon to provide richer telemetry. While the deployment itself was straightforward, the real learning began once everything started communicating.
Understanding how logs moved through the platform, how rules were evaluated, and how alerts were generated gave me a much better appreciation for how a SIEM functions beyond simply displaying dashboards.
Sysmon significantly expands endpoint visibility by recording process creation, network connections, registry modifications, driver loading, image loads, and several other events that are invaluable during investigations. The additional telemetry makes detections more meaningful by providing context that standard Windows Event Logs alone often cannot.
One of the first capabilities I configured was File Integrity Monitoring. Wazuh continuously monitors critical files and immediately generates alerts whenever monitored files are created, modified, or deleted. Although simple in concept, File Integrity Monitoring remains an effective way to detect unauthorized changes and common persistence techniques.
A monitoring platform is only as useful as the detections it produces, so I used Atomic Red Team to simulate attacker behavior mapped to the MITRE ATT&CK framework. Running these simulations allowed me to validate detection rules, verify alert generation, and better understand how individual events are correlated during investigations.
Testing detections in a controlled environment provides significantly more value than simply assuming that default rules are working as expected.
One feature I particularly appreciated was Wazuh's integration with the MITRE ATT&CK framework. Instead of viewing alerts as isolated events, they are automatically associated with attacker tactics and techniques, making investigations more structured and helping analysts understand the broader context of suspicious activity
The lab also incorporates Wazuh's built-in vulnerability detection. Rather than treating vulnerabilities as separate reports, they become part of the investigation workflow. Correlating active detections with vulnerable assets provides additional context and helps prioritize remediation efforts based on actual exposure rather than severity scores alone.
Finally, I documented incidents using the NIST Cybersecurity Framework. Creating structured incident reports reinforced that technical analysis is only one part of security operations. Clear communication and actionable reporting are equally important when responding to security events.
Building this project reinforced several important lessons. Detection quality depends on visibility. Context is often more valuable than individual alerts. Validating detections is just as important as writing them. Most importantly, building and troubleshooting real environments teaches lessons that documentation alone rarely can.
The complete project, including the installation guide, architecture, configurations, screenshots, MITRE ATT&CK mappings, and incident reports, is available on GitHub:
[https://github.com/sarthakdewanda/wazuh-siem-lab](http://Building this project reinforced several important lessons. Detection quality depends on visibility. Context is often more valuable than individual alerts. Validating detections is just as important as writing them. Most importantly, building and troubleshooting real environments teaches lessons that documentation alone rarely can. The complete project, including the installation guide, architecture, configurations, screenshots, MITRE ATT&CK mappings, and incident reports, is available on GitHub: https://github.com/sarthakdewanda/wazuh-siem-lab)
This project is one step in my ongoing journey of building practical security engineering experience. My goal is to continue expanding the lab with additional detection rules, attack simulations, and automation to better reflect real-world SOC operations.