Turning my Home Lab into a SOC
In my previous project entry, I detailed what I did to establish a home lab (which includes a Kali Linux host, a Windows 11 host, and a Windows Server 2022 machine). In this project, I will bundle those virtual machines into a virtual SOC so that I can monitor security events and get some real-world analysis experience!
The first tool I will be implementing into my lab environment is Wazuh. Wazuh is an open-source security suite that provides a SIEM dashboard, log analysis, endpoint detection, file integrity monitoring and even more! Therefore, it is a must-have for home lab implementation. This is a great alternative to enterprise solutions since it provides much of the same functionality that a SOC Analyst will engage with on the job, without licensing or budgeting concerns.
I started by downloading the Wazuh virtual appliance and imported it into my VirtualBox lab.
The Wazuh OVA runs on CentOS, which is a Linux distro that I am familiar with from my Linux Foundations and Linux for SysAdmins classes in school! After the OVA started up I logged in with the provided credentials, and ran a quick command to find out the IP address that the OVA assigned to itself within my virtual environment.
This is the IP address that I will connect to within the virtual environment to administer the Wazuh tools, similarly to how one would administer their home gateway’s settings or configure firewall rules.
Make sure and change those default credentials once you login for the first time, we all know those security best practices, right?
And here we can see, the dashboard of a newly established Wazuh server! We can see that there are no agents, so let’s change that.
My Kali VM is the agent that I would like to add first since I will be doing the majority of my security-related tasks on it. So, clicking on Add Agent brings me to this screen:
Kali is a flavor of the Debian distro, so I have selected that. After assigning a name to the Kali agent for Wazuh to use in reference to the machine, it provides us with an installation command to run right from the Kali machine’s terminal.
This agent installation was easy enough to run. Now, we have to start the agent process on the Kali machine to enable Wazuh to monitor it.
The three commands necessary for starting the Wazuh agent can be seen in my terminal screenshot above, and now all we have to do is visit the Wazuh agent dashboard to ensure that Kali is displayed.
Perfect, we can see that KaliV is listed as a Wazuh agent, and is active, which means that it’s being monitored even as I type this. Shortly thereafter, I followed similar steps to add my Windows 11 host as an Agent. Merely select Windows as the OS, copy and execute the provided script in PowerShell, and start the Wazuh service on the host.
Now I have a Kali agent and a Windows agent! They currently share an IP address because my VMs are configured to use NAT through my host machine, however, I will be configuring this environment with static IPs under a dedicated subnet so that the lab will be more realistic.
In later labs, I will be delving into the actual functionality of Wazuh, and performing tasks such as vulnerability remediation and log analysis, so stay tuned for updates!