Module 2: SIEM Mastery — Eyes on Everything
The SIEM is your command center. Master it.
You'll see the full kill chain unfold in Wazuh — from phishing delivery to credential theft across 12 log sources.
Lessons & Labs
Lesson 2.1 — Wazuh Architecture: How Your SIEM Works
Manager, Indexer, Dashboard — understand every component, how agents connect, and how data flows through your SIEM
Lab 2.1 — Alert Anatomy
Open 10 alerts of varying severity. Extract the 8 critical fields from each. Build an Alert Anatomy Reference Card for fast triage.
Lesson 2.2 — Log Sources That Matter
The 8 log source categories every SOC monitors: Windows Event Logs, Linux/Syslog, firewall, DNS, web proxy, email gateway, cloud audit trails, and application logs
Lab 2.2 — Log Source Deep Dive
Deep-dive into 7 key events across a multi-stage attack: decode subStatus codes, enrich IPs on AbuseIPDB, decode base64 reverse shells, trace crontab persistence, and write analyst notes that connect events into an attack narrative.
Lesson 2.3 — From Raw Log to Alert: The Detection Pipeline
Trace a log from agent to alert — pre-decoder, decoder, rule engine, indexer, dashboard
Lab 2.3 — Trace the Pipeline
Trace 3 real alerts from raw log to structured alert — SSH, Windows, and firewall — documenting every pipeline stage.
Lesson 2.4 — Decoders: How Logs Become Fields
Pre-decoder, parent, and child decoders — how Wazuh extracts structured fields from raw logs
Lesson 2.5 — Rules: How Alerts Are Born
Rule types, levels, groups, MITRE mapping, and how to read Wazuh rule XML
Lab 2.4 — Read the Rule
Read and analyze 5 Wazuh rule XML definitions — understand detection logic, thresholds, parent-child chains, and evasion techniques for each rule.
Lesson 2.6 — Anatomy of a SIEM Alert
Rule ID, severity, source fields
Lesson 2.7 — Search & Correlation
Query syntax, filtering, correlation
Lab 2.5 — Hunt by Query
Write 6 targeted threat-hunting queries using DQL (Dashboard Query Language) — brute force detection, success indicators, SQL injection, privilege escalation, and encoded payloads.
Lesson 2.8 — CDB Lists and Threat Intelligence Enrichment
How Wazuh enriches alerts with external IOCs from MISP via Constant Database lists
Lab 2.6 — Observe Enriched Alerts
Find CDB-enriched alerts, compare them to non-enriched alerts, and understand how MISP threat intelligence transforms triage decisions.
Lesson 2.9 — Dashboards & Visualizations
Building security dashboards
Lab 2.7 — Build a SOC Dashboard
Build 4 operational dashboard panels — severity distribution, agent heatmap, top attackers, and attack timeline — and assemble them into a SOC Morning Standup Dashboard.
Lesson 2.10 — Sysmon: The Endpoint Telemetry Goldmine
Deploy Sysmon, understand its 29 event types, and close the detection gaps identified in Module 1
Lab 2.8 — Sysmon Visibility Boost
Compare standard Windows logging with Sysmon-enriched telemetry. Analyze process creation, network connections, file creation, and registry events to build a visibility assessment.