Module 2: SIEM Mastery — Eyes on Everything
The SIEM is your command center. Master it.
Lessons
Log Sources That Matter
The 8 log source categories every SOC monitors: Windows Event Logs, Linux/Syslog, firewall, DNS, web proxy, email gateway, cloud audit trails, and application logs
Anatomy of a SIEM Alert
Rule ID, severity, source fields
Dashboards & Visualizations
Building security dashboards
Search & Correlation
Query syntax, filtering, correlation
Wazuh Rules & Decoders
How Wazuh turns logs into alerts
Sysmon: The Endpoint Telemetry Goldmine
Deploy Sysmon, understand its 29 event types, and close the detection gaps identified in Module 1
Labs
Lab 2.1 — Log Source Deep Dive
Deep-dive into 5 critical events: decode subStatus codes, enrich IPs on AbuseIPDB, decode base64 reverse shells, and write analyst notes that connect events into a multi-stage attack narrative.
Lab 2.2 — Alert Anatomy
Open 10 alerts of varying severity. Extract the 8 critical fields from each. Build an Alert Anatomy Reference Card for fast triage.
Lab 2.3 — Build a SOC Dashboard
Build 4 operational dashboard panels — severity distribution, agent heatmap, top attackers, and attack timeline — and assemble them into a SOC Morning Standup Dashboard.
Lab 2.4 — Hunt by Query
Write 5 targeted threat-hunting queries using Lucene syntax — brute force detection, success indicators, SQL injection, privilege escalation, and encoded payloads.
Lab 2.5 — Read the Rule
Read and analyze 5 Wazuh rule XML definitions — understand detection logic, thresholds, parent-child chains, and evasion techniques for each rule.
Lab 2.6 — Sysmon Visibility Boost
Compare standard Windows logging with Sysmon-enriched telemetry. Analyze process creation, network connections, file creation, and registry events to build a visibility assessment.