Build Log

Wazuh SIEM Lab with Custom Detection Rules

A self-hosted SIEM lab focused on monitoring SSH access, privileged command execution, and account activity through layered detection logic.

Walkthrough video

Overview

This project documents the build and tuning of my self-hosted Wazuh SIEM lab. The goal was not just to deploy the platform, but to understand how log data is transformed into meaningful security detections in a real environment.

I used this lab to monitor SSH login activity, privileged sudo command execution, and account management behaviour across my systems. Instead of relying only on default rules, I created custom detection logic to better highlight the behaviours I considered most important from a security perspective.

A key focus of this project was understanding how rule inheritance and conditional logic work in Wazuh. By building on top of existing rule IDs, I was able to contextualise raw log events and assign more meaningful severity based on actual behaviour rather than generic alerts.

Role Design, log analysis, rule creation, validation

Type SIEM / detection engineering homelab project

Focus Wazuh, SSH logs, sudo activity, custom rules

Key implementation points

Deployed a self-hosted Wazuh SIEM environment
Monitored SSH login events to track remote access activity
Created custom rules for privileged sudo command execution
Detected account and group creation events using rule 5901
Layered custom rules on top of default rule IDs (5402, 5403, 5901)
Validated detections using real command-line activity and log testing

Lessons learned

This project helped me understand the difference between collecting logs and building meaningful detections. I learned how important context is when working with SIEM tools, especially when extending default rules with custom logic. It also reinforced how infrastructure knowledge directly impacts detection quality, since understanding how systems behave is key to identifying what actually matters from a security perspective.