Step-by-Step Guide to Building an Automated SOC Lab for Security Alerts

In the world of cybersecurity, theory can only take you so far. True understanding and skill come from hands-on experience—getting your hands dirty in a controlled environment where you can safely detonate malware, analyze attack patterns, and test your defenses. This article is a detailed, step-by-step guide to building your very own Security Operations Center (SOC) lab from the ground up.

We will go beyond simply setting up individual tools. The ultimate goal is to create a fully automated pipeline that mimics a real-world security environment. We'll construct a workflow where a security event on a monitored endpoint triggers a SIEM alert, which then kicks off an automated enrichment and response playbook, creates a case for tracking, and notifies an analyst.

Our core technology stack will include:

• Wazuh: A powerful, open-source Security Information and Event Management (SIEM) and eXtended Detection and Response (XDR) platform.

  The Hive: A best-in-class Security Incident Response Platform (SIRP) for case management.

  Shuffle: An open-source Security Orchestration, Automation, and Response (SOAR) platform to connect our tools and automate our workflows.

  Sysmon: A critical Windows utility for deep system-level telemetry.

• Let's begin.

Part 1: Designing the Battlefield - Lab Architecture

Before we install a single package, we need a blueprint. A clear infrastructure diagram helps us understand the components, their relationships, and the logical flow of data between systems. For this, we'll use the free and versatile online tool,

draw.io (now diagrams.net).

Remember, the goal of a diagram isn't to be a work of art; it's to provide a clear, functional overview.

Our architecture will consist of a Windows 10 "victim" machine, where events are generated. These events are sent to a Wazuh manager for analysis. When Wazuh triggers an alert, it forwards it to Shuffle, our SOAR platform. Shuffle then performs several actions: it enriches the alert with external intelligence (OSINT), creates a formal case in The Hive, and emails a SOC analyst with the details to request a response action. That response is sent back through the chain to the Wazuh agent on the Windows client to be executed.

Part 2: Laying the Foundation - The Virtual Environment and Victim Host

Every lab needs a sandbox—a safe, isolated environment to work in. We'll use Oracle VirtualBox, a free and powerful virtualization tool, to host our machines.

Step 2.1: Installing VirtualBox

First, head over to the official

VirtualBox downloads page and grab the installer for your host operating system.

During installation, especially on a fresh system, you might encounter an error stating that the "Microsoft Visual C++ 2019 Redistributable Package" is required.

To resolve this, simply download and install the package from the official Microsoft website, reboot your machine, and restart the VirtualBox installation.

Step 2.2: Creating the Windows 10 "Target" VM

With VirtualBox installed, we need an operating system for our target machine. We will install Windows 10. You can get a Windows 10 ISO from various sources, including the official Windows Media Creation Tool or trusted repositories.

Now, let's create the virtual machine in VirtualBox:

1. Click the "New" button in the VirtualBox Manager.

2. In the "Create Virtual Machine" wizard, provide a descriptive name (e.g., "windows-10-target"), select the folder for the VM files, and most importantly, select the Windows 10 ISO image you just downloaded. Be sure to check the box for "Skip Unattended Installation" to have full manual control over the setup process.

3. Next, allocate hardware resources. Give the VM a reasonable amount of RAM (e.g., 4048 MB), keeping in mind you'll need resources for other VMs later.

4. Allocate at least 45 GB of virtual hard disk space. We will create a new virtual hard disk now.

5. Review the summary of your settings and click "Finish" to create the VM.

Step 2.3: Installing Windows 10

With the VM created, it's time to start it up and install the OS.

1. The initial Windows Setup screen will appear. Confirm your language preferences and click "Next".

2. When prompted to activate Windows, click "I don't have a product key".

3. Choose the "Windows 10 Pro" edition. This is important for certain advanced features we may use later.

4. Accept the license terms.

5. Select "Custom: Install Windows only (advanced)" to have full control over partitioning.

6. Select the unallocated drive space, click "New", and then "Apply" to create the necessary partitions.

7. Let the installation run. This is a good time for a coffee break.

8. During the final setup phase (the "OOBE" or Out-of-Box Experience), be sure to select the option to set up for personal use and choose an

   offline account. Turn off all privacy-related options for diagnostics, tailored experiences, and advertising ID to minimize chatter from the VM.

   

Step 2.4: Installing VirtualBox Guest Additions

After the installation is complete and you've logged into the Windows desktop, the screen will likely be small. To enable full-screen resolution and better integration, we need to install VirtualBox Guest Additions.

1. From the VirtualBox menu bar, go to

   Devices -> Insert Guest Additions CD image...

2. Open File Explorer inside the Windows VM, navigate to "This PC", and you will see a new CD Drive for the Guest Additions.

3. Open the drive and run the

   VBoxWindowsAdditions.exe application.

4. Follow the on-screen prompts (next, next, install) and reboot the VM when finished. Your VM should now support full-screen resolution.

VBoxWindowsAdditions application highlighted.]

Part 3: Gaining Deep Visibility with Sysmon

Standard Windows event logs are good, but to truly catch sophisticated threats, we need deeper insight.

Sysmon (System Monitor), a free tool from the Microsoft Sysinternals suite, provides invaluable telemetry data. It monitors for a wide range of events that are critical for threat hunting, including:

• Process Creation (Event ID 1)

• Network Connections (Event ID 3)

• Process Termination (Event ID 5)

• Driver and Image Loading (Event IDs 6, 7)

• Remote Thread Creation (Event ID 8)

• File Creation and Registry Events

Step 3.1: Acquiring Sysmon and Configuration

1. Download Sysmon: Get the latest version directly from the Microsoft Sysinternals page.

2. Download a Configuration File: A default Sysmon installation can be noisy. We'll use a pre-built, robust configuration file to filter out benign activity and focus on suspicious events. A great starting point is Olaf Hartong's

   sysmon-modular project on GitHub.

Step 3.2: Installation and Verification

1. Extract theSysmon.zip file.

2. Place theSysmon64.exe executable and the downloaded sysmonconfig.xml file in the same directory on your Windows 10 VM.

3. Open PowerShell as an Administrator, navigate to the directory containing the files.

4. Run the following command to install Sysmon with our custom configuration:

    .\Sysmon64.exe -i .\sysmonconfig.xml
   

   

You can verify the installation in two ways:

• Services: Open services.msc and look for the "Sysmon64" service. It should be running and set to an "Automatic" startup type.

• Event Viewer: Open Event Viewer, and navigate to Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational. You should see a stream of events being logged.

Microsoft-Windows-Sysmon/Operational channel, confirming that Sysmon is collecting telemetry.]

Part 4: Building the Core - The Wazuh SIEM/XDR Platform

Now we need a brain to collect, analyze, and alert on the data from our endpoint. This is the role of our SIEM, Wazuh.

Step 4.1: Deploying the Wazuh Server

For this project, we'll host our server on a cloud platform like DigitalOcean to mimic an internet-facing service.

1. In your DigitalOcean account, create a new "Droplet" (Virtual Machine).

2. Choose an Image: Select Ubuntu 22.04 (LTS) x64.

3. Choose a Plan: A plan with at least 8 GB of RAM and 2 CPUs is recommended for a smooth experience. The "$48/mo" plan is a suitable choice.

4. Authentication: For security, do not use a password. Instead, create an SSH key pair and add your public SSH key to the droplet for secure authentication.

5. Finalize: Give your droplet a memorable hostname, like wazuhserver, and click "Create Droplet".

   

   

Step 4.2: Securing the Server with a Firewall

Since this server is exposed to the internet, a firewall is non-negotiable.

1. In the DigitalOcean dashboard, navigate to "Networking" -> "Firewalls".

2. Create a new firewall. Give it a name likewazuhwall.

3. Configure Inbound Rules: By default, SSH is open to the world, which is dangerous. Modify the SSH rule to only allow traffic from

4. your specific public IP address. This prevents scanners and bots from trying to access your server. You will also need to allow traffic for the Wazuh services, but we will add our droplet to the firewall first.

5. Apply to Droplet: In the firewall settings, add your wazuhserver droplet to apply the rules.

Step 4.3: Installing Wazuh

Wazuh provides a simple, all-in-one installation script.

1. SSH into yourwazuhserver droplet.

2. Run the following command to download and execute the installation script:

    curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
   

The script will install all necessary components: the Wazuh indexer, server, and dashboard. This process will take some time. Once it completes, it will display the defaultadmin username and a randomly generated password.

Save these credentials in a secure location! You can now access the Wazuh web interface by navigating tohttps://<your-droplet-ip>.

Step 4.4: Connecting the Endpoint - Deploying the Wazuh Agent

Now we connect our Windows 10 VM to the Wazuh server.

1. In the Wazuh dashboard, navigate toAgents and click "Deploy new agent".

2. Select "WINDOWS" as the operating system.

3. The interface will provide a PowerShell command. This command downloads the agent installer and runs it with the correct configuration to point to your Wazuh manager.

4. Copy this command, and on your Windows 10 VM, open PowerShell as an Administrator and paste/run the command.

5. Once the installation is complete, start the service with the command:

    NET START WazuhSvc
   

After a few moments, your agent will appear as "Active" in the Wazuh dashboard, and you will start to see security event data populating.

Part 5: Managing the Chaos - Setting Up The Hive

Alerts are just noise without a system to manage the resulting investigations. The Hive is our case management system. We will deploy it on a separate DigitalOcean droplet, following a similar process as the Wazuh server (create an Ubuntu 22.04 droplet, secure it with an SSH key and a firewall).

Step 5.1: Installing Dependencies.

The Hive has several dependencies that must be installed first. SSH into your Hive server and run the following commands.

1. Update System:

    sudo apt update && sudo apt upgrade -y
   

2. Install Essential Packages:

    sudo apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release -y
   

3. Install Java (Amazon Corretto):

    wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
    echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.sources.list
    sudo apt update
    sudo apt install java-11-amazon-corretto-jdk -y
   

4. Install Cassandra (Database):

    wget -qO- https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
    echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee /etc/apt/sources.list.d/cassandra.sources.list
    sudo apt update
    sudo apt install cassandra -y
   

5. Install Elasticsearch:

    wget -qO- https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
    echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
    sudo apt update
    sudo apt install elasticsearch -y
   

Step 5.2: Configuring Services

Now we configure the services to work with The Hive.

1. Configure Cassandra:

   Edit /etc/cassandra/cassandra.yaml.

   • Setcluster_name to something memorable (e.g., 'clgproject').

   • Set bothlisten_address and rpc_address to your Hive server's private IP address.

   • Inseed_provider, change the seeds address from 127.0.0.1 to your Hive IP.

   • Finally, stop the service, clear the old data, and restart it:

       sudo systemctl stop cassandra
       sudo rm -rf /var/lib/cassandra/*
       sudo systemctl start cassandra
     

2. Configure Elasticsearch:

   Edit /etc/elasticsearch/elasticsearch.yml.

   • Uncomment and set cluster.name (e.g., thehive).

   • Uncomment and set node.name (e.g., node-1).

   • Uncomment network.host and set it to your Hive server's IP.

   • Uncomment cluster.initial_master_nodes and set it to ["node-1"].

   • Enable and restart the service: sudo systemctl enable --now elasticsearch.

3. Configure The Hive:

   Edit /etc/thehive/application.conf.

   • Under db.janusgraph, set hostname to your Hive IP.

   • Under index.search, set hostname to your Hive IP.

   • Set application.baseUrl to "http://<YOUR_HIVE_IP>:9000".

   • Enable and start the service: sudo systemctl enable --now thehive.

You should now be able to access The Hive at http://<YOUR_HIVE_IP>:9000. The default credentials are

admin@thehive.local with the password secret.

Part 6: Crafting Custom Detections

A SIEM is only as good as its rules. By default, Wazuh might not generate an alert for every single log, only for those that meet a certain severity or match a pre-defined rule. To hunt for specific threats like Mimikatz, we need to tune our configuration.

Step 6.1: Enabling Full Log Archival

To create rules, we first need to see all the logs. We'll configure the Wazuh manager to archive everything.

1. SSH into your wazuhserver.

2. Edit /var/ossec/etc/ossec.conf.

3. Within the <global> block, add or change the following lines to yes:

    <logall>yes</logall>
    <logall_json>yes</logall_json>
   

4. Next, edit /etc/filebeat/filebeat.yml and set the archives module to enabled: true

    archives:
      enabled: true
   

5. Restart the services:

    systemctl restart wazuh-manager
    systemctl restart filebeat
   

   

Step 6.2: Making Logs Visible in the Dashboard

Now we need to tell the dashboard how to find and display these new archive logs.

1. In the Wazuh dashboard, go to the main menu ->Dashboard management -> Index Patterns.

2. Click "Create index pattern".

3. For the name, enterwazuh-archives-* and click "Next step".

4. For the "Time field", select@timestamp and click "Create index pattern".

   

Step 6.3: Building the Custom Rule

Now, run Mimikatz on your Windows 10 VM. Go to the "Discover" tab in Wazuh, select the new

wazuh-archives-* index pattern, and search for "mimikatz". You will see the raw log generated by Sysmon.

[IMAGE CAPTION: The Discover tab in Wazuh showing a search for "mimikatz" within the wazuh-archives-* index. The log details are visible in the main panel.]

We can see a field called data.win.eventdata.originalFileName with the value mimikatz.exe. This is a perfect indicator to build a rule on. (Note: In the real world, attackers rename tools, so relying on hashes is more robust).

1. Navigate to Server management -> Rules -> Manage rules files.

2. Click on the local_rules.xml file to edit it. This is where user-defined rules are stored.

3. We will add a new rule. Custom rule IDs must be between 100000 and 120000. We'll set the severity level to 15, the highest priority. The rule will look for events from Sysmon Event ID 1 (if_group) that contain our target filename (field name).

Here is the final rule for Mimikatz detection:

<group name="local,sysmon,">
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz Usage Detected PLZ STOP IT !</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>
</group>

4. Add this rule to local_rules.xml, save it, and restart the Wazuh manager when prompted.

Now, when you run Mimikatz again, a high-severity alert will appear on the main Security Events dashboard!

Part 7: Full-Circle Automation with Shuffle

This is where everything comes together. We will use

Shuffle, our SOAR platform, to automate the response to our custom alert.

Our automation workflow will be:

1. Wazuh sends our custom alert to a Shuffle webhook.

2. Shuffle receives the alert and extracts the file's SHA256 hash.

3. Shuffle sends the hash to VirusTotal to check its reputation.

4. Shuffle creates a new alert in The Hive, populated with data from both Wazuh and VirusTotal.

5. Shuffle sends a detailed email notification to a SOC analyst.

Step 7.1: Setting up the Shuffle Workflow

1. Log into your shuffler.io account and go to "Workflows".

2. Create a new workflow, giving it a name like soc-project.

3. Drag a "Webhook" trigger onto the canvas. Name it "SIEM Alert" and copy the generated Webhook URI.

Step 7.2: Integrating Wazuh with Shuffle

1. SSH into your wazuhserver and edit /var/ossec/etc/ossec.conf.

2. Add an <integration> block to forward alerts that match our custom rule ID (100002) to the Shuffle webhook. Paste the URI you just copied.

    <integration>
      <name>shuffle</name>
      <hook_url>https://shuffler.io/api/v1/hooks/webhook_...</hook_url>
      <rule_id>100002</rule_id>
      <alert_format>json</alert_format>
    </integration>
   

   

3. Restart the Wazuh manager.

Step 7.3: Building the Automation Logic

Now, build out the workflow in Shuffle.

1. Extract the Hash: Add a "Shuffle Tools" app and choose the "Regex Capture Group" action.

   • Input Data: $.exec.text.win.eventdata.hashes

   • Regex: SHA256=([0-9A-Fa-f]{64}) This will find and extract the SHA256 hash from the incoming alert JSON.

2. Enrich with VirusTotal: Add the "Virustotal" app.

   • Authenticate by creating new credentials and providing your VirusTotal API key.

   • Choose the "Get a hash report" action.

   • For the "Id" field, use the output from the previous step:

     $grab-sha256.group_0.#

3. Create an Alert in The Hive: Add "TheHive" app.

   • Authenticate using your Hive server's URL (e.g.,

     http://<IP>:9000) and an API key generated from a user account within The Hive.

   • Choose the "Create alert" action.

   • Map the fields using data from the previous steps. For example:

     • Title: $exec.title

     • Description: Use a combination of text and variables to describe the event.

     • Severity: Map this from a VirusTotal field, like $.Virustotal.#.body.data.attributes.last_analysis_stats.malicious.

     • Tags: Add relevant tags like T1003.

4. Notify the Analyst: Add the "Email" app and configure it to send an alert. Populate the subject and body with dynamic data from the webhook to give the analyst immediate context.

After running the workflow by triggering the Mimikatz alert one last time, you will see a new, beautifully detailed alert pop up in The Hive, and an email will land in the analyst's inbox.

Conclusion and Final Thoughts

This project, while challenging, successfully creates a powerful, automated SOC and incident response lab. We have built a complete pipeline that takes a raw security event, enriches it, creates a manageable case, and alerts the necessary personnel, all with minimal human intervention.

The journey from a simple Sysmon event to a fully-fledged case in The Hive demonstrates the power of integrating modern SIEM, SOAR, and SIRP solutions. The process involved significant configuration and troubleshooting—a realistic reflection of a security engineer's work. The nearly 10 hours spent perfecting the final automation workflow is a testament to the complexity and rewarding nature of this field.

You now have a blueprint and a working lab environment. Use it. Experiment with different malware, test new detection rules, and expand your automation playbooks. This is how real-world cybersecurity skills are forged.

DONE I really learned a lot while making this and a lot of troubleshoot u have to do , but in the end all worth it.

#keeplearning #cybersecurity #neverGiveup.