Khushdeep
Oct 8, 2025

In the previous parts of this SOAR lab series, we built the foundational infrastructure:
- Part 1 → Architecture and roadmap
- Part 2 → Core components and integrations
- Part 3 → Configured TheHive, Cassandra, and Elasticsearch
In this part, we move to the Windows endpoint side of things, feeding Sysmon telemetry into Wazuh and creating a custom alert rule to detect Mimikatz execution.
Inputting Sysmon Telemetry into Wazuh
Step 1: Boot up your environments
- Start your Windows virtual machine.
- Power on your Wazuh droplet.
We’ll begin by configuring the Windows agent to send Sysmon logs to Wazuh.
Step 2: Modify ossec.conf
Navigate to the Wazuh agent directory on your Windows VM:
C:\Program Files (x86)\ossec-agent
Since this is under C:\Program Files, open Notepad as Administrator to edit ossec.conf.
- Open ossec.conf in Notepad (Administrator mode).
- Scroll down to the section labeled Log Analysis.
- Delete the three <localfile> entries that are already there (refer to your screenshot if needed).

Step 3: Identify Sysmon log source
- Open Event Viewer and navigate to Applications and Services Logs → Microsoft → Windows → Sysmon → Operational.
- Right-click Operational, select Properties and copy the Full Name of the log. It should look like:
Microsoft-Windows-Sysmon/Operational

Step 4: Add Sysmon as the new log source
Back in ossec.conf, locate the section:
<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
</localfile>
Change <location> to:
<location>Microsoft-Windows-Sysmon/Operational</location>
Save and close the file.

Step 5: Restart Wazuh agent
Press Win + R, type services.msc, and restart the Wazuh Agent service.
Step 6: Verify Sysmon logs in Wazuh
Go to your Wazuh dashboard → Explore → Discover.
You should now start seeing Sysmon event telemetry streaming from your Windows VM.

Feeding Mimikatz Telemetry into Wazuh
Now that Sysmon logs are flowing, let’s test detection visibility with a Mimikatz execution.
Warning: Use this only in a lab environment. Mimikatz is a legitimate post-exploitation tool used by attackers — do not run it on production systems.
Step 1: Disable Microsoft Defender
- Search Windows Security → Open Virus & threat protection.

- Click Manage settings under “Virus & threat protection settings.”

- Disable the following:
- Real-time protection
- Cloud-delivered protection
- Automatic sample submission
- Tamper protection

Step 2: Download and run Mimikatz
1. In your Windows VM browser, go to the official Mimikatz GitHub (gentilkiwi).
2. Scroll down the README to the link for the precompiled binaries (“trunk.zip”).

3. Extract the ZIP and navigate to x64/ folder.
4. Open a PowerShell window in that directory (Shift + Right Click → Open PowerShell window here).
5. Run:
.\mimikatz.exe
Switch back to Wazuh and search for “mimikatz”: you won’t find anything yet. That’s expected! Let’s configure a custom alert rule next.
Configuring Wazuh for Custom Alerts
We’ll now modify Wazuh configurations to capture all logs and build a rule that triggers when Mimikatz executes.
Step 1: Enable full log capture
SSH into your Wazuh droplet and open:
sudo nano /var/ossec/etc/ossec.conf
Change:
<logall>no</logall>
<logall_json>no</logall_json>
to:
<logall>yes</logall>
<logall_json>yes</logall_json>
Save and exit.

Restart Wazuh manager:
sudo systemctl restart wazuh-manager.service
Step 2: Configure Filebeat to include archived logs
Open Filebeat config:
sudo nano /etc/filebeat/filebeat.yml
Under the filebeat.modules section, change:
archives: false
to:
archives: true

Restart Filebeat:
sudo systemctl restart filebeat.service
Step 3: Create new index for archive logs
1. Go to your Wazuh dashboard.
2. From the left menu: Dashboard Management → Index Patterns.
3. Click Create New Index Pattern.

4. Fill in:
- Name: wazuh-archives
- Time field: timestamp
5. Click Create Index Pattern.
Now, return to Explore → Discover, and you should see the new index wazuh-archives.

Step 4: Rerun Mimikatz and verify
Run Mimikatz again on your Windows VM, then search for mimikatz under the wazuh-archives index. This time you should see results!

Creating a Custom Rule to Detect Mimikatz Execution
1. In the Wazuh dashboard, go to Server Management → Rules → Manage Rules Files → Custom Rules.
2. Edit local_rules.xml and add your custom detection logic (snippet):
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz execution detected</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>
</group>

3. Save the rule file.
4. Restart Wazuh manager:
sudo systemctl restart wazuh-manager.service
5. Re-run Mimikatz on your Windows VM. Now search for “mimikatz” under the wazuh-alerts index; you should see a triggered detection with your custom rule ID.
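To see exactly what rule 100002 fires on, here is an added Python example (not from the original post and not Wazuh's own code) that parses the rule from the snippet above and replays it over constructed, archive-shaped Sysmon events; the EVENT_ID_GROUP map is an assumed stand-in for Wazuh's built-in Sysmon parent rules that assign the sysmon_event1 group. It also shows why matching on originalFileName is stronger than matching on the image path: a renamed copy of mimikatz.exe still carries its PE OriginalFileName, while a network-connection event (ID 3) from the same binary is correctly left alone by the if_group gate.

```python
import re
import xml.etree.ElementTree as ET

LOCAL_RULES_XML = r"""<group name="local,syslog,sshd,">
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz execution detected</description>
    <mitre><id>T1003</id></mitre>
  </rule>
</group>"""

# Stand-in for Wazuh's Sysmon parent rules, which group events by Event ID (assumption).
EVENT_ID_GROUP = {"1": "sysmon_event1", "3": "sysmon_event3"}

def sysmon_event(event_id, image, original=None):  # constructed, archive-shaped record
    data = {"image": image, **({"originalFileName": original} if original else {})}
    return {"win": {"system": {"eventID": event_id}, "eventdata": data}}

SAMPLE_EVENTS = [
    sysmon_event("1", r"C:\Tools\x64\mimikatz.exe", "mimikatz.exe"),
    sysmon_event("1", r"C:\Users\lab\svchost.exe", "MIMIKATZ.EXE"),  # renamed; PE OriginalFileName kept
    sysmon_event("1", r"C:\Windows\notepad.exe", "NOTEPAD.EXE"),
    sysmon_event("3", r"C:\Tools\x64\mimikatz.exe"),  # Event ID 3: not sysmon_event1, no alert
]

def load_rules(xml_text):
    """Parse each <rule> into id, level, if_group gate and a compiled field regex."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        field = r.find("field")  # this pcre2 pattern uses only syntax Python's re shares
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "if_group": r.findtext("if_group"), "field": field.get("name"),
                      "regex": re.compile(field.text)})
    return rules

def get_path(event, dotted):  # resolve a dotted name such as win.eventdata.originalFileName
    for key in dotted.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def match_events(rules, events):  # (rule id, level, image) for each event a rule fires on
    hits = []
    for ev in events:
        group = EVENT_ID_GROUP.get(get_path(ev, "win.system.eventID"))
        for rule in rules:
            value = get_path(ev, rule["field"])
            if group == rule["if_group"] and value and rule["regex"].search(value):
                hits.append((rule["id"], rule["level"], get_path(ev, "win.eventdata.image")))
    return hits
```

On the manager itself, /var/ossec/bin/wazuh-logtest remains the authoritative check of the real decoder and rule chain.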

Congratulations, you’ve successfully built your first custom detection rule in Wazuh!
Summary
In this part, we:
- Integrated Sysmon telemetry from Windows into Wazuh
- Tested detection visibility using Mimikatz
- Configured Filebeat and custom indices for archive logs
- Created a custom Wazuh rule to detect malicious execution
You’ve now turned your lab into a mini detection engineering playground, where raw telemetry meets meaningful detection.
Coming Up Next (Part 5)
In Part 5, we’ll:
- Build n8n playbooks to automatically triage Mimikatz alerts
- Create TheHive cases directly from Wazuh detections
- Explore how automation helps analysts respond faster in a SOC workflow