SOAR home lab (Part 2)

Khushdeep

Oct 3, 2025

Setting Up the Environment

In Part 1, we covered the architecture, requirements, and workflow of our SOAR lab. Now it’s time to get our hands dirty and start building the environment. In this section, we’ll:

  • Install and configure a Windows 10 client VM (using VirtualBox).
  • Install and configure Sysmon for enhanced logging.
  • Deploy Wazuh and TheHive in the cloud.

This will give us a solid working infrastructure to later connect and orchestrate with Shuffle.

Installing Windows 10 on VirtualBox

We’ll begin by setting up our Windows client VM.

1. Download the ISO Creator

  • Go to Microsoft’s official site: Download Windows 10.
  • Click “Download Now” under Create Windows 10 installation media.
  • Follow the default steps in the tool and choose ISO file as the installation media.
[Image: Windows 10 ISO]

2. Create a Virtual Machine

  • Open VirtualBox → click New → select Windows 10.
  • Provide a suitable name, installation path, and attach the ISO you just created.
  • Check the option “Proceed with Unattended Installation”.
[Image: Creating the Windows VM]

3. Allocate Resources

  • Base Memory: 4 GB (minimum)
  • CPU Cores: 2
  • Disk Size: 50 GB (or more, depending on available space).
[Image: Resource allocation]

4. Configure Installation

  • Set a password for your VM.
  • Enable “Install Guest Additions”.
  • Finish the setup and start the VM.

💡 Error Fix - Product Key Issue

If you see the error "Windows cannot read product key from unattend answer file", do this:

1. Power off the VM.
2. Settings → System → Boot Order → Uncheck Floppy.
3. Go to your VM folder (default: VirtualBox VMs).
4. Delete all files starting with Unattended.
5. Start the VM again → Click OK on the warning.

5. Finish Installation

  • Follow the Windows setup wizard.
  • You may need a Microsoft account. This is a good time to create a test email account that you can reuse for testing later in the lab.

Installing Sysmon

With the Windows client ready, let’s install Sysmon to capture detailed logs.

What is Sysmon?
Sysmon (System Monitor) is part of Microsoft’s Sysinternals suite. It runs as a background service and logs detailed system events (process creation, network connections, file changes, etc.) into the Windows Event Log. These logs will later be forwarded to Wazuh for detection and correlation.

Steps:

1. Start the Windows VM.

2. Download Sysmon: Sysmon Download Link.

[Image: Sysmon download]

3. Extract the files, but do not run the .exe directly.

4. Download a pre-made Sysmon config file:

  • Go to sysmon-modular config.
  • Click RAW → right-click → Save As → save it as sysmonconfig.xml in the same folder as the Sysmon files.

5. Open PowerShell as Administrator.

6. Navigate to the Sysmon folder:

cd "C:\path\to\sysmon"

7. Install Sysmon with the config file:

.\sysmon64.exe -i .\sysmonconfig.xml

  • Accept the license agreement.

⚠️ Note:
If you're on a 32-bit Windows VM, replace sysmon64.exe with sysmon.exe.
Ensure the config file name matches exactly.
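Before forwarding anything to Wazuh it is worth confirming that Sysmon is running with the config you loaded and is actually writing events. The following PowerShell check is an added example, not part of the original post; it assumes the placeholder folder C:\path\to\sysmon from step 6 and the default service name (Sysmon64 on 64-bit Windows, Sysmon on 32-bit).

```powershell
# Added example, not from the original post: verify the Sysmon install end to end.
# Assumes the placeholder folder from step 6 and the default service name
# (Sysmon64 on 64-bit Windows, Sysmon on 32-bit). Run from an elevated PowerShell.
param([string]$SysmonDir = "C:\path\to\sysmon")   # placeholder, adjust to your folder

$svcName = if (Test-Path (Join-Path $SysmonDir "sysmon64.exe")) { "Sysmon64" } else { "Sysmon" }

# 1. The service must be running; otherwise nothing is logged.
$svc = Get-Service -Name $svcName -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "$svcName service is $($svc.Status), expected Running" }
Write-Host "$svcName service is running"

# 2. Dump the active configuration (-c with no file argument) so you can see that
#    the loaded rule set is the sysmonconfig.xml you installed, not a bare default.
& (Join-Path $SysmonDir "$svcName.exe") -c | Select-Object -First 12

# 3. Create a harmless, uniquely tagged process and look for its Event ID 1 record
#    (ProcessCreate) in the Sysmon operational log.
$marker = "sysmon-check-" + (Get-Random)
Start-Process -FilePath "cmd.exe" -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddMinutes(-2)
} -ErrorAction SilentlyContinue

$hit = $events | Where-Object { $_.Message -match [regex]::Escape($marker) } | Select-Object -First 1
if ($null -eq $hit) {
    throw "No Sysmon Event ID 1 found for marker $marker; check the ProcessCreate rules in your config"
}
Write-Host "Process creation logged at $($hit.TimeCreated):"
# Show the fields Wazuh will later index from this event (Image, CommandLine, User, Hashes).
$hit.Message -split "`n" | Where-Object { $_ -match '^(Image|CommandLine|User|Hashes):' }
```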

Installing Wazuh

Now that our Windows client is ready, let’s set up Wazuh in the cloud. In this guide, we’ll use DigitalOcean droplets.

Step 1. Create a Droplet

  • Register and log in to DigitalOcean.
  • On the dashboard, click Create → Droplets.
  • Configure the VM:
    Region: Closest to you.
    OS: Ubuntu (LTS 24.04 in our case).
    Droplet type: Basic.
    CPU option: Premium Intel (~$48/month → 8 GB RAM, 160 GB SSD).
    Minimum requirements: 8 GB RAM, 50 GB SSD.
    Authentication: Password (choose a strong one).
    Hostname: wazuh.
  • Click Create Droplet.

Step 2. Configure Firewall

  • Go to Networking (Left Sidebar) → Firewalls → Create Firewall.
[Image: Firewall setup]
  • Name: Firewall
  • Inbound rules:
    TCP: Allow only your IP.
    UDP: Allow only your IP.
  • Outbound rules: Keep defaults.
  • Save, then attach the firewall to your Wazuh droplet: open the droplet and go to its Networking tab in the droplet dashboard.
[Image: Adding firewall to droplet]

Step 3. Access the Droplet

SSH from your terminal/PowerShell:

ssh root@<wazuh_droplet_ip>

Step 4. Update System

apt-get update && apt-get upgrade -y

Step 5. Install Wazuh

curl -sO https://packages.wazuh.com/4.13/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once installation is complete, note down the login username and password displayed.

Step 6. Access Wazuh Dashboard

In your browser, go to:

https://<your_wazuh_droplet_ip>

Login with the credentials provided.

[Image: Wazuh login]
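To confirm that the firewall rule lets your machine through and that the installer left all three Wazuh services running, here is an added PowerShell check run from the same machine whose IP you allowed (example code, not part of the original post). It assumes the placeholder <wazuh_droplet_ip>, ssh.exe on PATH (Windows 10 ships OpenSSH), and Wazuh's default ports; note that 1514/1515 are the ports the Wazuh agent on the Windows VM will need in a later part, so the allowed IP must also cover the address the VM leaves your network from.

```powershell
# Added example, not from the original post: check the Wazuh droplet from the
# machine whose IP you allowed in the DigitalOcean firewall. Assumes the
# placeholder <wazuh_droplet_ip>, ssh.exe on PATH, and Wazuh's default ports:
# 443 dashboard, 1514 agent events, 1515 agent enrollment, 55000 manager API.
param([string]$WazuhIp = "<wazuh_droplet_ip>")   # placeholder from the post

$ports = [ordered]@{
    443   = 'dashboard (HTTPS)'
    1514  = 'agent events'
    1515  = 'agent enrollment'
    55000 = 'manager API'
}

# 1. Reachability through the firewall. From an IP you did not allow, every
#    port should show "blocked/closed"; that is the rule working, not a fault.
foreach ($port in $ports.Keys) {
    $open = Test-NetConnection -ComputerName $WazuhIp -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    $state = if ($open) { 'open' } else { 'blocked/closed' }
    Write-Host ("{0,6}/tcp  {1,-18} {2}" -f $port, $ports[$port], $state)
}

# 2. The three services installed by wazuh-install.sh -a must all report "active".
#    Uses the same root SSH login as Step 3.
ssh "root@$WazuhIp" 'systemctl is-active wazuh-manager wazuh-indexer wazuh-dashboard'
```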

Installing TheHive

We’ll now set up TheHive in the same way we did for Wazuh — on a separate droplet.

Step 1. Create Droplet

  • Same configuration as Wazuh (Ubuntu 24.04, 8 GB RAM, 50 GB SSD).
  • Hostname: thehive.
  • Apply a similar firewall.
[Image: Droplets]

Step 2. Connect to Droplet

SSH from your terminal/PowerShell:

ssh root@<thehive_droplet_ip>

Step 3. Install Dependencies

Follow this guide to install the necessary dependencies for TheHive:

Required dependencies for TheHive

From the TheHive docs, install:

  • Java Virtual Machine

💡 Error Fix - Java not installed

apt update
apt upgrade
apt install java-common java-11-amazon-corretto-jdk

(The Corretto package comes from the Amazon Corretto apt repository that the TheHive docs tell you to add first; if apt cannot find it, add that repository and rerun apt update.)

[Image: JVM installation]

  • Apache Cassandra
[Image: Cassandra installation]
  • Elasticsearch
[Image: Elasticsearch installation]
  • TheHive itself
[Image: TheHive installation]

Follow the order as outlined in the documentation.

✅ By the end of this part, you now have:

  • Windows client VM with Sysmon installed.
  • A cloud-hosted Wazuh server.
  • A cloud-hosted TheHive server.

In Part 3, we’ll configure Wazuh and TheHive, and start wiring them together with n8n.
