Author: info@goodiswp.com

  • SOAR home lab (Part 2)

    Khushdeep


    5 min read

    ·

    Oct 3, 2025

    Setting Up the Environment

    In Part 1, we covered the architecture, requirements, and workflow of our SOAR lab. Now it’s time to get our hands dirty and start building the environment. In this section, we’ll:

    • Install and configure a Windows 10 client VM (using VirtualBox).
    • Install and configure Sysmon for enhanced logging.
    • Deploy Wazuh and TheHive in the cloud.

This will give us a solid working infrastructure to connect and orchestrate with n8n in the later parts.

    Installing Windows 10 on VirtualBox

    We’ll begin by setting up our Windows client VM.

    1. Download the ISO Creator

    • Go to Microsoft’s official site: Download Windows 10.
    • Click “Download Now” under Create Windows 10 installation media.
    • Follow the default steps in the tool and choose ISO file as the installation media.
    Windows 10 iso

    2. Create a Virtual Machine

    • Open VirtualBox → click New → select Windows 10.
    • Provide a suitable name, installation path, and attach the ISO you just created.
    • Check the option “Proceed with Unattended Installation”.
Creating Windows VM

    3. Allocate Resources

    • Base Memory: 4 GB (minimum)
    • CPU Cores: 2
    • Disk Size: 50 GB (or more, depending on available space).
    Resources Allocation

    4. Configure Installation

    • Set a password for your VM.
    • Enable “Install Guest Additions”.
    • Finish the setup and start the VM.
    💡Error Fix - Product Key Issue
    If you see: "Windows cannot read product key from unattend answer file", do this:

    1. Power off the VM.
    2. Settings → System → Boot Order → Uncheck Floppy.
    3. Go to your VM folder (default: VirtualBox VMs).
    4. Delete all files starting with Unattended.
    5. Start the VM again → Click OK on the warning.

    5. Finish Installation

    • Follow the Windows setup wizard.
• Windows may ask you to sign in with a Microsoft account. This is a good time to create a throwaway test mailbox that you can also reuse for notification testing later in the lab; never use your personal account inside a lab VM.

    Installing Sysmon

    With the Windows client ready, let’s install Sysmon to capture detailed logs.

    What is Sysmon?
Sysmon (System Monitor) is part of Microsoft’s Sysinternals suite. It runs as a background service and writes detailed system events (process creation including the image hashes, network connections, file creation, registry changes, etc.) to the Microsoft-Windows-Sysmon/Operational event log. Which events it records is governed entirely by the configuration file you load, which is why we install it with a curated config below. These logs will later be forwarded to Wazuh for detection and correlation.

    Steps:

    1. Start the Windows VM.

    2. Download Sysmon: Sysmon Download Link.

Sysmon download

3. Extract the files, but do not run the .exe yet: installing Sysmon without a configuration file gives you only its default, very limited event set.

    4. Download a pre-made Sysmon config file:

    • Go to sysmon-modular config.
    • Click RAW → right-click → Save As → save it as sysmonconfig.xml in the same folder as the Sysmon files.

    5. Open PowerShell as Administrator.


    6. Navigate to the Sysmon folder:

    cd "C:\path\to\sysmon"

    7. Install Sysmon with the config file:

.\sysmon64.exe -i .\sysmonconfig.xml
• Accept the license agreement when prompted (or add -accepteula to the command to run it non-interactively).
• Verify the install: Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational should start filling with Event ID 1 (process creation) records as soon as you open any program.
⚠️ Note:
If you're on a 32-bit Windows VM, replace sysmon64.exe with sysmon.exe.
Ensure the config file name matches exactly.

    Installing Wazuh

    Now that our Windows client is ready, let’s set up Wazuh in the cloud. In this guide, we’ll use DigitalOcean droplets.

    Step 1. Create a Droplet

    • Register and log in to DigitalOcean.
    • On the dashboard, click Create → Droplets.
    • Configure the VM:
Region: closest to you.
OS: Ubuntu (24.04 LTS in our case).
Droplet type: Basic.
CPU option: Premium Intel (~$48/month → 8 GB RAM, 160 GB SSD).
Minimum requirements for the Wazuh all-in-one install: 8 GB RAM, 50 GB SSD.
Authentication: an SSH key is the better choice for a root login exposed to the internet; if you pick Password, choose a long, unique one.
Hostname: wazuh.
    • Click Create Droplet.

    Step 2. Configure Firewall

    • Go to Networking (Left Sidebar) → Firewalls → Create Firewall.
    Firewall setup
• Name: Firewall
• Inbound rules:
TCP: Allow only your IP.
UDP: Allow only your IP.
The Wazuh agent on the Windows VM must reach the manager on TCP 1514 (events) and TCP 1515 (enrollment), and your browser needs TCP 443 for the dashboard. With VirtualBox NAT the VM shares your host's public IP, so "your IP" covers it; if your VM egresses from a different address, add that address as well rather than opening the ports to the world.
• Outbound rules: Keep defaults.
• Save and attach the firewall to your Wazuh droplet: open the droplet, go to its Networking tab and add the firewall there.
    Adding Firewall to Droplet

    Step 3. Access the Droplet

    SSH from your terminal/PowerShell:

    ssh root@<wazuh_droplet_ip>

    Step 4. Update System

    apt-get update && apt-get upgrade -y

    Step 5. Install Wazuh

    curl -sO https://packages.wazuh.com/4.13/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once installation is complete, note down the admin username and password displayed. The assistant also leaves a wazuh-install-files.tar in the working directory containing the generated certificates and passwords; keep it somewhere safe and do not leave it world-readable.

    Step 6. Access Wazuh Dashboard

    In your browser, go to:

    https://<your_wazuh_droplet_ip>

    Login with the credentials provided.

    Wazuh Login

    Installing TheHive

    We’ll now set up TheHive in the same way we did for Wazuh — on a separate droplet.

    Step 1. Create Droplet

    • Same configuration as Wazuh (Ubuntu 24.04, 8 GB RAM, 50 GB SSD).
    • Hostname: thehive.
    • Apply a similar firewall.
    Droplets

    Step 2. Connect to Droplet

    SSH from your terminal/PowerShell:

    ssh root@<thehive_droplet_ip>

    Step 3. Install Dependencies

Follow the TheHive installation guide to install the necessary dependencies, in the order the documentation gives them.

Required dependencies for TheHive

From the TheHive docs, install:

• Java Virtual Machine (TheHive's docs use Amazon Corretto 11; the package below only resolves after you have added the Corretto apt repository and signing key as the docs describe)
💡 Error Fix - Java not installed
apt update
apt upgrade
apt install java-common java-11-amazon-corretto-jdk
JVM installation
• Apache Cassandra (TheHive's database)
Cassandra installation
• Elasticsearch (TheHive's search index)
ElasticSearch installation
• TheHive itself
TheHive installation

Follow the order as outlined in the documentation; TheHive needs Cassandra and Elasticsearch reachable before it can start.

    ✅ By the end of this part, you now have:

    • Windows client VM with Sysmon installed.
    • A cloud-hosted Wazuh server.
    • A cloud-hosted TheHive server.

    In Part 3, we’ll configure Wazuh and TheHive, and start wiring them together with n8n.

  • SOAR home lab (Part 1)

    Khushdeep


    3 min read

    ·

    Aug 27, 2025

    Introduction

    Security Orchestration, Automation, and Response (SOAR) is a critical piece of modern SOC operations, enabling faster detection, analysis, and response to threats. In this lab, we’ll walk through setting up a practical SOAR environment using three core components:

    • Wazuh — an open-source SIEM and endpoint security solution.
    • TheHive — an open-source Security Incident Response Platform (SIRP).
    • n8n — an open-source automation platform.

The goal is to build a functional mini-SOC in which n8n receives alerts from Wazuh, enriches them, pushes them into TheHive for case management, notifies the SOC analyst, and runs automated response workflows.

    Since this is a hands-on implementation, this guide will be divided into several parts to keep things clear and manageable. Each part will cover a major step in the setup process, from preparing the environment to deploying integrations and running playbooks.

    Lab Roadmap

    The series will be broken into several parts:

    Part 1 — Introduction

    Part 2 — Setup

    Part 3 — Configuration & Testing

Part 4 — Configuring custom alerts and telemetry

    Part 5 — Bringing everything together and wrapping up

    Lab Requirements

    Before we start, here’s what you’ll need:

    Hardware / System Requirements

    • Host PC: Windows x64 (recommended)
    • Minimum: 16 GB RAM (to comfortably run multiple VMs)
    • At least 100 GB disk space

    Virtualization Setup

    We’ll run a combination of on-prem VMs and cloud-hosted services:

    On the Host (Windows PC):

    • Virtualization tool: VirtualBox, VMware, or Hyper-V
    • VM1: A Windows client (ISO will be created and used in the lab)

    Cloud Environment:

    • Deploy Wazuh Manager (SIEM)
    • Deploy TheHive (SIRP)
• Cloud provider: any provider works. Part 2 of this series uses DigitalOcean droplets; AWS is an equally good choice.

If you want to know how to set up AWS for the labs for free, you can refer to my previous Medium article, "Setting up Honeypot at home using T-Pot".

    Architecture and Workflow

    Here’s the architecture of the lab we will implement:


    Windows Client

    • Generates security events (logs, suspicious activities, etc.).
    • Sends events to Wazuh Manager for analysis.

    Wazuh Manager (SIEM)

    • Receives events from the Windows client.
    • Triggers alerts when suspicious activity is detected.
• Forwards matching alerts to n8n over a webhook.

    n8n (mini-SOAR)

    • Receives alerts from Wazuh.
    • Performs enrichment of IOCs (e.g., IP reputation, domain checks, file hash lookups).
    • Sends enriched alerts to theHive for case management.
    • Sends telegram message to the SOC Analyst.

    theHive (Case Management)

    • Receives enriched alerts as cases.
    • Allows SOC Analyst to review, investigate and decide on response actions.

    SOC Analyst

• Receives a Telegram or email notification from n8n.
• Reviews the case in TheHive.
• Sends response actions back through n8n (e.g., block IP, isolate host).
    Architecture of SOAR

    Summary

In this first part, we laid the foundation for our SOAR lab. We introduced the core components, Wazuh, n8n, TheHive and a Windows client, and defined how they will interact in a real-world SOC workflow. We also outlined the hardware and software requirements and the lab roadmap, and walked through the architecture design to give you a clear picture of the end-to-end flow.

    By now, you should have a solid understanding of the overall design and objectives of the lab:

• Windows Client generates events → Wazuh triggers alerts → n8n enriches and orchestrates → TheHive manages cases → SOC Analyst reviews/responds.
• Responses loop back through n8n and Wazuh to the Windows Client.

    With the blueprint in place, we’re ready to roll up our sleeves and start building.

    In Part 2, we’ll set up the environment:

    • Install and configure the virtual machines.
    • Prepare the Windows client.
    • Deploy Wazuh and TheHive on a cloud server.

    This will give us the working infrastructure needed to start wiring everything together in later parts of the series.

  • SOAR home lab (Part 5)

    Khushdeep


    5 min read

    ·

    Oct 9, 2025


In this final part of my SOAR Home Lab series, we’ll bring everything together, Wazuh, n8n and TheHive, to build a fully automated detection and response workflow.

    By the end of this part, you’ll have a working automation pipeline that detects Mimikatz execution, extracts file hashes, checks them with VirusTotal and automatically creates a case in TheHive for analyst triage.

    Step 1: Boot Up and Prepare

    1. Start your Wazuh droplet and Windows VM.

    2. We’ll use n8n for automation, which we’ll install locally.

    Step 2: Installing n8n

    1. Download and install Node.js → https://nodejs.org/en/download

    2. Open CMD and verify the installation:

    node --version

    3. Install n8n globally:

    npm install n8n -g

    4. Launch n8n and visit the dashboard:

    n8n

    Visit http://localhost:5678

    Step 3: Making n8n Public with ngrok

The Wazuh manager runs in the cloud and cannot reach a webhook listening on your laptop's localhost, so we’ll use ngrok to expose n8n to the internet. Keep in mind that the tunnel makes the webhook reachable from anywhere and the random URL path is the only thing protecting it: anyone who learns it can inject fake "alerts" into your pipeline. Treat the URL like a secret and stop ngrok whenever you are not actively using the lab.

    1. Install ngrok from the Microsoft Store:
    https://apps.microsoft.com/detail/9MVS1J51GMK6

    2. In another CMD window (keep n8n running)

    3. Making auth token for ngrok, you can copy that from their website https://dashboard.ngrok.com/get-started/setup/windows

    ngrok config add-authtoken <your_auth_token>

    4. Run ngrok for port 5678(n8n default port)

    ngrok http 5678

    5. This creates a secure public tunnel for n8n.
    Copy the generated HTTPS forwarding URL, we’ll use it later.

    Step 4: Creating the Webhook in n8n

    1. In n8n, click the ➕ button and choose “On Webhook Call.”

    2. Change HTTP method to POST and copy the generated URL.

    3. Replace localhost with your ngrok URL, e.g.:

    https://<ngrok-url>/webhook-test/181fb61c-b2b6-4f5a-bb77-861b3e991065
    Webhook config

4. Paste this inside the <ossec_config> block of Wazuh’s config /var/ossec/etc/ossec.conf. The integration is named shuffle because it uses Wazuh’s built-in Shuffle integration, which simply POSTs the alert as JSON to hook_url, so it works for any webhook receiver such as n8n. Use the full webhook path n8n shows you: /webhook-test/<id> while you are using “Listen for test event”, and /webhook/<id> once the workflow is saved and activated. The rule_id is the custom Mimikatz rule from Part 4; list further IDs comma-separated to forward more detections.

<integration>
  <name>shuffle</name>
  <hook_url>https://<ngrok_url>/webhook-test/181fb61c-b2b6-4f5a-bb77-861b3e991065</hook_url>
  <rule_id>100002</rule_id>
  <alert_format>json</alert_format>
</integration>

    5. Save and restart Wazuh:

    sudo systemctl restart wazuh-manager.service

    Step 5: Testing the Webhook

    1. In n8n, click “Listen for test event.”

    2. On your Windows VM, run Mimikatz from PowerShell, the same way we ran in Part 4.

    3. You should now see the alert arrive in n8n, your webhook is working!

    Webhook Output

    Step 6: Extracting Hashes from Alerts

Add a new node → Data Transformation → Code → Code in JavaScript
    Paste this:

// n8n Code node, mode "Run Once for All Items": one output item per incoming alert
const items = $input.all();
const sha256Values = items.map((item) => {
  // Wazuh's shuffle integration nests the full alert under body.all_fields
  const hashes = item?.json?.body?.all_fields?.data?.win?.eventdata?.hashes;
  // Sysmon formats the field as "MD5=...,SHA256=...,IMPHASH=..."
  const sha256 = hashes?.split(",").find((hash) => hash.startsWith("SHA256="));
  return { sha256: sha256?.split("=")[1] };
});
return sha256Values;

This script extracts the SHA256 hash from each Wazuh alert. Leave the node in its default “Run Once for All Items” mode, since the script uses $input.all(). If the Hashes field is missing, or your Sysmon config does not list SHA256 under HashAlgorithms, the output item will carry sha256 undefined and the VirusTotal lookup in the next step will fail.

    Javascript SHA256 extraction script
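As an added example (not code from the original post), here is a stricter version of the extraction above that you will want once more than one alert shape flows through the webhook: it parses every hash algorithm Sysmon reports, validates the SHA256, keeps the context fields the later nodes use, and drops items without a usable hash instead of forwarding sha256: undefined. The alert samples are constructed; the field paths assume what Wazuh's shuffle integration posts (the alert under body.all_fields), as in the node above.

```javascript
// Added example (not code from the original post): a stricter version of the
// hash-extraction Code node. Sample alerts are constructed; the shapes follow
// what Wazuh's shuffle integration posts (alert under body.all_fields).

// Sysmon's Hashes field looks like "MD5=...,SHA256=...,IMPHASH=...". Which
// algorithms appear depends on HashAlgorithms in sysmonconfig.xml.
function parseSysmonHashes(hashField) {
  const out = {};
  if (typeof hashField !== "string") return out;
  for (const part of hashField.split(",")) {
    const idx = part.indexOf("=");
    if (idx <= 0) continue; // skip a malformed segment instead of throwing
    const algo = part.slice(0, idx).trim().toUpperCase();
    const value = part.slice(idx + 1).trim().toLowerCase();
    out[algo] = value;
  }
  return out;
}

// Collect the fields the rest of the workflow needs from one webhook item.
function extractIndicators(webhookJson) {
  const all = webhookJson?.body?.all_fields ?? {};
  const ev = all?.data?.win?.eventdata ?? {};
  const hashes = parseSysmonHashes(ev.hashes);
  const sha256 = hashes.SHA256 ?? "";
  return {
    alertId: all.id ?? null,
    ruleId: all?.rule?.id ?? null,
    agent: all?.agent?.name ?? null,
    user: ev.user ?? null,
    image: ev.image ?? null,
    originalFileName: ev.originalFileName ?? null,
    // only accept a well-formed SHA256; anything else becomes null
    sha256: /^[0-9a-f]{64}$/.test(sha256) ? sha256 : null,
    md5: hashes.MD5 ?? null,
  };
}

// URL the HTTP Request node in Step 7 calls (VirusTotal v3 file report).
function virusTotalFileUrl(sha256) {
  if (!sha256) throw new Error("no SHA256 available, skip the VirusTotal lookup");
  return `https://www.virustotal.com/api/v3/files/${sha256}`;
}

// Body of the n8n Code node ("Run Once for All Items"). Items without a
// usable hash are dropped here rather than forwarded as { sha256: undefined },
// which would turn into a broken VirusTotal URL downstream.
function codeNode(items) {
  return items
    .map((item) => extractIndicators(item.json))
    .filter((ind) => ind.sha256 !== null)
    .map((ind) => ({ json: ind }));
}

// Constructed sample input: one Sysmon Event 1 alert with hashes, one without.
const SAMPLE_SHA256 = "ab".repeat(32);
const SAMPLE_ITEMS = [
  {
    json: {
      body: {
        id: "1760000000.12345",
        all_fields: {
          id: "1760000000.12345",
          rule: { id: "100002", level: 15 },
          agent: { name: "WIN10-LAB" },
          data: { win: { eventdata: {
            user: "WIN10-LAB\\analyst",
            image: "C:\\Users\\analyst\\x64\\mimikatz.exe",
            originalFileName: "mimikatz.exe",
            hashes: `MD5=0123456789ABCDEF0123456789ABCDEF,SHA256=${SAMPLE_SHA256},IMPHASH=00000000000000000000000000000000`,
          } } },
        },
      },
    },
  },
  {
    json: { body: { id: "1760000001.12346", all_fields: {
      id: "1760000001.12346", rule: { id: "61600" },
      data: { win: { eventdata: { user: "SYSTEM" } } } } } },
  },
];

// Inside n8n the node body would simply be: return codeNode($input.all());
const SAMPLE_OUTPUT = codeNode(SAMPLE_ITEMS);
console.log(JSON.stringify(SAMPLE_OUTPUT, null, 2));
```

Dropping hash-less items is a design choice: it keeps the VirusTotal node from erroring on a malformed URL, at the cost of silently skipping those alerts. If you would rather see them, route the filtered-out items to a separate branch (for example a notification without enrichment) instead of discarding them.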

    Step 7: Integrate VirusTotal

    Before proceeding, create a VirusTotal account and get your API key.

Add an HTTP Request node with the following configuration:

Method: GET

URL: https://www.virustotal.com/api/v3/files/{{$json["sha256"]}}

Send Headers: x-apikey: <your_virustotal_api_key>
Better: store the key as an n8n Header Auth credential and select it under Authentication instead of typing it into the node, so it is not saved in plain text inside the exported workflow.

Virus Total config

Click Test Connection → then Execute Step to verify it works. VirusTotal answers 404 for a hash it has never seen, which makes the node fail; if you want the case to be created anyway, set the node's On Error / Continue On Fail option or branch on the error output. Note also that the free API tier is rate limited, which matters once you automate more rules than this one.

    Virus total Output

    Step 8: Integrate TheHive for Case Creation

Before connecting, create a service account in TheHive and generate an API key for it.

Configure TheHive:

1. Log into TheHive dashboard

2. Create a new Organization and two users:

• Normal user: soar@test.com (Analyst profile), the account you will log in with to triage cases
• Service user: shuffle@test.com (Analyst profile), the account n8n will authenticate as
Adding users into theHive

3. Set a password for the normal user (so you can log into its dashboard later) and generate an API key for the service user. Using a dedicated service account means the key can be revoked without locking out the analyst, and its actions show up separately in TheHive's audit trail.

    Configure n8n:

    1. Add a new node → TheHive 5

2. Connection settings:

• URL: http://<theHive_IP>:9000
• API Key: the key generated in the TheHive step above
• Ignore SSL Issues: ✅ (only relevant if you later put TheHive behind HTTPS with a self-signed certificate; with plain http:// there is no TLS at all, so the API key crosses the internet in clear text. For anything beyond a short-lived lab, front port 9000 with a TLS reverse proxy and keep the droplet firewall restricted to your IP.)

    3. TheHive node configuration:

Resource: Case

Operation: Create

Title: Mimikatz Execution Detected

Description: {{ $json.data.links.self }} (the VirusTotal API link for the file, taken from the previous node's output)

Severity: High

Tags: Wazuh Event ID: {{ $('Webhook').item.json.body.id }}

Summary: {{ $('Webhook').item.json.body.all_fields.data.win.eventdata.user }}

TLP: Amber

PAP: Amber

Status: New

    theHive config

    Click Execute Step to test.

    theHive output
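Added example (not from the original post, and not the n8n node's own code): the case the TheHive node builds, assembled in plain JavaScript so you can see the full payload and the HTTP request behind it. It assumes TheHive 5's POST /api/v1/case endpoint with the API key sent as a bearer token; the VirusTotal report and Wazuh alert are constructed samples, the TheHive URL and key are placeholders, and the severity-from-VirusTotal mapping goes beyond the post's fixed "High" and is a choice made here.

```javascript
// Added example (not the original post's code): build the TheHive 5 case
// payload from the webhook item plus the VirusTotal report, then show the
// request it becomes. No network calls are made; all inputs are constructed.

const SEVERITY = { low: 1, medium: 2, high: 3, critical: 4 }; // TheHive numeric severities
const TLP_AMBER = 2;
const PAP_AMBER = 2;

// Beyond the post's fixed "High": derive severity from how many VirusTotal
// engines flagged the hash (last_analysis_stats from the v3 file report).
// Thresholds are this example's choice, not a VirusTotal or TheHive rule.
function severityFromVirusTotal(stats) {
  const malicious = stats?.malicious ?? 0;
  if (malicious >= 10) return SEVERITY.critical;
  if (malicious >= 1) return SEVERITY.high;
  return SEVERITY.medium; // unknown or clean hash still gets a case: rule 100002 fired
}

// webhookBody = $('Webhook').item.json.body ; vtReport = body returned by the VirusTotal node
function buildHiveCase(webhookBody, vtReport) {
  const all = webhookBody?.all_fields ?? {};
  const ev = all?.data?.win?.eventdata ?? {};
  const sha256 = vtReport?.data?.id ?? null; // VirusTotal uses the SHA256 as the file id
  const stats = vtReport?.data?.attributes?.last_analysis_stats;
  const guiLink = sha256 ? `https://www.virustotal.com/gui/file/${sha256}` : "VirusTotal report unavailable";
  return {
    title: "Mimikatz Execution Detected",
    description: [
      `Host: ${all?.agent?.name ?? "unknown"}`,
      `User: ${ev.user ?? "unknown"}`,
      `Image: ${ev.image ?? "unknown"}`,
      `SHA256: ${sha256 ?? "n/a"}`,
      `VirusTotal: ${guiLink}`,
    ].join("\n"),
    severity: severityFromVirusTotal(stats),
    tags: [
      `wazuh-event-id:${webhookBody?.id ?? "unknown"}`,
      `wazuh-rule:${all?.rule?.id ?? "unknown"}`,
      "mimikatz",
    ],
    summary: ev.user ?? "",
    tlp: TLP_AMBER,
    pap: PAP_AMBER,
    status: "New",
  };
}

// The request the TheHive node issues: POST /api/v1/case, key as a bearer token.
// Over plain http:// this header is visible on the wire, hence the TLS advice above.
function buildHiveRequest(baseUrl, apiKey, caseBody) {
  return {
    method: "POST",
    url: `${baseUrl.replace(/\/$/, "")}/api/v1/case`,
    headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
    body: JSON.stringify(caseBody),
  };
}

// Constructed samples (placeholder IP and key; not real lab values).
const SAMPLE_WEBHOOK_BODY = {
  id: "1760000000.12345",
  all_fields: {
    id: "1760000000.12345",
    rule: { id: "100002", level: 15 },
    agent: { name: "WIN10-LAB" },
    data: { win: { eventdata: {
      user: "WIN10-LAB\\analyst",
      image: "C:\\Users\\analyst\\x64\\mimikatz.exe",
      originalFileName: "mimikatz.exe",
    } } },
  },
};
const SAMPLE_VT_REPORT = {
  data: {
    id: "ab".repeat(32),
    type: "file",
    attributes: { last_analysis_stats: { malicious: 63, suspicious: 0, undetected: 8, harmless: 0 } },
  },
};

const sampleCase = buildHiveCase(SAMPLE_WEBHOOK_BODY, SAMPLE_VT_REPORT);
console.log(JSON.stringify(buildHiveRequest("http://203.0.113.10:9000", "<thehive_api_key>", sampleCase), null, 2));
```

The description deliberately carries the human-readable VirusTotal GUI link rather than the API self link the node config uses, since that is what an analyst will click from the case; the API link is still available in the previous node's output if you want both.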

    Step 9: Full Workflow Test

    1. Save your workflow.

    2. Click Execute Workflow in n8n.

    3. Run Mimikatz again on your Windows VM.

    You should see:

    • Wazuh generates an alert ⚠️
    • n8n webhook captures it
    • Extracted hash sent to VirusTotal
    • TheHive case automatically created 🐝

    Step 10: Optional Add-ons

    You can extend this workflow:

    • Add Telegram or Email nodes for real-time alerts
    Adding telegram message forwarding
    • Add enrichment sources (Shodan, AbuseIPDB, etc.)
    • Build additional automation playbooks

    Project Complete!

    Congratulations! You’ve successfully built a fully automated SOAR workflow integrating:

    • Wazuh (Detection & Alerting)
    • n8n (Automation & Orchestration)
    • TheHive (Case Management)

This concludes the SOAR Home Lab Project, from architecture to full automation. The entire series walks through the real-world lifecycle of a modern SOC workflow: detect, enrich, respond, and automate.

    n8n workflow


  • SOAR home lab (Part 4)

    Khushdeep


    5 min read

    ·

    Oct 8, 2025

    In the previous parts of this SOAR lab series, we built the foundational infrastructure:

    • Part 1 → Architecture and roadmap
• Part 2 → Environment setup: Windows VM with Sysmon, plus the Wazuh and TheHive droplets
    • Part 3 → Configured TheHive, Cassandra, and Elasticsearch

    In this part, we move to the Windows endpoint side of things, feeding Sysmon telemetry into Wazuh and creating a custom alert rule to detect Mimikatz execution.

    Inputting Sysmon Telemetry into Wazuh

    Step 1: Boot up your environments

    1. Start your Windows virtual machine.
    2. Power on your Wazuh droplet.

    We’ll begin by configuring the Windows agent to send Sysmon logs to Wazuh.

    Step 2: Modify ossec.conf

    Navigate to the Wazuh agent directory on your Windows VM:

    C:\Program Files (x86)\ossec-agent

Since this is under C:\Program Files, open Notepad as Administrator to edit ossec.conf.

1. Open ossec.conf in Notepad (Administrator mode).
2. Scroll down to the section labeled Log analysis.
3. You will find three existing <localfile> entries (the Application, Security and System event channels). Keep them: deleting them would stop Windows Security and System logs from reaching Wazuh, and the Security channel is where logon telemetry comes from. We will add Sysmon as a fourth entry.
    Log file configuration

    Step 3: Identify Sysmon log source

    Open Event Viewer and open Applications and Services Logs → Microsoft → Windows → Sysmon → Operational

    • Right-click Operational, select Properties and copy the Full Name of the log. It should look like:

    Microsoft-Windows-Sysmon/Operational

    Event Viewer

Step 4: Add Sysmon as the new log source

Back in ossec.conf, find the existing block for the Application channel:

<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
</localfile>

and add a fourth block of the same shape directly after it, with the Sysmon channel name you copied from Event Viewer as its <location>:

<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>

Save and close the file.

    Log file configuration

    Step 5: Restart Wazuh agent

    Press Win + R, type services.msc, and restart the Wazuh Agent service.

    Step 6: Verify Sysmon logs in Wazuh

    Go to your Wazuh dashboard → Explore → Discover.
    You should now start seeing Sysmon event telemetry streaming from your Windows VM.

    Wazuh dashboard with sysmon telemetry

    Feeding Mimikatz Telemetry into Wazuh

    Now that Sysmon logs are flowing, let’s test detection visibility with a Mimikatz execution.

⚠️ Warning: Use this only in an isolated lab VM. Mimikatz is a credential-dumping tool (LSASS memory, SAM, Kerberos tickets) that attackers use after gaining a foothold; it is flagged by practically every antivirus product, and you should never run it on production or personal systems.

Step 1: Disable Microsoft Defender

Take a VirtualBox snapshot of the VM first so you can roll back to a protected state when the lab is done.

1. Search Windows Security → Open Virus & threat protection.
Windows security
2. Click Manage settings under “Virus & threat protection settings.”
Virus and threat protection page
3. Disable the following:
• Real-time protection
• Cloud-delivered protection
• Automatic sample submission
• Tamper protection
Disabled settings

    Step 2: Download and run Mimikatz

    1. In your Windows VM browser, go to the official Mimikatz GitHub (gentilkiwi).

    2. Scroll down in README and you can see the option to download precompiled binaries under “trunk.zip.”

    mimikatz binaries

    3. Extract the ZIP and navigate to x64/ folder.

    4. Open a PowerShell window in that directory (Shift + Right Click → Open PowerShell window here).


    5. Run:

    .\mimikatz.exe

Switch back to Wazuh and search the wazuh-alerts index for “mimikatz”: you won’t find anything yet. That’s expected. Wazuh only writes an event to wazuh-alerts when a rule of level 3 or higher fires, and the built-in Sysmon “Event 1: Process creation” rule is level 0, so the process-creation event was decoded but never became an alert. Let’s configure a custom alert rule next.

    Configuring Wazuh for Custom Alerts

    We’ll now modify Wazuh configurations to capture all logs and build a rule that triggers when Mimikatz executes.

    Step 1: Enable full log capture

    SSH into your Wazuh droplet and open:

    sudo nano /var/ossec/etc/ossec.conf

    Change:

    <logall>no</logall>
    <logall_json>no</logall_json>

    to:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

Save and exit. With logall enabled the manager writes every received event to /var/ossec/logs/archives/, which grows quickly; turn it back off once you have finished testing.

    ossec.conf

    Restart Wazuh manager:

    sudo systemctl restart wazuh-manager.service

    Step 2: Configure Filebeat to include archived logs

    Open Filebeat config:

    sudo nano /etc/filebeat/filebeat.yml

In the filebeat.modules section the wazuh module has two sub-entries, alerts and archives. Change the archives entry from:

archives:
  enabled: false

to:

archives:
  enabled: true
filebeat.yml

    Restart Filebeat:

    sudo systemctl restart filebeat.service

    Step 3: Create new index for archive logs

    1. Go to your Wazuh dashboard.

    2. From the left menu: Dashboard Management → Index Patterns.

    3. Click Create New Index Pattern.

    New index pattern

    4. Fill in:

• Name: wazuh-archives-*
• Time field: timestamp

5. Click Create Index Pattern.

Now, return to Explore → Discover and switch the index pattern selector to wazuh-archives-*.

    wazuh-archives index

    Step 4: Rerun Mimikatz and verify

Run Mimikatz again on your Windows VM and then search for mimikatz under the wazuh-archives-* index pattern; this time you should see results!

    mimikatz results under wazuh-archives

    Creating a Custom Rule to Detect Mimikatz Execution

    1. In the Wazuh dashboard, go to:
      Server Management → Rules → Manage Rules Files → Custom Rules
2. Edit local_rules.xml and add the Mimikatz rule inside the existing <group> (the file ships with the sshd example rule 100001; keep or delete it, but do not reuse its ID):
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <!-- Sysmon Event 1 (process creation) whose PE OriginalFileName is mimikatz.exe.
       OriginalFileName comes from the binary's version resource, so renaming the
       file on disk does not evade this rule. -->
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz execution detected</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>

</group>
local_rules.xml

    3. Save the rule file.

    4. Restart Wazuh manager:

    sudo systemctl restart wazuh-manager.service

    5. Re-run Mimikatz on your Windows VM. Now, search for “mimikatz” under the wazuh-alerts index, you should see a triggered detection with your custom rule ID.

    mimikatz custom rule

    Congratulations, you’ve successfully built your first custom detection rule in Wazuh!
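Added example (not code from the original post, and not Wazuh's rule engine): a small emulation of what rule 100002 checks, run over constructed Sysmon events, so you can reason about which process-creation events it catches before restarting the manager. It mimics only the two conditions the rule declares, membership in the sysmon_event1 group and a case-insensitive pcre2 match on win.eventdata.originalFileName; the event shapes are simplified samples, not real Wazuh output.

```javascript
// Added example (not the original post's code): emulate rule 100002 over
// constructed Sysmon events. Not Wazuh's engine; only the rule's two conditions.

const RULE_100002 = {
  id: 100002,
  level: 15,
  ifGroup: "sysmon_event1",              // <if_group>
  field: "win.eventdata.originalFileName",
  pattern: /mimikatz\.exe/i,              // (?i)mimikatz\.exe in pcre2
  description: "Mimikatz execution detected",
  mitre: ["T1003"],
};

// Resolve a dotted Wazuh field name against the decoded event data.
function getField(obj, dotted) {
  return dotted.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// event.groups holds the groups attached by the parent rule (Wazuh's Sysmon
// Event 1 rule tags its matches with sysmon_event1). Returns an alert or null.
function evaluateRule(rule, event) {
  if (!Array.isArray(event.groups) || !event.groups.includes(rule.ifGroup)) return null;
  const value = getField(event.data, rule.field);
  if (typeof value !== "string" || !rule.pattern.test(value)) return null;
  return {
    ruleId: rule.id,
    level: rule.level,
    description: rule.description,
    mitre: rule.mitre,
    image: getField(event.data, "win.eventdata.image") ?? null,
  };
}

// Helper to build a simplified, constructed Sysmon event.
function sysmonEvent(groupName, image, originalFileName) {
  return {
    groups: ["windows", "sysmon", groupName],
    data: { win: { eventdata: { image, originalFileName } } },
  };
}

// Constructed cases. OriginalFileName is read from the PE version resource, so
// renaming the file on disk (case 2) does not evade the rule; a rebuilt binary
// with that resource stripped (case 3, Sysmon records "-") does, and a Sysmon
// network-connection event (case 4) is outside the rule's group.
const SAMPLE_EVENTS = [
  sysmonEvent("sysmon_event1", "C:\\Tools\\x64\\mimikatz.exe", "mimikatz.exe"),
  sysmonEvent("sysmon_event1", "C:\\Users\\Public\\svchost.exe", "MIMIKATZ.EXE"),
  sysmonEvent("sysmon_event1", "C:\\Users\\Public\\mimikatz.exe", "-"),
  sysmonEvent("sysmon_event3", "C:\\Tools\\x64\\mimikatz.exe", "mimikatz.exe"),
];

function runDetections(events) {
  return events.map((e) => evaluateRule(RULE_100002, e));
}

const RESULTS = runDetections(SAMPLE_EVENTS);
RESULTS.forEach((r, i) =>
  console.log(`event ${i + 1}:`, r ? `ALERT ${r.ruleId} level ${r.level} (${r.image})` : "no alert")
);
```

The second case is why the rule keys on OriginalFileName rather than the path: a renamed copy is still caught. The third case is the gap to plan for: a rebuilt binary with the version resource stripped slips past this rule, so pair it with hash-based coverage or behavioural telemetry such as Sysmon Event 10 (ProcessAccess) against lsass.exe.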

    Summary

    In this part, we:

    • Integrated Sysmon telemetry from Windows into Wazuh
    • Tested detection visibility using Mimikatz
    • Configured Filebeat and custom indices for archive logs
    • Created a custom Wazuh rule to detect malicious execution

    You’ve now turned your lab into a mini detection engineering playground, where raw telemetry meets meaningful detection.

    Coming Up Next (Part 5)

    In Part 5, we’ll:

    • Build n8n playbooks to automatically triage Mimikatz alerts
    • Create TheHive cases directly from Wazuh detections
    • Explore how automation helps analysts respond faster in a SOC workflow
  • Deploying Wazuh Agent on Windows

    What is the Wazuh Agent?

The Wazuh agent is a lightweight, multi-platform software component that runs on the endpoints you want to monitor. It communicates with the Wazuh server, sending data in real time through an encrypted and authenticated channel.


    It requires 35 MB of RAM on average and is supported on the most popular operating systems.

    Wazuh Agent Capabilities

    Wazuh agent modules offer various security tasks that can be enabled or disabled based on your needs:

    • Log Collector: Collects OS and application logs, supports multi-line formats, and enriches JSON events
    • Command Execution: Runs authorized commands periodically (e.g., disk space, last logged-in users) and reports output
    • File Integrity Monitoring (FIM): Tracks changes in files (created, deleted, modified) and stores metadata on file state
    • Security Configuration Assessment (SCA): Assesses system configurations based on CIS benchmarks, with customizable checks
    • System Inventory: Scans and collects data on OS, processes, applications, and open ports, stored in local databases
    • Malware Detection: Detects anomalies, rootkits, hidden processes, files, and ports using non-signature-based methods
    • Active Response: Executes automated actions (e.g., block connections, stop processes) when threats are detected
    • Container Security Monitoring: Monitors Docker containers for changes to images, configurations, and privileged modes
    • Cloud Security Monitoring: Monitors cloud environments (AWS, Azure, GCP) for infrastructure changes and collects cloud logs

    Prerequisites

    Before deploying the Wazuh agent, ensure you have:

    • A running Wazuh server/manager (covered in our previous installation guide)
    • Administrator privileges on the Windows Server 2022 machine
    • Network connectivity between the endpoint and Wazuh server
    • PowerShell 3.0 or greater
    • Ports 1514 and 1515 accessible from the endpoint to the Wazuh server

    Deployment Methods

    We will deploy the Wazuh Agent on Windows Server 2022 through the Wazuh Dashboard. If you are deploying to a high number of endpoints, it might be easier using automation tools such as Puppet, Chef, SCCM, or Ansible.

    Step-by-Step Deployment Process

    Step 1: Access the Wazuh Dashboard

    First, open your Wazuh Dashboard and log in. You can access the agent deployment in two ways:

    1. Direct method: Click on “Deploy new agent” from the main dashboard
    2. Menu method: Navigate through the main menu → Agents management → Summary → Deploy new agent

    Step 2: Configure Agent Settings

    You’ll now see the agent deployment configuration page with several options:

    Select the Package

    Choose Windows as the operating system and select MSI 32/64 bits as the package type.

    Server Address

    Enter the IP address of your Wazuh server (in this example: 192.168.132.143).

    • Check “Remember server address” if you want to use this for future deployments

    Agent Name (Optional)

    You can assign a custom agent name or leave it blank. If left blank, Wazuh will use the hostname as the agent name.

    Agent Groups

    Select “Default” or create a custom group based on your organizational needs.

    Step 3: Copy the Installation Command

    After configuring the settings, you’ll see a PowerShell command generated based on your configuration:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.12.0-1.msi -OutFile $env:tmp\wazuh-agent.msi; msiexec.exe /i $env:tmp\wazuh-agent.msi /q WAZUH_MANAGER='192.168.132.143'

The dashboard generates this as a single line. Note that the download and the msiexec install are separated by a semicolon: "&&" is not a statement separator in Windows PowerShell 5, so a copy that has been mangled into "&&exe /i ..." will not run.

    Important Requirements:

    • You need administrator privileges to perform this installation
    • PowerShell 3.0 or greater is required
    • Run this command in a Windows PowerShell terminal

    Step 4: Execute the Installation

    On your Windows Server 2022 machine:

    1. Open PowerShell as Administrator: Search for “PowerShell” in the Start menu, right-click, and select “Run as administrator”

    2. Paste and Execute: Copy the command from the Wazuh dashboard and paste it into the PowerShell window

    3. Wait for Download and Installation: The command will download the Wazuh agent MSI file and install it automatically. This process may take a few minutes.

    Step 5: Start the Wazuh Service

    After installation, start the Wazuh service using:

    NET START WazuhSvc

    You should see confirmation that the Wazuh service has started successfully.

    Step 6: Verify Agent Registration

    Return to the Wazuh Dashboard and navigate to Agents management → Summary. You should now see your Windows Server endpoint listed as an active agent.

    The dashboard will show:

    • Agent Status: Active
    • Operating System: Microsoft Windows Server 2022
    • Agent Name: The hostname or custom name you specified
    • IP Address: The endpoint’s IP address
    • Version: Wazuh agent version (4.12.0)

    Verification Steps

    To ensure the agent is working correctly:

    1. Check Service Status: Verify the Wazuh service is running:
    Get-Service WazuhSvc

    2. Review Agent Logs: Check the agent log file at:

    C:\Program Files (x86)\ossec-agent\logs\ossec.log

    3. Test Connectivity: The dashboard should show the agent as “Active” with a green status indicator

    Troubleshooting Common Issues

    Agent Not Connecting

    • Verify network connectivity between the endpoint and Wazuh server
    • Check firewall rules (ports 1514 and 1515)
    • Ensure the server IP address is correct in the configuration

    Service Won’t Start

    • Run PowerShell as Administrator
    • Check Windows Event Logs for service-related errors
    • Verify the installation completed successfully

    Installation Fails

    • Ensure you have administrator privileges
    • Check internet connectivity for downloading the MSI file
    • Verify PowerShell version (3.0 or greater required)

    Next Steps

    Now that your Windows Server 2022 agent is successfully deployed and active, you can:

    • Configure specific monitoring rules for your Windows environment
    • Enable File Integrity Monitoring for critical system files
    • Set up custom log collection for Windows Event Logs
    • Configure active response for automated threat mitigation
    • Create custom dashboards for Windows-specific security metrics

    Best Practices

    • Regular Updates: Keep agents updated to the latest version
    • Resource Monitoring: Monitor agent resource usage, especially in production environments
    • Group Management: Use agent groups to apply specific configurations to different server types
    • Backup Configuration: Maintain backups of agent configurations for disaster recovery

    Conclusion

    You have successfully deployed and configured a Wazuh agent on Windows Server 2022. The agent is now actively monitoring your endpoint and sending security data to your Wazuh server in real-time, providing comprehensive visibility into your Windows infrastructure.

    This guide covers Wazuh agent version 4.12. Always check the official Wazuh documentation for the latest version and features.

  • Wazuh Installation Guide — Using Installation Assistant

    Overview

    Wazuh is an open-source security platform that provides XDR and SIEM protection for endpoints and cloud workloads.

In this tutorial, we will install the Wazuh central components (Manager, Indexer, and Dashboard) on Ubuntu 22.04 using the installation assistant, which is the easier method. The installation assistant is a bash script that automates the process of setting up Wazuh, making the installation faster and less error-prone.

    Prerequisites

    Before starting the installation, ensure you have:

    • Root or sudo privileges on your Ubuntu system
    • Minimum 4GB RAM (8GB recommended)
    • Stable internet connectivity
    • At least 50GB of available disk space
    • Ports 443, 1514, 1515, and 55000 available

    System Requirements

    Hardware Requirements

    Note: These specifications are sufficient for monitoring up to 100 endpoints and storing 90 days of queryable/indexed alert data.

    Supported Operating Systems

    Wazuh recommends any of the following operating system versions:

    Installation Steps

    Step 1: Update the System

    First, update your Ubuntu system to ensure all packages are current:

    sudo apt update && sudo apt upgrade -y

    Step 2: Download and Run the Installation Assistant

    Download and execute the Wazuh installation script:

    curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

    Important Notes:

    • The -a flag performs an All-in-One installation (Manager + Indexer + Dashboard)
    • Wait for installation completion (this can take 10–15 minutes)
    • Do not interrupt the installation process

    Step 3: Note the Generated Credentials

    After the installation finishes, the output will display the credentials and confirm that the installation was successful. Important: Note down the generated passwords displayed at the end — you’ll need these to access the dashboard.

    Step 4: Access the Wazuh Dashboard

    1. Open your web browser
    2. Navigate to: https://<server-ip-address>

    3. You may see a security warning about the certificate (this is normal for self-signed certificates)

    4. Click “Advanced” and proceed to the site


    5. Log in using the admin credentials provided in Step 3

    You should now see the Wazuh Dashboard.

    Step 5: Verify Installation

    Navigate to Agents in the dashboard — you’ll see no agents yet (we’ll cover adding agents in the next tutorial).

    Post-Installation Verification

    Verify that all Wazuh services are running properly:

    sudo systemctl status wazuh-manager wazuh-indexer wazuh-dashboard

    All services should show “active (running)” status.

    Security Recommendations

• Rotate the randomly generated admin password after first login (the bundled wazuh-passwords-tool.sh can change all internal user passwords at once) and protect the wazuh-install-files.tar the assistant leaves behind, since it contains those passwords and the cluster certificates
    • Configure proper firewall rules for your environment
    • The installation uses self-signed certificates (browser security warnings are expected)
    • Consider implementing proper SSL certificates for production use

    Troubleshooting

    Dashboard Won’t Load

    If the dashboard doesn’t load, check if all services are running:

    sudo systemctl status wazuh-manager
    sudo systemctl status wazuh-indexer
    sudo systemctl status wazuh-dashboard

    If any service is not running, restart it:

    sudo systemctl restart wazuh-manager
    sudo systemctl restart wazuh-indexer
    sudo systemctl restart wazuh-dashboard

    Port 443 Blocked

    If port 443 is blocked, open the firewall:

    sudo ufw allow 443/tcp

    Certificate Errors

    Browser certificate warnings are normal with self-signed certificates. You can safely proceed by clicking “Advanced” and “Proceed to site.”

    Memory Issues

    If you experience performance issues, ensure your system meets the minimum RAM requirements (8GB recommended).

    Conclusion

    You now have Wazuh successfully installed and running on Ubuntu 22.04! The platform is ready to monitor your infrastructure and provide comprehensive security insights.

    Next Steps

    • Add agents (Linux, Windows, or macOS endpoints)
    • Explore alerts and rules in the dashboard
    • Enable security modules such as:
    • File Integrity Monitoring (FIM)
    • Vulnerability detection
    • Compliance monitoring
    • Threat hunting capabilities
