This lab builds on the Active Directory deployment from the previous labs.
In the Network+ class, we discussed SIEM (Security Information and Event Management). In this class, we’ll learn to work with several SIEM tools and use them the same way a security analyst would in a Tier 1 analyst role.
For this lab, you will need:
- Domain Controller
- Domain Client
Lab Objective:
- Learn to identify SIEM capabilities.
- Learn to deploy Wazuh as a SIEM solution.
SIEM can be deployed in two different ways:
- Agent-Based:
  - Each endpoint in the environment will have an agent running.
  - This agent continuously scans the local machine and sends data to a central dashboard server.
- Network-Based:
  - The SIEM will be attached to a SPAN (Mirror) port and have an interface placed into promiscuous mode for monitoring.
  - This type of SIEM will most often look for suspicious signatures in the packets flowing through the network.
Wazuh is a host-based SIEM and will require an agent running on each endpoint.
We’ll run our Wazuh server for this lab on a machine that isn’t joined to the domain we are configuring. It will be a standalone monitoring device running Linux.
Wazuh is an open-source SIEM solution. They provide a virtual machine that is ready to go, which is nice. Download it to your host operating system and open it in VMware Player.
- The .ova file can be found here.
Place this VM in Virtual_Machines_SSD please.
- Although we’ve been placing our VMs in the Documents folder for this
- When you click on the .ova above, you will be asked where you want the storage for the VM.
- Please put it in the Virtual_Machines_SSD folder on your computer. (This will allow me to delete it later in the year if the hard drive fills up.) If you drop VMs in your user folder, I have difficulty finding them.
