Skip to content

yigit006/detection-engineering-lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 

Repository files navigation

Detection Engineering Lab

Hands-on detection engineering work built on a home SOC lab: Wazuh 4.14.5 (manager, Ubuntu) + Windows 11 endpoint with Sysmon (SwiftOnSecurity config).

Each detection follows a five-step loop: behavior → data source → rule → testing (positive + negative + regression) → lessons learned.

Detections

# Name Technique Status
001 Account Discovery via net.exe T1087 ✅ Tested
002 User Identity Discovery via whoami T1033 ✅ Tested
003 User Identity Discovery via Environment Variable T1033 ✅ Tested

Lab Setup

  • SIEM: Wazuh 4.14.5 all-in-one (Ubuntu VM, VMware)
  • Endpoint: Windows 11 VM, Sysmon with SwiftOnSecurity configuration, Wazuh agent
  • Telemetry: Sysmon Event ID 1 (process creation) and PowerShell Script Block Logging (Event ID 4104)
  • Method: Custom rules in local_rules.xml, validated with positive, negative, and regression tests before being marked as tested

About

Detection engineering writeups: custom Wazuh + Sysmon rules with positive/negative testing and debugging notes

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors