You cannot learn blue team work by reading about it. You learn it by collecting real telemetry, attacking your own boxes, and watching whether your detections fire. A home SOC lab is the cheapest, safest way to do exactly that. Here is the blueprint I used to practice detection engineering with Wazuh and the Elastic Stack.
Why Build One
Interviews and certifications test whether you can think like a defender: ingest logs, write rules, and investigate. A lab lets you break things on purpose and see the evidence land in a SIEM. It is also the best portfolio piece a student can show, because it proves you can operate the tools, not just name them.
Lab Architecture
The setup is deliberately small and reproducible:
- Wazuh manager and indexer: the SIEM core, collecting and analyzing agent data.
- Wazuh dashboard (or Kibana): visualization and alert triage.
- A Windows endpoint with the Wazuh agent and Sysmon for rich process telemetry.
- A Linux endpoint with the agent and auditd.
- An attacker VM running Kali, used to generate malicious activity.
Sixteen gigabytes of RAM is comfortable. Run everything in virtual machines or containers so you can snapshot and reset.
Standing Up Wazuh
The quickest path is the official all in one Docker deployment:
git clone https://github.com/wazuh/wazuh-docker.git -b v4.x
cd wazuh-docker/single-node
docker compose -f generate-indexer-certs.yml run --rm generator
docker compose up -d
Once the stack is healthy, browse to the dashboard, then deploy agents to your endpoints from the management view. On Windows, install Sysmon with a solid configuration so process creation, network connections, and image loads are all captured.
Generating Real Telemetry
An empty SIEM teaches nothing. I drive activity with Atomic Red Team, a library of small tests mapped to MITRE ATT&CK. For example, to simulate encoded PowerShell execution (T1059.001):
Invoke-AtomicTest T1059.001 -TestNumbers 1
Each atomic produces the exact log events a real technique would, so you can confirm whether your pipeline captures them end to end.
Writing Your First Detection Rule
Wazuh rules are XML and chain off decoders. A minimal rule to flag encoded PowerShell from Sysmon process creation looks like this:
<group name="windows,sysmon,">
<rule id="100200" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.commandLine">-enc|-EncodedCommand</field>
<description>Encoded PowerShell command executed</description>
<mitre><id>T1059.001</id></mitre>
</rule>
</group>
Reload the rules, run the atomic test again, and watch the alert appear in near real time. That feedback loop, attack then detect, is the whole point of the lab.
Building Dashboards
Once alerts flow, build a few focused dashboards rather than one cluttered board:
- Authentication: failed and successful logons, new accounts, brute force spikes.
- Process execution: top parent and child process pairs, encoded commands, LOLBins.
- File integrity: changes to sensitive paths flagged by Wazuh FIM.
Dashboards turn raw events into the situational awareness an analyst actually uses during triage.
Key Takeaways
- A lab is a feedback loop: generate telemetry, detect it, tune, repeat.
- Sysmon on Windows is non negotiable for useful process visibility.
- Map detections to ATT&CK so your coverage is measurable from day one.
- Atomic Red Team gives you safe, repeatable adversary behavior to test against.
- Document each detection you build. That document becomes your portfolio.
Snapshot the clean state before each session so you can attack freely and reset in seconds. Then start working through ATT&CK techniques one by one.
// Discussion