Building a SOC with Wazuh: Complete Setup Guide

December 15, 2024 15 min read ThinSky Team

Building a Security Operations Center (SOC) doesn't require a million-dollar budget. With Wazuh as your foundation, you can create an enterprise-grade security monitoring capability that rivals commercial alternatives. This guide walks you through the complete setup process.

Architecture Overview

A Wazuh-based SOC consists of several components:

  • Wazuh Server - Central management and analysis engine
  • Wazuh Indexer - Stores and indexes security events (based on OpenSearch)
  • Wazuh Dashboard - Web interface for visualization and management
  • Wazuh Agents - Installed on endpoints for data collection

Prerequisites

Before starting, ensure you have:

  • A dedicated server (minimum 4 CPU, 8GB RAM for small deployments)
  • Ubuntu 22.04 LTS or CentOS 8+ / Rocky Linux 8+
  • Root access to the server
  • Firewall access for required ports (1514/TCP agent event traffic, 1515/TCP agent enrollment, 443/TCP dashboard, 9200/TCP indexer)

Step 1: Install Wazuh Server

The quickest way to get started is using Wazuh's installation script:

# Download and run the installation assistant
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a

This script installs all components (server, indexer, and dashboard) on a single node. For production environments with more than 100 agents, consider a distributed deployment.

Post-Installation

After installation, note the credentials displayed:

INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-server-ip>
    User: admin
    Password: <generated-password>

Step 2: Deploy Agents

Agents collect data from your endpoints. Install them on all systems you want to monitor.

Linux Agent Installation

# Add the Wazuh signing key and apt repository (run as root)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt-get update

# Install the agent
apt-get install -y wazuh-agent

# Point the agent at the manager (the packaged ossec.conf ships with the MANAGER_IP placeholder)
sed -i "s/MANAGER_IP/YOUR_WAZUH_SERVER_IP/" /var/ossec/etc/ossec.conf

# Start the agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Windows Agent Installation

# Download and install via PowerShell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_WAZUH_SERVER_IP"

# Start the service
NET START WazuhSvc

Step 3: Configure Detection Rules

Wazuh comes with thousands of built-in rules, but custom rules are often needed for your environment. Use IDs in the 100000-120000 range, which Wazuh reserves for user-defined rules, and check for overlap with the built-in ruleset first (for example, rule 5712 already correlates repeated SSH authentication failures).

Creating Custom Rules

Add custom rules to /var/ossec/etc/rules/local_rules.xml, then restart the manager (systemctl restart wazuh-manager) and verify a rule fires against a sample log line with /var/ossec/bin/wazuh-logtest. A correlation rule that uses if_matched_sid needs frequency and timeframe attributes, otherwise it never accumulates matches:

<group name="local,custom,">
  <!-- Detect multiple failed SSH logins: 5 matches of rule 5710 from one source within 120 s -->
  <rule id="100001" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <options>no_full_log</options>
    <description>Multiple SSH authentication failures from same source</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Detect PowerShell execution with encoded commands -->
  <rule id="100002" level="12">
    <if_sid>60009</if_sid>
    <match>-enc|-EncodedCommand</match>
    <description>PowerShell encoded command execution detected</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>
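To make the correlation in rule 100001 concrete, here is an added example (not part of the original guide and not Wazuh's own code) that parses constructed sshd log lines of the kind rule 5710 matches and applies the same frequency/timeframe logic per source IP. It is a simplified model of how wazuh-analysisd counts composite-rule matches, written to show what the thresholds mean; the log lines, host names and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format, no year field, as sshd writes them)
SAMPLE_LOG = """\
Dec 15 10:00:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51512 ssh2
Dec 15 10:00:05 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2
Dec 15 10:00:09 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51516 ssh2
Dec 15 10:00:12 web01 sshd[2216]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Dec 15 10:00:14 web01 sshd[2218]: Failed password for root from 203.0.113.7 port 51518 ssh2
Dec 15 10:00:20 web01 sshd[2220]: Failed password for root from 203.0.113.7 port 51520 ssh2
Dec 15 10:00:25 web01 sshd[2222]: Failed password for root from 198.51.100.20 port 40030 ssh2
Dec 15 10:05:00 web01 sshd[2230]: Failed password for root from 198.51.100.20 port 40031 ssh2
"""

# Matches the "Failed password" events that Wazuh's built-in rule 5710 decodes
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(text, year=2024):
    """Return (timestamp, source_ip, user) for every line that rule 5710 would match."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def correlate(events, frequency=5, timeframe=120):
    """Simplified model of <if_matched_sid>5710 with <same_source_ip/>.

    Fire one level-10 alert when `frequency` failures from the same source fall
    within `timeframe` seconds; the source's counter is cleared after firing, so a
    persistent brute-force source produces periodic alerts rather than one per line.
    """
    windows = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ts, src, _user in events:
        q = windows[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop failures that aged out of the timeframe
        if len(q) >= frequency:
            alerts.append({
                "rule_id": 100001, "level": 10, "srcip": src,
                "first_seen": q[0], "last_seen": ts, "count": len(q),
            })
            q.clear()
    return alerts


def run_demo():
    """Parse the constructed log and return the alerts the rule would raise."""
    return correlate(parse_failed_logins(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"rule {alert['rule_id']} level {alert['level']}: {alert['count']} failures "
              f"from {alert['srcip']} between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

Lowering frequency raises alert volume for the same input (the legitimate host 198.51.100.20, with two failures five minutes apart, never trips the rule at any of the thresholds shown), which is the trade-off you tune during the weekly rule review.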

Step 4: Enable Key Capabilities

File Integrity Monitoring (FIM)

Configure FIM to monitor critical files. Edit /var/ossec/etc/ossec.conf on agents and restart the agent afterwards; use the Linux entries on Linux agents and the Windows entry on Windows agents, since a path that does not exist on the host is simply skipped:

<syscheck>
  <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes" realtime="yes">/bin,/sbin,/boot</directories>
  <!-- Windows agents only: place this entry in the Windows agent's ossec.conf -->
  <directories check_all="yes" realtime="yes">C:\Windows\System32</directories>
</syscheck>
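The following added example (not from the guide and not Wazuh's syscheck implementation) shows the baseline-and-compare cycle that check_all performs, at file level: it records the SHA-256, size and permission bits of every regular file under a directory, then classifies what changed. It runs against a throwaway temporary directory with constructed files, so it needs no Wazuh installation.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record sha256, size and mode of every regular file under root (what check_all gathers)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            state[rel] = {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
    return state


def diff_snapshots(before, after):
    """Classify changes the way FIM alerts report them: added, deleted, modified (and which attribute)."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = {}
    for rel in sorted(set(before) & set(after)):
        changed = [k for k in ("sha256", "size", "mode") if before[rel][k] != after[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Baseline a constructed /etc-like tree, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        os.chmod(os.path.join(etc, "hosts"), 0o644)

        before = snapshot(root)  # the baseline, as taken on agent start / first scan

        # Three kinds of change a FIM alert should surface:
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("svc:x:1001:1001::/home/svc:/bin/sh\n")  # content changed -> hash and size differ
        os.chmod(os.path.join(etc, "hosts"), 0o666)            # permissions loosened, content unchanged
        with open(os.path.join(etc, "motd"), "w") as fh:
            fh.write("welcome\n")                                # new file appeared

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    result = demo()
    for rel in result["added"]:
        print(f"added:    {rel}")
    for rel in result["deleted"]:
        print(f"deleted:  {rel}")
    for rel, attrs in result["modified"].items():
        print(f"modified: {rel} ({', '.join(attrs)})")
```

The permission-only change on hosts is the case worth noticing: with checksum-only monitoring it would be invisible, which is why check_all="yes" (hashes, size, permissions, ownership and timestamps) is the right default for the directories listed above.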

Vulnerability Detection

Enable the vulnerability detector module in the manager's /var/ossec/etc/ossec.conf. It matches the package inventory that agents report through syscollector (enabled by default) against the selected providers' feeds, so agents must be running for findings to appear. The block below is the 4.7 syntax; Wazuh 4.8 replaced it with a vulnerability-detection block, so check the release notes when upgrading:

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>bionic</os>
    <os>focal</os>
    <os>jammy</os>
  </provider>
</vulnerability-detector>

Step 5: Configure Alerting

Set up email notifications for critical alerts. Add to /var/ossec/etc/ossec.conf on the manager and restart wazuh-manager. Wazuh delivers mail over plain SMTP without authentication, so smtp_server should be a local MTA or an internal relay that accepts mail from the manager; email_maxperhour caps how many messages are sent per hour so a noisy rule cannot flood the SOC mailbox:

<global>
  <email_notification>yes</email_notification>
  <smtp_server>smtp.yourcompany.com</smtp_server>
  <email_from>wazuh@yourcompany.com</email_from>
  <email_to>soc@yourcompany.com</email_to>
  <email_maxperhour>12</email_maxperhour>
</global>

<alerts>
  <email_alert_level>10</email_alert_level>
</alerts>

Step 6: Create SOC Dashboards

The Wazuh dashboard comes with pre-built visualizations. Create custom dashboards for:

  • Executive Summary - High-level security posture
  • Threat Detection - Active alerts and incidents
  • Compliance - PCI DSS, HIPAA, GDPR status
  • Vulnerability Management - CVE tracking

Operational Best Practices

Daily Analyst Workflow

  1. Review high-severity alerts (level 10+)
  2. Check for new vulnerability findings
  3. Review file integrity changes
  4. Investigate anomalies in authentication logs
  5. Update documentation for any incidents
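Steps 1 to 3 of the daily workflow can be started from the manager's alert log rather than from the dashboard. The added example below (not from the guide and not a Wazuh tool) reads lines in the shape of /var/ossec/logs/alerts/alerts.json, which holds one JSON alert per line, and produces the morning triage summary: level-10+ alerts grouped by rule and agent, the MITRE techniques involved, and the file integrity changes. The alert lines are constructed sample data, including one non-JSON line to show that a malformed line is skipped rather than aborting the run.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of alerts.json (one JSON object per line)
SAMPLE_ALERTS = """\
{"timestamp":"2024-12-15T09:12:01.000+0000","rule":{"level":10,"id":"100001","description":"Multiple SSH authentication failures from same source","mitre":{"id":["T1110"]}},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.7"}}
{"timestamp":"2024-12-15T09:13:44.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"web01"}}
{"timestamp":"2024-12-15T09:20:10.000+0000","rule":{"level":12,"id":"100002","description":"PowerShell encoded command execution detected","mitre":{"id":["T1059.001"]}},"agent":{"id":"002","name":"win-hr-03"}}
{"timestamp":"2024-12-15T09:31:02.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["syscheck"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/etc/passwd","event":"modified"}}
{"timestamp":"2024-12-15T09:40:00.000+0000","rule":{"level":10,"id":"100001","description":"Multiple SSH authentication failures from same source","mitre":{"id":["T1110"]}},"agent":{"id":"003","name":"db01"},"data":{"srcip":"203.0.113.7"}}
this line is not JSON and must not abort the run
"""


def load_alerts(text):
    """Parse alerts.json content line by line, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line should not stop the triage
    return alerts


def triage(alerts, min_level=10):
    """Summarise what an analyst reviews first: high-severity alerts, plus FIM changes."""
    high = [a for a in alerts if a["rule"]["level"] >= min_level]
    by_rule = Counter((a["rule"]["id"], a["rule"]["description"]) for a in high)
    by_agent = Counter(a["agent"]["name"] for a in high)
    # rule.mitre.id is a list in alerts.json; rules without a mitre block contribute nothing
    techniques = Counter(t for a in high for t in a["rule"].get("mitre", {}).get("id", []))
    fim_changes = [
        (a["agent"]["name"], a["syscheck"]["path"], a["syscheck"]["event"])
        for a in alerts if "syscheck" in a
    ]
    return {
        "high": high,
        "by_rule": dict(by_rule),
        "by_agent": dict(by_agent),
        "techniques": dict(techniques),
        "fim_changes": fim_changes,
    }


def triage_file(path="/var/ossec/logs/alerts/alerts.json", min_level=10):
    """Convenience wrapper for a real manager: run the same summary over the live alert log."""
    with open(path, encoding="utf-8") as fh:
        return triage(load_alerts(fh.read()), min_level)


if __name__ == "__main__":
    summary = triage(load_alerts(SAMPLE_ALERTS))
    print(f"{len(summary['high'])} alerts at level 10+")
    for (rule_id, desc), n in summary["by_rule"].items():
        print(f"  rule {rule_id} x{n}: {desc}")
    print("by agent:", summary["by_agent"])
    print("techniques:", summary["techniques"])
    for agent, path, event in summary["fim_changes"]:
        print(f"FIM: {agent} {path} {event}")
```

The same source IP appearing in rule 100001 alerts on two different agents is the kind of pattern this grouping makes visible at a glance, and a level-7 integrity change on /etc/passwd is worth reviewing in step 3 even though it sits below the email threshold.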

Regular Maintenance

  • Weekly: Review and tune noisy rules
  • Monthly: Update Wazuh components
  • Quarterly: Review detection coverage against MITRE ATT&CK

Scaling Your SOC

As your deployment grows, consider:

  • Distributed architecture for 500+ agents
  • Dedicated indexer cluster for high-volume environments
  • Integration with ticketing systems (TheHive, Jira)
  • SOAR integration for automated response

Skip the Setup - Get Managed Wazuh

Let ThinSky handle the deployment, maintenance, and 24/7 monitoring while you focus on your business.
