Wazuh Deployment, Integration, and Security Monitoring Project

Course Project Specification

Course: Threat Detection and Analysis / Security Monitoring
Project Type: Group Project
Duration: Midterms to Finals
Platform: Wazuh SIEM, pfSense, Snort IDS
Deployment Options: On-Premises or Cloud-Based


Project Overview

Modern Security Operations Centers (SOCs) rely on centralized monitoring and log analysis platforms to collect, correlate, and analyze security events from endpoints, servers, and network security devices.

This project requires each group to design, deploy, integrate, and test a Security Information and Event Management (SIEM) environment using Wazuh. Throughout the semester, students will progressively build their monitoring infrastructure and validate its effectiveness through simulated cyberattack scenarios.

The final outcome is a functioning security monitoring environment capable of collecting logs from multiple sources, detecting suspicious activities, and supporting incident analysis.


Learning Objectives

Upon completion of this project, students should be able to:

  1. Deploy a Wazuh SIEM environment.
  2. Configure and manage Wazuh agents.
  3. Integrate network security devices into a centralized monitoring platform.
  4. Understand log collection and normalization.
  5. Generate and analyze security alerts.
  6. Simulate attacks in a controlled environment.
  7. Perform basic incident investigation using SIEM data.
  8. Demonstrate understanding of SOC operations and monitoring workflows.

Team Composition

  • 3–5 students per group
  • Each group must assign the following roles:

Suggested Roles

Project Lead

  • Overall project coordination
  • Consolidation of deliverables

Infrastructure Engineer

  • Wazuh deployment and maintenance

Network Security Engineer

  • pfSense and Snort deployment

SOC Analyst

  • Monitoring and alert analysis

Documentation Lead

  • Report writing and video preparation

Midterm Project

Phase 1: Wazuh Deployment and Agent Registration

Objective

Deploy a functioning Wazuh environment and successfully connect at least one monitored endpoint.

Minimum Requirements

Wazuh Server

Students may deploy Wazuh using:

  • Local Virtual Machine
  • Physical Machine
  • Cloud VPS
  • Cloud Free Tier
  • Docker Deployment

Endpoint Agent

At least one Wazuh agent must report to the Wazuh server.

The agent may be:

  • Windows workstation
  • Linux workstation
  • Virtual machine
  • Same machine hosting Wazuh (for demonstration purposes)

Midterm Deliverables

Deliverable 1: Technical Report (PDF)

The report must contain:

Section 1 – Project Overview

  • Group Name
  • Members and Roles
  • Deployment Architecture Diagram

Section 2 – Wazuh Installation

Include screenshots of:

  • Server specifications
  • Installation process
  • Dashboard access
  • Wazuh services running

Section 3 – Agent Registration

Include screenshots showing:

  • Agent installation
  • Agent enrollment
  • Active agent status

Section 4 – Verification

Demonstrate:

  • Logs being received
  • Events appearing in Wazuh
  • Agent heartbeat status

Section 5 – Challenges Encountered

  • Problems encountered
  • Troubleshooting performed
  • Lessons learned

Deliverable 2: Video Demonstration

Duration: 10–15 minutes

The video should include:

  1. Introduction of team members
  2. Architecture overview
  3. Wazuh installation demonstration
  4. Agent registration process
  5. Verification that logs are reaching Wazuh
  6. Brief discussion of challenges encountered

All members must participate in the presentation.


Milestone 1

Network Security Integration

Objective

Deploy pfSense and integrate its logs into Wazuh.

Required Tasks

  1. Install pfSense.
  2. Configure network interfaces.
  3. Enable Syslog.
  4. Forward logs to Wazuh.
  5. Verify log ingestion.

Evidence Required

  • pfSense configuration screenshots
  • Syslog configuration screenshots
  • Wazuh screenshots showing pfSense logs

Milestone 2

IDS Integration

Objective

Deploy Snort and integrate IDS alerts into Wazuh.

Required Tasks

  1. Install Snort.
  2. Enable detection rules.
  3. Generate test alerts.
  4. Forward alerts to Wazuh.
  5. Validate alert visibility.

Evidence Required

  • Snort configuration screenshots
  • Detection rules used
  • Sample IDS alerts
  • Wazuh screenshots showing IDS events
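
Milestones 1 and 2 both end the same way: a line from another device (a pfSense firewall log or a Snort alert) arrives at the Wazuh manager, a decoder splits it into fields, and only then can rules match on addresses, ports or signature ids. The script below is an added example for this specification, not part of the project text and not Wazuh's own decoder code. It takes constructed pfSense filterlog lines (the CSV payload pfSense sends over syslog) and constructed Snort alert_fast lines, normalizes both into one event schema, and runs a small check that flags a source whose blocked inbound connections hit several distinct ports, the kind of pattern a reconnaissance scenario in the final project would produce. Host names, addresses and rule ids in the samples are made up; the field layouts follow the pfSense filterlog and Snort fast-alert formats.

```python
"""Normalize pfSense filterlog syslog lines and Snort alert_fast lines into one schema.

Added example for the course project (not Wazuh code): Wazuh's decoders perform this
step on the manager once forwarding is configured; this script shows the same
normalization on constructed sample data so each field can be checked by eye.
"""
import re

# Constructed samples, not captured from a real lab. pfSense lines carry the filterlog
# CSV layout behind a BSD-style syslog header; Snort lines use the alert_fast format.
# 192.168.1.50 plays a lab host probing the firewall at 192.168.1.1.
PFSENSE_SAMPLE = """\
Mar 10 12:00:01 pfSense filterlog[61234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,43210,22,0,S,1234567890,,29200,,mss;sackOK;TS;nop;wscale
Mar 10 12:00:01 pfSense filterlog[61234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,43211,23,0,S,1234567891,,29200,,mss;sackOK;TS;nop;wscale
Mar 10 12:00:02 pfSense filterlog[61234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,43212,80,0,S,1234567892,,29200,,mss;sackOK;TS;nop;wscale
Mar 10 12:00:03 pfSense filterlog[61234]: 9,,,1000000110,em0,match,pass,out,4,0x0,,64,1004,0,DF,17,udp,76,192.168.1.1,192.168.1.53,51000,53,56
"""
SNORT_SAMPLE = """\
03/10-12:00:05.123456  [**] [1:1000001:1] LAB TEST - ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.1
03/10-12:00:06.654321  [**] [1:1000002:1] LAB TEST - SSH connection [**] [Priority: 2] {TCP} 192.168.1.50:43213 -> 192.168.1.1:22
"""

# BSD syslog header ("Mar 10 12:00:01 host filterlog[pid]: ...") followed by the CSV body.
FILTERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) filterlog\[\d+\]: (?P<csv>.*)$"
)
# alert_fast: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]+)\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def _event(**fields):
    """Common schema so pfSense and Snort records can be queried the same way."""
    base = {"source": None, "timestamp": None, "action": None, "proto": None,
            "src_ip": None, "dst_ip": None, "src_port": None, "dst_port": None,
            "message": None}
    base.update(fields)
    return base


def parse_filterlog(line):
    """Decode one pfSense filterlog line; returns None if the line is not filterlog."""
    m = FILTERLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    # Common prefix: rule,sub-rule,anchor,tracker,interface,reason,action,direction,ip-version
    ev = _event(source="pfsense", timestamp=m.group("ts"), action=f[6],
                message=f"rule {f[0]} {f[5]} on {f[4]} ({f[7]})")
    ev["direction"] = f[7]
    if f[8] == "4" and len(f) >= 20:
        # IPv4 block: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
        ev.update(proto=f[16], src_ip=f[18], dst_ip=f[19])
        rest = f[20:]
    elif f[8] == "6" and len(f) >= 17:
        # IPv6 block: class,flow-label,hop-limit,proto-text,proto-id,length,src,dst
        ev.update(proto=f[12], src_ip=f[15], dst_ip=f[16])
        rest = f[17:]
    else:
        return ev
    if ev["proto"] in ("tcp", "udp") and len(rest) >= 2:
        ev.update(src_port=int(rest[0]), dst_port=int(rest[1]))
    return ev


def parse_snort_fast(line):
    """Decode one Snort alert_fast line; returns None if it does not match."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    ev = _event(source="snort", timestamp=m.group("ts"), action="alert",
                proto=m.group("proto").lower(), message=m.group("msg"))
    ev.update(gid=int(m.group("gid")), sid=int(m.group("sid")), rev=int(m.group("rev")),
              priority=int(m.group("prio")), classification=m.group("cls"))
    for side in ("src", "dst"):
        host = m.group(side)
        if ev["proto"] in ("tcp", "udp"):
            ip, _, port = host.rpartition(":")  # IPv4 "host:port" form
            ev[f"{side}_ip"], ev[f"{side}_port"] = ip, int(port)
        else:
            ev[f"{side}_ip"] = host  # ICMP and other protocols carry no ports
    return ev


def normalize(pfsense_text, snort_text):
    """Decode both feeds into one list, skipping lines that match neither format."""
    events = []
    for line in pfsense_text.splitlines():
        ev = parse_filterlog(line)
        if ev:
            events.append(ev)
    for line in snort_text.splitlines():
        ev = parse_snort_fast(line)
        if ev:
            events.append(ev)
    return events


def scan_candidates(events, min_ports=3):
    """Sources whose blocked inbound connections touched at least min_ports distinct ports."""
    ports = {}
    for ev in events:
        if (ev["source"] == "pfsense" and ev["action"] == "block"
                and ev.get("direction") == "in" and ev["dst_port"] is not None):
            ports.setdefault(ev["src_ip"], set()).add(ev["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def normalize_samples():
    """Decode the constructed samples above (used by the demo and by tests)."""
    return normalize(PFSENSE_SAMPLE, SNORT_SAMPLE)


if __name__ == "__main__":
    evs = normalize_samples()
    for ev in evs:
        print(ev["source"], ev["action"], ev["proto"], ev["src_ip"], "->",
              ev["dst_ip"], ev["dst_port"], "|", ev["message"])
    print("port-sweep candidates:", scan_candidates(evs))
```

For Milestone 1 the fields to compare against what the Wazuh dashboard shows are action, direction, protocol and the two addresses; for Milestone 2 they are gid:sid:rev, the message and the priority. pfSense can be set to send RFC 5424 timestamps instead of the BSD style assumed here, in which case FILTERLOG_RE needs adjusting; the CSV body is unchanged either way.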

Milestone 3

Endpoint Monitoring and Log Correlation

Objective

Expand monitoring visibility by collecting additional endpoint logs.

Required Tasks

Configure at least ONE of the following:

  • Windows Event Logs
  • Linux Syslog
  • File Integrity Monitoring
  • Vulnerability Detection
  • Audit Logs

Evidence Required

  • Configuration screenshots
  • Logs collected
  • Relevant alerts generated

Final Project

Security Monitoring and Attack Simulation

Objective

Demonstrate end-to-end visibility and detection capabilities of the monitoring environment.

Students will perform a controlled attack simulation against their lab environment and determine whether the activity can be observed within Wazuh.


Example Attack Simulations

Groups may choose one or more:

Network Reconnaissance

  • Nmap scanning

Brute Force Simulation

  • SSH login attempts
  • RDP login attempts

Web Attack Simulation

  • Directory enumeration
  • Vulnerability scanning

Malware Simulation

  • EICAR test file

Privilege Escalation Demonstration

  • Controlled administrative actions

Custom Detection Scenario

  • Approved by instructor

Final Demonstration Requirements

Students must show:

Before Attack

  • Monitoring environment operational
  • Devices reporting to Wazuh

During Attack

  • Attack execution
  • Relevant logs generated

After Attack

  • Alerts triggered
  • Logs collected
  • Event investigation performed

Final Deliverables

Deliverable 1 – Final Technical Report (PDF)

Include:

Executive Summary

Updated Architecture Diagram

Wazuh Configuration

pfSense Integration

Snort Integration

Endpoint Monitoring

Attack Scenario Description

Screenshots of Detection

Incident Analysis

Discuss:

  • What happened
  • How it was detected
  • Relevant indicators
  • Recommendations
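
The four points above (what happened, how it was detected, indicators, recommendations) are all answered from the alerts Wazuh already stored, so the investigation is mostly a matter of pivoting on one indicator and ordering what comes back. The script below is an added example written for this specification; it is not part of the project text and not a Wazuh tool. It reads constructed newline-delimited alerts in the shape of the manager's alerts.json (timestamp, rule, agent and data fields only), pivots on one source address, and returns the timeline, the per-rule counts, the indicators and the rule that escalated, which is the raw material for the Incident Analysis section. The agent names, addresses, rule ids and descriptions in the sample are illustrative, not a claim about the exact text of the shipped ruleset.

```python
"""Turn a Wazuh alerts.json extract into the facts an incident write-up needs.

Added example for the course project (not Wazuh code). Input is newline-delimited
JSON as written by the manager; only the fields used below are present in the sample.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample alerts. Lines are deliberately out of time order, as they would be
# when several agents report with different delays; ids and descriptions are illustrative.
ALERTS_JSON = """\
{"timestamp":"2025-03-10T12:01:30.000+0000","rule":{"id":"5712","level":10,"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"id":["T1110"]}},"agent":{"name":"lab-ubuntu"},"data":{"srcip":"192.168.1.50"}}
{"timestamp":"2025-03-10T12:01:10.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"lab-ubuntu"},"data":{"srcip":"192.168.1.50","srcuser":"root"}}
{"timestamp":"2025-03-10T12:01:12.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"lab-ubuntu"},"data":{"srcip":"192.168.1.50","srcuser":"admin"}}
{"timestamp":"2025-03-10T12:00:58.000+0000","rule":{"id":"20101","level":6,"description":"IDS event.","groups":["ids"]},"agent":{"name":"pfsense-sensor"},"data":{"srcip":"192.168.1.50","dstip":"192.168.1.1"}}
{"timestamp":"2025-03-10T12:01:14.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"lab-ubuntu"},"data":{"srcip":"192.168.1.50","srcuser":"test"}}
{"timestamp":"2025-03-10T12:05:00.000+0000","rule":{"id":"60106","level":3,"description":"Windows logon success.","groups":["windows"]},"agent":{"name":"lab-win"},"data":{"win":{"eventdata":{"targetUserName":"student"}}}}
{"timestamp":"2025-03-10T12:01:16.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"lab-ubuntu"},"data":{"srcip":"192.168.1.50","srcuser":"root"}}
"""


def load_alerts(text):
    """Parse newline-delimited alerts and attach a datetime for ordering."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        alert["_ts"] = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(alert)
    return alerts


def investigate(alerts, srcip, escalation_level=10):
    """Pivot on one source address and collect what the incident write-up needs.

    Returns None when no alert carries that address; otherwise a dict with the
    ordered timeline, per-rule counts, indicators and the alert(s) that escalated.
    """
    hits = sorted((a for a in alerts if a.get("data", {}).get("srcip") == srcip),
                  key=lambda a: a["_ts"])
    if not hits:
        return None
    rule_counts = Counter(a["rule"]["id"] for a in hits)
    users = sorted({a["data"]["srcuser"] for a in hits if "srcuser" in a["data"]})
    agents = sorted({a["agent"]["name"] for a in hits})
    mitre = sorted({t for a in hits for t in a["rule"].get("mitre", {}).get("id", [])})
    escalations = [a for a in hits if a["rule"]["level"] >= escalation_level]
    return {
        "srcip": srcip,
        "first_seen": hits[0]["_ts"].isoformat(),
        "last_seen": hits[-1]["_ts"].isoformat(),
        "highest_level": max(a["rule"]["level"] for a in hits),
        "rule_counts": dict(rule_counts),
        "indicators": {"users": users, "agents": agents, "mitre": mitre},
        "detected_by": [f'{a["rule"]["id"]} ({a["rule"]["description"]})' for a in escalations],
        "timeline": [
            {"time": a["_ts"].strftime("%H:%M:%S"), "agent": a["agent"]["name"],
             "rule_id": a["rule"]["id"], "level": a["rule"]["level"],
             "description": a["rule"]["description"]}
            for a in hits
        ],
    }


def investigate_sample(srcip="192.168.1.50"):
    """Run the pivot over the constructed sample (used by the demo and by tests)."""
    return investigate(load_alerts(ALERTS_JSON), srcip)


if __name__ == "__main__":
    report = investigate_sample()
    print(f"Source {report['srcip']} seen {report['first_seen']} to {report['last_seen']}")
    for step in report["timeline"]:
        print(f"  {step['time']} {step['agent']:<15} {step['rule_id']:>6} L{step['level']:<2} {step['description']}")
    print("rule counts:", report["rule_counts"])
    print("indicators:", report["indicators"])
    print("escalated by:", report["detected_by"])
```

Read the output against the four bullets: the timeline is "what happened" (an IDS event followed by repeated SSH failures), "detected_by" is "how it was detected" (the level-10 correlation rule rather than any single failure), and "indicators" lists the address, targeted accounts, reporting agents and MITRE technique for the report. The Windows alert from the other agent drops out of the pivot, which is the usual first filtering step in a real investigation.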

Lessons Learned


Deliverable 2 – Final Demonstration Video

Duration: 15–20 minutes

The video must include:

  1. Environment overview
  2. Wazuh dashboard
  3. Connected endpoints
  4. pfSense logs
  5. Snort alerts
  6. Attack simulation
  7. Alert analysis
  8. Incident investigation walkthrough
  9. Lessons learned

Evaluation Criteria

Criteria                          Weight
Wazuh Deployment                    20%
Agent Integration                   10%
pfSense Integration                 15%
Snort Integration                   15%
Attack Simulation                   15%
Log Analysis and Investigation      15%
Documentation Quality                5%
Video Presentation                   5%
TOTAL                              100%

Academic Integrity

Students must:

  • Use only authorized lab environments.
  • Conduct attacks only within their own controlled setup.
  • Not target public systems or third-party environments.
  • Properly cite external references and resources used.

Any activity conducted outside the approved lab environment will result in disciplinary action and project disqualification.


Expected Final Architecture

  • Endpoint(s)
  • pfSense Firewall
  • Snort IDS
  • Wazuh SIEM
  • Security Monitoring & Incident Analysis

The goal is not merely to install tools, but to demonstrate the ability to collect, correlate, detect, investigate, and explain security events using a centralized monitoring platform.