Project Case Study

SOC Lab Setup – Version 2: Endpoint Monitoring & Detection Testing

In Version 2 of my SOC lab, I expanded the original Proxmox and Wazuh setup by adding monitored Linux and Windows endpoints. The goal was to move beyond simply installing Wazuh and begin proving that the lab can collect endpoint telemetry, detect controlled test events, and support basic SOC-style investigation work.

Project Progression

SOC lab versions

This page documents the second stage of the SOC lab. Version 1 focused on infrastructure. Version 2 focuses on monitored endpoints, controlled test events, and Wazuh alert validation.

Version 1: Foundation

Proxmox installation, segmented bridges, Ubuntu Server deployment, Wazuh installation, dashboard access, and infrastructure troubleshooting.


Version 2: Endpoint Monitoring

Ubuntu and Windows 10 endpoints connected to Wazuh, controlled test events generated, and alerts reviewed in the Wazuh dashboard.


Objective

The objective of Version 2 was to turn the SOC lab from a working Wazuh installation into a basic monitoring environment with real endpoints. I used existing virtual machines from my Proxmox pentesting lab where possible, then added Wazuh agent communication over a dedicated SOC network.

Core stack

  • Proxmox VE on a dedicated server
  • Wazuh manager, indexer, and dashboard
  • Ubuntu 14.04 / Metasploitable-style target as a Linux endpoint
  • Windows 10 Pro as a Windows endpoint
  • Kali Linux and vulnerable lab systems kept on a separate pentesting bridge
  • vmbr0 for management and home network access
  • vmbr1 for Wazuh SOC monitoring traffic
  • vmbr2 for isolated pentesting lab traffic

What I built

  • Added SOC-side network adapters to existing Ubuntu and Windows 10 VMs.
  • Kept pentesting traffic on vmbr2 while Wazuh agent traffic used vmbr1.
  • Assigned static SOC IP addresses to endpoints on the 10.10.10.0/24 network.
  • Installed and started the Wazuh agent on an Ubuntu endpoint.
  • Installed and started the Wazuh agent on a Windows 10 endpoint.
  • Verified both endpoints appeared in the Wazuh dashboard.
  • Generated a Linux file integrity event and confirmed it appeared in Wazuh.
  • Generated Windows failed logon events and confirmed they appeared in Wazuh.

Network design

The lab uses three separate Proxmox bridges. This keeps the management network, SOC monitoring path, and pentesting network separated. The Windows and Ubuntu endpoints have both a pentesting address and a SOC monitoring address.

vmbr0: Proxmox management / home network

vmbr1: Wazuh SOC lab

vmbr2: Pentesting lab

Wazuh manager SOC IP: 10.10.10.10

Ubuntu:

  vmbr2 pentest IP: 192.168.56.20

  vmbr1 SOC IP:     10.10.10.20

Windows 10:

  vmbr2 pentest IP: 192.168.56.30

  vmbr1 SOC IP:     10.10.10.30

Issues I had to solve

This stage involved real troubleshooting. The setup did not work automatically, which made the project more valuable as a learning exercise.

  • Recovered access to the Wazuh dashboard after resetting the forgotten dashboard password.
  • Configured Wazuh VM networking so the SOC-side interface used 10.10.10.10.
  • Added a temporary internet adapter to the Ubuntu VM so it could download the Wazuh agent.
  • Worked around the older Ubuntu target not using systemctl by using legacy service commands.
  • Verified the Ubuntu agent through the Wazuh dashboard and generated a file integrity event.
  • Fixed the Windows Wazuh MSI installation by reviewing the installer log and resolving MSI rollback folder issues.
  • Confirmed Windows 10 failed logon events appeared in Wazuh after correcting the dashboard time range.

Why this project matters

Version 1 proved that I could install and access Wazuh. Version 2 proves that I can connect actual endpoints, separate monitoring and testing networks, generate controlled activity, and review resulting alerts. That is much closer to the kind of workflow used in blue-team and SOC environments.

Build Breakdown

Version 2 architecture and process

Version 2 focused on using the existing lab more intelligently: one network for testing, one network for monitoring, and Wazuh as the central point for endpoint visibility.

Step 1

Network separation

Kept vmbr0 for management, vmbr1 for Wazuh SOC traffic, and vmbr2 for the isolated pentesting lab.

Step 2

Linux endpoint

Added a SOC-side adapter to the Ubuntu VM, assigned 10.10.10.20, installed the Wazuh agent, and confirmed the endpoint became active in the dashboard.
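The agent-side settings this step depends on, shown as an added example (my own fragment in Wazuh's ossec.conf format, not a copy of the lab's file): the agent must point at the manager's SOC address on vmbr1, and syscheck must cover /etc closely enough that a test edit shows up without waiting for the next scheduled scan.

```xml
<ossec_config>
  <client>
    <server>
      <!-- Manager's vmbr1 SOC address from the network design, not its vmbr0 address -->
      <address>10.10.10.10</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <syscheck>
    <disabled>no</disabled>
    <!-- The default scan interval is 12 hours (43200 s). Without realtime on /etc, a
         change to /etc/soc-lab-test.conf only reaches the dashboard after the next scan. -->
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes">/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
```

After editing, restart the agent with `service wazuh-agent restart` on the older Ubuntu target (it has no systemctl) or `systemctl restart wazuh-agent` elsewhere, then modify the test file and watch for the integrity alert.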

Step 3

Windows endpoint

Added a SOC-side adapter to the Windows 10 VM, assigned 10.10.10.30, installed the Wazuh agent, and confirmed Windows telemetry appeared in Wazuh.

Step 4

Detection testing

Generated controlled Linux and Windows events, then verified that Wazuh recorded the file integrity and failed logon activity.

Evidence

Proof snapshots

These screenshots show the SOC v2 network design, endpoint agent status, snapshots, Linux file integrity detection, and Windows failed logon detection.

  • Screenshot: Proxmox network page showing vmbr0, vmbr1, and vmbr2 bridges for management, SOC, and pentesting traffic. Caption: Proxmox bridges separated into management, Wazuh SOC lab, and pentesting lab networks.
  • Screenshot: Proxmox snapshots showing rollback points before SOC version 2 expansion and testing. Caption: Snapshots created before expanding the SOC lab and installing agents.
  • Screenshot: Wazuh dashboard showing the Ubuntu agent active with IP address 10.10.10.20. Caption: Ubuntu endpoint active in Wazuh after agent installation.
  • Screenshot: Wazuh dashboard showing an Ubuntu file integrity event for /etc/soc-lab-test.conf. Caption: Linux file integrity event detected after modifying a test file under /etc.
  • Screenshot: Windows 10 PowerShell showing both the 192.168.56.30 and 10.10.10.30 IP addresses and a successful ping to Wazuh. Caption: Windows 10 connected to both the pentesting network and the Wazuh SOC network.
  • Screenshot: Wazuh dashboard showing Windows 10 failed logon events from the active Windows endpoint. Caption: Windows 10 endpoint active in Wazuh after agent installation.
  • Screenshot: Wazuh event table showing logon failure events for the Windows 10 endpoint. Caption: Wazuh rule triggered for a Windows logon failure caused by a controlled bad password test.

Detection Results

Events confirmed in Wazuh

Ubuntu file integrity

Modified /etc/soc-lab-test.conf and confirmed Wazuh detected an integrity checksum change.

Windows failed logon

Generated a controlled failed logon attempt and confirmed Wazuh recorded a logon failure event.

Endpoint visibility

Confirmed both Linux and Windows endpoint telemetry reached the Wazuh dashboard.
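A way to confirm both test results from the manager's alerts.json instead of only eyeballing the dashboard, written as an added example (not the lab's own tooling). The sample alert lines are constructed; rule ids and descriptions follow Wazuh's default ruleset as I know it, agent names are made up, and the IPs mirror the network design above. The time window argument reproduces the dashboard time range issue noted earlier: an alert outside the window is silently dropped.

```python
import json
from datetime import datetime

# Constructed sample lines in the shape of Wazuh's alerts.json (one JSON object per line).
# Rule ids/descriptions follow Wazuh's default ruleset as I know it; agent names are made up,
# IPs mirror the lab design above. Not captured from the lab.
SAMPLE_ALERTS = """
{"timestamp":"2024-05-01T10:02:11.000+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"ubuntu-endpoint","ip":"10.10.10.20"},"syscheck":{"path":"/etc/soc-lab-test.conf","event":"modified"}}
{"timestamp":"2024-05-01T10:05:40.000+0000","rule":{"id":"60122","level":5,"description":"Logon failure - Unknown user or bad password."},"agent":{"id":"002","name":"win10-endpoint","ip":"10.10.10.30"},"data":{"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"soclabtest","logonType":"2"}}}}
{"timestamp":"2024-04-30T22:15:00.000+0000","rule":{"id":"60122","level":5,"description":"Logon failure - Unknown user or bad password."},"agent":{"id":"002","name":"win10-endpoint","ip":"10.10.10.30"},"data":{"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"soclabtest","logonType":"2"}}}}
{"timestamp":"2024-05-01T10:06:02.000+0000","rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed."},"agent":{"id":"001","name":"ubuntu-endpoint","ip":"10.10.10.20"},"data":{"srcuser":"labuser"}}
""".strip().splitlines()

def parse_alerts(lines):
    """Decode alerts.json lines, skipping blank or truncated ones (rotation can cut a line)."""
    alerts = []
    for line in lines:
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def parse_ts(ts):
    # Wazuh writes e.g. 2024-05-01T10:02:11.000+0000; %z accepts the +0000 offset form.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def find_test_evidence(alerts, start, end):
    """Return FIM and Windows failed-logon alerts inside [start, end] (Wazuh timestamp strings).
    Matches on the alert body (syscheck block, event ID 4625) rather than rule ids alone, so a
    renumbered custom ruleset does not hide the test events."""
    lo, hi = parse_ts(start), parse_ts(end)
    evidence = {"fim": [], "failed_logon": []}
    for a in alerts:
        if not (lo <= parse_ts(a["timestamp"]) <= hi):
            continue  # same effect as a dashboard time range that excludes the test
        agent = a.get("agent", {}).get("name", "?")
        sc = a.get("syscheck")
        if sc and sc.get("event") in ("added", "modified", "deleted"):
            evidence["fim"].append((agent, sc["path"], sc["event"], a["rule"]["id"]))
        win = a.get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") == "4625":
            user = win.get("eventdata", {}).get("targetUserName", "?")
            evidence["failed_logon"].append((agent, user, a["rule"]["id"]))
    return evidence

def summarize(lines, start, end):
    """Counts per test event type, handy for a one-line incident note."""
    return {k: len(v) for k, v in find_test_evidence(parse_alerts(lines), start, end).items()}
```

On a live manager, feed it `open("/var/ossec/logs/alerts/alerts.json")` instead of the constructed lines and widen the window if a known test event is missing before suspecting the agent.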

Next Stage

What comes next

Controlled Kali activity

Generate controlled scans from Kali against lab targets and compare what appears in Wazuh.

Incident notes

Write short SOC-style incident notes for each test event, including source, target, alert, and response.

Detection tuning

Adjust Wazuh rules, monitored paths, and event views to make useful alerts easier to find.