Monitoring an Information System using a SIEM
Implementation of a SIEM solution within an information system along with its management and configuration.
Project Overview: Defensive Cybersecurity and Wazuh Monitoring
DISCLAIMER: Images are not yet available due to pending authorizations
This project was part of the company’s defensive cybersecurity initiatives. The main objective was to secure the entire internal and production infrastructure while providing centralized monitoring of critical events. Implementing a complete detection and alerting solution was essential to meet increasing security requirements.
Figure: Wazuh architecture, with agents on internal and production servers and centralized log flows.
Goals and Scope
The objectives were multiple: deploy and maintain Wazuh across all internal and production servers, ensure comprehensive log collection and detection of critical anomalies, and provide centralized monitoring for operational teams. The scope also included VPN configuration and coverage of both internal and client environments.
Role and Responsibilities
My main role was to install Wazuh from scratch and maintain the entire infrastructure. I also monitored anomalies, fine-tuned existing rules, and documented all detected events. While primarily focused on blue team activities internally, I applied purple team methodologies to prepare test scenarios based on real anomalies.
Architecture and Security Tools
The infrastructure integrates Wazuh with agents on each server, Auditd to maximize system log collection, and Suricata for network detection. All data is centralized on a dedicated server and accessible via a unified dashboard for monitoring and analysis.
Each component was configured to work together with the others, enabling precise event tracking and the implementation of rules tailored to the production environment and internal security requirements.
Figure: initial configuration steps of the Wazuh agents.
Monitoring, Detection, and Fine-Tuning
Collected events were analyzed daily to reduce false positives and refine detection rules. Fine-tuning increased alert relevance, prioritized critical incidents, and ensured a rapid response to real threats.
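As an added illustration of the daily fine-tuning loop described above (not code from the original project), the script below parses lines in the shape of Wazuh's alerts.json (one JSON object per line, with `rule.id`, `rule.level` and `agent.name`), tallies alerts per rule, and separates the usual false-positive candidates (low-level rules firing often across hosts) from the high-level alerts that need immediate attention. The sample lines and the thresholds are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Wazuh's alerts.json; rule ids/levels are illustrative only.
SAMPLE_ALERTS = """\
{"timestamp":"2024-01-10T08:00:01.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"web-01"}}
{"timestamp":"2024-01-10T08:00:05.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"web-01"}}
{"timestamp":"2024-01-10T08:01:00.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"002","name":"db-01"}}
{"timestamp":"2024-01-10T08:02:00.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system."},"agent":{"id":"001","name":"web-01"}}
{"timestamp":"2024-01-10T08:03:00.000+0000","rule":{"level":7,"id":"86601","description":"Suricata: Alert - test signature"},"agent":{"id":"003","name":"gw-01"}}
this line is not JSON and must be skipped, not crash the daily run
"""

def parse_alerts(text):
    """Yield one dict per valid JSON line; malformed or empty lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize(alerts):
    """Aggregate alerts by rule id: count, highest level seen, description, affected agents."""
    summary = defaultdict(lambda: {"count": 0, "level": 0, "description": "", "agents": set()})
    for alert in alerts:
        rule = alert.get("rule", {})
        rule_id = rule.get("id")
        if rule_id is None:  # not a rule-based alert, nothing to tune
            continue
        entry = summary[rule_id]
        entry["count"] += 1
        entry["level"] = max(entry["level"], int(rule.get("level", 0)))
        entry["description"] = rule.get("description", entry["description"])
        entry["agents"].add(alert.get("agent", {}).get("name", "unknown"))
    return dict(summary)

def tuning_candidates(summary, max_level=5, min_count=3):
    """Low-level rules that fire repeatedly are the first place to look for false positives."""
    noisy = [rid for rid, e in summary.items() if e["level"] <= max_level and e["count"] >= min_count]
    return sorted(noisy, key=lambda rid: summary[rid]["count"], reverse=True)

def high_priority(summary, min_level=10):
    """Rule ids whose alerts reached the level that warrants an immediate response."""
    return sorted(rid for rid, e in summary.items() if e["level"] >= min_level)
```

To run it against a real manager, read the default alert file (/var/ossec/logs/alerts/alerts.json) instead of SAMPLE_ALERTS; the candidates list then tells you which rule ids to review before lowering their level or adding exceptions in local rules.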
Purple Team Approach and Attack Scenarios
While most of my work internally focused on blue team operations, I applied a purple team methodology to document and analyze real anomalies. These observations were used to create test scenarios and automated scripts, executed in a controlled manner to evaluate the infrastructure’s resilience.
Figure: screenshot of a simulated attack scenario with the alerts it triggered.
Contributions and Skills Developed
This project allowed me to strengthen my scripting and automation skills, deepen my cybersecurity knowledge, and improve my monitoring and fine-tuning methodology. I also developed communication and documentation skills, essential for sharing cybersecurity knowledge with the team and preparing realistic security scenarios.
| Category | Technologies / Tools | Notes / Usage |
|---|---|---|
| SIEM / Monitoring | Wazuh | From-scratch installation, centralized log collection, alerting, and dashboard monitoring |
| Log Collection | Auditd | Comprehensive system event collection via Wazuh agents |
| Network Detection | Suricata | Network traffic analysis and correlation with Wazuh logs |
| Fine-Tuning & Analysis | Wazuh Rules / Custom Scripts | False positive reduction, alert adjustment, and automated security tests |
| Documentation & Communication | Markdown / Internal Guides | Recording anomalies, vulnerabilities, and procedures for internal teams and clients |
| Skills Developed | Scripting, cybersecurity methodology, security culture | Creation of controlled attack scenarios, automation, and strengthening the overall security culture |