Small and mid-sized teams don't always have the budget for a heavyweight SIEM/XDR, but they still need near-real-time visibility and the ability to respond. This project shows how far you can push Wazuh with custom rules and targeted integrations to build an affordable, open-source detection stack for an SME-style lab. The focus is on practical, defender-first outcomes: catching brute-force attempts, container abuse, file tampering, and vulnerable software as the events are logged.
What's inside: we wrote a set of custom Wazuh rules, wired in VirusTotal for threat-intelligence lookups, enabled File Integrity Monitoring and Vulnerability Detection, and configured Active Response to automatically block or contain high-confidence threats. We also monitored Docker lifecycle events and MySQL activity, validating every rule with repeatable attack simulations in a multi-host lab.
Highlights
- Brute-force detection for SSH/FTP by correlating repeated authentication failures from the same source into a single high-severity alert.
- CTI-enriched alerts via VirusTotal to lift signal quality.
- FIM + Vulnerability Detection to catch unauthorized file changes and installed packages with known CVEs.
- Container and database monitoring for Docker lifecycle events and MySQL activity.
- Tested end-to-end in a manager-plus-agents lab environment.
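As an added illustration of the rule-correlation and Active Response pattern described above (this is example configuration written for this page, not the project's own rule set), the fragment below correlates repeated sshd authentication failures from one source IP into a custom alert and then has the manager block that IP. The rule id 100100, the threshold of 6 failures in 120 seconds, and the 600-second block are assumptions chosen for the example; the parent rule 5716 ("sshd: authentication failed"), the `firewall-drop` command and the `<active-response>` block are Wazuh's own.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (custom rules live in the 100000+ id range) -->
<group name="local,syslog,sshd,">
  <!-- Fire when rule 5716 (sshd: authentication failed) matches 6 times
       from the same source IP within 120 seconds. Threshold is an assumption
       for this example; Wazuh's built-in brute-force rule 5712 uses a higher one. -->
  <rule id="100100" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute-force attempt from $(srcip), 6+ failed logins in 2 minutes.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the manager: block the offending IP on the agent
     that raised the alert, for 600 seconds (timeout is an assumption). -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before enabling the block, replay a handful of real `sshd` "Failed password" lines through `/var/ossec/bin/wazuh-logtest` and confirm that the sixth line within the window escalates to rule 100100 rather than stopping at 5716; an Active Response tied to a rule that also fires on legitimate traffic (a misconfigured monitoring host, a user with a stale key) will lock out your own systems, so set the threshold from observed baseline noise rather than from a guess.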
If you're exploring open-source detection or want a blueprint for a hands-on homelab SOC, this paper is a step-by-step look at what's possible with Wazuh plus some rule-crafting and automation.