Project | SOC / Security Monitoring

Wazuh SIEM / XDR

Wazuh deployed as a self-hosted SIEM and XDR platform in an LXC container on the Proxmox cluster — collecting endpoint events, correlating Suricata network alerts, and providing a real alert triage environment for SOC-style investigation practice.

Tags: Wazuh, SIEM, XDR, Suricata Integration, Endpoint Agents, Alert Triage

[Figure: Wazuh SIEM data flow diagram]

What I Built

  • Deployed Wazuh as a self-hosted SIEM/XDR in an LXC container on the Proxmox cluster, running as a persistent production service.
  • Configured Wazuh agents on Linux LXC containers and Windows hosts to forward security events — authentication, process activity, file integrity, and system calls.
  • Integrated Suricata IDS alerts from OPNsense's WAN interface into Wazuh via syslog so network-layer and host-layer events land in the same dashboard for correlation.
  • Used the Wazuh dashboard for alert browsing, rule inspection, and investigation workflows across multiple endpoint types.
  • Practiced SOC-style triage: identify the alert → review surrounding context → classify → document findings and next steps.

Skills Demonstrated

  • SIEM/XDR deployment and agent configuration
  • Endpoint visibility across Linux and Windows systems
  • Network and host event correlation (Suricata + Wazuh)
  • Alert triage and classification workflow
  • File integrity monitoring and compliance concepts
  • SOC-style investigation documentation

Integration

Suricata + Wazuh Correlation

Suricata runs on OPNsense's WAN interface in netmap mode and forwards IDS alerts to Wazuh via syslog. Network-layer detections and host-layer events appear in the same platform — a detection on the wire can be cross-referenced with what the endpoint was doing at the same time.
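As an added example (not code from this project, and not Wazuh's own rule engine), the script below shows the cross-referencing idea described above on constructed data: Suricata EVE alert lines as they would arrive over syslog are joined to Wazuh-style host events from the same source IP inside a five-minute window, and each alert gets a first-pass triage classification. All hostnames, IPs, signatures and timestamps are constructed samples.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data (not real homelab logs): Suricata EVE JSON alerts as
# forwarded over syslog from OPNsense, and host events as Wazuh agents report them.
SURICATA_SYSLOG = [
    '{"timestamp": "2024-05-01T10:02:15", "event_type": "alert", "src_ip": "203.0.113.7", '
    '"dest_ip": "192.0.2.10", "dest_port": 22, "alert": {"signature": "ET SCAN Potential SSH Scan", "severity": 2}}',
    '{"timestamp": "2024-05-01T11:30:00", "event_type": "alert", "src_ip": "198.51.100.4", '
    '"dest_ip": "192.0.2.10", "dest_port": 443, "alert": {"signature": "ET POLICY curl User-Agent Outbound", "severity": 3}}',
]
HOST_EVENTS = [
    {"timestamp": "2024-05-01T10:02:40", "agent": "lxc-web01", "srcip": "203.0.113.7", "description": "sshd: authentication failed"},
    {"timestamp": "2024-05-01T10:03:05", "agent": "lxc-web01", "srcip": "203.0.113.7", "description": "sshd: authentication failed"},
    {"timestamp": "2024-05-01T10:41:00", "agent": "lxc-web01", "srcip": "203.0.113.7", "description": "sshd: authentication failed"},
    {"timestamp": "2024-05-01T11:31:10", "agent": "win-ws01", "srcip": "192.0.2.55", "description": "Windows logon success"},
]


def parse_ts(value):
    """Timestamps in the samples are naive ISO 8601 strings."""
    return datetime.fromisoformat(value)


def correlate(alert_lines, host_events, window=timedelta(minutes=5)):
    """Join each Suricata alert to host events from the same source IP within +/- window.

    Returns one triage record per alert; 'classification' is the analyst's first-pass call:
    a wire detection with matching endpoint activity is escalated, one without is monitored.
    """
    records = []
    for line in alert_lines:
        alert = json.loads(line)
        if alert.get("event_type") != "alert":
            continue  # EVE also carries flow/dns/http records; only alerts are triaged here
        t = parse_ts(alert["timestamp"])
        related = [
            h for h in host_events
            if h["srcip"] == alert["src_ip"] and abs(parse_ts(h["timestamp"]) - t) <= window
        ]
        records.append({
            "signature": alert["alert"]["signature"],
            "src_ip": alert["src_ip"],
            "related_host_events": len(related),
            "agents": sorted({h["agent"] for h in related}),
            "classification": "escalate" if related else "monitor",
        })
    return records


if __name__ == "__main__":
    for record in correlate(SURICATA_SYSLOG, HOST_EVENTS):
        print(record)
```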

Visibility

Agent-Based Endpoint Coverage

Wazuh agents on Linux containers and Windows hosts collect authentication events, process creation, file integrity changes, and system-level activity. The manager correlates these against built-in and custom rules to surface meaningful alerts rather than raw log noise.

Workflow

Triage Practice Environment

Real alerts from the homelab infrastructure — failed logins, config changes, unexpected processes — create a low-stakes environment to practice the analyst triage loop: identify, contextualize, classify, and document. The same workflow scales directly to production SOC work.

What This Shows Employers

Wazuh is used in production SOC environments. I deployed it, wired it to real endpoints, and connected it to a live IDS feed — not a classroom simulation. I understand how alerts are generated, why correlation between network and host events matters, and what the triage workflow looks like from inside the tool. That's day-one relevant for SOC analyst and junior security operations roles.

Get In Touch

Open to Junior Network Administrator, SOC Analyst, NOC, MSP, Help Desk, IT Support, and Cybersecurity Internship opportunities.

Email: NazeemDickey@gmail.com | Boynton Beach, FL