Endpoint Detection Coverage
Security monitoring implementation for an assurance services client. Covers endpoint telemetry integration across Linux and Windows servers using Wazuh as the central SIEM, with Falco, auditd, and Sysmon as telemetry sources. Custom detection rules were written and validated before production handover.
Project Description
This project was delivered as part of a two-month security engineering engagement under PT. Visionet Data Internasional. The implementation covers centralized log management, multi-source telemetry collection, detection engineering, and dashboard development for an assurance services client.
The deployment integrates three telemetry sources into a single Wazuh instance: Falco for Linux runtime threat detection via eBPF, auditd with a MITRE ATT&CK-mapped syscall ruleset, and Sysmon for Windows process, network, and file activity monitoring.
Custom Wazuh detection rules were developed to surface auditd events that are suppressed by default (by the built-in level-0 rule 80700), covering 15 detection categories mapped to MITRE ATT&CK techniques. A custom security monitoring dashboard was built in Wazuh Dashboard as the primary deliverable for the POC presentation phase.
The environment was validated against real external attack traffic during the testing phase, providing authentic detection data including SSH brute-force attempts, Falco Critical alerts for XZ backdoor behavioral patterns, and PowerShell abuse detections on the Windows endpoint.
Goals & Objectives
Centralized SIEM Deployment
Deploy Wazuh all-in-one as the central SIEM receiving telemetry from Linux and Windows endpoints within the client environment.
Multi-Source Telemetry Integration
Integrate Falco (Linux runtime), auditd (syscall auditing), and Sysmon (Windows activity) into a single monitoring pipeline.
Detection Engineering
Write 19 custom Wazuh detection rules covering 15 MITRE ATT&CK techniques across credential access, privilege escalation, persistence, lateral movement, and exfiltration.
POC Dashboard Delivery
Build a custom security monitoring dashboard consolidating all telemetry sources as the primary POC deliverable for the client.
Production Validation
Conduct full validation testing across 10 detection scenarios and confirm all test cases pass before production handover.
Architecture & Workflow
graph TB
subgraph AIO["Wazuh All-in-One - Central SIEM"]
WM[Wazuh Manager]
WI[Wazuh Indexer / OpenSearch]
WD[Wazuh Dashboard]
WM --> WI --> WD
end
subgraph LINUX["Linux Server Endpoint"]
LA[Wazuh Agent v4.14.5]
Falco[Falco 0.43.1]
Auditd[auditd]
Falco -->|JSON alerts| LA
Auditd -->|audit.log| LA
end
subgraph WIN["Windows Server 2019 Endpoint"]
WA[Wazuh Agent v4.14.5]
Sysmon[Sysmon v15.20]
Sysmon -->|Event Log| WA
end
LA -->|port 1514 TLS| WM
WA -->|port 1514 TLS| WM
Implementation
Deployed Wazuh v4.14.5 all-in-one on a cloned pre-production environment. Configured Falco with JSON output and integrated it with the Wazuh Agent via localfile collection. Deployed a MITRE ATT&CK-mapped auditd ruleset on the Linux endpoint and wrote 15 custom Wazuh child rules (210100-210114) to surface auditd events that are suppressed by the built-in rule 80700. Configured Sysmon v15.20 on the Windows endpoint with eventchannel log collection and added the PowerShell Operational channel. Built a custom security monitoring dashboard consolidating all telemetry sources. Conducted full validation testing across 10 detection scenarios before production handover.
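The agent-side collection described above, as an added illustration written for this page rather than the project's own configuration files: ossec.conf localfile entries for the Linux agent (Falco JSON output and audit.log) and for the Windows agent (Sysmon and PowerShell Operational channels). The Falco output file path and the ossec.conf locations are assumptions.

```xml
<!-- Added example; not the project's deployed configuration. -->

<!-- Linux agent: /var/ossec/etc/ossec.conf (default path, assumed) -->
<ossec_config>
  <!-- Falco writes one JSON alert per line when falco.yaml has
       json_output: true and file_output enabled (file path assumed).
       log_format json hands each line to the built-in JSON decoder,
       so no custom decoder is required on the manager. -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/falco/events.json</location>
  </localfile>

  <!-- auditd: the built-in 'audit' format feeds the auditd decoder,
       whose events land under the level-0 parent rule 80700. -->
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
</ossec_config>

<!-- Windows agent: C:\Program Files (x86)\ossec-agent\ossec.conf (assumed) -->
<ossec_config>
  <!-- Sysmon process/network/file/registry telemetry via eventchannel -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- PowerShell Operational channel (script block / module logging),
       the source for the PowerShell abuse detections mentioned above -->
  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

After editing, restart the agent (systemctl restart wazuh-agent on Linux, the Wazuh service on Windows) and confirm in Wazuh Discover that events with the expected decoder names arrive from that agent.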
Tech Stack Used
Wazuh v4.14.5: Central SIEM. Manager, Indexer, and Dashboard deployed in all-in-one mode.
Falco 0.43.1: Linux runtime threat detection via eBPF. Outputs JSON alerts collected by the Wazuh Agent.
auditd: Linux kernel syscall auditing with MITRE ATT&CK-mapped ruleset. 200+ rules loaded.
Sysmon v15.20: Windows process, network, file, and registry telemetry. MD5/SHA256/IMPHASH hashing enabled.
Wazuh Indexer (OpenSearch): Alert storage and search backend. Index pattern: wazuh-alerts-*.
Linux Server: Linux endpoint OS. Kernel 5.15.0-179-generic.
Windows Server 2019: Windows endpoint OS. Build 10.0.17763.
Key Features & Deliverables
Custom auditd Detection Rules
15 Wazuh rules (210100-210114) written to match MITRE ATT&CK-mapped audit keys suppressed by default in Wazuh. Verified with wazuh-logtest before deployment.
Falco Wazuh Integration
4 custom rules (117000-117003) integrating Falco JSON output into Wazuh alert pipeline without custom decoders. Priority-based level assignment: Critical=10, Warning=7, Notice=5.
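How the two rule families above fit together, as an added example written for this page and not the project's delivered ruleset: one auditd child rule of the built-in rule 80700 that turns a suppressed audit key into an alert, and the Falco parent rule plus its priority-to-level children. The audit key name cred_files, the technique id T1003 and the rule descriptions are assumptions.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml; not the project's ruleset. -->
<group name="audit,custom_auditd,">
  <!-- 80700 is the level-0 "messages grouped" parent: an audit key that is not
       in etc/lists/audit-keys never becomes an alert unless a child rule matches it.
       cred_files is an assumed key, set with -k in the auditd ruleset. -->
  <rule id="210100" level="10">
    <if_sid>80700</if_sid>
    <field name="audit.key">^cred_files$</field>
    <description>Audit: sensitive credential file accessed by $(audit.exe) (key $(audit.key))</description>
    <mitre>
      <id>T1003</id>   <!-- assumed mapping: OS Credential Dumping (Credential Access) -->
    </mitre>
    <group>credential_access,</group>
  </rule>
</group>

<group name="falco,">
  <!-- Parent: Falco JSON lines are handled by the built-in json decoder, so no
       custom decoder is needed. Level 0 keeps the parent itself silent. -->
  <rule id="117000" level="0">
    <decoded_as>json</decoded_as>
    <field name="rule">\.+</field>
    <field name="priority">\.+</field>
    <description>Falco event: $(rule)</description>
  </rule>

  <!-- Children map Falco priority to Wazuh level: Critical=10, Warning=7, Notice=5.
       Other Falco priorities (Error, Informational, Debug) stay at the silent parent. -->
  <rule id="117001" level="10">
    <if_sid>117000</if_sid>
    <field name="priority">^Critical$</field>
    <description>Falco Critical: $(rule) - $(output)</description>
  </rule>
  <rule id="117002" level="7">
    <if_sid>117000</if_sid>
    <field name="priority">^Warning$</field>
    <description>Falco Warning: $(rule) - $(output)</description>
  </rule>
  <rule id="117003" level="5">
    <if_sid>117000</if_sid>
    <field name="priority">^Notice$</field>
    <description>Falco Notice: $(rule) - $(output)</description>
  </rule>
</group>
```

Paste a raw audit.log line carrying key="cred_files", or one Falco JSON line, into wazuh-logtest on the manager; phase 3 of the output should show rule 210100 or the matching 117xxx child firing with the intended level.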
Security Monitoring Dashboard
Custom Wazuh dashboard with alert count widgets, 30-minute timeline, Falco/Sysmon/auditd tables, top triggered rules chart, and per-agent alert breakdown.
Validation Test Report
10 detection scenarios tested and documented with expected telemetry, rule fired, MITRE technique, and pass/fail result before production handover.
Production Alert Coverage
55,498 alerts in a 24-hour sample: 12,080 Falco, 7,912 Sysmon, 128 auditd, and 8,622 high severity. Real external attack traffic validated the full detection pipeline.
Detection Engineering Documentation
Full documentation of rule design, audit key mapping, false positive analysis, and known issues, including false positives from Falco eBPF socket creation and triage of the XZ backdoor behavioral pattern.
Results & Outcome
Fully operational security monitoring deployment with confirmed detection coverage across Linux and Windows endpoints. 55,498 total alerts recorded in a 24-hour sample including 12,080 Falco alerts, 7,912 Sysmon alerts, and 128+ auditd alerts. All 10 validation test cases passed. Custom detection rules cover 15 MITRE ATT&CK techniques across credential access, privilege escalation, persistence, defense evasion, lateral movement, and exfiltration categories. Security monitoring dashboard delivered as POC output.
Screenshots & Demo
Wazuh Agent Inventory Overview
Overview of active Wazuh agents connected to the lab environment, showing Linux and Windows endpoints with their operating system, group assignment, agent version, and connection status.
Custom Wazuh Security Monitoring Dashboard
Visualizes endpoint security alerts from Linux and Windows telemetry, including Sysmon events, Falco alerts, auditd logs, and recent triggered detection rules.
Auditd Event Discovery in Wazuh
Shows auditd events collected from the Linux endpoint and indexed in Wazuh, including syscall activity, executed commands, agent details, and audit related fields for investigation.
Falco Runtime Alert Analysis
Wazuh Discover view showing Falco runtime security alerts collected from the Linux endpoint, including suspicious SSH activity, rule metadata, source IP, agent details, and alert frequency over time.
Windows Sysmon Event Analysis
Wazuh Discover view showing Sysmon events collected from the Windows Server 2019 endpoint, including process activity, executable paths, event metadata, and agent details for Windows security monitoring.
Wazuh Rule Validation with Logtest
Shows custom Wazuh rule validation using wazuh-logtest for an auditd event related to sensitive credential file access, successfully triggering rule 210100 with MITRE ATT&CK mapping to Credential Access.