Build Your SOC Analyst Skills with This Free Home Lab

InfoSec Pat
29 Nov 2025, 23:41

Summary

TL;DR: In this video, the host walks viewers through setting up Wazuh, an open-source security platform, on Ubuntu for a home cybersecurity lab. Covering installation of the indexer, server, and dashboard, the tutorial provides step-by-step instructions, hardware requirements, and configuration tips. The video also demonstrates deploying a Windows agent, enabling file integrity monitoring, and tracking system events. Viewers gain practical insights into endpoint protection, threat intelligence, and monitoring tools, making it a comprehensive guide for aspiring cybersecurity enthusiasts looking to build and explore a personal lab environment. The tutorial emphasizes hands-on experimentation and learning.

Takeaways

  • 😀 Wazuh is a free, open-source security platform that combines XDR and SIEM capabilities under a single interface.
  • 😀 The video demonstrates setting up a cybersecurity lab using Wazuh on an Ubuntu server.
  • 😀 Hardware requirements for a lab setup include 4 CPUs, 8 GB RAM, and 50 GB storage for roughly 90 days of logs.
  • 😀 The installation process on Ubuntu involves running a single command to install the Wazuh indexer, server, and dashboard.
  • 😀 Admin credentials and the backup of internal users should be saved immediately after installation.
  • 😀 Windows Server 2022 can be used as an endpoint: deploying a Wazuh agent on it collects data from that host.
  • 😀 File Integrity Monitoring (FIM) can be enabled on specific directories to track creation, modification, or deletion of files.
  • 😀 Test files and folders can be created to generate events and verify that FIM is correctly reporting changes to the dashboard.
  • 😀 The Wazuh dashboard provides insights into endpoints, threat intelligence, security operations, and logs from monitored systems.
  • 😀 Expanding the lab with Linux or Kali machines allows simulating attacks for blue team monitoring and threat hunting practice.
  • 😀 Patience is required during setup; dashboard updates and event reporting may take a few moments to appear after changes.
  • 😀 The video emphasizes exploration and experimentation to fully understand Wazuh's capabilities and strengthen cybersecurity skills.

Q & A

  • What is Wazuh and what are its main features?

    - Wazuh is an open-source security platform that combines XDR (Extended Detection and Response) and SIEM (Security Information and Event Management). Its main features include endpoint security, threat intelligence, security operations, and cloud security, all accessible from a unified dashboard.

  • Which operating systems are supported for installing Wazuh?

    - Wazuh can be installed on Ubuntu, Amazon Linux, CentOS Stream 10, Red Hat, and other Linux distributions. Agents can also be deployed on Windows servers.

  • What are the hardware requirements for a Wazuh lab with up to 25 agents?

    - For 1–25 agents, the recommended hardware is 4 CPUs or virtual CPUs, 8 GB of RAM, and 50 GB of storage, which covers roughly 90 days of data retention.

  • What are the main components installed when running the Wazuh Quick Start command on Ubuntu?

    - The Quick Start installation command sets up three components: the Wazuh indexer, the Wazuh server, and the Wazuh dashboard, allowing management and monitoring from a single interface.

  • How do you access the Wazuh dashboard after installation?

    - You can access the dashboard by navigating to your server's IP address over HTTPS on port 443. Since Wazuh uses a self-signed certificate by default, you may need to accept the security warning in your browser.

  • How is a Windows agent deployed in Wazuh?

    - On the Wazuh dashboard, select the Windows operating system, enter the server IP address and agent name, copy the generated installation command, then run it in PowerShell as an Administrator on the Windows server.

  • What steps are necessary if the Windows agent does not immediately appear in the dashboard?

    - You may need to manually start the Wazuh service in Windows Services. Once the service is running, refresh the dashboard, and the agent should appear.

  • What is File Integrity Monitoring in Wazuh, and why is it useful?

    - File Integrity Monitoring (FIM) tracks changes to files and directories on a monitored system. It is useful for detecting unauthorized modifications or deletions, helping security teams maintain compliance and investigate incidents.

  • How do you configure a directory for File Integrity Monitoring?

    - Edit the Wazuh agent configuration file on the monitored system, locate the FIM section, and add the path of the directory you want to monitor. Save the changes and restart the Wazuh service for the configuration to take effect.

  • How can you verify that File Integrity Monitoring is working?

    - Create or modify a file within the monitored directory. Then check the Wazuh dashboard under the File Integrity Monitoring section. The dashboard should display an event showing the file change, including timestamps and user activity.

  • What are some recommended ways to explore Wazuh once it's installed?

    - Users should explore the dashboards for endpoint protection, threat intelligence, security operations, and reporting. Adding Linux or Kali machines lets you simulate attacks and practice monitoring and responding as the blue team, which improves the lab experience.

  • Why is Wazuh suitable for home labs and learning environments?

    - Wazuh is free, open-source, and provides a unified platform for monitoring and analyzing security events. Its flexibility with Windows and Linux agents makes it ideal for learning, experimentation, and building cybersecurity skills in a controlled environment.
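An added check for the FIM configuration and verification questions above (example code, not from the video): the events the dashboard shows are the same alerts the Wazuh server writes to /var/ossec/logs/alerts/alerts.json, one JSON object per line. This script reads such lines (here constructed samples with invented agent names, paths and times), keeps only the syscheck (FIM) alerts, counts added/modified/deleted files per agent, and flags any change outside the lab folder you deliberately touched, so a modification you did not make stands out even before you open the dashboard.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Wazuh's alerts.json (one JSON object per
# line). Agent names, paths and timestamps are invented for this example.
SAMPLE_ALERTS = r'''
{"timestamp":"2025-11-29T23:41:10.000+0000","rule":{"level":5,"id":"554","description":"File added to the system.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"WIN-SRV2022"},"syscheck":{"path":"C:\\Lab\\test.txt","mode":"realtime","event":"added"},"location":"syscheck"}
{"timestamp":"2025-11-29T23:42:05.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"WIN-SRV2022"},"syscheck":{"path":"C:\\Lab\\test.txt","mode":"realtime","event":"modified"},"location":"syscheck"}
{"timestamp":"2025-11-29T23:43:30.000+0000","rule":{"level":7,"id":"553","description":"File deleted.","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"WIN-SRV2022"},"syscheck":{"path":"C:\\Lab\\test.txt","mode":"realtime","event":"deleted"},"location":"syscheck"}
{"timestamp":"2025-11-29T23:44:00.000+0000","rule":{"level":3,"id":"60106","description":"Windows logon success.","groups":["windows"]},"agent":{"id":"001","name":"WIN-SRV2022"},"location":"EventChannel"}
{"timestamp":"2025-11-29T23:45:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck"]},"agent":{"id":"002","name":"ubuntu-lab"},"syscheck":{"path":"/etc/ssh/sshd_config","mode":"scheduled","event":"modified"},"location":"syscheck"}
not json: a truncated or corrupted line must be skipped, not crash the parser
'''


def parse_alerts(text):
    """Yield one dict per line of alerts.json; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def fim_events(alerts):
    """Keep only syscheck (FIM) alerts and flatten the fields worth reviewing."""
    for a in alerts:
        sc = a.get("syscheck")
        if a.get("location") != "syscheck" or not sc:
            continue
        yield {"time": a["timestamp"], "agent": a["agent"]["name"],
               "rule": a["rule"]["id"], "event": sc["event"], "path": sc["path"]}


def summarize(events, expected_prefixes=()):
    """Count added/modified/deleted per agent and flag paths outside the ones
    you changed on purpose; those deserve a closer look even in a lab."""
    counts = defaultdict(Counter)
    unexpected = []
    for e in events:
        counts[e["agent"]][e["event"]] += 1
        if not any(e["path"].startswith(p) for p in expected_prefixes):
            unexpected.append(e)
    return {agent: dict(c) for agent, c in counts.items()}, unexpected


if __name__ == "__main__":
    events = list(fim_events(parse_alerts(SAMPLE_ALERTS)))
    print(summarize(events, expected_prefixes=(r"C:\Lab",)))
```

On a real server, replace SAMPLE_ALERTS with the contents of alerts.json and pass the directory you configured in the FIM section as the expected prefix.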
