Wazuh PoC - Capability Validation Scenarios
The Proof of Concept section provides hands-on scenarios for demonstrating and validating Wazuh 4.14 capabilities. Each scenario describes a specific threat, provides a trigger command, and lists the expected alert with its rule ID. These scenarios are designed for use in test environments during platform evaluation, SOC analyst training, and detection rule validation.
Purpose of PoC Scenarios
Proof of Concept scenarios serve several objectives:
- Platform evaluation - demonstrate Wazuh capabilities to prospective users and management
- Deployment validation - verify correct configuration after installation
- Analyst training - hands-on exercises for SOC teams
- Rule testing - validate built-in and custom rule behavior
- Coverage auditing - assess detection completeness against the MITRE ATT&CK matrix
Contents
PoC Scenarios
15 ready-to-run scenarios covering the major threat classes:
- Brute-force attacks (SSH)
- Malware detection (EICAR)
- File integrity monitoring (FIM)
- Vulnerability detection
- Configuration assessment (SCA)
- Web attacks (SQL injection)
- Rootkit detection
- Trojan detection
- Docker monitoring
- Windows and Linux auditing
- Active Directory monitoring
- Suspicious binary detection
- Network scan detection
- Ransomware behavior detection
Test Environment Requirements
Running all scenarios requires the following:
| Component | Requirement |
|---|---|
| Wazuh Manager | Version 4.14, running and accessible |
| Wazuh Agent (Linux) | Ubuntu 22.04+ or CentOS 8+ with agent installed |
| Wazuh Agent (Windows) | Windows Server 2019+ with agent installed (for Windows scenarios) |
| Wazuh Dashboard | Accessible for alert review |
| Network | Test hosts on an isolated network |
For more on Wazuh capabilities, see the Capabilities section. API information for test automation is available in the REST API Reference.