You can build a functioning home-lab SOC in two days with zero license cost. Choose a free SIEM (Wazuh for the fastest win, or OpenSearch Security Analytics if you want more DIY control), install Sysmon on a Windows machine with a proven config, ship logs to the SIEM, and enable Sigma rules. Then validate with safe test actions and start learning real detection engineering.
What you’ll build (architecture at a glance)
You’ll stand up one SIEM VM and one Windows endpoint. If you want speed, install Wazuh in an all-in-one layout and enroll the Windows agent; you’ll see events quickly and you can add more nodes later. If you want a Sigma-native workflow, deploy OpenSearch with Security Analytics and ship Windows events through a lightweight shipper; you’ll import Sigma rules directly and create detectors in the UI. Either way, your Windows box runs Sysmon so you capture high-signal events like process creation and suspicious network connections. With that plumbing in place, your Sigma rules produce readable alerts you can tweak as you learn.
Why this stack suits hobbyists and students
You avoid license traps, you get a modern UI either way, and you build muscle memory that transfers to commercial SOC tools. Because Sysmon produces rich telemetry and Sigma expresses detections in a vendor-neutral format, your learning time compounds. You’ll practice triage on real process trees, parent-child relationships, command lines, and IP/domain pivots. You’ll also see how a change in your Sysmon config or a Sigma rule improves or floods your signal, a core skill for junior analysts and detection engineers.
Prereqs and a realistic weekend plan
Hardware stays modest: a single VM with 4–8 GB RAM and 2–4 vCPU runs the SIEM; one Windows 10/11 host generates events. Use Ubuntu for the SIEM VM because guides and packages stay current, then snapshot the VM so you can revert if you break something. On timing, reserve Day 1 for the SIEM install, agent enrollment, and Sysmon; Day 2 focuses on Sigma rules, detectors, dashboards, and tests. As you go, write down what worked, because your own notes beat any blog when you return to tune something months later.
Install the free SIEM (pick one path)
Option A: Wazuh all-in-one for fastest results
If you want a guided experience, Wazuh’s quickstart installer deploys the indexer, manager, and dashboard on one host. After the install completes, enroll your Windows endpoint with the deployment command the dashboard generates for you (it downloads the agent MSI and registers the agent against the manager), then watch the first Windows events arrive. Because Wazuh supports Windows event channels, you can collect Sysmon’s Operational channel cleanly and map its fields to rules. You can stay within Wazuh’s rules engine or pair it with a Sigma conversion workflow later. The payoff is speed: you’ll spend your time learning detections, not wrestling with pipelines.
Option B: OpenSearch Security Analytics for Sigma-native
If you prefer Sigma in the UI, run OpenSearch and Dashboards, then enable the Security Analytics plugin. You can import Sigma YAML rules directly, edit them in a rule editor, and attach detectors to your log sources. You’ll handle ingestion yourself, a small tax for the extra flexibility. Use a shipper like Winlogbeat (the OSS build at 7.12.1 or earlier, because later Beats releases check for Elasticsearch and refuse to write to OpenSearch) or route via Logstash/Data Prepper to normalize Windows events. The benefit is clear: you learn how detections map to fields and see exactly how a rule becomes a query in your chosen backend.
Add Sysmon on Windows (high-signal telemetry)
On the Windows machine, install Sysmon from the official Sysinternals page. Then choose a configuration that balances coverage and noise. The community-famous SwiftOnSecurity config gives you a strong baseline; modular forks such as Olaf Hartong’s sysmon-modular add granularity if you want to toggle features easily. Install Sysmon with your chosen XML from an elevated prompt, confirm events show up under “Microsoft-Windows-Sysmon/Operational,” and note the event IDs you’ll care about first: 1 (process creation), 3 (network connection), 7 (image loaded), 8 (CreateRemoteThread), 11 (file created), 12 (registry key created or deleted), 13 (registry value set), and 22 (DNS query). Because signal depends on config, keep two versions: one baseline for daily use and one verbose for short hunting sessions; Sysmon can swap the active configuration in place, so switching costs you nothing.
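As an added example (not from the article, Sysinternals, or any config project), here is the install-and-verify routine for the two-config approach, in PowerShell because this is typed on the Windows endpoint. It assumes Sysmon64.exe and the two XML files live in C:\Tools\Sysmon and that the prompt is elevated; those paths and file names are assumptions.

```powershell
# Added example (not from the original article): install Sysmon with a baseline config,
# keep a verbose config for short hunting sessions, and confirm events are flowing.
# Assumptions: Sysmon64.exe is unzipped to C:\Tools\Sysmon and the two XML files
# (your chosen baseline and a verbose variant) sit next to it. Run from an elevated prompt.
$SysmonDir = 'C:\Tools\Sysmon'
$Sysmon    = Join-Path $SysmonDir 'Sysmon64.exe'
$Baseline  = Join-Path $SysmonDir 'sysmonconfig-baseline.xml'
$Verbose   = Join-Path $SysmonDir 'sysmonconfig-verbose.xml'
$LogName   = 'Microsoft-Windows-Sysmon/Operational'

function Install-SysmonBaseline {
    # First install: -accepteula suppresses the EULA dialog, -i installs the driver and
    # service with the given configuration.
    & $Sysmon -accepteula -i $Baseline
}

function Switch-SysmonConfig {
    param([ValidateSet('baseline', 'verbose')][string]$Mode)
    # -c <file> replaces the active configuration in place; no reinstall or reboot needed.
    $cfg = if ($Mode -eq 'verbose') { $Verbose } else { $Baseline }
    & $Sysmon -c $cfg
}

function Get-SysmonEventSummary {
    param([int]$Minutes = 15)
    # Count Sysmon events per ID over the last N minutes. An empty result means the
    # service is not running or the XML filtered everything out.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddMinutes(-$Minutes) } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Install-SysmonBaseline
Get-Service Sysmon64 | Select-Object Status, StartType   # expect Running / Automatic
& $Sysmon -c                                             # dump the active config to see which events are enabled
Get-SysmonEventSummary -Minutes 15

# Before a hunting session:  Switch-SysmonConfig -Mode verbose
# Afterwards:                Switch-SysmonConfig -Mode baseline
```

Run the summary again after switching to the verbose config and compare the per-ID counts; that difference is exactly the extra volume you are asking the SIEM to absorb, and it is the number to keep in mind when you later wonder why the dashboard is flooded.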
Ship logs to your SIEM
For Wazuh, configure the Windows agent to read the Sysmon Operational channel using the eventchannel log format and restart the agent service. You’ll watch the dashboard populate with Windows events that Wazuh parses with built-in decoders; Sysmon’s EventData fields land under data.win.eventdata with a lower-cased first letter (image, parentImage, commandLine, destinationIp). For OpenSearch, point Winlogbeat to the same Sysmon channel and send output to OpenSearch (or Logstash/Data Prepper, then OpenSearch). Confirm that your index receives the fields you expect: process.name, process.parent.name, process.command_line, and destination.ip if you enabled Winlogbeat’s Sysmon processor, or the raw winlog.event_data.Image style names if you did not. If dashboards don’t parse as expected, check your shipper’s version compatibility and then review your pipeline mapping.
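As an added config fragment (not from the article or the Wazuh documentation), this is the agent-side ossec.conf piece that collects the Sysmon channel on the Wazuh path. The commented XPath filter is an assumed tuning knob for when the verbose config floods the manager.

```xml
<!-- Added example (not from the original article): append this block to the Windows
     agent's ossec.conf (default C:\Program Files (x86)\ossec-agent\ossec.conf).
     ossec.conf accepts multiple <ossec_config> sections, so it can stand on its own. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    <!-- Optional XPath query to drop an event class at the agent instead of at the manager.
         Assumed example: suppress Event ID 7 (image loads) while the verbose config is active.
    <query>Event/System[EventID!=7]</query>
    -->
  </localfile>
</ossec_config>
```

Restart the agent service after saving, then search the dashboard for data.win.system.providerName: Microsoft-Windows-Sysmon; if events appear there but carry no data.win.eventdata.image, the channel is flowing and the problem is on the decoder side, not the agent.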
Add Sigma detections
Sigma rules describe suspicious behavior in a portable format, which means you can reuse knowledge across tools. Start with the SigmaHQ repository to grab a handful of Windows rules that match your Sysmon fields; rules in the process_creation category use the Sysmon Event ID 1 names (Image, ParentImage, CommandLine), so they need only that event enabled and a shipper that preserves or maps those names. If you chose OpenSearch Security Analytics, import rules in YAML form, set severity and tags, and create detectors tied to your indices. If you chose Wazuh, convert Sigma to Wazuh’s XML rule format with a community converter, or translate the first few by hand, then test and iterate. Because Sigma logic may reference fields you don’t collect, compare each rule to your Sysmon config and adjust either the rule or the config so they align. Once alerts appear, read them carefully and click into the raw events; the habit of reconciling rule, event, and final alert makes you a better analyst fast.
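As an added example (not from the article or the SigmaHQ repository), here is a Sigma rule for the Office-spawns-a-script-host chain, written against the Sysmon Event ID 1 field names so it can be imported into Security Analytics as-is or hand-translated into a Wazuh rule. The id is a UUID generated for this example, and the parent and child image lists are a starting point, not an authoritative set.

```yaml
# Added example (not from the original article or SigmaHQ): a process_creation rule that
# maps one-to-one onto Sysmon Event ID 1 EventData names (ParentImage, Image, CommandLine).
title: Office Application Spawning Script Host or LOLBin
id: 3f1c6c2a-8d4e-4b7a-9e21-5a0d7c1b9f42   # placeholder UUID generated for this example
status: experimental
description: >
  Detects Word, Excel, PowerPoint or Outlook starting a script interpreter or a
  living-off-the-land binary, the usual execution chain after a malicious macro or attachment.
references:
  - https://attack.mitre.org/techniques/T1204/002/
logsource:
  category: process_creation   # Sysmon Event ID 1 on this lab's endpoint
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
      - '\OUTLOOK.EXE'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Add-ins or document automation that legitimately launch scripts
level: high
tags:
  - attack.execution
  - attack.t1204.002
```

When a legitimate add-in trips this, add a named filter selection (for example filter_addin with a CommandLine|contains on the add-in's path) and change the condition to selection_parent and selection_child and not filter_addin; keeping exclusions as separate selections is what makes the rule still readable six months later.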
Prove it works (safe weekend tests)
You do not need malware to see value. Open PowerShell and run a benign command that still looks like admin behavior, such as downloading a harmless file with Invoke-WebRequest. Create and delete a scheduled task. Start a process from an unusual directory. Make a short outbound connection to a test server you control. Each action should generate Sysmon events and, if your Sigma rules match, an alert. If you see nothing, check your Sysmon config, your shipper’s event filter, and your rule query. Small tweaks, then re-run the test. The cycle of adjust-test-observe is the essence of detection engineering.
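As an added example (not from the article), the PowerShell below performs the four safe test actions and then checks the local Sysmon log for the events they should have produced, so you can tell a Sysmon-config problem apart from a shipper or rule problem before touching the SIEM. It assumes Sysmon is installed with a config that enables Event IDs 1 and 3, that it runs from an elevated prompt, and that the host name in $TestHost is a web server you control in the lab; the host name and the file it serves are assumptions.

```powershell
# Added example (not from the original article): generate the safe test actions and then
# confirm Sysmon recorded them. Assumptions: Sysmon config enables Event IDs 1 and 3, elevated
# prompt, and $TestHost is a lab web server you control (replace with your own).
$TestHost = 'lab-web.home.arpa'   # assumed lab host
$LogName  = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonData {
    # Flatten one Sysmon event's EventData (Image, CommandLine, DestinationIp, ...) into an object.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    [pscustomobject]$h
}

function Invoke-LabTestActions {
    $start = Get-Date
    # 1. Admin-looking download: Sysmon 3 from powershell.exe (plus 11 if FileCreate is enabled).
    Invoke-WebRequest -Uri "http://$TestHost/hello.txt" -OutFile "$env:TEMP\hello.txt" -UseBasicParsing -ErrorAction SilentlyContinue
    # 2. Scheduled task create + delete via schtasks.exe so the full command line lands in Sysmon 1.
    schtasks.exe /Create /TN 'HomeLabTest' /TR 'cmd.exe /c echo test' /SC ONCE /ST 23:59 /F | Out-Null
    schtasks.exe /Delete /TN 'HomeLabTest' /F | Out-Null
    # 3. Process launched from an unusual directory: a harmless system binary copied into %TEMP%.
    Copy-Item "$env:SystemRoot\System32\ping.exe" "$env:TEMP\ping.exe" -Force
    & "$env:TEMP\ping.exe" -n 1 127.0.0.1 | Out-Null
    Remove-Item "$env:TEMP\ping.exe", "$env:TEMP\hello.txt" -ErrorAction SilentlyContinue
    # 4. Short outbound connection to the lab host: Sysmon 3 from this PowerShell process.
    Test-NetConnection -ComputerName $TestHost -Port 80 -InformationLevel Quiet | Out-Null
    $start
}

function Confirm-LabTestEvents {
    param([datetime]$Since)
    Start-Sleep -Seconds 30   # Sysmon writes network events with a delay; give it time to flush
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction SilentlyContinue |
              ForEach-Object { Get-SysmonData $_ }
    [pscustomobject]@{
        SchtasksCreate  = @($events | Where-Object { $_.Id -eq 1 -and $_.CommandLine -match 'schtasks.*HomeLabTest' }).Count
        ProcessFromTemp = @($events | Where-Object { $_.Id -eq 1 -and $_.Image -like '*\Temp\ping.exe' }).Count
        PowerShellNet   = @($events | Where-Object { $_.Id -eq 3 -and $_.Image -match '\\(powershell|pwsh)\.exe$' }).Count
    }
}

$since = Invoke-LabTestActions
Confirm-LabTestEvents -Since $since
# Every counter should be greater than zero. A zero points at the Sysmon XML (event type not
# enabled, or the path excluded by a filter); only once all three are non-zero is a missing
# SIEM alert a shipper or rule problem.
```

Keep the output of each run next to the alert list from the SIEM: the pair of numbers (events on the endpoint, alerts in the SIEM) is the shortest possible description of where a detection breaks.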
Dashboards and hunting queries you’ll actually use
Start with a process creation view filtered by parent-child pairs. You’ll spot Office spawning PowerShell, WScript, or regsvr32 when it shouldn’t. Build a network panel that groups connections by process so you can see which executables talk to the internet, and a DNS panel (Event ID 22) that does the same for queried domains. Add a lens for executables launched from user-writable paths such as %TEMP% and %APPDATA% (Event ID 1) and for unsigned images loaded into trusted processes (the Signed and Signature fields of Event ID 7; Event ID 1 carries hashes but no signature status). Sysmon does not record listening sockets, so leave port-based views to netstat or Windows Filtering Platform auditing. Because these visuals ride on clean Sysmon fields, you’ll level up quickly. As you grow comfortable, pivot to rare events: a legitimate tool used in an odd way beats any signature in isolation.
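As an added example (not from the article), these are the same three views built straight from the local Sysmon log in PowerShell, useful on Day 2 while the SIEM dashboards are still empty and as a cross-check when a dashboard number looks wrong. It assumes Event IDs 1, 3 and 22 are enabled in the active Sysmon config; the path regex used to flag user-writable locations is an assumption to tune.

```powershell
# Added example (not from the original article): hunting views from the local Sysmon log.
# Assumes the active Sysmon config enables Event IDs 1 (process create), 3 (network) and 22 (DNS).
$LogName = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonRecords {
    # Pull one event ID for the last N hours and flatten EventData into objects.
    param([int]$Id, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
            [pscustomobject]$h
        }
}

function Get-ParentChildPairs {
    # Process-creation view grouped by parent -> child. Common pairs sort to the top;
    # the rare ones at the bottom are where hunting starts.
    param([int]$Hours = 24)
    Get-SysmonRecords -Id 1 -Hours $Hours |
        Group-Object { '{0} -> {1}' -f [System.IO.Path]::GetFileName($_.ParentImage), [System.IO.Path]::GetFileName($_.Image) } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-NetworkByProcess {
    # Network panel: which executables talk out, how often, to how many distinct destinations,
    # and whether the binary lives in a user-writable location (assumed path regex; tune it).
    param([int]$Hours = 24)
    Get-SysmonRecords -Id 3 -Hours $Hours |
        Group-Object Image |
        ForEach-Object {
            [pscustomobject]@{
                Image        = $_.Name
                Connections  = $_.Count
                Destinations = @($_.Group.DestinationIp | Sort-Object -Unique).Count
                UserWritable = [bool]($_.Name -match '\\Temp\\|\\AppData\\Local\\|\\Downloads\\')
            }
        } |
        Sort-Object Connections -Descending
}

function Get-DnsByProcess {
    # DNS panel: queries grouped by (process, domain); sort ascending so rare pairs surface first.
    param([int]$Hours = 24, [int]$Top = 25)
    Get-SysmonRecords -Id 22 -Hours $Hours |
        Group-Object Image, QueryName |
        Sort-Object Count |
        Select-Object Count, Name -First $Top
}

Get-ParentChildPairs  | Select-Object -Last 20    # rarest parent -> child pairs
Get-NetworkByProcess  | Select-Object -First 20   # chattiest processes, with the user-writable flag
Get-DnsByProcess                                  # rarest (process, domain) pairs
```

Once the SIEM dashboards exist, rebuild each of these as a saved visualization with the same grouping; if the SIEM's top-20 disagrees with the local result for the same window, the shipper is dropping or renaming something and that is worth chasing before writing more rules.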
Troubleshooting without derailing the weekend
If no Sysmon events arrive, verify the Operational channel and ensure your Sysmon XML actually enables the events you expect. If OpenSearch ingestion fails, check version compatibility between shipper and backend (Winlogbeat OSS 7.12.1 is the last release that writes to OpenSearch; newer Beats check for Elasticsearch and refuse), then try routing through Logstash with the OpenSearch output plugin. Since Wazuh has no Sigma importer, convert rules first, simplify overly nested conditions, or use an external runner that translates Sigma logic into queries your stack understands. Finally, when something still feels off, snapshot and roll back; a home lab thrives on fearless iteration.
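As an added config fragment (not from the article or the Winlogbeat documentation), this is a minimal winlogbeat.yml for the OpenSearch path that avoids the two most common ingestion failures: the Beats product check and the Elastic template/ILM setup that a non-Elasticsearch backend cannot serve. The host name, the ingest user, and the use of a self-signed certificate are assumptions for a lab.

```yaml
# Added example (not from the original article): winlogbeat.yml for shipping the Sysmon channel
# to OpenSearch. Assumptions: Winlogbeat OSS 7.12.1 (the last Beats release without Elastic's
# product check), OpenSearch at https://siem.home.arpa:9200 with its self-signed certificate,
# and a dedicated ingest user named 'winlogbeat'.
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
    # The bundled Sysmon script processor renames EventData to ECS names
    # (process.name, process.parent.name, process.command_line, destination.ip).
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

# Beats of this era only know an "elasticsearch" output; OpenSearch speaks the same API.
output.elasticsearch:
  hosts: ["https://siem.home.arpa:9200"]
  username: "winlogbeat"
  password: "${WINLOGBEAT_PASSWORD}"   # stored with: winlogbeat keystore add WINLOGBEAT_PASSWORD
  ssl.verification_mode: none          # lab only; switch to ssl.certificate_authorities once the CA is stable

# Without these, Winlogbeat tries to load Elastic index templates and ILM policies on startup
# and fails against OpenSearch.
setup.ilm.enabled: false
setup.template.enabled: false
```

After starting the service, run winlogbeat test output from the install directory; a successful handshake there but no documents in OpenSearch usually means the channel name is wrong or the Sysmon XML filtered everything, which the endpoint-side checks earlier in this guide will confirm.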
Governance for learners: keep it free, keep it fun
Use the prebuilt Wazuh OVA or OpenSearch’s official docker-compose bundle when possible to avoid yak-shaving. Save your Sysmon configs and Sigma rule sets in a small Git repo so you can revert changes. Document exactly which test actions trigger which alerts, because repeatable practice beats random tinkering. If you want to share screenshots or blog the build, redact hostnames and public IPs, then focus your write-up on the “why” behind each choice; that’s what hiring managers and mentors appreciate.
You can build a credible home-lab SOC in a single weekend for zero license cost. Choose Wazuh if you want fast results or OpenSearch Security Analytics if you want Sigma-native control. Install Sysmon with a solid config, ship the Sysmon Operational channel to your SIEM, and import or convert Sigma rules. Validate with safe tests and learn to tune signals without breaking usability. Because your skills compound, this small lab pays you back every time you investigate faster or explain an alert with confidence.
FAQs
Is Wazuh a SIEM or a HIDS and does it matter for a home lab?
Wazuh behaves like a SIEM for this project because it collects logs, parses them, and visualizes detections with rules, even though the project began as a HIDS. In a weekend, that distinction doesn’t limit you; you still ingest Sysmon, create rules, and triage alerts effectively.
Can I run Sigma rules “natively” on Wazuh?
Not directly in YAML. Convert Sigma to Wazuh’s rule/query format or pair Wazuh with a Sigma runner that outputs compatible queries. Expect to simplify complex logical blocks so they evaluate cleanly on your fields.
What’s the simplest path to Sigma alerts?
OpenSearch Security Analytics. You import Sigma YAML and attach detectors in the UI. That path teaches you how rules become queries without extra tooling.
Do I need Winlogbeat if I use Wazuh?
No. Wazuh’s Windows agent reads the Sysmon Operational channel directly. Winlogbeat fits the OpenSearch/DIY path instead, where you manage ingestion yourself.
How much RAM/CPU do I need for a weekend build?
Allocate 4–8 GB RAM and 2–4 vCPU to the SIEM VM and use one Windows 10/11 host. That footprint keeps things smooth while leaving headroom for detectors and dashboards.
What safe tests can I run without malware?
Create a scheduled task, fetch a harmless file via PowerShell, start a process from an unusual folder, or make a short outbound connection to a test host. Each action should produce Sysmon events that your rules can match.