Overview
After deployment, most developers have no visibility into the attacks reaching their servers. The attacks happen on live systems regardless, but without a way to collect, analyze, and assess the evidence, the type and nature of these threats stay unknown.
This project deploys Wazuh as a full SIEM on a production VPS, extends it with a custom decoder for application-level security events, builds detection rules mapped to MITRE ATT&CK techniques, and connects the monitoring to the authentication system so that both infrastructure-level and application-level threats are visible in a single dashboard.
Custom Application Integration
The authentication system writes every security-relevant event as structured JSON to a log file. A custom Wazuh decoder parses this format, extracting fields including the event type, user ID, source IP address, and timestamp, making them available to the detection rule engine.
Custom Detection Rules
Eight custom detection rules are defined, numbered 110001 through 110008.
- 110001 — LOGIN_FAILURE → MITRE T1110 (Brute Force)
- 110002 — Repeated failures from the same IP → active brute force
- 110003 — ACCOUNT_LOCKED at severity 10 → MITRE T1110.001 (Password Guessing)
- 110004 — PASSWORD_RESET events
- 110005 — Unusual TOKEN_REFRESH patterns
- 110006 — ADMIN_ACTION audit trail
- 110007 — LOGIN_SUCCESS after repeated failures
- 110008 — Unusual registration patterns
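The following is an added example, not the project's own decoder or ruleset and not Wazuh code. It models the decoder described under Custom Application Integration and the correlation behind rules 110001, 110002, 110003, 110004, 110006 and 110007 in plain Python, run over a constructed sample log. The JSON field names (`event`, `user_id`, `src_ip`, `ts`), the failure threshold of five, the 120-second window, and every alert level and MITRE ID other than those the page states are assumptions. Rules 110005 and 110008 are left out because the page does not say what "unusual" means for them.

```python
"""Added example (not the project's or Wazuh's own code): a Python model of the
AUTH_AUDIT decoder and of rules 110001/110002/110003/110004/110006/110007 run over
constructed log lines. It shows the correlation semantics that Wazuh rules express
with frequency=/timeframe=, <same_source_ip/> and <if_matched_sid>."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Correlation parameters are assumptions; the page gives neither threshold nor window.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=120)

# Rule IDs and event names are from the page. Level 10 for 110003 and the MITRE IDs
# for 110001/110003 are from the page; every other level and technique ID is assumed.
RULES = {
    110001: ("LOGIN_FAILURE", 5, "T1110"),
    110002: ("repeated LOGIN_FAILURE from one src_ip", 10, "T1110"),
    110003: ("ACCOUNT_LOCKED", 10, "T1110.001"),
    110004: ("PASSWORD_RESET", 4, None),
    110006: ("ADMIN_ACTION", 3, None),
    110007: ("LOGIN_SUCCESS after repeated failures", 12, "T1110"),
}
SIMPLE_EVENT_RULES = {"ACCOUNT_LOCKED": 110003, "PASSWORD_RESET": 110004, "ADMIN_ACTION": 110006}


def decode(line):
    """Model of the custom decoder: one AUTH_AUDIT JSON object per line.
    Field names (event, user_id, src_ip, ts) are assumed. Returns None for lines
    that are not well-formed audit events, which Wazuh would leave undecoded."""
    try:
        obj = json.loads(line)
        return {
            "event": obj["event"],
            "user_id": obj.get("user_id"),
            "src_ip": obj["src_ip"],
            "ts": datetime.fromisoformat(obj["ts"]),
        }
    except (json.JSONDecodeError, KeyError, TypeError, ValueError):
        return None


class AuthRuleEngine:
    """Stateful correlation: a per-source-IP sliding window of LOGIN_FAILURE times."""

    def __init__(self):
        self._failures = defaultdict(deque)  # src_ip -> failure timestamps within WINDOW

    def evaluate(self, ev):
        """Return [(rule_id, level, mitre_id), ...] fired by one decoded event."""
        recent = self._failures[ev["src_ip"]]
        while recent and ev["ts"] - recent[0] > WINDOW:  # drop failures outside the window
            recent.popleft()
        fired = []
        if ev["event"] == "LOGIN_FAILURE":
            recent.append(ev["ts"])
            fired.append(110001)
            if len(recent) >= FAIL_THRESHOLD:  # models frequency= plus <same_source_ip/>
                fired.append(110002)
        elif ev["event"] == "LOGIN_SUCCESS":
            # 110007 models <if_matched_sid>110002</if_matched_sid>: a success from an IP
            # that was just brute-forcing is the signal that a guess worked. A success
            # from a quiet IP fires nothing; either way the success resets the counter.
            if len(recent) >= FAIL_THRESHOLD:
                fired.append(110007)
            recent.clear()
        elif ev["event"] in SIMPLE_EVENT_RULES:
            fired.append(SIMPLE_EVENT_RULES[ev["event"]])
        return [(rid, RULES[rid][1], RULES[rid][2]) for rid in fired]


def run(lines):
    """Decode raw lines and return the alerts as (rule_id, src_ip, user_id) tuples."""
    engine = AuthRuleEngine()
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is not None:
            alerts.extend((rid, ev["src_ip"], ev["user_id"]) for rid, _, _ in engine.evaluate(ev))
    return alerts


def _audit(event, user, ip, ts):
    return json.dumps({"event": event, "user_id": user, "src_ip": ip, "ts": ts})


# Constructed sample log, not real server data: one IP fails five times in 20 s,
# the account locks, then the same IP logs in; an unrelated IP logs in cleanly;
# an sshd line the AUTH_AUDIT decoder must ignore; a lone failure from elsewhere.
SAMPLE_LOG = [
    _audit("LOGIN_FAILURE", "alice", "203.0.113.7", f"2024-05-01T10:00:{s:02d}+00:00")
    for s in (0, 5, 10, 15, 20)
] + [
    _audit("ACCOUNT_LOCKED", "alice", "203.0.113.7", "2024-05-01T10:00:21+00:00"),
    _audit("LOGIN_SUCCESS", "alice", "203.0.113.7", "2024-05-01T10:00:30+00:00"),
    _audit("LOGIN_SUCCESS", "bob", "198.51.100.9", "2024-05-01T10:00:31+00:00"),
    "May  1 10:00:32 vps sshd[911]: Connection closed by 192.0.2.44 port 51234",
    _audit("LOGIN_FAILURE", "carol", "198.51.100.9", "2024-05-01T10:05:00+00:00"),
]

if __name__ == "__main__":
    for rid, ip, user in run(SAMPLE_LOG):
        print(f"rule {rid} level {RULES[rid][1]} mitre {RULES[rid][2]} src_ip={ip} user={user}")
```

In Wazuh the same decoder is a `<decoder>` that hands the line to the `JSON_Decoder` plugin, and the rules are XML using `frequency`, `timeframe`, `<same_source_ip/>` and `<if_matched_sid>`. Wazuh's own counting for frequency rules is not identical to this sliding window, so validate the real ruleset with `wazuh-logtest` against captured events before trusting a threshold, and watch the clean LOGIN_SUCCESS from the quiet IP: it must produce no alert, otherwise 110007 is just a noisier copy of every login.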
Real-World Results
Within hours of the server going live, Wazuh recorded thousands of automated connection attempts. SSH attempts hit the closed port and received no response; HTTP probes received standard responses. Both categories appear in the dashboard with MITRE ATT&CK classifications, so the noise reaching the host is visible alongside application-level events from the authentication system.
Detection Stack
| Component | Detail |
|---|---|
| Platform | Wazuh 4.7.5 all-in-one |
| Custom decoder | AUTH_AUDIT JSON event parser |
| Custom rules | 110001 — 110008 |
| MITRE ATT&CK | T1110, T1110.001 and others |
| Log sources | OS auth logs + application audit log |
| Dashboard access | Netbird private network only |