Summary

This scenario validates one simple Wazuh File Integrity Monitoring alert from beginning to end. The point is not to simulate a breach. The point is to show a clean, safe workflow for generating a change event, confirming that Wazuh sees it, and reviewing the alert with enough context to explain whether the activity is expected or suspicious.

Scenario Goal

The scenario answers one narrow question:

Can the lab detect and explain an unexpected file change on a monitored Windows path?

That is enough to prove that the Wazuh manager, the endpoint agent, and the analyst workflow are connected.

Lab Components

  • WAZUH-MGR-01 or equivalent Wazuh manager VM
  • W11-SOC-01 or equivalent Windows 11 endpoint
  • Wazuh agent on the Windows endpoint
  • a dedicated watched folder such as C:\Lab\Watched

Build Steps

1. Prepare a monitored folder

Create a folder on the Windows endpoint that is easy to test and safe to modify. A path such as C:\Lab\Watched is better than a sensitive system directory because it avoids noisy baseline changes and makes validation easier.

2. Confirm Wazuh File Integrity Monitoring scope

Check the agent's ossec.conf (in the agent install directory, C:\Program Files (x86)\ossec-agent on a default install) and verify that the watched folder appears in a <directories> entry inside the <syscheck> block. Give that entry realtime="yes": without it the agent only notices the change at its next scheduled scan, which by default runs every 43200 seconds (12 hours), so the validation looks like it failed. If the path is missing, add it and restart the agent service, because the agent reads ossec.conf only at startup; the manager then receives the correct telemetry. On a manager that uses agent groups, the same entry can instead be pushed centrally through the group's agent.conf.

3. Generate a safe change

Create or modify one test file inside the watched folder. For example:

New-Item -ItemType Directory -Force C:\Lab\Watched
Set-Content -Path C:\Lab\Watched\test-note.txt -Value "initial content"   # new file: FIM should report "added"
Add-Content -Path C:\Lab\Watched\test-note.txt -Value "second line"       # existing file: FIM should report "modified"

This produces two simple, explainable change events (one added, one modified) without pretending they are malware. Record the UTC time of each action and the file's SHA-256 hash afterwards; both are what you will match against the alert.
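Steps 1 to 3 as one script, written for this page as an added example (it is not code from the original page or from the Wazuh project). It assumes the default Wazuh 4.x agent install path and service name on Windows, which you should confirm on your own host, and it writes its evidence record outside the watched folder so that the evidence itself does not generate FIM events. Run it from an elevated PowerShell session, since ossec.conf lives under Program Files.

```powershell
# Added end-to-end lab script (not from the original page or from the Wazuh project).
# Run in an elevated PowerShell session on the Windows endpoint.
# Assumptions to verify on your own host: the Wazuh 4.x agent install path and service
# name below, and that the manager keeps <alert_new_files>yes</alert_new_files> (the
# default manager config does) so the "added" event raises an alert, not only "modified".
$Watched     = 'C:\Lab\Watched'
$EvidenceDir = 'C:\Lab\Evidence'          # sibling of the watched folder, not inside it
$OssecConf   = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$AgentSvc    = 'WazuhSvc'

# Step 1: a dedicated, low-noise folder, plus a place for evidence that FIM does not watch
New-Item -ItemType Directory -Force -Path $Watched, $EvidenceDir | Out-Null

# Step 2: make sure the folder is in <syscheck> scope. realtime="yes" matters: without it
# the change is only picked up by the scheduled scan (default <frequency> is 43200 s).
# This is a plain text check of ossec.conf; it does not parse the XML.
$conf = Get-Content -Path $OssecConf -Raw
if ($conf -match [regex]::Escape($Watched)) {
    Write-Host "FIM scope already mentions $Watched"
}
else {
    if ($conf -notmatch '</syscheck>') { throw "No <syscheck> block found in $OssecConf" }
    $entry = "    <directories realtime=""yes"" check_all=""yes"" report_changes=""yes"">$Watched</directories>`r`n  </syscheck>"
    Copy-Item -Path $OssecConf -Destination "$OssecConf.bak"                        # keep the working config
    [System.IO.File]::WriteAllText($OssecConf, $conf.Replace('</syscheck>', $entry))  # UTF-8 without BOM
    Restart-Service -Name $AgentSvc                                                   # agent reads ossec.conf only at start
    Start-Sleep -Seconds 15                                                           # let it reconnect and arm the realtime watch
}

# Pre-flight for the usual failure points: agent service running, clock actually synced
Write-Host ("Agent service: {0}" -f (Get-Service -Name $AgentSvc).Status)
w32tm /query /status | Select-String 'Source|Last Successful Sync'

# Step 3: one explainable change, with the UTC timestamps and hashes the analyst will match
$TestFile = Join-Path -Path $Watched -ChildPath 'test-note.txt'
$evidence = [ordered]@{ Host = $env:COMPUTERNAME; Watched = $Watched; File = $TestFile; Events = @() }

Set-Content -Path $TestFile -Value 'initial content'                # expected FIM event: added
$evidence.Events += [ordered]@{ Expected = 'added';    Utc = (Get-Date).ToUniversalTime().ToString('o'); Sha256 = (Get-FileHash -Path $TestFile -Algorithm SHA256).Hash }
Start-Sleep -Seconds 5                                              # keep the two events distinguishable in the alert list
Add-Content -Path $TestFile -Value 'second line'                    # expected FIM event: modified
$evidence.Events += [ordered]@{ Expected = 'modified'; Utc = (Get-Date).ToUniversalTime().ToString('o'); Sha256 = (Get-FileHash -Path $TestFile -Algorithm SHA256).Hash }

# Evidence note for step 5: what was done, when, and what the file hashed to afterwards
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path -Path $EvidenceDir -ChildPath 'fim-validation.json')
$evidence.Events | ForEach-Object { [pscustomobject]$_ } | Format-Table -AutoSize
```

The SHA-256 recorded after each action should equal the sha256_after value in the corresponding alert; if it does not, you are looking at a different change than the one you made.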

4. Review the alert in Wazuh

In the Wazuh dashboard, open the Integrity monitoring module for the agent, or filter Security events on rule.groups: syscheck and the agent name, and find the alert that matches the change. With the default ruleset a new file surfaces as rule 554 (File added to the system) and the appended line as rule 550 (Integrity checksum changed). Confirm at minimum:

  • host name (agent name and ID)
  • watched path
  • file name
  • timestamp, compared with the time you recorded on the endpoint
  • event type such as added, modified, or deleted
  • rule ID and level
  • checksum after the change, compared with the hash you recorded on the endpoint

5. Record a short analyst verdict

Document whether the change was:

  • expected administrative testing
  • legitimate but unplanned user activity
  • suspicious enough to justify follow-up

For this lab, the correct verdict should normally be “expected administrative validation activity.”
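Steps 4 and 5 reduced to a repeatable check, as an added example (not code from the original page or from the Wazuh project): it reads alert lines in the one-JSON-object-per-line shape of the manager's alerts.json, pulls out the fields listed in step 4, and applies the step 5 verdict rule. The four alert lines are constructed for the example; copy real lines from the manager to use it for real. The test window and expected file name are assumptions that you replace with what you recorded during step 3.

```powershell
# Added triage helper (not from the original page or from the Wazuh project).
# Field names follow the Wazuh alert JSON: timestamp, agent.name, rule.id, rule.groups,
# syscheck.path, syscheck.event, syscheck.sha256_after.
$LabWatched    = 'C:\Lab\Watched'
$ExpectedFiles = @('test-note.txt')   # files the documented test created (assumption)
$TestStart     = [DateTimeOffset]::Parse('2024-05-01T10:00:00+00:00', [cultureinfo]::InvariantCulture)  # from the step 3 evidence note
$TestEnd       = [DateTimeOffset]::Parse('2024-05-01T10:15:00+00:00', [cultureinfo]::InvariantCulture)

# Constructed sample lines mirroring alerts.json (hashes are placeholders)
$SampleAlerts = @'
{"timestamp":"2024-05-01T10:02:40.118+0000","rule":{"level":5,"description":"File added to the system.","id":"554","groups":["ossec","syscheck","syscheck_entry_added"]},"agent":{"id":"001","name":"W11-SOC-01"},"syscheck":{"path":"C:\\Lab\\Watched\\test-note.txt","mode":"realtime","event":"added","sha256_after":"constructed-hash-1"}}
{"timestamp":"2024-05-01T10:03:12.401+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","groups":["ossec","syscheck","syscheck_entry_modified"]},"agent":{"id":"001","name":"W11-SOC-01"},"syscheck":{"path":"C:\\Lab\\Watched\\test-note.txt","mode":"realtime","event":"modified","sha256_after":"constructed-hash-2"}}
{"timestamp":"2024-05-01T11:47:05.930+0000","rule":{"level":5,"description":"File added to the system.","id":"554","groups":["ossec","syscheck","syscheck_entry_added"]},"agent":{"id":"001","name":"W11-SOC-01"},"syscheck":{"path":"C:\\Lab\\Watched\\invoice.exe","mode":"realtime","event":"added","sha256_after":"constructed-hash-3"}}
{"timestamp":"2024-05-01T10:03:30.009+0000","rule":{"level":3,"description":"Windows logon success.","id":"60106","groups":["windows","authentication_success"]},"agent":{"id":"001","name":"W11-SOC-01"},"data":{"win":{"system":{"eventID":"4624"}}}}
'@

function ConvertTo-FimRecord {
    # One alert line in, the step 4 checklist fields out; non-FIM alerts are dropped.
    param([Parameter(Mandatory)][string]$JsonLine)
    $a = $JsonLine | ConvertFrom-Json
    if ($a.rule.groups -notcontains 'syscheck') { return $null }
    # Wazuh writes offsets as +0000; insert the colon so DateTimeOffset parses it.
    $ts = [DateTimeOffset]::Parse(($a.timestamp -replace '([+-]\d{2})(\d{2})$', '$1:$2'), [cultureinfo]::InvariantCulture)
    [pscustomobject]@{
        Host      = $a.agent.name
        AgentId   = $a.agent.id
        Path      = $a.syscheck.path
        File      = Split-Path -Path $a.syscheck.path -Leaf
        Timestamp = $ts
        Event     = $a.syscheck.event
        Mode      = $a.syscheck.mode
        RuleId    = $a.rule.id
        Level     = $a.rule.level
        Sha256    = $a.syscheck.sha256_after
    }
}

function Get-FimVerdict {
    # Step 5 rule: only a change to a file the test created, inside the lab folder,
    # inside the recorded window, is "expected". Everything else needs an analyst.
    param($Record, [string]$LabFolder, [DateTimeOffset]$WindowStart, [DateTimeOffset]$WindowEnd, [string[]]$ExpectedFiles)
    $inScope    = $Record.Path -like "$LabFolder\*"
    $inWindow   = ($Record.Timestamp -ge $WindowStart) -and ($Record.Timestamp -le $WindowEnd)
    $isTestFile = $ExpectedFiles -contains $Record.File
    if ($inScope -and $inWindow -and $isTestFile) { return 'expected administrative validation activity' }
    if ($inScope) { return 'follow up: lab folder changed outside the recorded test' }
    return 'follow up: outside the lab folder, confirm with the file owner'
}

$records = $SampleAlerts -split "`r?`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { ConvertTo-FimRecord -JsonLine $_ } |
    Where-Object { $_ }

$records |
    ForEach-Object {
        $verdict = Get-FimVerdict -Record $_ -LabFolder $LabWatched -WindowStart $TestStart -WindowEnd $TestEnd -ExpectedFiles $ExpectedFiles
        $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    } |
    Format-Table Timestamp, Host, Event, RuleId, File, Verdict -AutoSize
```

On the sample input the two test-note.txt alerts come out as expected validation activity, invoice.exe is flagged for follow-up because it is a file the test never created and it appeared well after the window, and the logon alert is dropped as not a FIM event. The script cannot tell "legitimate but unplanned" from "suspicious"; that distinction stays with the analyst.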

What To Capture As Evidence

  • the folder path configured for monitoring
  • the test file before and after modification (content and SHA-256 hash)
  • the Wazuh alert list
  • the alert detail view
  • a short note explaining why the event was expected

What This Scenario Proves

This scenario proves that:

  • the endpoint agent is reporting correctly
  • file integrity monitoring is active on a defined path
  • an alert can be generated on demand
  • the operator can review the event with context instead of just taking a screenshot

That is enough to make the SIEM lab more credible.

Common Failure Points

  • the monitored path is not actually configured
  • the entry lacks realtime="yes", so the change only shows up at the next scheduled scan
  • the agent was not restarted after configuration changes
  • the agent is not connected to the manager (it shows as disconnected or never connected)
  • the manager is receiving events late because of service issues or clock skew between agent and manager, so the alert timestamp does not line up with the recorded change
  • the chosen folder is too noisy, making the signal hard to isolate

Follow-On Improvements

The next useful extensions would be:

  • testing delete events as well as create and modify
  • comparing expected admin activity with a less expected user action
  • enabling whodata="yes" on the watched folder so the alert carries the user and process that made the change
  • correlating the FIM alert with other endpoint telemetry such as Sysmon