Detection engineering getting started
Setting up a home lab is one of the most practical ways to understand how real-world attack behaviours look on endpoints and how those signals are captured by detection tools. Whether you’re new to detection engineering or building a new detection pipeline, having a flexible lab environment allows you to safely simulate, monitor, and iterate on detection rules.
This post kicks off the infrastructure setup for my [Detection Engineering](https://srijankafle.com.np/categories/detection-engineering/) blog series. Over time, I plan to explore different exploit behaviours, build detection use cases around them, and refine existing ones. This lab will evolve along with that process. For now, we’ll focus on what’s necessary to support the first few experiments—nothing more.
Disclaimer: This is not a complete SOC-in-a-box. The lab setup presented here is intentionally minimal and modular—components will be added or removed as needed throughout the series. None of the tools mentioned are sponsored; they are the result of personal testing and exploration in my own homelab.
Lab Overview: What We’re Setting Up
Our core logging and detection stack will consist of:
- Wazuh (running in Docker on a Linux host)
- A Windows Server endpoint (to simulate common enterprise workloads)
- A Linux (Ubuntu) server endpoint
- A Windows Workstation OS (Windows 11)
The primary focus here is post-installation configuration—not the base OS setup or Docker installation. We’ll walk through integrating agents, configuring telemetry (like Sysmon or Auditd), and validating that events are ingested correctly by our detection/visulization platform. Please refer to Wazuh’s latest docker deployment article for the Wazuh setup and generic Windows and Linux setup.