Lab

Home lab (built to break detections, not egos)

This is the environment used to test rules, generate logs, and validate playbooks. If a detection can’t survive messy reality, it doesn’t belong in a repo.

Compute
Proxmox host: HO-SR-01 • ~72 CPUs • ~2 TiB RAM
Virtualized • Snapshot driven • Evidence-first
Monitoring
Wazuh Manager + agented endpoints (Windows + Linux) feeding test data.
Wazuh • Sysmon-ready • Alert tuning
SIEM / Search
Splunk for SPL detections and investigation pivots.
SPL • ES-style pivots
Network
Private lab subnet (192.168.8.0/24). Isolated, reproducible, boring in a good way.
Isolated • Repeatable runs
What to screenshot for proof (redact anything sensitive)
  • Wazuh alert showing a custom rule firing (rule ID + level visible, no hostnames if you don’t want them public).
  • Splunk search results with the SPL query name + hit count.
  • One screenshot of the lab topology (VM list) with internal IPs only.

Drop images into assets/screenshots/ and link them on this page. Placeholders are included so you don’t forget.
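Before taking the Wazuh screenshot, it helps to pull the custom-rule hits out of alerts.json with hostnames already swapped for agent IDs. The script below is an added example, not part of this page or the Wazuh project; it assumes the default alerts.json layout (one JSON object per line with rule.id, rule.level and agent.name) and the Wazuh convention that local rule IDs start at 100000. The sample alert lines are constructed.

```python
"""Summarise custom Wazuh rule hits from alerts.json for a redacted proof screenshot.

Added example (not lab code). Assumes Wazuh's alerts.json: one JSON object per
line, rule.id / rule.level / agent.name fields, custom rule IDs >= 100000.
"""
import json

CUSTOM_RULE_MIN = 100000  # Wazuh reserves 100000+ for local (custom) rules

# Constructed sample alerts.json content, one alert per line; not real lab data.
SAMPLE_ALERTS = """
{"timestamp":"2024-01-01T10:00:00.000+0000","rule":{"id":"100100","level":10,"description":"Sysmon: suspicious process"},"agent":{"id":"001","name":"WIN-LAB-01"}}
{"timestamp":"2024-01-01T10:00:05.000+0000","rule":{"id":"5710","level":5,"description":"sshd: attempt to login using a non-existent user"},"agent":{"id":"002","name":"LNX-LAB-01"}}
{"timestamp":"2024-01-01T10:01:00.000+0000","rule":{"id":"100100","level":10,"description":"Sysmon: suspicious process"},"agent":{"id":"001","name":"WIN-LAB-01"}}
this line is not json and should be skipped
""".strip()


def summarize_custom_hits(alert_lines, redact_hosts=True):
    """Return {(rule_id, level, description): {"hits": n, "agents": set}} for custom rules only.

    Malformed lines are skipped (alerts.json can contain partial writes).
    With redact_hosts=True the agent name is replaced by its numeric agent ID.
    """
    summary = {}
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        rule = alert.get("rule", {})
        try:
            rule_id = int(rule.get("id", -1))
        except ValueError:
            continue
        if rule_id < CUSTOM_RULE_MIN:
            continue  # built-in rule, not what the proof screenshot is about
        agent = alert.get("agent", {})
        label = agent.get("id", "?") if redact_hosts else agent.get("name", "?")
        key = (rule_id, rule.get("level"), rule.get("description", ""))
        entry = summary.setdefault(key, {"hits": 0, "agents": set()})
        entry["hits"] += 1
        entry["agents"].add(label)
    return summary


if __name__ == "__main__":
    for (rid, level, desc), info in summarize_custom_hits(SAMPLE_ALERTS.splitlines()).items():
        print(f"rule {rid} level {level} hits={info['hits']} agents={sorted(info['agents'])}  {desc}")
```

Point it at /var/ossec/logs/alerts/alerts.json on the manager (or a copied slice of it) to get the rule ID, level and hit count without leaking hostnames.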

Screenshot: detection firing (placeholder)
Add a redacted screenshot to: assets/screenshots/detection_firing.png
Screenshot: Splunk pivot (placeholder)
Add a redacted screenshot to: assets/screenshots/splunk_pivot.png