Suspicious File Change Detection and Response on Windows using Wazuh
Detect unauthorized or suspicious file modifications in critical directories using Wazuh’s FIM (File Integrity Monitoring) module and automatically isolate or remediate affected endpoints
Overview
This lab focuses on detecting and responding to suspicious file changes using Wazuh's File Integrity Monitoring (FIM) capability. You'll simulate file tampering in a monitored directory and observe how Wazuh detects these changes in real time, generates alerts, and triggers automated responses.
The use case emphasizes how security analysts can leverage FIM alerts, Wazuh decoders, and correlation rules to differentiate between authorized and unauthorized changes, which forms the foundation of host-based intrusion detection.
When a suspicious modification or deletion is detected, Wazuh Active Response executes a pre-defined remediation action, such as quarantining the file, isolating the endpoint, or reverting the change, to ensure rapid containment.
Configure FIM to monitor a chosen folder on the Windows machine.
Observe detection in the Wazuh Dashboard (Integrity Monitoring module) and correlate with agent logs.
Collect and analyze artifacts: ossec.log, alerts.json, and local file hashes before and after modification.
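One way to triage the FIM records collected from alerts.json, as an added example that is not part of the lab or of Wazuh itself: it parses constructed syscheck alert lines in the alerts.json shape, extracts the path, event type and SHA-256 hashes before and after the change, and labels each event authorized or suspicious against an assumed change window and approved-process list (the `audit` block with the process name is only present when whodata mode is enabled on the agent).

```python
"""Triage Wazuh FIM (syscheck) events from alerts.json.
Added example for this lab, not Wazuh's or the trainer's code. It parses the
JSON-lines format the manager writes to /var/ossec/logs/alerts/alerts.json and
labels each FIM event authorized or suspicious. The change window, approved
process list and alert lines are constructed assumptions for the demo."""
import json
from datetime import datetime
CHANGE_WINDOW = (9, 18)  # assumed: file changes expected 09:00-18:00 UTC only
APPROVED_PROCESSES = {r"C:\Windows\System32\msiexec.exe"}  # assumed deploy tool
# Constructed alerts.json lines: rule 554 = added, 550 = checksum changed,
# 553 = deleted. The last line is not an FIM event and must be skipped.
SAMPLE_ALERTS = r"""
{"timestamp":"2024-05-01T10:05:00.000+0000","rule":{"id":"554"},"agent":{"name":"WIN11-LAB"},"syscheck":{"path":"C:\\Monitored\\app.dll","event":"added","sha256_after":"a1","audit":{"user":{"name":"deploy"},"process":{"name":"C:\\Windows\\System32\\msiexec.exe"}}}}
{"timestamp":"2024-05-01T10:07:00.000+0000","rule":{"id":"550"},"agent":{"name":"WIN11-LAB"},"syscheck":{"path":"C:\\Monitored\\config.ini","event":"modified","sha256_before":"b2","sha256_after":"c3","audit":{"user":{"name":"alice"},"process":{"name":"C:\\Windows\\System32\\notepad.exe"}}}}
{"timestamp":"2024-05-01T23:40:00.000+0000","rule":{"id":"553"},"agent":{"name":"WIN11-LAB"},"syscheck":{"path":"C:\\Monitored\\audit.log","event":"deleted","sha256_before":"d4"}}
{"timestamp":"2024-05-01T10:08:00.000+0000","rule":{"id":"5402"},"agent":{"name":"UBUNTU-LAB"},"data":{"command":"/bin/bash"}}
"""

def parse_fim_alerts(text):
    """Flatten each syscheck alert; the audit block exists only with whodata."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        alert = json.loads(line)
        sc = alert.get("syscheck")
        if not sc:
            continue  # not an FIM alert (e.g. an authentication rule)
        records.append({
            "time": datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "path": sc["path"],
            "event": sc["event"],
            "before": sc.get("sha256_before"),  # absent for added files
            "after": sc.get("sha256_after"),    # absent for deleted files
            "process": sc.get("audit", {}).get("process", {}).get("name"),
        })
    return records

def classify(rec):
    """Deletions, out-of-window edits and unapproved processes are escalated."""
    reasons = []
    if rec["event"] == "deleted":
        reasons.append("monitored file deleted")
    if not CHANGE_WINDOW[0] <= rec["time"].hour < CHANGE_WINDOW[1]:
        reasons.append("outside change window")
    if rec["process"] not in APPROVED_PROCESSES:
        reasons.append(f"unapproved process: {rec['process']}")
    return ("suspicious", reasons) if reasons else ("authorized", [])

def triage(text=SAMPLE_ALERTS):
    return [(r["path"], r["event"], *classify(r)) for r in parse_fim_alerts(text)]
```

Run against the real file with `triage(open("/var/ossec/logs/alerts/alerts.json").read())` on the manager; the `before`/`after` hashes in each record are the values to compare with the hashes you captured locally on the endpoint.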
What You'll Learn
- Configure File Integrity Monitoring (FIM): Learn to enable and tune Wazuh's FIM module to monitor specific directories, file types, and permissions for critical system paths.
- Simulate File Modification Events: Safely simulate unauthorized file changes, deletions, or creations to generate real FIM alerts and understand how Wazuh detects tampering.
- Correlate and Investigate Alerts: Use the Wazuh Dashboard to analyze integrity change events, compare file hashes, view diffs, and identify potential compromises.
Prerequisites
- Wazuh Server: Ubuntu 24.04 with Wazuh Manager, Indexer and Dashboard.
- Monitored Host: Windows 11 or Windows Server with the Wazuh Agent installed and connected to the Manager.
About the Trainer
Jaimin Pathak
Jaimin Pathak is a dynamic cybersecurity leader with deep expertise in Blue Team operations, digital forensics, and threat intelligence. As the Head of Security at HaxSecurity, Jaimin brings a hands-on approach to building and scaling modern Security Operations Centers (SOC). His career spans years of dedicated work in incident response, SIEM engineering, and proactive threat hunting. Jaimin is also a passionate mentor and educator, having guided thousands of cybersecurity learners through practical training programs, shaping the next generation of defenders in the field.
Related Projects
Apache Server Log Analysis using Splunk
Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM
Practical AWS Cloud Security Posture Assessment Using Scout Suite
Identify real-world AWS attack surfaces through visual security posture analysis.
Wazuh + n8n + Anyrun: Automated Malware Analysis
Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.