Beginner Pro

Suspicious File Change Detection and Response on Ubuntu Using Wazuh

Detect unauthorized or suspicious file modifications in critical directories using Wazuh’s FIM (File Integrity Monitoring) module and automatically isolate or remediate affected endpoints through Active Response.

Self-Paced by Jaimin Pathak

Overview

This lab focuses on detecting and responding to suspicious file changes using Wazuh’s File Integrity Monitoring (FIM) capability. You’ll simulate file tampering on a monitored directory and observe how Wazuh detects these changes in real-time, generates alerts, and triggers automated responses.

The use case emphasizes how security analysts can leverage FIM alerts, Wazuh decoders, and correlation rules to differentiate between authorized and unauthorized changes—forming the foundation of host-based intrusion detection.

When a suspicious modification or deletion is detected, Wazuh Active Response will execute a pre-defined remediation action—such as quarantining the file, isolating the endpoint, or reverting the change—to ensure rapid containment.

  • Configure FIM to monitor directories like /etc/, /var/www/, or custom sensitive folders.

  • Generate legitimate vs. malicious file changes to validate rule accuracy and event correlation.

  • Observe detection in the Wazuh Dashboard (Integrity Monitoring module) and correlate with agent logs.

  • Collect and analyze artifacts: ossec.log, alerts.json, and local file hashes before and after modification.

  • Automate response with Active Response to isolate the host or remove malicious files from the system.

  • Complete the full Detect → Analyze → Respond workflow for file-based threats.
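A small triage script for the alerts.json artifact listed above, added here as an example (it is not part of the lab material or of Wazuh's own code): it keeps only syscheck (FIM) alerts from constructed alerts.json lines and labels each change authorized or suspicious against a constructed allowlist of approved hashes, which is the "legitimate vs. malicious" distinction the lab asks you to make before handing a path to Active Response. The rule ids 550/553/554 are Wazuh's built-in FIM rules; the hash values and paths in the sample are constructed.

```python
import json

# Wazuh built-in FIM rule ids: 550 = modified, 553 = deleted, 554 = added
FIM_RULE_EVENTS = {"550": "modified", "553": "deleted", "554": "added"}

# Constructed allowlist: the sha256 an administrator recorded for an approved
# change. The value is a placeholder, not a real file digest.
APPROVED_HASHES = {"/etc/ssh/sshd_config": "approved-sha256-placeholder"}

# Constructed alerts.json content (one JSON object per line, as Wazuh writes it);
# the last line is a non-FIM alert that the parser must skip.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"rule": {"id": "550", "groups": ["ossec", "syscheck"]},
     "syscheck": {"path": "/etc/ssh/sshd_config", "event": "modified",
                  "sha256_before": "old", "sha256_after": "approved-sha256-placeholder"}},
    {"rule": {"id": "550", "groups": ["ossec", "syscheck"]},
     "syscheck": {"path": "/etc/passwd", "event": "modified",
                  "sha256_before": "old", "sha256_after": "unexpected"}},
    {"rule": {"id": "554", "groups": ["ossec", "syscheck"]},
     "syscheck": {"path": "/var/www/html/upload.php", "event": "added", "sha256_after": "new"}},
    {"rule": {"id": "5402", "groups": ["syslog", "sudo"]}},
])


def parse_fim_alerts(raw):
    """Return only syscheck (FIM) alerts from newline-delimited alerts.json text."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        rule = alert.get("rule", {})
        if "syscheck" not in rule.get("groups", []):
            continue  # not a FIM alert (sudo, sshd, ...)
        sc = alert.get("syscheck", {})
        events.append({"path": sc.get("path"),
                       "event": sc.get("event") or FIM_RULE_EVENTS.get(rule.get("id")),
                       "sha256_after": sc.get("sha256_after")})
    return events

def classify(event):
    """'authorized' only when a modification's new hash matches the change record."""
    if event["event"] == "modified" and APPROVED_HASHES.get(event["path"]) == event["sha256_after"]:
        return "authorized"
    return "suspicious"  # unknown hash, unexpected new file, or deletion

def triage(raw):
    """Map each path to its verdict; 'suspicious' paths are Active Response candidates."""
    return {e["path"]: classify(e) for e in parse_fim_alerts(raw)}
```

Feed it the real file with `triage(open("/var/ossec/logs/alerts/alerts.json").read())` on the manager, after replacing the placeholder allowlist with hashes recorded during an approved change window.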

What You'll Learn

  • Configure File Integrity Monitoring (FIM)

    Learn to enable and tune Wazuh’s FIM module to monitor specific directories, file types, and permissions for critical system paths.

  • Simulate File Modification Events

    Safely simulate unauthorized file changes, deletions, or creations to generate real FIM alerts and understand how Wazuh detects tampering.

  • Correlate and Investigate Alerts

    Use the Wazuh Dashboard to analyze integrity change events, compare file hashes, view diffs, and identify potential compromises.

Prerequisites

  • Wazuh Server: Ubuntu 24.04 with Wazuh Manager + Indexer + Dashboard.

  • Monitored Host: Ubuntu 24.04 with Wazuh Agent installed and connected to the Manager.

  • Test System: Any Linux host (or the same monitored agent) where you can perform controlled file modifications.

About Trainer

Jaimin Pathak

Jaimin Pathak is a dynamic cybersecurity leader with deep expertise in Blue Team operations, digital forensics, and threat intelligence. As the Head of Security at HaxSecurity, Jaimin brings a hands-on approach to building and scaling modern Security Operations Centers (SOC). His career spans years of dedicated work in incident response, SIEM engineering, and proactive threat hunting. Jaimin is also a passionate mentor and educator, having guided thousands of cybersecurity learners through practical training programs, shaping the next generation of defenders in the field.
