Hands-on Lab · Advanced · ~75 min · Includes challenge

Lab 3.4 — Two Views, One Attack

Correlate network IDS (Suricata/EveBox) and SIEM (Wazuh) data to reconstruct the full Operation Wire Tap kill chain from two complementary detection perspectives.

Tools needed: EveBox, Suricata

What You'll Learn

  • Correlate network-level alerts (Suricata/EveBox) with SIEM-level alerts (Wazuh) to build a unified attack timeline
  • Map each phase of Operation Wire Tap using evidence from both detection platforms
  • Understand how network IDS and host-based SIEM provide complementary visibility into attacks
  • Identify attack indicators that are visible to one platform but invisible to the other
  • Produce a professional incident timeline documenting the full kill chain with dual-source evidence

Lab Overview

Detail          | Value
────────────────|──────────────────────────────────────────────────────────────────────────────────────
Lab Profile     | lab-suricata
Containers      | Suricata, EveBox
Estimated Time  | 70–80 minutes
Difficulty      | Advanced
Browser Access  | EveBox (Web UI)
Pre-Loaded Data | 49 Suricata alert groups (network view) + described Wazuh alert data (host view)
Deliverable     | A Unified Incident Timeline correlating network and SIEM evidence for all attack phases

Why Two Views? Network IDS (Suricata) sees traffic on the wire — packet payloads, protocol anomalies, and communication patterns. Host-based SIEM (Wazuh) sees what happens ON the endpoint — file changes, process execution, authentication events, and log entries. Neither alone tells the complete story. Professional incident response always correlates both to reconstruct what really happened.


The Scenario

The incident response team has been activated for Operation Wire Tap. The IR lead needs a unified timeline that combines evidence from BOTH the network IDS (Suricata, which you can query in EveBox) and the SIEM (Wazuh, whose alert data is described for you below). Your job is to map every attack phase using both sources, identify gaps in visibility, and produce a professional incident report.


Reference: Wazuh Alert Summary (Host-Based View)

Since this lab runs the Suricata profile, you will work hands-on with EveBox for network data. The Wazuh (SIEM) data from the same scenario is summarized below for correlation:

Wazuh Alerts — By Phase

Phase 1: Initial Reconnaissance

  • Rule 18152: Windows brute force attempt from 91.234.99.87 → WIN-SERVER-01 (15 events)
  • Rule 5551: SSH authentication failure from 185.220.101.42 → linux-web-01 (20 events)
  • Rule 5712: SSH brute force attack from 185.220.101.42 (threshold alert, 1 event)

Phase 2: Exploitation

  • Rule 31103: SQL injection attempt via POST (sqlmap user-agent) → linux-web-01 (3 events)
  • Rule 31104: Common SQL injection attack detected (8 events)
  • Rule 100002: Suspicious command execution — base64-encoded reverse shell → linux-web-01 (1 event)

Phase 3: Post-Exploitation

  • Rule 5402: www-data executed sudo /usr/bin/id on linux-web-01 (1 event)
  • Rule 5402: www-data executed sudo /bin/bash -c 'cat /etc/shadow' on linux-web-01 (1 event)
  • Rule 5402: www-data opened full /bin/bash shell via sudo on linux-web-01 (1 event)

Phase 4: Persistence & Lateral Movement

  • Rule 60106: Successful logon after multiple failures from 91.234.99.87 → WIN-SERVER-01 (1 event)
  • Rule 7045: New service installed on WIN-SERVER-01 (1 event)
  • Rule 100003: Suspicious PowerShell execution on WIN-SERVER-01 (2 events)

Phase 5: Data Staging

  • Agent heartbeat anomaly: dns-server-01 showed unusual outbound traffic spike
  • FIM alert: /var/log/auth.log modified on linux-web-01 (log tampering indicator)

Part 1: Phase Mapping — Reconnaissance

Network View (EveBox — Hands-On)

Open EveBox and find alerts related to the reconnaissance phase:

  1. Scan/probe alerts: Find Nmap or scanning signatures. Record the source IPs, destination IPs, and ports targeted.
  2. Protocol anomalies: Look for unusual connection patterns (half-open connections, rapid port cycling).
  3. Record the earliest scan timestamp — this is the attack start time.

SIEM View (Wazuh — Reference Data Above)

From the Wazuh summary:

  • SSH brute force from 185.220.101.42 (20 failures + threshold alert)
  • Windows brute force from 91.234.99.87 (15 failures)

Correlation Exercise

PHASE 1: RECONNAISSANCE
════════════════════════
Timeline: [start time] to [end time]

NETWORK VIEW (Suricata/EveBox):
  Alert: [signature name]
  Source: [IP] → Dest: [IP]
  Evidence: [what the packets show]
  Count: [number of alerts]

SIEM VIEW (Wazuh):
  Alert: Rule 18152 — Windows brute force
  Source: 91.234.99.87 → WIN-SERVER-01
  Evidence: 15 failed logon events (Event ID 4625)

  Alert: Rule 5712 — SSH brute force
  Source: 185.220.101.42 → linux-web-01
  Evidence: 20+ failed SSH authentications

CORRELATION NOTES:
  [What does each view show that the other misses?]
  [Do the timestamps align between network and host events?]

Part 2: Phase Mapping — Exploitation

Network View (EveBox — Hands-On)

Find exploitation-related alerts:

  1. SQL injection signatures: Look for UNION SELECT, web application attack classtypes
  2. Web shell indicators: Look for HTTP response anomalies, command output in responses
  3. C2 establishment: Find initial callback or beacon alerts

Record the exact signatures, payloads (if visible), and timestamps.

SIEM View (Wazuh — Reference Data)

From the Wazuh summary:

  • SQL injection POST attempts via sqlmap (Rule 31103)
  • Base64-encoded reverse shell execution (Rule 100002)

Correlation Exercise

Answer these questions:

  1. Does Suricata show the SQL injection PAYLOAD (the actual UNION SELECT query)?
  2. Does Wazuh show the SQL injection payload or just the rule match?
  3. Which platform detected the reverse shell? Could BOTH detect it?
  4. What is the time gap between the SQL injection and the reverse shell execution?

[Figure: Dual-view correlation diagram]


Part 3: Phase Mapping — Post-Exploitation

Network View (EveBox)

Look for post-exploitation network indicators:

  1. C2 beacon traffic: Regular outbound connections from the compromised host
  2. DNS tunneling: Encoded DNS queries starting after exploitation
  3. Data transfer: Large outbound data flows to external IPs

SIEM View (Wazuh — Reference Data)

From the Wazuh summary:

  • www-data → sudo → /usr/bin/id (privilege check)
  • www-data → sudo → cat /etc/shadow (credential theft)
  • www-data → sudo → /bin/bash (full root shell)

Correlation Exercise

This phase shows the strongest complementary visibility:

Activity                  | Network View (Suricata)            | Host View (Wazuh)
──────────────────────────|────────────────────────────────────|──────────────────────────────────────────────────────
C2 beacon to attacker IP  | Visible — outbound TCP connections | Not visible — no host-level log for outbound connections
sudo privilege escalation | Not visible — happens locally      | Visible — sudo logs captured
Shadow file access        | Not visible — local file read      | Visible — FIM or command audit
DNS tunneling queries     | Visible — anomalous DNS patterns   | Partially visible — DNS query logs if forwarded

The Visibility Gap. This exercise reveals a critical SOC principle: no single tool sees everything. Suricata excels at detecting network-borne attacks, C2 traffic, and data exfiltration. Wazuh excels at detecting local actions, authentication events, and file integrity changes. A mature SOC correlates both to eliminate blind spots.


Part 4: Phase Mapping — Lateral Movement & Persistence

Network View (EveBox)

Find lateral movement indicators:

  1. SMB traffic between internal hosts: Unexpected east-west connections
  2. Internal scanning: The compromised host scanning other internal systems
  3. Credential relay: Pass-the-hash or other credential-based movement

SIEM View (Wazuh — Reference Data)

From the Wazuh summary:

  • Successful logon from 91.234.99.87 → WIN-SERVER-01 (Rule 60106)
  • New service installed on WIN-SERVER-01 (Rule 7045)
  • Suspicious PowerShell execution (Rule 100003)

Correlation Exercise

Map the lateral movement chain:

  1. Network: What protocol/port did the lateral movement use?
  2. SIEM: What did the attacker DO after landing on WIN-SERVER-01?
  3. Combined: Build the sequence — initial access → credential reuse → service installation → PowerShell execution

Part 5: Build the Unified Incident Timeline

Combine all phases into a single, chronological timeline:

UNIFIED INCIDENT TIMELINE — OPERATION WIRE TAP
═══════════════════════════════════════════════
Classification: Confirmed Multi-Stage Intrusion
Date: [today's date]
Analyst: [your name]

TIME       | PHASE           | SOURCE  | EVIDENCE
───────────|─────────────────|─────────|──────────────────────────
[HH:MM:SS] | Recon           | Network | Nmap SYN scan from [IP] — [count] ports probed
[HH:MM:SS] | Recon           | SIEM    | SSH brute force from 185.220.101.42 — 20 failures
[HH:MM:SS] | Recon           | SIEM    | Windows brute force from 91.234.99.87 — 15 failures
[HH:MM:SS] | Exploitation    | Network | SQL injection payload: UNION SELECT detected
[HH:MM:SS] | Exploitation    | SIEM    | Rule 31103: SQL injection via sqlmap POST
[HH:MM:SS] | Exploitation    | SIEM    | Rule 100002: Base64 reverse shell executed
[HH:MM:SS] | C2 Established  | Network | C2 beacon to [IP]:[port] — [interval] second interval
[HH:MM:SS] | Post-Exploit    | SIEM    | www-data → sudo → id (privilege check)
[HH:MM:SS] | Post-Exploit    | SIEM    | www-data → sudo → cat /etc/shadow
[HH:MM:SS] | Post-Exploit    | SIEM    | www-data → sudo → /bin/bash (full root)
[HH:MM:SS] | Lateral Move    | Network | SMB connections to internal targets
[HH:MM:SS] | Lateral Move    | SIEM    | Successful logon on WIN-SERVER-01
[HH:MM:SS] | Persistence     | SIEM    | New service installed on WIN-SERVER-01
[HH:MM:SS] | Exfiltration    | Network | DNS tunneling queries to [domain]

[Figure: Unified attack timeline diagram]


Part 6: Visibility Gap Analysis

Complete this analysis to understand each platform's strengths:

VISIBILITY GAP ANALYSIS
════════════════════════

SEEN BY NETWORK IDS ONLY:
  - [list indicators only Suricata detected]

SEEN BY SIEM ONLY:
  - [list indicators only Wazuh detected]

SEEN BY BOTH:
  - [list indicators both platforms detected]

BLIND SPOTS (Neither detected):
  - [list potential attack activities neither platform saw]

RECOMMENDATION:
  [What additional data sources would close the gaps?]
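To make Part 5 and Part 6 repeatable, here is an added Python example (written for this page, not part of the lab materials or of the Suricata/Wazuh projects) that merges Suricata EVE alert lines and Wazuh alerts.json lines into one source-labelled timeline, buckets each phase by which view saw it, and measures the gap between two events, as the Part 2 correlation question asks. It assumes the standard EVE fields (timestamp, event_type, src_ip, dest_ip, dest_port, alert.signature, alert.category) and Wazuh fields (timestamp, rule.id, rule.description, agent.name); the sample records, signature texts, hostnames and the category-to-phase mapping are constructed to mirror the lab's phase list, not real Wire Tap data.

```python
import json
from datetime import datetime

# Constructed sample data (not from the lab), deliberately out of order: Suricata EVE alert lines and Wazuh alert lines
EVE_JSON = """\
{"timestamp":"2024-05-01T10:12:30.000000+0000","event_type":"alert","src_ip":"185.220.101.42","dest_ip":"10.0.0.20","dest_port":80,"alert":{"signature":"WEB SQLi UNION SELECT in POST body","category":"Web Application Attack"}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"185.220.101.42","dest_ip":"10.0.0.20","dest_port":22,"alert":{"signature":"SCAN Nmap SYN","category":"Attempted Information Leak"}}
{"timestamp":"2024-05-01T10:16:00.000000+0000","event_type":"alert","src_ip":"10.0.0.20","dest_ip":"185.220.101.42","dest_port":4444,"alert":{"signature":"C2 reverse shell callback","category":"Command and Control"}}
{"timestamp":"2024-05-01T10:16:30.000000+0000","event_type":"flow","src_ip":"10.0.0.20","dest_ip":"185.220.101.42","dest_port":4444}
"""
WAZUH_JSON = """\
{"timestamp":"2024-05-01T10:15:31.000+0000","rule":{"id":"100002","description":"Base64-encoded reverse shell executed"},"agent":{"name":"linux-web-01"}}
{"timestamp":"2024-05-01T10:02:10.000+0000","rule":{"id":"5712","description":"SSH brute force attack"},"agent":{"name":"linux-web-01"}}
{"timestamp":"2024-05-01T10:25:00.000+0000","rule":{"id":"5402","description":"www-data ran sudo /bin/bash"},"agent":{"name":"linux-web-01"}}
"""
# Phase lookups follow the lab's phase list: Suricata by alert category, Wazuh by rule id (assumed mapping)
NET_PHASE = {"Attempted Information Leak": "Recon", "Web Application Attack": "Exploitation",
             "Command and Control": "C2 Established"}
SIEM_PHASE = {"18152": "Recon", "5712": "Recon", "31103": "Exploitation", "31104": "Exploitation",
              "100002": "Exploitation", "5402": "Post-Exploit", "60106": "Lateral Move",
              "7045": "Persistence", "100003": "Persistence"}
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # both tools: ISO-8601 with numeric offset; %f takes 3 or 6 digits

def load_events(eve_text, wazuh_text):
    """Return (time, phase, source, evidence) tuples from both views, oldest first."""
    events = []
    for r in map(json.loads, eve_text.splitlines()):
        if r.get("event_type") != "alert":
            continue  # flow/dns/http records are context, not detections
        ev = f'{r["alert"]["signature"]} {r["src_ip"]} -> {r["dest_ip"]}:{r["dest_port"]}'
        phase = NET_PHASE.get(r["alert"]["category"], "Unmapped")
        events.append((datetime.strptime(r["timestamp"], TS_FMT), phase, "Network", ev))
    for r in map(json.loads, wazuh_text.splitlines()):
        ev = f'Rule {r["rule"]["id"]}: {r["rule"]["description"]} on {r["agent"]["name"]}'
        phase = SIEM_PHASE.get(r["rule"]["id"], "Unmapped")
        events.append((datetime.strptime(r["timestamp"], TS_FMT), phase, "SIEM", ev))
    return sorted(events)

def visibility_gap(events):
    # Bucket phases into the lab's SEEN BY NETWORK ONLY / SIEM ONLY / BOTH lists
    seen = {}
    for _, phase, source, _ in events:
        seen.setdefault(phase, set()).add(source)
    return {"network_only": {p for p, s in seen.items() if s == {"Network"}},
            "siem_only": {p for p, s in seen.items() if s == {"SIEM"}},
            "both": {p for p, s in seen.items() if s == {"Network", "SIEM"}}}

def gap_seconds(events, first, second):
    # Seconds from the first event mentioning `first` to the first mentioning `second`
    t1, t2 = (next(t for t, _, _, e in events if key in e) for key in (first, second))
    return (t2 - t1).total_seconds()
```

Each tuple from load_events maps directly onto a TIME | PHASE | SOURCE | EVIDENCE row of the timeline template; on the sample data the C2 phase lands in network_only and the sudo activity in siem_only, which is the visibility gap the lab asks you to document.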

Deliverable Checklist

Before completing the lab, ensure you have:

  • Phase 1 correlation — reconnaissance from both network and SIEM perspectives
  • Phase 2 correlation — exploitation with payload comparison between platforms
  • Phase 3 correlation — post-exploitation visibility gap analysis
  • Phase 4 correlation — lateral movement and persistence chain
  • Unified timeline — all phases in chronological order with source labels
  • Visibility gap analysis — what each platform saw, missed, and recommendations

Key Takeaways

  • No single security tool provides complete visibility — correlating network IDS and host SIEM data is essential for comprehensive incident understanding
  • Network IDS excels at payload inspection, C2 detection, and lateral movement traffic; SIEM excels at authentication events, process execution, and file integrity
  • A unified timeline with source labels shows incident responders exactly which evidence came from where
  • Visibility gap analysis helps mature security programs identify where to add sensors, logs, or integrations
  • The attack kill chain (recon → exploit → C2 → post-exploit → lateral → persist → exfiltrate) only becomes fully visible when multiple data sources are correlated

What's Next

In Lab 3.5 — PCAP Analysis with Wireshark, you will go even deeper into the network layer. Instead of working with Suricata's alert-level view, you will analyze raw packet captures — examining TCP handshakes, HTTP request payloads, DNS tunneling packets, and C2 beacon traffic at the byte level.

Lab Challenge: Two Views, One Attack

10 questions · 70% to pass

  1. Why do professional incident response teams correlate both network IDS and SIEM data instead of relying on one platform?
  2. During the exploitation phase, Suricata detects the SQL injection payload content. What does Wazuh detect for the same event?
  3. The attacker uses 'sudo /bin/bash' on the compromised Linux server to get a root shell. Which platform detects this?
  4. C2 beacon traffic from the compromised host to the attacker's server occurs every 30 seconds. Which platform is better positioned to detect this?
  5. In the unified timeline, what is the significance of labeling each entry with its source (Network vs. SIEM)?
  6. The attacker installs a new service on WIN-SERVER-01 (Wazuh Rule 7045). Would Suricata also detect this activity?
  7. During the lateral movement phase, the attacker moves from linux-web-01 to WIN-SERVER-01. Which combination of evidence from both platforms confirms this?
  8. In your visibility gap analysis, you identify that DNS tunneling exfiltration is 'seen by network IDS only.' What additional data source would close this gap?
  9. When building the unified timeline, you notice a 3-minute gap between the SQL injection (Suricata) and the reverse shell execution (Wazuh). What does this gap likely represent?
  10. Based on the full Operation Wire Tap timeline, which attack phase has the BEST dual-source coverage (visible to both network IDS and SIEM)?
