Case Study — Detection Engineering
SSH Brute Force Detection with Layered Wazuh Rules
This project extends my SIEM lab by implementing layered detection logic for SSH brute-force attacks. Instead of relying only on default Wazuh alerts, I built custom correlation rules that identify suspicious activity early and escalate to high-severity alerts as attack behavior continues.
Status
Completed Case Study
Focus
Layered Detection
MITRE
T1110 — Brute Force
Tools
Wazuh • Hydra • Kali
What This Project Shows
Objective
The objective was to design and implement layered detection logic for SSH brute-force attacks inside a controlled Wazuh SIEM lab. The project focused on moving beyond basic log monitoring and creating custom correlation-based rules that identify suspicious authentication behavior as it develops.
The goal was not only to generate alerts, but to better understand how SIEM rules operate, how multiple events can be correlated into meaningful patterns, and how threshold-based logic can be tuned to reflect realistic attack scenarios.
Scenario
SSH brute-force attacks attempt to gain unauthorized access by repeatedly trying password combinations against a remote login service. A single failed login may not be meaningful by itself, but repeated failures from the same source can indicate automated attack behavior.
In this lab, Kali Linux was used to simulate a controlled brute-force attack against a Linux server running SSH. Wazuh collected authentication logs and analyzed the behavior so the detection logic could identify both early suspicious activity and confirmed brute-force behavior.
Environment and Tools
The environment was built in VirtualBox using an isolated internal network. A dedicated Wazuh SIEM server collected logs from a Linux target machine, while Kali Linux acted as the attacker system.
The Linux server generated SSH authentication logs, and Wazuh processed those logs through its built-in ruleset and custom correlation rules. This created a realistic but safe environment for validating attack simulation, log ingestion, detection, and alert escalation.
Attack Simulation
Hydra was executed from the Kali Linux machine against the SSH service on the Linux server. Before running the automated attack, manual failed login attempts were performed to confirm that authentication logging was working correctly and to establish a baseline of normal failed login behavior.
The Hydra command generated repeated failed authentication attempts in a short timeframe, creating the activity needed to test thresholds, frequency logic, and correlation-based detection. This mirrors the type of high-volume authentication behavior analysts may see during real brute-force attempts.
hydra -l securityadmin -P passwords.txt ssh://192.168.100.20Detection and Logs
The Linux server recorded authentication activity in /var/log/auth.log, including timestamps, usernames, and source IP addresses. Wazuh ingested those logs through its agent and processed each failed login attempt.
Default Wazuh rule ID 5503 provided visibility into individual PAM authentication failures. However, single-event detection did not fully explain whether those failures were part of a larger attack pattern. Reviewing the logs showed repeated failures from the same source IP, which justified a stronger correlation-based approach.
From an analyst perspective, repeated failures from one source IP represent a clear deviation from normal user behavior and provide a strong signal for automated attack activity.
Layered Detection Engineering
To improve detection quality, I implemented a layered detection strategy using custom Wazuh rules. The first rule acted as an early warning mechanism by triggering when multiple failed login attempts were detected from the same source within a short timeframe.
The second rule confirmed brute-force activity by triggering after a higher threshold of failed attempts. This generated a high-severity alert and showed that the behavior had progressed beyond normal user error.
This approach shifted detection from single-event alerting to behavior-based correlation, which is closer to how real SIEM detection engineering works in security operations. It also makes the alert flow easier for an analyst to understand: suspicious behavior first, confirmed attack behavior second.
Challenges and Troubleshooting
During implementation, the Wazuh manager failed to restart because of an XML configuration error in the custom rule file. A rule element was incorrectly placed outside a group block, causing the rule parser to fail.
I reviewed the service logs, identified the syntax issue, corrected the rule structure, and verified proper nesting. I also checked the use of if_matched_sid, frequency, and timeframe logic to confirm the custom rules behaved correctly.
This was one of the most useful parts of the project because it showed the real troubleshooting process behind detection engineering. Detection work is not just writing rules — it also requires validating syntax, service behavior, rule logic, and alert output.
Mitigation and Response
In a real-world environment, repeated authentication failures could trigger response actions such as temporarily blocking the source IP address, enforcing account lockout policies, applying rate limiting, or disabling password-based SSH authentication in favor of SSH keys.
Although this project focused on detection, it shows how detection logic can support broader incident response by identifying suspicious behavior early and escalating confirmed attack patterns for analyst review.
Validation and Results
After correcting the rule configuration, I ran the attack simulation again and confirmed that both detection stages worked as intended. The early warning rule triggered at a lower threshold, and the high-severity rule triggered after continued attack activity.
The results showed clear visibility into the progression of the brute-force attempt and confirmed that the layered rules accurately reflected attacker behavior. The final detection flow transformed raw authentication failures into meaningful, prioritized alerts.
Evidence
The report includes evidence from the full attack and detection lifecycle, including Hydra output, Linux authentication logs, Wazuh authentication events, custom rule configuration, Wazuh manager troubleshooting, and layered alerts showing both early warning and high-severity detection stages.
The evidence supports the full workflow: attack simulation, log generation, SIEM ingestion, default alerting, custom rule configuration, service troubleshooting, and final validation.
MITRE ATT&CK Mapping
This project maps to MITRE ATT&CK Credential Access technique T1110 — Brute Force. The simulated Hydra activity generated repeated SSH authentication attempts against the target system.
The layered detection approach supports this mapping by identifying both early suspicious activity and confirmed sustained brute-force behavior, which helps turn raw log data into standardized security reporting.
Skills and Concepts Demonstrated
Why This Project Matters
This project shows growth from basic alert validation into more advanced detection engineering. Instead of simply observing default alerts, I built a layered detection strategy that tracks suspicious behavior as it escalates.
It demonstrates the ability to simulate attack activity, interpret logs, troubleshoot SIEM rule issues, validate detection logic, and map the work to a recognized threat framework.
Resume Bullet
Designed and implemented layered Wazuh SIEM detection rules to identify SSH brute-force attacks, correlating authentication failures into early warning and high-severity alerts through simulated attack activity using Hydra.
GitHub Repository
The GitHub repository contains the project materials and supporting technical work for this detection engineering case study.
Open RepositoryFull Report and Supporting Documentation
The full report includes the project objective, lab environment, Hydra attack simulation, Wazuh log analysis, custom layered detection rules, troubleshooting notes, validation evidence, MITRE ATT&CK mapping, and future improvements.