In this video, I demonstrate how to configure Windows auditing and Wazuh to detect key security events in a SOC lab environment. The walkthrough covers enabling the necessary Group Policy audit settings, configuring the Wazuh agent to collect Windows Security logs, and building dashboards to visualize important identity and network activity.
Topics covered in this lab include:
Enabling Advanced Audit Policies in Group Policy
Monitoring user account creation and deletion events (4720, 4726)
Detecting password changes and resets (4723, 4724, 4738)
Tracking permitted and blocked network connections (5156, 5157)
Configuring ossec.conf so the Wazuh agent ingests Windows Security logs
Building Wazuh dashboards to visualize identity and network security activity
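The agent and manager configuration the topics above describe, written out as an added example (it is not the configuration from the video, and the rule IDs, levels and thresholds are my choices). The ossec.conf fragment goes on the Windows endpoint; the rules go in local_rules.xml on the Wazuh manager. It assumes Wazuh's built-in base rule 60000 for Windows eventchannel logs and the field names produced by the eventchannel decoder (win.system.eventID, win.eventdata.targetUserName, win.eventdata.sourceAddress and so on); confirm both against your manager's ruleset version. None of this produces alerts unless the matching Advanced Audit Policy subcategories are enabled on the endpoint: "User Account Management" for 4720/4723/4724/4726/4738 and "Filtering Platform Connection" for 5156/5157.

```xml
<!-- ===== Agent side: ossec.conf on the Windows endpoint (inside <ossec_config>) =====
     Without <query>, every Security event is forwarded. 5156 fires for every permitted
     connection, so the XPath filter below keeps the channel to the IDs this lab uses. -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4720 or EventID=4726 or EventID=4723 or EventID=4724 or EventID=4738 or EventID=5156 or EventID=5157]</query>
  </localfile>
</ossec_config>

<!-- ===== Manager side: /var/ossec/etc/rules/local_rules.xml =====
     Rule IDs 100100+ are in the custom range; levels below 3 are not written to
     alerts.json by default, so anything meant for a dashboard is level 3 or higher. -->
<group name="windows,soc_lab,">

  <!-- Account lifecycle (assumed field names from the eventchannel decoder) -->
  <rule id="100100" level="7">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^4720$</field>
    <description>User account created: $(win.eventdata.targetUserName) by $(win.eventdata.subjectUserName)</description>
    <mitre><id>T1136.001</id></mitre>
  </rule>

  <rule id="100101" level="7">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^4726$</field>
    <description>User account deleted: $(win.eventdata.targetUserName) by $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- 4723 = change attempt, 4724 = reset attempt, 4738 = account changed -->
  <rule id="100102" level="6">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^(4723|4724|4738)$</field>
    <description>Password or account change (event $(win.system.eventID)) on $(win.eventdata.targetUserName) by $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- Windows Filtering Platform: permitted and blocked connections -->
  <rule id="100103" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^5156$</field>
    <description>WFP permitted connection $(win.eventdata.sourceAddress) -> $(win.eventdata.destAddress):$(win.eventdata.destPort)</description>
  </rule>

  <rule id="100104" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^5157$</field>
    <description>WFP blocked connection $(win.eventdata.sourceAddress) -> $(win.eventdata.destAddress):$(win.eventdata.destPort)</description>
  </rule>

  <!-- Many blocked connections from one source in a short window is what a port scan
       looks like in the Security log. Threshold chosen for a quiet lab; tune for production. -->
  <rule id="100105" level="10" frequency="20" timeframe="60">
    <if_matched_sid>100104</if_matched_sid>
    <same_field>win.eventdata.sourceAddress</same_field>
    <description>Possible port scan: 20+ blocked connections from $(win.eventdata.sourceAddress) within 60 seconds</description>
    <mitre><id>T1046</id></mitre>
  </rule>

</group>
```

After restarting the agent and manager, the indexed alerts carry the event fields under data.win.* (for example data.win.system.eventID and data.win.eventdata.targetUserName), which is what the dashboard visualizations in the video filter and group on: a table of rule 100100/100101 hits keyed on targetUserName gives the account lifecycle view, and a count of rule 100104 split by sourceAddress gives the network-scanning view.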
This setup is part of a SOC home lab built with Wazuh and Windows endpoints to simulate real-world monitoring scenarios such as account management activity and network scanning behavior.
The goal of this lab is to demonstrate how security teams can collect, analyze, and visualize critical authentication and network events for threat detection and investigation.
Tools used in this lab:
Wazuh SIEM
Windows Event Logging
Windows Advanced Audit Policy
Proxmox lab environment
This project is part of a hands-on cybersecurity SOC lab focused on building detection capabilities and understanding how Windows security events are collected and analyzed in a SIEM environment.