> For the complete documentation index, see [llms.txt](https://cybermed.gitbook.io/soc-home-lab/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybermed.gitbook.io/soc-home-lab/configure-wazuh-alerts.md). # Configure Wazuh Alerts We have to start with Wazuh config file. our intension is to configure mimikatz alert to the Wazuh server. You can find the Wazuh agent configurations under the **C:\Program Files (x86)\ossec-agent** We are trying to edit the file called **ossec.conf**

Before we are going to do any modifications, we have to backup the ossec.conf file. I will simply go ahead and make a copy and name that file as **“ ossec-backp.conf.”** After you open the **ossec.conf** file just scroll down and then you will see the log analysis file tag. That part is the important part to us for this demo.

In here what we are going to do is copy the local file tag and past under the local file tag. We want add the **Sysmon** (which we have installed initially) as our application location.

We have to replace that application name with the Sysmon application name. How we can find the name ? It is relatively easy, please follow the following path to find the real name. {% hint style="info" %} Windows even viewer — >Application and services —> Microsoft —> Windows —> Sysmon —>operational —> right click on the operational go to properties and copy the full name {% endhint %}

Now paste the copied Full name under the application location in ossc.config file. Also I'll remove the duplicated application name **security and system** file tags and save it. This means it will no longer forward the event logs to the Wazuh manager.

Next step is restart the Wazuh service in our client PC ( same PC). go ahead and open the **windows services— > find the Wazuh service** and restart.

{% hint style="info" %} If you have changed the configuration, then you must restart the service. {% endhint %} Come back to the Wazuh dashboard, open security events and go inside. Then click events and under events search Sysmon. Some times this might take time to retrieve the Sysmon logs. Be patient and wait until you receive the logs.

Our next step is to download the Mimikatz to the client machine. (Windows 10 VM). Make sure that you have **disabled** the windows defender before download the Mimikatz, cause that will detect and delete the Mimikatz. {% embed url="" %} once downloaded, extract the Mimikatz like this

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cybermed.gitbook.io/soc-home-lab/configure-wazuh-alerts.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.