SIEM & Detection

On-Prem SIEM Architecture

Built a production SIEM with ELK, Wazuh, Elastic Defend, and n8n to centralize telemetry across 500+ endpoints and network devices.

Challenge

The environment needed centralized visibility, faster detection, and less alert noise across a fast-scaling fintech data center.

Approach

  • Designed ingestion pipelines for Linux, Windows, MikroTik, firewall, and endpoint logs.
  • Mapped detections to MITRE ATT&CK and created custom rules for ransomware, scripting, persistence, and lateral movement.
  • Tuned correlation logic, whitelist management, and thresholds to reduce false positives.
  • Connected critical alerts to Telegram and email for rapid response.
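As an added illustration (example code written for this page, not rules or workflows from the deployment described above), the following Python models the pipeline the list outlines: alerts are checked against a whitelist, counted per rule and host inside a time window so that single noisy events do not page anyone, tagged with the ATT&CK technique they map to, and routed by severity to Telegram and email. The rule ids, thresholds, whitelist entries and sample alerts are all constructed for the example; the notifier is a stub that only records where an incident would be sent.

```python
"""Whitelist, threshold correlation and severity routing over Wazuh-style alerts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Detection catalogue: hypothetical rule ids mapped to ATT&CK techniques.
# Ids, thresholds and windows are assumptions for this example.
RULES = {
    100201: {"name": "Encoded PowerShell command", "technique": "T1059.001",
             "severity": "high", "threshold": 1, "window_s": 0},
    100202: {"name": "New Run-key persistence", "technique": "T1547.001",
             "severity": "critical", "threshold": 1, "window_s": 0},
    100203: {"name": "Admin share connection burst", "technique": "T1021.002",
             "severity": "critical", "threshold": 5, "window_s": 120},
    100204: {"name": "Mass file rename to .locked", "technique": "T1486",
             "severity": "critical", "threshold": 50, "window_s": 60},
}

# Whitelist entries: (rule_id, field, value). Constructed examples of the kind
# of exceptions that get tuned out once a rule has been in production a while.
WHITELIST = {
    (100201, "user", "svc_backup"),     # backup job uses encoded commands by design
    (100203, "agent", "mgmt-jump-01"),  # admin jump host legitimately touches shares
}


def is_whitelisted(alert):
    """True when any (rule, field, value) tuple on the alert matches the whitelist."""
    rid = alert["rule_id"]
    return any((rid, field, alert.get(field)) in WHITELIST for field in ("user", "agent"))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts):
    """Collapse raw alerts into incidents.

    Returns {"incidents": [...], "suppressed": n}. An incident is emitted once a
    (rule, agent) pair reaches the rule's threshold inside its window; the
    bucket is then reset so one burst yields one incident, not one per event.
    """
    incidents, suppressed = [], 0
    buckets = defaultdict(list)  # (rule_id, agent) -> timestamps still in window
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        rule = RULES.get(alert["rule_id"])
        if rule is None:
            continue
        if is_whitelisted(alert):
            suppressed += 1
            continue
        key = (alert["rule_id"], alert["agent"])
        ts = parse_ts(alert["timestamp"])
        window = timedelta(seconds=rule["window_s"])
        buckets[key] = [t for t in buckets[key] if ts - t <= window] + [ts]
        if len(buckets[key]) >= rule["threshold"]:
            incidents.append({
                "rule_id": alert["rule_id"], "name": rule["name"],
                "technique": rule["technique"], "severity": rule["severity"],
                "agent": alert["agent"], "count": len(buckets[key]),
                "last_seen": alert["timestamp"],
            })
            buckets[key] = []
    return {"incidents": incidents, "suppressed": suppressed}


def route(incidents):
    """Decide channels per incident: critical pages Telegram and email, high goes to email."""
    routed = []
    for inc in incidents:
        channels = ["telegram", "email"] if inc["severity"] == "critical" else ["email"]
        routed.append({"incident": inc, "channels": channels})
    return routed


def _mk(ts, agent, rule_id, user="jdoe"):
    return {"timestamp": ts, "agent": agent, "rule_id": rule_id, "user": user}


# Constructed sample alerts resembling Wazuh JSON output; not real telemetry.
SAMPLE_ALERTS = (
    [_mk("2024-05-01T10:00:01Z", "win-ws-17", 100201)]                      # fires (high)
    + [_mk("2024-05-01T10:00:05Z", "srv-bk-01", 100201, user="svc_backup")]  # whitelisted
    + [_mk(f"2024-05-01T10:01:{s:02d}Z", "win-ws-17", 100203) for s in range(10, 16)]     # 6 in 6s
    + [_mk(f"2024-05-01T10:02:{s:02d}Z", "mgmt-jump-01", 100203) for s in range(0, 6)]    # whitelisted
    + [_mk("2024-05-01T10:03:00Z", "win-ws-17", 100202)]                      # fires (critical)
    + [_mk(f"2024-05-01T10:04:{s:02d}Z", "srv-file-01", 100204) for s in range(0, 10)]    # below threshold
)

if __name__ == "__main__":
    result = correlate(SAMPLE_ALERTS)
    for entry in route(result["incidents"]):
        inc = entry["incident"]
        print(f"{inc['severity']:8} {inc['technique']:10} {inc['agent']:14} "
              f"x{inc['count']:<3} -> {', '.join(entry['channels'])}")
    print(f"suppressed by whitelist: {result['suppressed']}")
```

The reset after each threshold crossing is the detail that matters for noise: without it a lateral-movement burst of fifty share connections would produce forty-six pages instead of one. Whitelisting is keyed on the rule as well as the field value, so excusing a backup account from one detection does not silence every rule for that account.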

Outcomes

  • 40+ custom detections shipped.
  • 40% reduction in false positives.
  • Sub-2-minute notification pipeline for critical alerts.
  • Unified dashboards for operations and security teams.

Tools and stack

  • ELK Stack
  • Wazuh
  • Elastic Defend
  • n8n
  • MITRE ATT&CK
  • Telegram
  • Email
