Overview
Wazuh - Indicator Removal Analysis is an endpoint detection lab about defense evasion after activity has already occurred.
The scenario focuses on traces attackers may try to remove, such as command history or system logs. In a SOC workflow, these events are important because attempts to erase evidence can be as meaningful as the original action.
This lab helps learners practice interpreting Wazuh alerts, recognizing anti-forensics behavior, and using incomplete or tampered evidence to guide the next investigation step.
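As an added illustration that is not part of the lab material, the following custom Wazuh rules (rule IDs 100110 and 100111, the history file names and the log paths are assumptions for a Linux endpoint) raise higher-severity alerts when file integrity monitoring reports deletion of shell history files or core system logs, the traces this lab asks learners to notice:

```xml
<!-- Custom rules for /var/ossec/etc/rules/local_rules.xml (added example, not from the lab).
     Both rules chain off Wazuh's built-in syscheck rule 553 ("File deleted").
     Assumes the monitored directories (/home, /root, /var/log) are listed under
     <syscheck> in ossec.conf, otherwise no 553 event is produced for the deletion. -->
<group name="syscheck,indicator_removal,">

  <!-- Shell history removed: the command trail itself has been erased.
       The pcre2 match on the decoded "file" field covers common history file names. -->
  <rule id="100110" level="10">
    <if_sid>553</if_sid>
    <field name="file" type="pcre2">/\.(bash|zsh|sh|python)_history$</field>
    <description>Indicator removal: shell history file $(file) was deleted</description>
    <mitre>
      <id>T1070.003</id>
    </mitre>
  </rule>

  <!-- Core system and authentication logs removed: higher level, because the
       evidence that would normally explain the deletion is what disappeared. -->
  <rule id="100111" level="12">
    <if_sid>553</if_sid>
    <field name="file" type="pcre2">^/var/log/(auth\.log|secure|syslog|messages|wtmp|btmp|lastlog|audit/audit\.log)$</field>
    <description>Indicator removal: system log $(file) was deleted</description>
    <mitre>
      <id>T1070.002</id>
    </mitre>
  </rule>

</group>
```

After a manager restart, a deletion of history or logs in the lab should surface under these rule IDs. If the file is gone but no alert exists, treat that gap as evidence too: the agent may have been stopped or the path may fall outside the configured syscheck scope.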

