learn-cyber · lesson 10 · capstone

Onboarding your first hotel: the runbook

Everything you've learned, sequenced into one repeatable checklist — the path from a handshake to a delivered, paid-for monitoring service.

Your mission You've signed your first pilot: Seaside Inn — 60 rooms, one restaurant POS, an Oracle OPERA PMS, a firewall, and 4 front-desk PCs. Nine lessons gave you the parts. This lesson is the index that connects them into a service you can run, again and again, for every hotel after this one.

Why a runbook, not a hero project

The difference between a hobbyist and an MSSP is repeatability. A hobbyist installs Wazuh once, heroically, and can never remember how. An MSSP has a checklist: same phases, same order, every client. The checklist is the product — it's what lets you onboard hotel number two in a week instead of a month, and what lets you hand work to a teammate one day.

Key idea Onboarding is not "install Wazuh." It's scope → isolate → deploy → tune → operate → report → expand. Each phase below maps to a lesson you've already done. This page is where they all click together.

The onboarding runbook

Work the phases in order. Each links back to the lesson that taught the skill, so you can drop in for a refresher at any point. We'll use Seaside Inn as the running example throughout.

  1. Phase 1 — Scoping call & asset inventory

    Sit down with the hotel — ideally on-site — and list every system that touches data or the network: the PMS (Seaside runs Oracle OPERA), the restaurant POS terminals, the firewall, switches, the 4 front-desk PCs, the Wi-Fi (guest and staff), and any remote or vendor access (the OPERA support tunnel, the POS vendor's dial-in). For each, ask: what does it do, and does it touch cardholder data? Identify the crown jewels — the systems whose compromise would end the business — using the lens from Lesson 8 (hotel threat model). Anything that takes cards drags you into PCI scope (Lesson 9), so flag it now. Output: an asset / risk register — one row per system, with owner, role, card-data flag, and rough risk. This single document drives every phase that follows.

  2. Phase 2 — Network & data-flow review

    Now trace the wires. Where does a swiped card number actually go — from the POS terminal, through which switch, to which processor? Is the guest Wi-Fi truly segmented from the PMS and POS networks, or is it all one flat LAN (alarmingly common in 60-room properties)? Sketch the data flow and mark the gaps. Be honest about your role: you monitor; you usually don't re-architect. Segmentation fixes may be advisory notes in your report, or a job for the hotel's network partner — but you must know the topology to place sensors well and to scope PCI correctly.

  3. Phase 3 — Stand up (or extend) the Wazuh deployment

    For your first hotel, a single all-in-one node — manager, indexer, and dashboard on one box — is perfectly fine and gets you live fast. Follow Lesson 3 (install the server) exactly as you did in the lab; this is the same procedure, now in production. Keep the bigger picture from Lesson 2 (architecture) in mind: as you add hotels three, four, five, you'll split into a cluster — multiple managers feeding a shared indexer. Don't build that yet. Build the smallest thing that works, and plan the seam for growth.

  4. Phase 4 — Create the client's isolation first

    Before a single agent is deployed, build Seaside Inn's compartment so everything lands in the right place. Create the agent group seaside-inn (Lesson 6, agent groups), an RBAC role scoped to that group, and a dashboard tenant for the hotel (Lesson 7, RBAC & tenants). Doing this before deployment is the whole trick: agents enrolled into seaside-inn inherit the group's config automatically, and their data is walled off from every other client from the first event. Set up the room before you let the guests in.

  5. Phase 5 — Deploy agents, crown jewels first

    Now enroll agents, in order of value: the OPERA PMS host first, then the POS terminals, then the 4 front-desk PCs — the same enrollment flow you practiced in Lesson 4 (first agent & detection), each joined to the seaside-inn group. The firewall and switches can't run an agent, so ingest their logs agentless via syslog instead (the manager listens; the device forwards) — recall the collection paths from Lesson 2. Then push what to watch through the group's agent.conf (Lesson 6): file-integrity monitoring on the POS binaries and OPERA config files, authentication logs, and so on. Configure once at the group; every Seaside host obeys.

  6. Phase 6 — Tune detections

    Out of the box, Wazuh's built-in rules already fire on SSH brute-force, new accounts, and the like — confirm they trigger on Seaside's hosts. Then write the custom decoders and rules for this hotel's specific log formats: OPERA's audit lines, the restaurant POS's transaction log. Build and test them with wazuh-logtest exactly as in Lesson 5 (decoders & rules) before you trust them. The goal here is fewer, truer alerts: chase down false positives now, because an analyst who learns to ignore the dashboard is worse than no analyst at all. Trustworthy alerts are the foundation everything operational rests on.

  7. Phase 7 — Define alerting, triage & escalation

    A firing rule is only half a service; someone has to act. This is the triage step from the very first pipeline you learned (Lesson 1, event → alert). Decide: which severity levels page a human at 3 a.m. versus wait for the morning queue; who is on call; and what the response playbook says for the common cases (brute-force on OPERA, malware on a front-desk PC, POS file change). Write down an SLA — "critical alerts triaged within 30 minutes" — and mean it. The SLA is what the hotel is actually buying.

  8. Phase 8 — Reporting & PCI evidence cadence

    Set a recurring reporting rhythm — monthly and quarterly — pulled from Seaside's own dashboard tenant: log-review summaries, file-integrity changes, alert counts and outcomes, all mapped to the PCI-DSS requirements (Lesson 9) the hotel must satisfy (log review, FIM, access monitoring). This recurring deliverable is not busywork — it's the proof of value the owner can hand to their acquiring bank and their QSA, and it's what justifies your monthly retainer. A hotel forgets the install in a week; it remembers the report that arrives every month.

  9. Phase 9 — Pilot, review, expand

    Run a defined pilot period — say 60 days. At the end, sit down with the hotel again: walk the findings, show the alerts you caught and what you did, tune out whatever still cried wolf, and adjust the SLA against reality. Then expand: add coverage you skipped at first (staff laptops, the booking-engine server), and use the now-proven runbook to onboard the next property. The pilot's real output isn't just a happy client — it's a validated, repeatable process you can sell again.

Minimum viable first hotel Don't let perfect block shipping. The smallest version that delivers real value at Seaside Inn: Ship that. It already protects the crown jewels and produces PCI evidence. Then add the front-desk PCs, the deeper FIM, the tighter SLA. Live and improving beats perfect and unshipped.

On pricing & positioning (briefly): the value you sell is the recurring monitoring and the monthly PCI evidence — the SLA, the triaged alerts, the report that lands every month. That's a retainer. Do not sell a one-off "install Wazuh and walk away" project; it underprices the real work, leaves the hotel unmonitored the day after, and trains the market to see you as a contractor instead of a service. The install is the cheap part; the watching is the business.

Check yourself

Retrieval practice — pull the runbook from memory. Don't peek back up; the sequencing is the whole point.

Question 1 of 3

Why do you create the agent group, RBAC role, and dashboard tenant before deploying any agents?

Setting up the compartment first means every agent you enroll into seaside-inn automatically inherits the group's agent.conf and lands inside the client's walled-off tenant. Build the room before the guests arrive — retrofitting isolation after data has already mixed is painful.

Question 2 of 3

Seaside's firewall can't run a Wazuh agent. How do you get its logs into your SIEM?

Network gear like firewalls and switches rarely runs an agent, so you use agentless syslog ingestion: the device forwards its logs and the Wazuh manager listens. Same pipeline, different collection method — the firewall's events still get decoded, matched, and alerted on.

Question 3 of 3

Which deliverable best justifies Seaside Inn's monthly retainer?

The recurring report is the proof of value: it shows the hotel (and its bank/QSA) that monitoring is happening and that PCI obligations like log review and file-integrity monitoring are being met. The install is the cheap part; the ongoing watching and evidence are what they pay for every month.

Primary source — your go-to reference
Wazuh — Quickstart. This is the canonical all-in-one install and sizing guide; keep it open during Phase 3, and re-read its sizing notes before you cluster for hotels three and beyond. Pair it with the Getting Started overview when you need to re-anchor the whole picture.
I'm your teacher — ask me anything. Want to dry-run the Seaside Inn onboarding end to end? Unsure how to scope PCI for a flat network, or how to word an SLA? Want me to role-play the hotel owner on the pricing conversation? Bring it to the chat — rehearsing the runbook out loud before you do it for real is exactly how it sticks.

You just earned: a repeatable, end-to-end onboarding runbook — scope, isolate, deploy, tune, operate, report, expand — that turns nine lessons of theory into a delivered, paid service for a real hotel.

You've completed the foundational course. You now hold the full arc: the SIEM pipeline and CIA triad, Wazuh's architecture, installing the server and deploying agents, decoders & rules, multi-tenancy (agent groups + RBAC + dashboard tenants), the hotel threat model, PCI-DSS, and now the runbook that ties them together. That's enough to stand up a real pilot. Be proud — and then go validate it against reality.

Where wisdom comes from now: the next level isn't another lesson — it's practitioners. Take your Seaside Inn plan to the Wazuh Community hub and the Wazuh Slack (invite via the same hub), where real MSSPs debate architecture, sizing, and tuning every day. Ask your dumb questions there; ship your pilot; bring back what you learn. Acquiring wisdom is engaging a real community.

Reference: Glossary (revisit it — the terms mean more now) · ← Lesson 9: PCI-DSS · All resources · Mission