A fully automated, production-grade Security Operations Center built on open-source tools and commodity hardware. Designed to demonstrate enterprise-level security engineering: threat detection, automated response, threat intelligence integration, and asset management—all connected via CI/CD pipelines and event-driven automation.
SOC Architecture: Three-Tier Detection & Response
┌─────────────────────────────────────────────────────────────────────┐
│                     DETECTION LAYER (Real-time)                     │
├─────────────────────┬─────────────────┬─────────────────────────────┤
│ Wazuh (SIEM)        │ Suricata (IDS)  │ Zeek (Network Telemetry)    │
│ - Agent-based       │ - Signature-    │ - Protocol parsing          │
│   monitoring        │   based rules   │ - Connection tracking       │
│ - Log analysis      │ - Network       │ - Exploit detection         │
│ - Vulnerability     │   patterns      │ - File extraction           │
│   detection         │ - ET Open rules │                             │
└──────────┬──────────┴────────┬────────┴──────────────┬──────────────┘
           │                   │                       │
           └───────────────────┴───────────────────────┘
                               │
               ┌───────────────▼────────────────┐
               │ Alert Aggregation & Filtering  │
               │   (Wazuh Level 7+ alerts)      │
               └───────────────┬────────────────┘
                               │
┌──────────────────────────────▼──────────────────────────────────────┐
│                ORCHESTRATION LAYER (Shuffle - SOAR)                 │
│                                                                     │
│  1. Parse alert & extract indicators (IP, domain, hash, etc.)       │
│  2. Query threat intelligence sources (6 external APIs)             │
│  3. Lookup in internal threat intel (MISP)                          │
│  4. Query asset inventory (NetBox)                                  │
│  5. Correlate source IP → asset details                             │
│  6. Create structured incident case in IRIS                         │
└──────────────────────────────┬──────────────────────────────────────┘
                               │
┌──────────────────────────────▼──────────────────────────────────────┐
│            INVESTIGATION LAYER (IRIS - Case Management)             │
│                                                                     │
│  - Centralized case creation & tracking                             │
│  - Enriched alert context (asset info, threat intel)                │
│  - Manual investigation & evidence collection                       │
│  - Closure & post-incident review                                   │
└─────────────────────────────────────────────────────────────────────┘
Data Flow: From Detection to Investigation
End-to-End Alert Enrichment Pipeline
1️⃣ DETECTION
   Suspicious SSH login detected on server
   ├─ Source IP: 192.168.1.100
   ├─ Destination: prod-database.internal
   └─ Wazuh Rule: 5761 (Unauthorized access attempt)
        │
        ├─ Alert Level: 10 (Critical)
        └─ Webhook → Shuffle

2️⃣ ORCHESTRATION (Shuffle)
   Extract indicators from alert
   ├─ IP: 192.168.1.100
   ├─ Hostname: prod-database.internal
   └─ Hash: sha256_file_signature
        │
   Query threat intelligence (parallel)
   ├─ VirusTotal: 2/72 detections (trojan)
   ├─ AbuseIPDB: 67% confidence, 24 reports
   ├─ Shodan: Open SSH on unusual port
   ├─ Pulsedive: Known malicious infrastructure
   └─ MISP: Matches 3 recent IOCs
        │
   Query asset inventory (NetBox)
   ├─ Device: prod-db-01
   ├─ Role: Critical Database Server
   ├─ Owner: Database Team
   └─ Status: Active
        │
        └─ Correlate: "Attack on critical infrastructure"

3️⃣ INVESTIGATION (IRIS)
   Automated case created with full context
   ├─ Title: "Critical: Unauthorized access attempt on prod-database"
   ├─ Severity: HIGH (escalated from threat intel match)
   ├─ Asset Context: Database server, critical role, active status
   ├─ Threat Intel: 67% abuse confidence, known malicious infrastructure
   └─ Analyst Actions:
        ├─ Review MISP sightings & related events
        ├─ Check NetBox for related assets
        ├─ Pull logs from Zeek/Suricata
        └─ Decide: Isolate → Investigate → Document
Component Deep Dive
Detection Tier: Defense in Depth
Wazuh (SIEM)
- Agent-based monitoring on all endpoints (Linux servers, Windows hosts, Mac)
- Parses application logs, system logs, file integrity monitoring
- Correlates events across sources; generates aggregated alerts
- Custom rules for business logic (failed SSH attempts, permission changes, etc.)
- Output: Structured alerts (level 1-15) to Shuffle webhook (level 7+)
Suricata (IDS)
- Passive network traffic analysis on host network tap (enp1s0)
- ET Open ruleset + MISP-generated IOC rules (updated daily)
- Detects known malware, exploits, and suspicious network patterns
- Logs: EVE.json, ingested by Wazuh so network events can be correlated with endpoint data
Zeek (Network Telemetry)
- Dual-purpose: IDS + telemetry collection
- Protocol parsers: DNS, HTTP, SSL, FTP, SSH, SMTP
- File extraction & hashing (MD5, SHA256)
- Connection tracking with 7-tuple uniqueness
- Passive analysis—doesn’t interfere with traffic
Honeypots (OpenCanary + Cowrie)
- OpenCanary: Simulates exposed services (MySQL, RDP, FTP, etc.)
- Cowrie: Captures SSH bruteforce attempts and attacker commands
- Logs all interactions to Loki; triggers high-confidence alerts in Wazuh
Orchestration Tier: Automated Response
Shuffle (SOAR - Security Orchestration, Automation & Response)
Alert → Workflow Pipeline:
- Parse: Extract structured data from Wazuh alert JSON
- Enrich (parallel calls):
- VirusTotal: Hash reputation
- AbuseIPDB: IP abuse confidence
- Shodan: Service discovery
- Pulsedive: Threat scoring
- URLScan.io: URL & domain reputation
- MalwareBazaar: Sample analysis
- Correlate: Query MISP for known malicious indicators
- Asset Lookup: Query NetBox API for device ownership & role
- Create Case: POST enriched alert to IRIS API
- Notify: Slack/email alert to SOC team
Workflow Automation Rules:
- Wazuh level 7-9 → Create IRIS case + notify team
- Wazuh level 10+ → Create case + escalate + pull Zeek logs
- MISP high-confidence match → Escalate severity in IRIS
- Asset is “Critical” → Auto-escalate, immediate notification
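The parse step and the four automation rules above, as a stand-alone example added here (this is not the project's Shuffle workflow). It takes a Wazuh alert JSON string, pulls out the routing fields and indicators, and returns the IRIS severity plus the ordered actions the rules call for. Field names follow the Wazuh alert schema (rule.level, rule.id, data.srcip, agent.name, syscheck.sha256_after); the severity labels MEDIUM/HIGH/CRITICAL, the action names, and the sample alert are assumptions constructed for the example.

```python
import json
import re

WEBHOOK_MIN_LEVEL = 7          # Wazuh forwards only level 7+ alerts to Shuffle
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def make_alert(level, rule_id="5761", src_ip="192.168.1.100", sha256=None):
    """Build a constructed Wazuh-style alert JSON string (test data, not a real alert)."""
    alert = {
        "timestamp": "2024-01-01T00:00:00.000+0000",
        "rule": {"level": level, "id": rule_id,
                 "description": "Unauthorized access attempt"},
        "agent": {"id": "003", "name": "prod-db-01"},
        "data": {"srcip": src_ip, "dstuser": "root"},
    }
    if sha256:
        alert["syscheck"] = {"sha256_after": sha256}
    return json.dumps(alert)


SAMPLE_ALERT = make_alert(10, sha256="a" * 64)   # constructed hash value


def parse_alert(raw):
    """Parse step: extract routing fields and indicators from a Wazuh alert."""
    alert = json.loads(raw)
    rule = alert.get("rule", {})
    data = alert.get("data", {})
    sha256 = (alert.get("syscheck") or {}).get("sha256_after")
    return {
        "level": int(rule.get("level", 0)),
        "rule_id": str(rule.get("id", "")),
        "description": rule.get("description", ""),
        "agent": (alert.get("agent") or {}).get("name"),
        "src_ip": data.get("srcip"),
        # Only hand a well-formed hash to VirusTotal/MalwareBazaar lookups.
        "sha256": sha256 if sha256 and SHA256_RE.match(sha256) else None,
    }


def decide(parsed, asset=None, misp_high_confidence=False):
    """Apply the workflow automation rules to a parsed alert.

    asset: NetBox record for the source IP (dict with a 'role' key), or None.
    misp_high_confidence: True when MISP returned a high-confidence match.
    Returns the IRIS severity (assumed labels) and the ordered action list.
    """
    level = parsed["level"]
    if level < WEBHOOK_MIN_LEVEL:
        return {"severity": None, "actions": []}   # never reaches Shuffle

    actions = ["create_iris_case", "notify_team"]  # level 7-9 baseline
    severity = "MEDIUM"

    def add(action):
        if action not in actions:
            actions.append(action)

    if level >= 10:                      # level 10+: escalate and pull Zeek logs
        severity = "HIGH"
        add("escalate")
        add("pull_zeek_logs")
    if misp_high_confidence:             # MISP match: escalate severity
        severity = "HIGH"
        add("escalate")
    role = (asset or {}).get("role") or ""
    if "critical" in role.lower():       # critical asset: auto-escalate, notify now
        severity = "CRITICAL"
        add("escalate")
        add("immediate_notification")
    return {"severity": severity, "actions": actions}


def run(raw, asset=None, misp_high_confidence=False):
    """Parse then decide: the two nodes a Shuffle workflow would chain."""
    return decide(parse_alert(raw), asset, misp_high_confidence)


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_ALERT, {"role": "Critical Database Server"}, True), indent=2))
```

Keeping the rules in one pure function like `decide` means the escalation logic can be unit-tested on captured alerts before it is wired into the SOAR, and a rule change is a one-line diff rather than a click-through in the workflow editor.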
Investigation Tier: Case Management
IRIS (Incident Response Investigation System)
- Central hub for all security incidents
- Structured case creation with templates
- Timeline of events with evidence correlation
- Integration with MISP for threat context
- Audit trail for compliance (SOC 2, etc.)
- Post-incident review & closure workflow
Data Connections: The Glue
Real-Time Event Feeds
Wazuh Alerts
├─ JSON webhook to Shuffle @ level 7+
│  └─ Processed within 5 seconds
│
└─ Structured logs to Loki
   └─ Retention: 30 days, queryable in Grafana

Suricata Events
├─ EVE.json ingested by Wazuh
└─ Correlated with endpoint data

Zeek Events
├─ conn.log, dns.log, http.log → Loki
├─ File hashes → NetBox (asset tracking)
└─ Network relationships → IRIS investigation
Asset Intelligence
NetBox as Source of Truth:
- 62 Docker containers (synced hourly via API)
- 8 Tailscale devices (synced daily via API)
- 6 Wazuh agents (synced every 6 hours via API)
- Total: 76 devices with IP assignments, roles, ownership
CI/CD Connection:
Infrastructure Changes → NetBox Sync Scripts
├─ New container deployed → Auto-registered in NetBox
├─ Device joins Tailnet → Auto-registered with IP
└─ Wazuh agent installed → Auto-registered as monitored asset

When an alert occurs:
Source IP in alert → Lookup in NetBox
├─ "What device owns this IP?"
├─ "Who is responsible?"
├─ "What is this device's criticality?"
└─ Append context to IRIS case
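The "Source IP in alert → Lookup in NetBox" step as a stand-alone function, added here as an example (not the project's own sync or lookup script). It uses two real NetBox REST endpoints, GET /api/ipam/ip-addresses/?address=<ip> and GET /api/dcim/devices/<id>/, authenticated with the "Authorization: Token ..." header, and reduces the responses to the three answers above. Mapping NetBox's tenant to "owner", treating any device role containing "critical" as a critical asset, and the sample responses are assumptions for this example.

```python
import json
import urllib.parse
import urllib.request


def netbox_get(base_url, token, path, params=None):
    """Authenticated GET against the NetBox API; returns the decoded JSON body."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={
        "Authorization": f"Token {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def build_asset_context(ip_payload, device_payload=None):
    """Reduce the two API responses to the context appended to the IRIS case.

    ip_payload: response of /api/ipam/ip-addresses/?address=<ip>
    device_payload: response of /api/dcim/devices/<id>/, or None when the IP
    is not assigned to a device interface.
    """
    results = ip_payload.get("results") or []
    if not results:
        # An unknown source is itself useful context: unmanaged host or spoofed address.
        return {"known": False, "device": None, "role": "", "owner": None,
                "status": None, "critical": False}
    ip_obj = results[0]
    assigned = ip_obj.get("assigned_object") or {}
    device = (assigned.get("device") or {}).get("name")
    role_obj, tenant, status = {}, None, None
    if device_payload:
        # NetBox 3.6 renamed the device_role field to role; accept both.
        role_obj = device_payload.get("role") or device_payload.get("device_role") or {}
        tenant = (device_payload.get("tenant") or {}).get("name")
        status = (device_payload.get("status") or {}).get("value")
    role = role_obj.get("name", "")
    return {
        "known": True,
        "address": ip_obj.get("address"),
        "device": device,                    # "What device owns this IP?"
        "role": role,                        # "What is this device's criticality?"
        "owner": tenant,                     # "Who is responsible?" (tenant = owner, assumed)
        "status": status,
        "critical": "critical" in role.lower(),
    }


def lookup_ip(base_url, token, ip):
    """Resolve an IP to its device record and return the enrichment context."""
    ip_payload = netbox_get(base_url, token, "/api/ipam/ip-addresses/", {"address": ip})
    device_payload = None
    results = ip_payload.get("results") or []
    if results:
        device_id = ((results[0].get("assigned_object") or {}).get("device") or {}).get("id")
        if device_id is not None:
            device_payload = netbox_get(base_url, token, f"/api/dcim/devices/{device_id}/")
    return build_asset_context(ip_payload, device_payload)


# Constructed sample responses, trimmed to the fields used above.
SAMPLE_IP_RESPONSE = {
    "count": 1,
    "results": [{
        "address": "192.168.1.100/24",
        "assigned_object_type": "dcim.interface",
        "assigned_object": {"id": 17, "name": "eth0",
                            "device": {"id": 5, "name": "prod-db-01"}},
    }],
}
SAMPLE_DEVICE_RESPONSE = {
    "id": 5, "name": "prod-db-01",
    "role": {"name": "Critical Database Server"},
    "tenant": {"name": "Database Team"},
    "status": {"value": "active", "label": "Active"},
}

if __name__ == "__main__":
    print(json.dumps(build_asset_context(SAMPLE_IP_RESPONSE, SAMPLE_DEVICE_RESPONSE), indent=2))
```

Separating the HTTP calls (`netbox_get`, `lookup_ip`) from the reduction (`build_asset_context`) lets the mapping be tested offline against recorded responses and keeps the part that runs inside the SOAR small.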
Threat Intelligence Pipeline
MISP (Malware Information Sharing Platform)
- 16 auto-updating feeds (abuse.ch, Emerging Threats, etc.)
- Daily sync with Suricata (generates IOC detection rules)
- Real-time integration with Shuffle (enrichment lookup)
- Sighting tracking: When Wazuh detects a known-bad indicator, MISP records the sighting
CI/CD Connection:
MISP Updates (2:30 AM daily)
↓
Suricata IOC Rules Rebuilt (3:30 AM daily)
↓
IDS monitors network with fresh threat context
↓
Alert generated on match
↓
Shuffle queries MISP for historical context
↓
MISP records sighting + enriches case
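The "MISP Updates → Suricata IOC Rules Rebuilt" step, as an example added here (not the project's nightly job). Input is a list of MISP attributes in the shape returned by /attributes/restSearch (type, value, to_ids, Event.id, Event.info); the generator emits one Suricata rule per network indicator Suricata can match directly (ip-dst, ip-src, their |port variants, domain, hostname), validates each value so a malformed feed entry cannot break the rule file, and skips everything else. The sid range starting at 1000000, the classtype, and the sample attributes are assumptions for this example.

```python
import ipaddress
import re

SID_BASE = 1000000   # assumed local sid range; keep clear of ET Open sids
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def _safe_msg(event_id, attr_type, info):
    """Rule msg text with characters that would break rule syntax removed."""
    clean = re.sub(r'[";\\]', "", info or "")[:60].strip()
    return f"MISP event {event_id} {attr_type} {clean}".strip()


def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _split_ip_port(value):
    """'203.0.113.10|443' -> ('203.0.113.10', '443'); plain IP -> (ip, 'any')."""
    ip, port = (value.split("|", 1) + ["any"])[:2]
    if not _valid_ip(ip) or not (port == "any" or port.isdigit()):
        return None
    return ip, port


def attribute_to_rule(attr, sid):
    """Convert one MISP attribute to a Suricata rule; None if unsupported or invalid."""
    if not attr.get("to_ids", True):
        return None                       # analyst marked it not for IDS use
    atype = attr.get("type", "")
    value = str(attr.get("value", "")).strip()
    event = attr.get("Event") or {}
    event_id = event.get("id", "0")
    msg = _safe_msg(event_id, atype, event.get("info"))
    tail = (f'metadata:misp_event_id {event_id}; classtype:trojan-activity; '
            f'sid:{sid}; rev:1;')

    if atype in ("ip-dst", "ip-dst|port"):
        parsed = _split_ip_port(value)
        if parsed is None:
            return None
        ip, port = parsed
        return f'alert ip $HOME_NET any -> {ip} {port} (msg:"{msg}"; {tail})'
    if atype in ("ip-src", "ip-src|port"):
        parsed = _split_ip_port(value)
        if parsed is None:
            return None
        ip, port = parsed
        return f'alert ip {ip} {port} -> $HOME_NET any (msg:"{msg}"; {tail})'
    if atype in ("domain", "hostname"):
        if not DOMAIN_RE.match(value):
            return None
        return (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; '
                f'dns.query; content:"{value}"; nocase; {tail})')
    return None   # hashes, URLs etc. are matched by other tools in this stack


def generate_rules(attributes, sid_base=SID_BASE):
    """Return deduplicated Suricata rules with sequential sids."""
    rules, seen, sid = [], set(), sid_base
    for attr in attributes:
        key = (attr.get("type"), str(attr.get("value", "")).strip().lower())
        if key in seen:
            continue
        rule = attribute_to_rule(attr, sid)
        if rule:
            seen.add(key)
            rules.append(rule)
            sid += 1
    return rules


def write_rules(rules, path):
    """Write the rule file Suricata loads (add it to rule-files in suricata.yaml)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# generated from MISP; do not edit by hand\n")
        fh.write("\n".join(rules) + "\n")


# Constructed sample attributes using RFC 5737 / RFC 2606 example values.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True,
     "Event": {"id": "42", "info": "C2 infrastructure; \"botnet\""}},
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True,
     "Event": {"id": "43", "info": "duplicate of the above"}},
    {"type": "domain", "value": "malware.example", "to_ids": True,
     "Event": {"id": "44", "info": "Phishing kit"}},
    {"type": "ip-src|port", "value": "198.51.100.7|4444", "to_ids": True,
     "Event": {"id": "45", "info": "Scanner"}},
    {"type": "ip-dst", "value": "not an ip", "to_ids": True,
     "Event": {"id": "46", "info": "malformed feed entry"}},
    {"type": "sha256", "value": "a" * 64, "to_ids": True,
     "Event": {"id": "47", "info": "sample hash"}},
    {"type": "domain", "value": "benign.example", "to_ids": False,
     "Event": {"id": "48", "info": "not for IDS"}},
]

if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_ATTRIBUTES)))
```

The value checks and msg sanitising matter because the feed content is untrusted: a stray quote or semicolon in an event title, or a non-IP value in an ip-dst attribute, would otherwise make Suricata reject the whole generated file at the 3:30 AM reload. Honouring to_ids keeps analyst-only indicators out of the IDS, and the stable sid sequence lets rev be bumped rather than renumbering on each rebuild.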
Automation in Action: The Full Loop
Example: Detecting a Malware Infection
Timeline:
00:00  Zeek detects suspicious binary execution
       └─→ Wazuh correlates with file integrity change
           └─→ Rule 5870 (malware detection) fires at level 10
               └─→ Webhook sent to Shuffle

00:05  Shuffle receives alert
       ├─→ Extract: Hash, IP, hostname, process name
       ├─→ Query VirusTotal: ✓ Detected as Trojan.Generic
       ├─→ Query AbuseIPDB: ✓ IP has 12 abuse reports
       ├─→ Query MISP: ✓ Matches 3 known C2 indicators
       ├─→ Query NetBox: Device = "desktop-user-01" (User: John)
       └─→ POST to IRIS with severity HIGH

00:06  IRIS Case Created
       Title: "Malware detected on desktop-user-01"
       Severity: HIGH
       Owner: SOC Team
       Context Included:
       - VirusTotal: Known malware family
       - MISP: Known C2 infrastructure
       - NetBox: Desktop, non-critical, user workstation
       - Zeek: 12 outbound connections to C2 domain

00:10  SOC Analyst Reviews Case
       Decision: Isolate device
       └─→ Execute containment (manual or via Wazuh agent)

00:30  Post-Incident Review
       ├─→ Document findings, update MISP with sightings
       └─→ Suricata rules updated for future detection
Infrastructure & Deployment
Hardware:
- Ubuntu Server 24.04 LTS (bare metal)
- 32 CPU cores, 64GB RAM, 2TB NVMe SSD
- Ethernet tap on network (Suricata + Zeek)
Containerization:
- Docker + Docker Compose (19 services)
- Persistent volumes for state (Wazuh, IRIS, MISP, NetBox)
- Shared Docker network for inter-service communication
SSL/TLS:
- Internal CA (self-signed, SAN config)
- Nginx Proxy Manager for HTTPS termination
- All services accessible via .homelab domains (DNS rewrites in AdGuard)
Observability:
- Grafana dashboards (Wazuh alerts, network stats, system health)
- Loki log aggregation (30-day retention)
- Promtail collectors on all services
Security Posture Achieved
✓ Real-time threat detection (3 detection engines, <5sec alert generation)
✓ Automated threat enrichment (6 threat intelligence sources)
✓ Asset-centric incident response (NetBox correlation)
✓ Audit trail & compliance (IRIS case management)
✓ Threat intelligence feedback (MISP sightings, rule updates)
✓ Scalable infrastructure (Docker, automated provisioning)
Next Steps (Planned)
- Velociraptor integration: DFIR hunting on endpoints (✓ deployed)
- AdGuard auto-blocking: Feed MISP/Shuffle detections to DNS blocklist
- Cortex analyzers: Automated hash/IP/domain analysis (pending API keys)
- Authentik SSO: Single sign-on for all services
- Mobile agent deployment: Wazuh agents on mobile devices