A complete SOC lab with Wazuh, ELK, Zeek, pfSense, Snort, TheHive, Cortex, MISP, and Shuffle.
You can read the full SOC lab documentation here:
---> SOC_Lab_Report.pdf
This lab is a fully functional, open-source-based Security Operations Center (SOC) environment designed for learning, simulation, and hands-on practice in threat detection, investigation, and response.
The project integrates a wide range of tools and platforms to simulate realistic blue team and red team operations. It includes endpoint agents, SIEM components, SOAR, firewall, IDS, threat intel platforms, and attack emulation.
Components:
- Windows Server 2016 – Domain Controller
- Windows Client
- Ubuntu Client
- Parrot OS Client – Linux workstation for diversity
- Wazuh – Agent management and log analysis
- ELK Stack (Elasticsearch, Logstash, Kibana) – Visual dashboard and storage
- pfSense Firewall
- Snort IDS integrated within pfSense
- Zeek – Network traffic analysis
- Custom Zeek detection scripts – Alert generation based on suspicious patterns
- Kali Linux – Attacker machine for red team scenarios (penetration testing, malware, brute-force, etc.)
- Shuffle SOAR – Automation of security workflows
  - Integrated with:
    - Gmail API – Alert notifications
    - VirusTotal API – File/URL intelligence enrichment
    - TheHive – Incident response platform
    - Cortex – Analyzer engine connected to TheHive
    - MISP – Threat intelligence sharing (feeds and IOCs)

Integrations:
- Wazuh Server ⇄ ELK Stack
- pfSense ⇄ Snort IDS
- Shuffle ⇄ TheHive ⇄ Cortex ⇄ MISP
- Zeek ⇄ Wazuh via custom scripts
- Shuffle ⇄ Gmail + VirusTotal APIs

Objectives:
- Simulate real-world SOC environments
- Practice blue team monitoring and incident response
- Automate threat detection and alerting
- Enrich incidents with threat intel sources
- Test offensive security techniques in a safe environment

Planned improvements:
- Add MITRE ATT&CK correlation
- Integrate YARA or Suricata
- Automate IOC ingestion from MISP to Wazuh
Built by BOUSSETA HATIM
