sabelo-tech/Home-SOC-Lab-Threat-Detection-Incident-Response

GitHub: sabelo-tech/Home-SOC-Lab-Threat-Detection-Incident-Response

A home Security Operations Center lab built from scratch, demonstrating the complete workflow of end-to-end threat detection, incident investigation and response.

Stars: 0 | Forks: 0

# Home SOC Lab — Threat Detection & Incident Response

![Status](https://img.shields.io/badge/Status-Complete-success) ![Platform](https://img.shields.io/badge/Platform-Splunk%20%7C%20Suricata%20%7C%20Sysmon-blue) ![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-5%20Techniques-orange) ![IR Reports](https://img.shields.io/badge/IR%20Reports-3%20Complete-green)

A fully operational Security Operations Center built from scratch, designed to demonstrate end-to-end threat detection, investigation and incident response capabilities.

Built by Sabelo Eugene Moyo

## 🎯 Project Overview

This project demonstrates practical SOC analyst skills through a complete security operations environment. I built a multi-platform SOC lab using industry-standard tools (Splunk, Suricata IDS, Sysmon) to detect, investigate and document realistic attack scenarios mapped to the MITRE ATT&CK framework.

## Why This Project Matters

- Demonstrates hands-on experience with a SIEM platform, not just theoretical knowledge
- Shows the ability to write custom detection rules and investigate security incidents
- Proves the ability to document findings in professional incident response reports
- Validates an understanding of adversary tactics, techniques and procedures (TTPs)

## 🏗️ Architecture

### Environment Overview

| Component | Technology | Purpose |
|--------------------|--------------------------------|-------------------------------------------------|
| **SIEM** | Splunk Enterprise 9.2 | Centralized log aggregation, correlation and alerting |
| **Network IDS** | Suricata | Network traffic monitoring, signature-based detection |
| **Windows Telemetry** | Sysmon (SwiftOnSecurity config) | Process creation, network connections, file events |
| **Linux Telemetry** | auditd | System call auditing, security events |
| **Attack Platform** | Kali Linux | Adversary emulation and penetration testing |
| **Virtualization** | VirtualBox 7.0 | Isolated lab environment |

## Steps

Each step below was documented with a screenshot in the original repository; only the captions survive here.

- 1. Downloading VirtualBox *(screenshot)*
- 2. Running the installer with default settings *(screenshot)*
- 3. Creating the lab virtual network *(screenshot)*
- 4. Downloading the Ubuntu Server ISO image *(screenshot)*
- 5. Downloading the Kali Linux ISO image *(screenshot)*
- 6. Downloading the Windows 11 Enterprise ISO image *(screenshot)*
- 7.1 – 7.4 Creating the Splunk VM *(four screenshots)*
- 7.5 Creating the Splunk VM: network adapter *(screenshot)*
- 8.0 Booting the VM and walking through the Ubuntu Server installation using default options *(screenshot)*
- 8.1 Choosing the Ubuntu Server installation type *(screenshot)*
- 8.2 Ubuntu Server network configuration and DHCP address *(screenshot)*
- 8.3 Ubuntu Server storage configuration *(screenshot)*
- 8.4 Ubuntu Server profile configuration *(screenshot)*
- 8.5 Ubuntu Server installing *(screenshot)*
- 9.1 Initial Ubuntu configuration *(screenshot)*
- 9.2 Updating the system *(screenshot)*
- 9.3 Server IP address *(screenshot)*
- 9.4 Issues downloading Splunk *(screenshot)*
- 9.5 Installing wget, curl and ping *(screenshot)*
- 9.6 Successfully downloading Splunk after troubleshooting *(screenshot)*
- 9.7 Installing the package and setting the username and password *(screenshot)*
- 9.8 Enabling Splunk to start at boot *(screenshot)*
- 10. Accessing the Splunk web UI *(screenshot)*
- 10.1 Creating the Windows log index in the Splunk web UI *(screenshot)*
- 10.2 Creating the Linux log index in the Splunk web UI *(screenshot)*
- 10.3 Creating the Suricata log index in the Splunk web UI *(screenshot)*
- 10.4 Creating the firewall log index in the Splunk web UI *(screenshot)*
- 11.1 Windows 11 configuration *(screenshot)*
- 11. Creating the Windows 11 victim machine *(screenshot)*
- 12.0 Installing the Windows 11 victim machine *(screenshot)*
- 12.1 Windows 11 IP address *(screenshot)*
- 12.2 Fixing DNS resolution in the Windows VM *(screenshot)*
- 12.3 Manually configuring the Windows VM DNS *(screenshot)*
- 12.4 Pinging Google to verify that DNS resolution works *(screenshot)*
- 12.5 Pulling the official Sysmon package from Microsoft Sysinternals *(screenshot)*
- 12.6 Installing Sysmon *(screenshot)*
- 12.7 Confirming that Sysmon is running *(screenshot)*
- 12.8 Downloading the Splunk Universal Forwarder *(screenshot)*
- 12.9 Running the installer *(screenshot)*
- 12.10 Post-installation configuration *(screenshot)*
- 12.11 Configuring log collection (inputs.conf) *(screenshot)*
- 12.12 Confirming the Windows index in Splunk *(screenshot)*
- 13.0 Downloading the Ubuntu Desktop ISO *(screenshot)*
- 13.1 Creating the Ubuntu VM *(screenshot)*
- 13.2 Downloading the Splunk Universal Forwarder on the Ubuntu VM *(screenshot)*
- 13.3 Installing the Splunk Universal Forwarder *(screenshot)*
- 13.4 Pointing the forwarder to my Splunk server *(screenshot)*
- 13.5 Adding log sources *(screenshot)*
- 13.6 Enabling auditd for enhanced Linux logging *(screenshot)*
- 14.1 Installing Suricata on the Splunk server VM *(screenshot)*
- 14.2 Configuring Suricata on the Splunk server VM *(screenshot)*
- 14.3 Starting and enabling Suricata *(screenshot)*
- 14.4 Configuring inputs.conf so Splunk reliably ingests Suricata logs every time it starts *(screenshot)*
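Steps 14.1–14.4 end with Suricata's EVE JSON log (`eve.json`) being ingested into the `suricata` index created in step 10.3. The following is an added example, not code from this repository, showing the kind of first-pass triage an analyst does on that log before (or instead of) pivoting into Splunk: it parses EVE lines, drops non-alert events and malformed lines, aggregates alerts by signature, source IP and severity, and builds the SPL search to pivot on a noisy source. The sample log lines, IP addresses and signature IDs are constructed placeholders, and the SPL field names (`alert.signature`, `src_ip`) assume Splunk's automatic JSON field extraction on the `suricata` index.

```python
"""First-pass triage of Suricata EVE JSON alerts.

Added example for this README; not part of the original project. All sample
data below is constructed (placeholder IPs, placeholder signature IDs).
"""
import json
from collections import Counter

# Constructed sample of /var/log/suricata/eve.json: one JSON object per line.
# Only event_type == "alert" carries a signature; other event types (flow,
# dns, http, ...) are telemetry and are ignored by the triage functions.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"192.168.56.10","dest_ip":"192.168.56.20","proto":"TCP"}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.168.56.10","dest_ip":"192.168.56.20","dest_port":445,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB TEST SMB probe","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.56.10","dest_ip":"192.168.56.20","dest_port":22,"proto":"TCP","alert":{"signature_id":9000002,"signature":"LAB TEST SSH brute force","category":"Attempted Administrator Privilege Gain","severity":1}}',
    'this line is not JSON and simulates a truncated write during log rotation',
    '{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.56.30","dest_ip":"192.168.56.20","dest_port":80,"proto":"TCP","alert":{"signature_id":9000003,"signature":"LAB TEST suspicious user agent","category":"Potentially Bad Traffic","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.56.10","dest_ip":"192.168.56.20","dest_port":22,"proto":"TCP","alert":{"signature_id":9000002,"signature":"LAB TEST SSH brute force","category":"Attempted Administrator Privilege Gain","severity":1}}',
]


def parse_eve(lines):
    """Return (alerts, skipped): alert events as dicts plus the count of
    lines that were not valid JSON objects (a real eve.json can contain a
    partial last line while Suricata is still writing)."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        if event.get("event_type") != "alert" or "alert" not in event:
            continue  # flow/dns/http telemetry, not a detection
        alerts.append(event)
    return alerts, skipped


def summarize(alerts):
    """Counts by signature, source IP and Suricata severity (1 = highest)."""
    return {
        "by_signature": Counter(a["alert"]["signature"] for a in alerts),
        "by_src_ip": Counter(a["src_ip"] for a in alerts),
        "by_severity": Counter(a["alert"]["severity"] for a in alerts),
    }


def high_severity(alerts, max_severity=1):
    """Alerts at or above the urgency cutoff. Suricata's severity field is a
    priority: 1 is the most urgent, so 'at or above' means <= max_severity."""
    return [a for a in alerts if a["alert"]["severity"] <= max_severity]


def noisy_sources(alerts, threshold=3):
    """Source IPs that triggered at least `threshold` alerts, sorted."""
    counts = Counter(a["src_ip"] for a in alerts)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def pivot_search(src_ip, index="suricata"):
    """SPL to pivot on one source in the lab's Suricata index. Field names
    assume Splunk's automatic JSON extraction of eve.json (assumption)."""
    return (
        f'index={index} event_type=alert src_ip="{src_ip}" '
        "| stats count by alert.signature, dest_ip, dest_port | sort -count"
    )


if __name__ == "__main__":
    alerts, skipped = parse_eve(SAMPLE_EVE_LINES)
    print(f"{len(alerts)} alerts parsed, {skipped} malformed line(s) skipped")
    for name, counter in summarize(alerts).items():
        print(name, dict(counter))
    print("high severity:", [a["alert"]["signature"] for a in high_severity(alerts)])
    for ip in noisy_sources(alerts):
        print("pivot:", pivot_search(ip))
```

Running it on the constructed sample reports four alerts and one skipped line, flags `192.168.56.10` as the only source over the threshold, and prints the SPL search you would paste into the Splunk UI from step 10 to see that host's full alert history. Counting malformed lines separately matters in practice: a sudden jump in skipped lines usually means the log file was rotated or the disk filled, which is a gap in detection coverage rather than a quiet network.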

