Megatron-Prime86/SOC-HOME-LAB

GitHub: Megatron-Prime86/SOC-HOME-LAB


# 🛡️ SOC Home Lab — Blue Team Detection Environment

A fully operational Security Operations Center (SOC) home lab built on WSL 2 (Ubuntu), simulating Tier 1 analyst workflows including log ingestion, network traffic analysis, intrusion detection, automated response, and AI-assisted alert triage.

## 🏗️ Lab Architecture

```
┌─────────────────────────────────────────────────────────┐
│                      SOC HOME LAB                       │
│                     WSL 2 — Ubuntu                      │
│                                                         │
│  ┌─────────────┐   ┌─────────────┐                      │
│  │  Suricata   │   │    Zeek     │   ← Network Layer    │
│  │   (IDS)     │   │  (Traffic   │                      │
│  └──────┬──────┘   │  Analysis)  │                      │
│         │          └──────┬──────┘                      │
│         ▼                 ▼                             │
│  ┌─────────────────────────────────┐                    │
│  │       Rsyslog + Filebeat        │   ← Log Shipping   │
│  └──────────────┬──────────────────┘                    │
│                 ▼                                       │
│  ┌─────────────────────────────────┐                    │
│  │     Elasticsearch + Kibana      │   ← SIEM Layer     │
│  └──────────────┬──────────────────┘                    │
│                 ▼                                       │
│  ┌─────────────────────────────────┐                    │
│  │  AI Triage Layer (Python +      │   ← Analysis Layer │
│  │  Anthropic Claude API)          │                    │
│  │  → MITRE ATT&CK Mapping         │                    │
│  └─────────────────────────────────┘                    │
│                                                         │
│  ┌─────────────┐                                        │
│  │  Fail2ban   │   ← Automated Response                 │
│  └─────────────┘                                        │
└─────────────────────────────────────────────────────────┘
```

## 🧰 Stack Overview

| Component | Role | Category |
|-----------|------|----------|
| Elasticsearch | Log storage and indexing | SIEM |
| Kibana | Visualization and dashboards | SIEM |
| Filebeat | Log shipping agent | Log Collection |
| Rsyslog | System log aggregation | Log Collection |
| Suricata | Network intrusion detection (IDS) | Detection |
| Zeek | Network traffic analysis and metadata | Detection |
| Fail2ban | Automated IP blocking on brute-force | Response |
| Python + Claude API | AI-assisted alert triage | Analysis |

## 🔍 Key Capabilities

### Log Ingestion & Correlation

- Filebeat ships system logs and Suricata EVE JSON logs into Elasticsearch
- Kibana Data Views configured for real-time log querying
- Rsyslog aggregates logs before forwarding

### Network Intrusion Detection (Suricata)

- Monitors live network traffic for malicious patterns
- Generates structured EVE JSON alerts into the ELK stack
- Covers port scans, brute-force attempts, and malicious signatures

### Network Traffic Analysis (Zeek)

- Generates connection logs, DNS logs, HTTP logs, and protocol metadata
- Provides behavioral context beyond signature-based detection

### Automated Response (Fail2ban)

- Monitors auth.log for repeated failed SSH attempts
- Auto-blocks offending IPs via firewall rules
- Maps to MITRE ATT&CK T1110 — Brute Force

### AI-Assisted Triage Layer

- Python script sends log events to the Anthropic Claude API
- Claude classifies events by severity and maps them to MITRE ATT&CK techniques
- Simulates analyst decision-support tooling in a real SOC environment

## 🗂️ Repository Structure

```
soc-home-lab/
├── README.md
├── logs/                  # Sample log files for analysis exercises
├── pcaps/                 # Packet captures for Wireshark/Zeek analysis
├── scripts/
│   └── ai_triage.py       # AI-assisted log triage using Claude API
├── rules/                 # Custom Suricata detection rules
├── reports/               # Incident reports and findings documentation
└── projects/
    └── project1-log-analysis/
```

## 📁 Projects

### Project 1 — Windows & Linux Log Analysis

Status: In Progress

Simulated SOC investigation analyzing authentication logs for:

- T1078 — Valid Accounts
- T1110 — Brute Force
- T1136 — Create Account

## 🗺️ MITRE ATT&CK Coverage

| Technique | ID | Detection Source |
|-----------|----|------------------|
| Brute Force | T1110 | auth.log → Fail2ban + Suricata |
| Valid Accounts | T1078 | auth.log → Filebeat → Kibana |
| Create Account | T1136 | auth.log → Log Analysis |
| Network Service Scanning | T1046 | Suricata + Zeek |

## 🧪 Lab Users

| User | Role |
|------|------|
| soc-analyst | Primary analyst — log review, alert triage |
| lab-attacker | Simulated threat actor for attack scenarios |
| soc-admin | Lab administration and tool configuration |

## 📜 Certifications In Progress

Google Cybersecurity Professional Certificate — Coursera

- ✅ Course 1: Foundations of Cybersecurity
- ✅ Course 2: Play It Safe — Manage Security Risks
- ✅ Course 3: Connect and Protect — Networks and Network Security

## 🔗 Related Projects

- PhishTrace-Intelligence — Phishing threat intelligence web app

## 👤 About

B.Tech Computer Science student specializing in defensive security and Blue Team operations.

Open to: 3-month SOC Analyst / Cybersecurity Analyst internships — Bangalore on-site or Remote
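As an added example (not code from this repository; the `scripts/ai_triage.py` script is not reproduced here), the auth.log checks that the Fail2ban capability and Project 1's ATT&CK coverage table describe, run over constructed sample lines: a source IP that fails SSH login `maxretry` times inside a `findtime` window is flagged as T1110 (the same trigger Fail2ban bans on), a successful login from a source that was just failing is flagged as T1078, and a `useradd` entry as T1136. The hostname, IPs and account names in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not taken from the repository's logs/ directory).
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 soclab sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 09:00:03 soclab sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 09:00:05 soclab sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 09:00:07 soclab sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 09:00:09 soclab sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 09:00:12 soclab sshd[1206]: Accepted password for soc-analyst from 203.0.113.7 port 51005 ssh2
Mar 10 09:30:00 soclab sshd[1300]: Failed password for soc-admin from 198.51.100.4 port 40000 ssh2
Mar 10 09:31:00 soclab sshd[1301]: Accepted publickey for soc-admin from 192.0.2.10 port 40500 ssh2
Mar 10 09:32:00 soclab useradd[1400]: new user: name=backup-svc, UID=1003, GID=1003, home=/home/backup-svc, shell=/bin/bash
"""

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp + hostname
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(TS + r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")

MAXRETRY = 5                      # failures before a source is flagged (Fail2ban's maxretry)
FINDTIME = timedelta(minutes=10)  # sliding window those failures must fall in (Fail2ban's findtime)

def parse_ts(text):
    # syslog timestamps carry no year; strptime's default year is fine for relative comparison
    return datetime.strptime(text, "%b %d %H:%M:%S")

def analyze_auth_log(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Walk auth.log lines in order; return (technique, name, ip, detail) findings."""
    findings, flagged = [], set()
    failures = defaultdict(list)  # source IP -> timestamps of failed logins still inside the window
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            ts, ip = parse_ts(m["ts"]), m["ip"]
            failures[ip] = [t for t in failures[ip] if ts - t <= findtime] + [ts]  # expire old ones
            if len(failures[ip]) >= maxretry and ip not in flagged:  # same trigger Fail2ban bans on
                flagged.add(ip)
                findings.append(("T1110", "Brute Force", ip, f"{len(failures[ip])} failed SSH logins within {findtime}"))
        elif m := ACCEPTED_RE.match(line):
            if failures[m["ip"]]:  # a success from a source that was just failing deserves a look
                findings.append(("T1078", "Valid Accounts", m["ip"], f"login as {m['user']} after failed attempts"))
        elif m := USERADD_RE.match(line):
            findings.append(("T1136", "Create Account", None, f"local account {m['user']} created"))
    return findings
```

Running `analyze_auth_log(SAMPLE_AUTH_LOG)` yields one T1110 finding for 203.0.113.7, one T1078 finding for the soc-analyst login from that same source, and one T1136 finding for backup-svc; the single failure from 198.51.100.4 stays below the threshold and is not reported.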