joelwwiggins/homelab-soc-playbooks
# Homelab SOC Playbooks & Incident Response Portfolio
**Repository Purpose**
This repository contains sanitized, professional-grade Security Operations Center (SOC) playbooks, incident documentation, and detection logic developed in a personal Kubernetes + Wazuh homelab environment.
It demonstrates practical skills in:
- Threat detection and correlation across SIEM + container platforms
- Playbook authoring aligned with established incident-handling standards (NIST SP 800-61 and the SANS incident response lifecycle)
- Prioritization by blast radius and confidence
- Post-incident improvement (detection engineering + architectural hardening)
- Clear, actionable documentation suitable for handoff or audit
**Intended Audience**
- Cybersecurity students and career transitioners building portfolios
- Hiring managers or professors reviewing practical SOC capabilities
- Personal reference for ongoing homelab security operations
## Skills Demonstrated
| Category | Examples |
|----------------------------|----------|
| **Incident Response** | Full investigation workflow, evidence collection, containment decision trees |
| **Playbook Development** | Structured, version-controlled, MITRE ATT&CK mapped procedures |
| **Detection Engineering** | Custom Wazuh rule logic, correlation of multi-source signals |
| **Kubernetes Security** | NetworkPolicy containment, pod/node forensics, workload isolation |
| **SIEM Operations** | Wazuh agent key management, rogue agent impersonation response |
| **Documentation** | Professional Markdown structure suitable for real SOC teams |
| **Continuous Improvement** | Lessons Learned section + actionable post-incident tasks |
**Background Context**
The author is a cybersecurity student (IT-Info Tech Cybersecurity certificate track) with 20+ years of process-optimization and refinery experience. This homelab work bridges industrial control systems thinking with modern cloud-native security practice, a foundation for ICS/OT cybersecurity or hybrid SOC roles.
## Repository Structure
```text
homelab-soc-playbooks/
├── README.md
├── SKILL.md                                  # Instructions for future LLM / AI assistance
├── playbooks/
│   └── wazuh-agent-impersonation-kubernetes.md
├── incidents/                                # Example incident reports (sanitized)
├── detections/
│   └── wazuh/                                # Custom rules & decoders (future)
└── architecture/
    └── wazuh-kubernetes-notes.md             # Deployment & hardening notes (future)
```
## How to Use These Playbooks
1. Review the playbook for the scenario that matches your alert or investigation.
2. Follow the **Investigation → Containment → Eradication → Recovery** flow; it mirrors the detection-and-analysis, containment/eradication/recovery, and post-incident phases of the NIST SP 800-61 lifecycle.
3. Use the **Lessons Learned** section after every real or simulated incident to feed improvements back into detections and architecture.
4. Commands and NetworkPolicy examples in the playbooks are written to be adapted to your environment; test them in a non-production cluster before applying them to a live one.
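The containment step of the flow above, as an added example that is not part of this repository's playbooks: a Kubernetes NetworkPolicy that quarantines any pod carrying a chosen label, so a suspect pod can be cut off from the network while it is kept running for forensics. The label key `security.example/quarantine`, the namespace `workloads`, the policy name and the Wazuh manager port in the commented egress rule are assumptions for illustration. NetworkPolicy objects are only enforced by a CNI that implements them (for example Calico or Cilium), and they do not restrict pods running with `hostNetwork: true`.

```yaml
# Added example, not from this repository: a quarantine NetworkPolicy for
# pod-level containment. The label key, namespace, policy name and port
# below are assumptions chosen for illustration; adapt them to your cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-suspect-pod
  namespace: workloads          # assumed namespace of the suspect workload
spec:
  # Only pods carrying this label are affected; every other pod in the
  # namespace keeps its existing connectivity.
  podSelector:
    matchLabels:
      security.example/quarantine: "true"
  # Listing both types with no allow rules denies all ingress and egress
  # for the selected pods, including DNS and any reachback to the SIEM.
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
  # If you need telemetry from the pod to keep flowing during the
  # investigation, replace `egress: []` with a rule that selects only the
  # collector (namespaceSelector AND podSelector in one `to` entry). Leave
  # egress fully denied when the pod itself is the suspected rogue agent.
  # egress:
  #   - to:
  #       - namespaceSelector:
  #           matchLabels:
  #             kubernetes.io/metadata.name: security   # assumed namespace
  #         podSelector:
  #           matchLabels:
  #             app: wazuh-manager                      # assumed label
  #     ports:
  #       - protocol: TCP
  #         port: 1514                                  # assumed agent port
```

Apply the policy with `kubectl apply -f quarantine-networkpolicy.yaml`, then tag the suspect pod with `kubectl label pod <pod-name> -n workloads security.example/quarantine=true --overwrite`; the policy takes effect without restarting the pod. Label the pod instance rather than its Deployment so the evidence stays in place, but note that a replacement pod created by the controller will not carry the label, so scale the controller down if the original is evicted. Confirm the selector matched with `kubectl describe networkpolicy quarantine-suspect-pod -n workloads`, and remove the label to lift the quarantine once eradication is complete.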
## Important Notes
- All content in this repository has been **sanitized** for public sharing. Real hostnames, internal IP ranges, namespace names, and specific identifiers have been generalized or replaced with placeholders.
- These artifacts were created for **educational and portfolio purposes** while building defensive capabilities in a homelab.
- This is **not** production advice for any live environment. Always test thoroughly and follow your organization's change management processes.
## Future Additions (Planned)
- Additional playbooks (ransomware, supply-chain compromise in Kubernetes, etc.)
- Custom Wazuh rules and decoders
- Sample incident reports with timelines
- Architecture diagrams and hardening guides
- Mapping to CompTIA Security+ / CySA+ / PenTest+ objectives where relevant
**License**
Educational / Portfolio use. Feel free to fork and adapt for your own learning. Please credit if you reuse substantial portions.
**Contact / Links**
- GitHub: [joelwwiggins/homelab-soc-playbooks](https://github.com/joelwwiggins/homelab-soc-playbooks)
- LinkedIn / X: (add your professional profiles)
*Last updated: May 2026*
*Built while pursuing cybersecurity certificate and building practical SOC skills in a Kubernetes homelab.*