Bommalimallesu/Autonomous-SOC-Home-Lab
GitHub: Bommalimallesu/Autonomous-SOC-Home-Lab
# SOC Home Lab: Production-Grade Security Operations Center
# 🛡️ SOC Operations Lab (SOL) Home Lab
*Enterprise-Grade Automated Security Operations Center & Incident Response Pipeline*
## 📝 Executive Summary
This repository contains a modular, virtualized Security Operations Center (SOC) environment designed to simulate enterprise-grade threat detection, log analysis, and incident response orchestration. It demonstrates **Detection-as-Code** principles by bridging the gap between raw endpoint telemetry and automated SOAR response workflows.
**The core value proposition:** This lab reduces Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) by orchestrating Wazuh alerts through Shuffle SOAR to trigger automated ServiceNow incident creation.
## 🏗️ Architecture Blueprint
*The environment utilizes a segmented virtual network (pfSense) to facilitate secure log transit from isolated endpoints to the central SIEM.*
[**Read the full Architecture Design**](docs/architecture/system-design.md)
```mermaid
flowchart LR
    %% =========================
    %% ATTACK LAYER
    %% =========================
    A["🛑 Kali Linux Attacker<br/>IP: 192.168.100.200"]

    %% =========================
    %% ENDPOINT
    %% =========================
    B["💻 Windows 10 Victim<br/>IP: 192.168.100.50"]
    C["📡 Sysmon + Wazuh Agent"]

    %% =========================
    %% SIEM
    %% =========================
    D["🛡️ Wazuh SIEM Manager<br/>IP: 192.168.100.100"]
    E["🚨 Detection Rule Engine<br/>MITRE ATT&CK Mapping"]
    F["⚠️ Critical Alert<br/>Rule ID: 100089"]

    %% =========================
    %% SOAR
    %% =========================
    G["⚙️ Shuffle SOAR<br/>Automation Engine"]

    %% =========================
    %% ITSM
    %% =========================
    H["📋 ServiceNow<br/>Incident Ticket"]

    %% =========================
    %% INFRASTRUCTURE
    %% =========================
    subgraph NETWORK["🔐 SOC Lab Network"]
        I["🔥 pfSense Firewall<br/>IP: 192.168.100.1"]
        J["🖥️ Windows Server 2022 AD<br/>IP: 192.168.100.2"]
    end

    %% =========================
    %% FLOW
    %% =========================
    A -->|"RDP Brute Force<br/>T1110"| B
    B --> C
    C -->|"Event ID 4625<br/>TCP 1514"| D
    D --> E
    E --> F
    F -->|"HTTPS Webhook"| G
    G -->|"REST API"| H

    %% =========================
    %% COLORS
    %% =========================
    style A fill:#ef4444,color:#ffffff,stroke:#ffffff
    style B fill:#1f2937,color:#ffffff,stroke:#ffffff
    style C fill:#2563eb,color:#ffffff,stroke:#ffffff
    style D fill:#0ea5e9,color:#ffffff,stroke:#ffffff
    style E fill:#7c3aed,color:#ffffff,stroke:#ffffff
    style F fill:#facc15,color:#000000,stroke:#333333
    style G fill:#9333ea,color:#ffffff,stroke:#ffffff
    style H fill:#10b981,color:#ffffff,stroke:#ffffff
    style I fill:#f97316,color:#ffffff,stroke:#ffffff
    style J fill:#374151,color:#ffffff,stroke:#ffffff
```

## 📋 Prerequisites

Before deploying the lab, ensure your host environment meets these requirements:

- Memory: 16GB+ RAM (recommended for 4–5 concurrent VMs)
- Storage: 100GB+ free SSD space
- Hypervisor: VMware Workstation Pro/Player or VirtualBox
- Network: support for custom host-only network adapters

## 🚀 Getting Started

### 1️⃣ Clone the Repository

```bash
git clone https://github.com/Bommalimallesu/Autonomous-SOC-Home-Lab.git
cd Autonomous-SOC-Home-Lab
```

### 2️⃣ Environment Configuration (Security)

Create your local environment configuration file from the template:

```bash
cp config/servicenow/.env.example config/servicenow/.env
```

Edit the `.env` file and add your actual API credentials. This file holds secrets and must stay out of version control.
### 3️⃣ Deployment & Execution

Make the deployment script executable:

```bash
chmod +x scripts/automation/deploy-wazuh.sh
```

Run the automated deployment script:

```bash
sudo bash scripts/automation/deploy-wazuh.sh
```

## ✨ Key Features

- Fully isolated network using pfSense and VMware host-only networking
- Automated detection and incident response pipeline
- Custom Wazuh detection rules with MITRE ATT&CK mapping
- Zero-touch ServiceNow incident creation via Shuffle SOAR
- Comprehensive documentation and testing framework
- Production-grade security practices (no hardcoded secrets)

## 🔄 Detection & Response Workflow

This SOC pipeline prioritizes high-fidelity alerting through an automated and standardized detection workflow:

- **Ingestion:** Endpoint telemetry (Sysmon and Windows Event Logs) is collected through the Wazuh Agent.
- **Detection:** The Wazuh Manager correlates events using custom MITRE ATT&CK-aligned detection rules.
- **Orchestration:** Shuffle SOAR processes alert payloads through automated webhook workflows.
- **Response:** ServiceNow automatically generates incident tickets for security operations tracking and response.
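The four stages above, as an added example that is not the repository's own code: constructed Wazuh-style Windows Security events are run through a frequency rule that models the brute-force detection (the rule ID 100089, Event ID 4625 and technique T1110 come from this README; the threshold of 5 failures within 60 seconds, the agent name, the sample addresses and users, the ServiceNow field values and the `SERVICENOW_*` environment variable names are assumptions), and the resulting alert is mapped to the incident fields the SOAR step would submit. No network request is made.

```python
"""Added example (not the project's code): model of the ingestion -> detection
-> orchestration -> response pipeline described in this README."""
import json
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

RULE_ID = "100089"                 # rule id named in the architecture diagram
MITRE_TECHNIQUE = "T1110"          # Brute Force, as mapped in the diagram
THRESHOLD = 5                      # assumed: failed logons per source IP ...
TIMEFRAME = timedelta(seconds=60)  # ... inside this sliding window


def make_event(ts, src_ip, user, event_id="4625", logon_type="10"):
    """Build a constructed event in the shape Wazuh emits for the Windows
    Security channel (only the fields the rule needs are populated)."""
    return {
        "timestamp": ts,
        "agent": {"name": "WIN10-VICTIM", "ip": "192.168.100.50"},  # assumed name
        "data": {"win": {
            "system": {"eventID": event_id, "channel": "Security"},
            "eventdata": {"ipAddress": src_ip, "targetUserName": user,
                          "logonType": logon_type},
        }},
    }


# Constructed telemetry: one burst from the lab's attacker address, two stray
# failures from another host, one successful logon (4624) and a late failure.
SAMPLE_EVENTS = [
    make_event("2024-01-15T10:00:00Z", "192.168.100.200", "administrator"),
    make_event("2024-01-15T10:00:02Z", "192.168.100.77", "jdoe"),
    make_event("2024-01-15T10:00:05Z", "192.168.100.200", "administrator"),
    make_event("2024-01-15T10:00:09Z", "192.168.100.77", "jdoe"),
    make_event("2024-01-15T10:00:10Z", "192.168.100.200", "admin"),
    make_event("2024-01-15T10:00:15Z", "192.168.100.200", "administrator"),
    make_event("2024-01-15T10:00:20Z", "192.168.100.200", "administrator"),
    make_event("2024-01-15T10:00:25Z", "192.168.100.200", "administrator"),
    make_event("2024-01-15T10:00:30Z", "192.168.100.200", "administrator", event_id="4624"),
    make_event("2024-01-15T10:05:00Z", "192.168.100.77", "jdoe"),  # earlier window expired
]


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_brute_force(events, threshold=THRESHOLD, timeframe=TIMEFRAME):
    """Frequency rule: `threshold` failed logons (4625) from one source IP
    inside `timeframe` raise one alert; the window is reset after firing so a
    single burst yields a single alert rather than one per extra failure."""
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        win = ev["data"]["win"]
        if win["system"]["eventID"] != "4625":
            continue                      # only failed logons count
        src = win["eventdata"]["ipAddress"]
        now = _parse_ts(ev["timestamp"])
        q = windows[src]
        q.append(now)
        while now - q[0] > timeframe:     # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "timestamp": ev["timestamp"],
                "rule": {"id": RULE_ID, "level": 12,
                         "description": "Multiple failed logons (Event ID 4625) "
                                        "from a single source: possible brute force",
                         "mitre": {"id": [MITRE_TECHNIQUE], "technique": ["Brute Force"]}},
                "agent": ev["agent"],
                "data": {"srcip": src, "count": len(q),
                         "last_target_user": win["eventdata"]["targetUserName"]},
            })
            q.clear()
    return alerts


def build_incident(alert):
    """Map an alert to ServiceNow incident-table fields (standard field names;
    urgency/impact values are assumed for this lab)."""
    rule = alert["rule"]
    return {
        "short_description": f"[Wazuh {rule['id']}] {rule['description']} "
                             f"on {alert['agent']['name']}",
        "description": json.dumps(alert, indent=2),
        "category": "security",
        "urgency": "1" if rule["level"] >= 12 else "2",
        "impact": "2",
        "work_notes": f"MITRE ATT&CK {', '.join(rule['mitre']['id'])}; "
                      f"source {alert['data']['srcip']}",
    }


def servicenow_credentials():
    """Read API credentials from the environment (variable names are assumed),
    failing closed instead of falling back to a hardcoded default."""
    keys = ("SERVICENOW_INSTANCE", "SERVICENOW_USER", "SERVICENOW_PASSWORD")
    values = [os.environ.get(k) for k in keys]
    if not all(values):
        raise RuntimeError("ServiceNow credentials missing; populate config/servicenow/.env")
    return values[0], (values[1], values[2])


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(json.dumps(build_incident(alert), indent=2))
```

Running the module prints one incident payload for the burst from 192.168.100.200; the two failures from 192.168.100.77 and the successful 4624 logon never reach the threshold, and the late 10:05:00 failure starts a fresh window because the earlier ones have aged out.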
## 🛠️ Technology Stack

| Component | Technology | Role |
|-----------|------------|------|
| SIEM | Wazuh | Log ingestion, correlation, and XDR |
| SOAR | Shuffle | Workflow automation and orchestration |
| ITSM | ServiceNow | Incident management |
| Network | pfSense | Perimeter security and network segmentation |
| Telemetry | Sysmon | Advanced Windows endpoint monitoring |

## 📁 Project Structure

```
Autonomous-SOC-Home-Lab/
├── README.md
├── CHANGELOG.md
├── CONTRIBUTING.md
├── LICENSE
├── .gitignore
│
├── screenshots/
│   ├── wazuh-dashboard.png
│   ├── shuffle-workflow.png
│   └── servicenow-incident.png
│
├── docs/
│   ├── ARCHITECTURE.md
│   ├── SETUP.md
│   ├── TROUBLESHOOTING.md
│   ├── architecture/
│   │   ├── system-design.md
│   │   └── data-flow.md
│   ├── setup/
│   │   ├── pfsense-setup.md
│   │   ├── windows-server-setup.md
│   │   ├── wazuh-setup.md
│   │   └── automation-setup.md
│   └── troubleshooting/
│       ├── common-issues.md
│       └── solutions.md
│
├── config/
│   ├── wazuh/
│   │   ├── ossec.conf
│   │   ├── rules-custom.xml
│   │   └── integration-shuffle.conf
│   ├── pfsense/
│   │   └── firewall-rules.txt
│   ├── windows-server/
│   │   └── ad-setup.ps1
│   └── servicenow/
│       └── incident-template.json
│
├── scripts/
│   ├── integration/
│   │   ├── custom-shuffle.py
│   │   └── servicenow-api.py
│   ├── automation/
│   │   ├── deploy-wazuh.sh
│   │   └── configure-agents.ps1
│   └── testing/
│       ├── test-webhook.sh
│       └── test-integration.py
│
├── diagrams/
│   ├── architecture/
│   │   ├── system-overview.txt
│   │   └── data-flow.txt
│   ├── network/
│   │   └── network-topology.txt
│   └── workflow/
│       └── soar-workflow.txt
│
├── examples/
│   ├── alerts/
│   │   └── sample-alert.json
│   ├── incidents/
│   │   └── sample-incident.json
│   └── logs/
│       └── sample-logs.txt
│
└── tests/
    └── integration/
        └── e2e-test.sh
```

## 🔄 Detection Workflow Summary

```
Kali Linux Attack
        ↓
Windows Event ID 4625
        ↓
Wazuh Detection Engine
        ↓
Shuffle SOAR Automation
        ↓
Automated ServiceNow Incident
```

## 🧠 Skills Demonstrated

- Enterprise SOC architecture design
- SIEM administration and detection engineering
- SOAR automation and security orchestration
- Incident response automation
- Security tool integration and log correlation
- Blue team operations and threat monitoring

## 🤖 Future Enhancements

- Sigma rule integration for advanced detection engineering
- Active response and automated threat containment
- Threat intelligence enrichment and IOC correlation
- Advanced security analytics and visualization dashboards

## 👤 Author

### 🧑‍💻 Bommali Mallesu

**Cybersecurity Engineer | SOC Analyst | SIEM & SOAR Automation Developer**

- 🔐 SOC Home Lab Project Maintainer
- 🛡️ Focused on Detection Engineering, Security Automation, and Blue Team Operations
- 📅 Last Updated: May 26, 2026