Summary

This project is a small home SOC lab built to show practical security monitoring rather than product installation. The main goal is to collect telemetry from a few realistic sources, validate one alert path end to end, and document the investigation logic clearly enough that the lab can be defended in conversation or portfolio review.

The lab stays intentionally small. A narrow security workflow with real evidence is more useful than a wide lab full of unchecked detections.

Current Scope

The working scope of the lab is:

  • one Wazuh manager running in Proxmox
  • one Windows endpoint with Wazuh agent and Sysmon
  • one Linux log source
  • optional UniFi syslog ingestion
  • one concrete file integrity monitoring validation flow
  • one short alert review and evidence trail

This scope is enough to show that the project is more than a dashboard screenshot. It produces a real signal, a validation path, and an analyst decision.

Concrete Scenario Added

The main scenario added in this phase is a Wazuh File Integrity Monitoring workflow on the Windows endpoint.

The scenario is simple on purpose:

  • a watched folder is defined on the Windows system
  • a benign file is created or modified inside that folder
  • Wazuh records the change
  • the alert is reviewed in the Wazuh interface
  • the source host, file path, timestamp, and change type are validated
  • the result is documented as either expected administrative activity or something worth escalation
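The validation and verdict steps above, and the evidence list later on this page (host, path, change type, timestamp, analyst verdict), can be worked through with a small triage script over the manager's alerts.json. The following is an added example and not part of the lab itself; the alert field names (agent.name, syscheck.path, syscheck.event, rule.id, timestamp) follow the Wazuh alerts.json layout as I know it and should be checked against your own manager, and the sample alert lines, the watched test folder and the test window are all constructed for the example.

```python
"""Triage helper for Wazuh FIM (syscheck) alerts.

Added example for the home SOC lab page, not part of the original write-up.
Field names follow the Wazuh alerts.json layout as assumed here
(agent.name, syscheck.path, syscheck.event, rule.id, timestamp); verify them
against the alerts your own manager writes.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Constructed sample lines in the shape of Wazuh's alerts.json (one JSON object
# per line). Hosts, paths, hashes and times are made up for the example; the
# fourth line is a non-FIM alert to show that the script ignores it.
SAMPLE_ALERTS = r'''
{"timestamp":"2024-05-01T10:02:11.123+0000","rule":{"id":"554","level":5,"description":"File added to the system."},"agent":{"id":"001","name":"WIN-LAB01"},"syscheck":{"path":"C:\\FIM-Test\\test-note.txt","event":"added","md5_after":"d41d8cd98f00b204e9800998ecf8427e"}}
{"timestamp":"2024-05-01T10:05:42.456+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"WIN-LAB01"},"syscheck":{"path":"C:\\FIM-Test\\test-note.txt","event":"modified","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"098f6bcd4621d373cade4e832627b4f6"}}
{"timestamp":"2024-05-01T23:17:05.789+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"WIN-LAB01"},"syscheck":{"path":"C:\\Windows\\System32\\drivers\\etc\\hosts","event":"modified","md5_before":"aaaa","md5_after":"bbbb"}}
{"timestamp":"2024-05-01T10:06:00.000+0000","rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed."},"agent":{"id":"002","name":"LINUX-LOG01"},"data":{"srcuser":"labadmin"}}
'''

# Scenario expectations (constructed): the watched test folder on the Windows
# endpoint and the window in which the analyst announced the benign test.
WATCHED_TEST_DIR = "C:\\FIM-Test\\"
TEST_WINDOW = (
    datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc),
    datetime(2024, 5, 1, 10, 15, tzinfo=timezone.utc),
)


@dataclass
class FimFinding:
    """The fields an analyst validates for one FIM alert, plus the verdict."""
    host: str
    path: str
    change: str
    when: datetime
    rule_id: str
    verdict: str   # "expected" or "escalate"
    reason: str


def parse_timestamp(ts: str) -> datetime:
    """Parse the Wazuh timestamp form 2024-05-01T10:02:11.123+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_fim_alert(alert: dict) -> bool:
    """Only alerts carrying a syscheck block come from the FIM module."""
    return "syscheck" in alert


def triage(alert: dict) -> FimFinding:
    """Extract host, path, change type and time, then decide the verdict.

    A change counts as expected administrative activity only when it is inside
    the watched test folder AND inside the announced test window; anything
    else is written up for escalation rather than waved through.
    """
    sc = alert["syscheck"]
    when = parse_timestamp(alert["timestamp"])
    host = alert["agent"]["name"]
    path = sc["path"]
    change = sc.get("event", "unknown")
    in_test_dir = path.lower().startswith(WATCHED_TEST_DIR.lower())
    in_window = TEST_WINDOW[0] <= when <= TEST_WINDOW[1]
    if in_test_dir and in_window:
        verdict = "expected"
        reason = "benign test change inside the watched test folder during the test window"
    elif in_test_dir:
        verdict = "escalate"
        reason = "change in the test folder but outside the announced test window"
    else:
        verdict = "escalate"
        reason = "change outside the test folder; no matching administrative activity"
    return FimFinding(host, path, change, when, str(alert["rule"]["id"]), verdict, reason)


def triage_alert_lines(lines: str) -> List[FimFinding]:
    """Run triage over alerts.json-style text, skipping blank and non-FIM lines."""
    findings = []
    for line in lines.strip().splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        if is_fim_alert(alert):
            findings.append(triage(alert))
    return findings


def verdict_note(f: FimFinding) -> str:
    """One-line analyst note in the form the evidence trail asks for."""
    return (f"{f.when.isoformat()} {f.host} {f.change.upper()} {f.path} "
            f"(rule {f.rule_id}) -> {f.verdict.upper()}: {f.reason}")


if __name__ == "__main__":
    for finding in triage_alert_lines(SAMPLE_ALERTS):
        print(verdict_note(finding))
```

The rule of the script is deliberately strict: the only thing it marks as expected is the change the analyst announced, in the folder set up for it, during the time it was announced. The hosts file edit at 23:17 in the sample is the kind of event that should never be closed as "test noise" just because the same endpoint was being tested earlier that day.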

That turns the project from “I installed a SIEM” into “I validated one useful detection path and can explain it.”

Why File Integrity Monitoring Matters

File integrity monitoring is not the whole of security monitoring, but it is a good first scenario because it is easy to trigger safely and easy to validate. It teaches the habit of asking the right questions:

  • what changed
  • where it changed
  • when it changed
  • which host reported it
  • whether the change was expected
  • what should happen next

Those are the same habits that matter in broader SIEM work.

Practical Value

This project is useful because it demonstrates several connected skills at once:

  • basic agent deployment and telemetry collection
  • separating a test event from a real incident
  • validating alerts instead of trusting them blindly
  • writing short, defensible investigation notes
  • explaining security evidence in plain language

Public Project Pages

More public pages should only be added when there is another concrete, tested scenario worth showing.

Evidence Worth Capturing

  • Wazuh agent status
  • watched directory configuration
  • the file creation or modification on the endpoint
  • the Wazuh alert generated by the event
  • the event detail showing host, path, and change type
  • one short analyst verdict recorded after validation

What This Project Intentionally Does Not Claim

This lab does not claim to be a full production SOC. It does not claim complete coverage, mature detection engineering, or enterprise-scale response. Its value is narrower and more honest: it shows that a small lab can produce real telemetry, one validated detection path, and clear supporting notes.
