Skip to content

PCarba/SOC

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
ai
ai
 
 
dashboards
dashboards
 
 
detection-rules
detection-rules
 
 
docs
docs
 
 
infrastructure
infrastructure
 
 
lab
lab
 
 
scripts
scripts
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 

Repository files navigation

🛡️ Modular SOC Platform

Deployable SOC building blocks for SMEs: log collection, detection, dashboards, automation, and optional AI-assisted triage.

Goal: Provide a clean, reproducible reference implementation and tooling to deploy a SOC stack in a customer environment (on-prem or lab) using open-source components.

SOC Automation Infra License

What’s inside

Core capabilities

  • Centralized logging (SIEM layer) with dashboards
  • Endpoint telemetry (Linux/Windows) via agents
  • Network detection (Suricata/Zeek) optional
  • Health checks, backups, and baseline hardening
  • Automation hooks for response actions (safe, opt-in)

AI-assisted (optional)

  • Alert summarization / ticket drafting
  • Triage suggestions (next steps)
  • Natural-language helper using ShellGPT (optional integration)

Architecture (high level)

  • SIEM/Storage: Elastic/OpenSearch-compatible stack via Docker Compose (templates provided)
  • Endpoint layer: Wazuh agents (Linux/Windows) (installers + enrollment helpers)
  • Network layer (optional): Suricata (IDS) + Zeek (NSM) on a sensor host
  • Automation: shell scripts + Python helpers

See: docs/architecture.md

Quick start (local / lab)

This repository provides templates and automation. You will choose the final stack (Elastic/OpenSearch/Wazuh bundle) according to your environment.

1) Clone

git clone https://github.com/PCarba/Modular-SOC-Platform.git
cd Modular-SOC-Platform

2) Bring up the SIEM stack (template)

cp infrastructure/.env.example infrastructure/.env
docker compose -f infrastructure/docker-compose.yml up -d

3) Check services

./scripts/health_check.sh

4) Enroll endpoints (agents)

  • Linux: scripts/deploy_wazuh_agent_linux.sh
  • Windows: scripts/deploy_wazuh_agent_windows.ps1

Folder overview

.
├── docs/                  # Technical docs (architecture, deployment, ops)
├── infrastructure/        # Docker Compose templates + environment file
├── scripts/               # Install, hardening, backup, health checks, response hooks
├── detection-rules/       # Suricata / Wazuh rule templates and notes
├── dashboards/            # Exported dashboard templates (placeholders)
├── ai/                    # Optional AI helpers (summaries, triage)
└── lab/                   # Example log samples + simulation notes (optional)

Security / Ethics

This project is for defensive security and SOC enablement. Any testing must be performed only on systems you own or have explicit authorization to test.

See: SECURITY.md

Operational notes

  • Review infrastructure/docker-compose.yml and set credentials in infrastructure/.env
  • Place this stack behind a firewall, restrict access, enable TLS
  • Maintain updates and backups (see scripts/backup.sh)

Roadmap

  • MITRE ATT&CK mapping for detections
  • SOAR-style playbooks (opt-in)
  • Threat intel ingestion templates
  • CI checks (shellcheck, python lint)

Author

Pablo Carballeira Baamonde
GitHub: PCarba

About

No description, website, or topics provided.

Resources

Readme

License

View license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages