This repo documents my hands-on SOC analyst lab, simulating real-world detection, investigation, and incident response.
Environment includes Wazuh, Splunk Free, Azure Sentinel (trial), Sysmon + OSQuery telemetry, threat intelligence feeds (OTX, Abuse.ch), and adversarial simulations (brute force, phishing, malware, exfiltration, Atomic Red Team).
| CVE ID | Title | Severity | Status | Report |
|---|---|---|---|---|
| CVE-2023-4863 | Heap buffer overflow in libwebp | Critical | Mitigated | Report |
| CVE-2024-1234 | Example Windows Kernel vuln | High | Open | Report |
Writeups on simulated adversarial activity and how each technique was detected in the SIEM.
| Attack Type | MITRE ATT&CK ID | Agent | Detection | Report |
|---|---|---|---|---|
| RDP Brute Force | T1110 | Dell (Windows) | Failed logins + account lockout | Report |
| Credential Dumping (Mimikatz) | T1003 | Dell (Windows) | Sysmon event 10 + Wazuh alert | Report |
| File Integrity Change | T1070 | MacBook | FIM event triggered | Report |
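The "Failed logins + account lockout" detection in the table above, written out as runnable logic. This is an added example for this page, not the lab's own Wazuh or Splunk rule: it counts Windows Security event 4625 (failed logon) per source IP in a sliding window and also raises on event 4740 (account locked out). The log lines are constructed, and their field names (`ts`, `event_id`, `user`, `src_ip`, `logon_type`) are simplified assumptions rather than the exact Windows or Wazuh schema.

```python
"""Brute-force and lockout detection over Windows Security events (T1110).

Added example for this page; it is not the lab's own SIEM rule. Events are
constructed JSON lines with simplified, assumed field names: 4625 = failed
logon, 4740 = account locked out, 4624 = successful logon.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real captures): five failures from one
# host in 20 seconds, a lockout, then one unrelated failure and a success.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00", "event_id": 4625, "user": "admin", "src_ip": "192.168.56.10", "logon_type": 3}
{"ts": "2024-05-01T10:00:05", "event_id": 4625, "user": "admin", "src_ip": "192.168.56.10", "logon_type": 3}
{"ts": "2024-05-01T10:00:09", "event_id": 4625, "user": "admin", "src_ip": "192.168.56.10", "logon_type": 10}
{"ts": "2024-05-01T10:00:14", "event_id": 4625, "user": "admin", "src_ip": "192.168.56.10", "logon_type": 10}
{"ts": "2024-05-01T10:00:20", "event_id": 4625, "user": "admin", "src_ip": "192.168.56.10", "logon_type": 10}
{"ts": "2024-05-01T10:00:21", "event_id": 4740, "user": "admin", "src_ip": "192.168.56.10"}
{"ts": "2024-05-01T10:30:00", "event_id": 4625, "user": "alice", "src_ip": "192.168.56.20", "logon_type": 10}
{"ts": "2024-05-01T10:31:00", "event_id": 4624, "user": "alice", "src_ip": "192.168.56.20", "logon_type": 10}
"""

THRESHOLD = 5                  # failed logons from one source before alerting
WINDOW = timedelta(minutes=2)  # sliding window in which failures are counted
# Failed RDP logons appear as logon type 10 (RemoteInteractive), or as type 3
# (Network) when NLA rejects the credentials before a session exists.
RDP_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for (a) >= threshold failed RDP logons from one source IP
    inside the window (one alert per source) and (b) every 4740 lockout."""
    alerts = []
    recent = defaultdict(deque)  # src_ip -> timestamps of recent 4625 events
    already_alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev.get("src_ip", "unknown")
        if ev["event_id"] == 4625 and ev.get("logon_type") in RDP_LOGON_TYPES:
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append({"rule": "T1110 RDP brute force", "src_ip": src,
                               "failures": len(q), "first": q[0], "last": ev["ts"]})
        elif ev["event_id"] == 4740:
            alerts.append({"rule": "T1110 account lockout", "src_ip": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are the knobs to tune against your own baseline; a single source tripping the failure count and a lockout for the same account within seconds of each other is the pattern the playbook below treats as a potential RDP compromise.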
Each playbook documents a full SOC-style incident workflow: detection → triage → investigation → response → lessons learned.
| Incident | Trigger | Impact | Playbook |
|---|---|---|---|
| Suspicious Login | Brute force from Kali | Potential RDP compromise | Playbook |
| Malware Alert | EICAR test file | AV triggered, confirmed detection | Playbook |
- AlienVault OTX → API integrated in Wazuh, subscribed to key pulses:
  - AlienVault Official
  - Abuse.ch MalwareBazaar / URLhaus
  - Windows Malware IOCs
  - macOS Malware IOCs
  - Recent Critical CVEs
- Detection examples:
  - IOC match with Emotet C2 domain
  - Known ransomware IP blocked
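How the IOC matches above work in practice, as an added example rather than the lab's actual Wazuh/OTX integration: indicators from an OTX-style pulse are indexed by type and Sysmon telemetry is checked against them (DNS queries against domain IOCs including their subdomains, network connections against IPv4 IOCs, and process-creation hashes against SHA-256 IOCs). The pulse mimics the shape of OTX pulse JSON (`indicators` entries with `indicator` and `type`), but its values are placeholders: a `.example` domain, an RFC 5737 test address, and the SHA-256 of the EICAR test file, not real Emotet or ransomware IOCs. The Sysmon events are constructed JSON lines with simplified, assumed field names; only the `hashes` field follows Sysmon's real `SHA256=...,MD5=...` form.

```python
"""Match Sysmon telemetry against OTX-style pulse indicators.

Added example for this page, not the lab's Wazuh integration. Indicator
values below are placeholders (RFC 5737 address, .example domain, EICAR
SHA-256), and the Sysmon field names are simplified assumptions:
22 = DNS query, 3 = network connection, 1 = process create.
"""
import json

# Constructed pulse in the shape of OTX pulse JSON; values are placeholders.
SAMPLE_PULSE = json.dumps({
    "name": "constructed-test-pulse",
    "indicators": [
        {"indicator": "c2.malicious.example", "type": "domain"},
        {"indicator": "203.0.113.45", "type": "IPv4"},
        {"indicator": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
         "type": "FileHash-SHA256"},
    ],
})

# Constructed Sysmon events (JSON lines, not real captures).
SAMPLE_SYSMON = r"""
{"event_id": 22, "host": "dell-win", "image": "C:\\Windows\\System32\\rundll32.exe", "query_name": "update.c2.malicious.example"}
{"event_id": 22, "host": "dell-win", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query_name": "www.example.org"}
{"event_id": 3, "host": "dell-win", "image": "C:\\Windows\\System32\\rundll32.exe", "dest_ip": "203.0.113.45", "dest_port": 443}
{"event_id": 3, "host": "dell-win", "image": "C:\\Windows\\System32\\svchost.exe", "dest_ip": "192.168.56.1", "dest_port": 53}
{"event_id": 1, "host": "dell-win", "image": "C:\\Users\\lab\\Downloads\\eicar.com", "hashes": "SHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,MD5=44D88612FEA8A8F36DE82E1278ABB02F"}
"""


def load_iocs(pulse_json):
    """Index pulse indicators by kind; values are lower-cased for matching."""
    iocs = {"domain": set(), "ipv4": set(), "sha256": set()}
    for ind in json.loads(pulse_json)["indicators"]:
        value, kind = ind["indicator"].lower(), ind["type"]
        if kind in ("domain", "hostname"):
            iocs["domain"].add(value.rstrip("."))
        elif kind == "IPv4":
            iocs["ipv4"].add(value)
        elif kind == "FileHash-SHA256":
            iocs["sha256"].add(value)
    return iocs


def parse_sysmon_hashes(field):
    """Turn Sysmon's 'SHA256=..,MD5=..' Hashes field into {ALGO: lowercase digest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def domain_hit(query, domains):
    """Return the matching IOC for an exact or parent-domain match, else None,
    so a query for a subdomain of a listed C2 domain still hits."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def enrich(events_text, iocs):
    """Return one hit per Sysmon event whose DNS query, destination IP or
    image SHA-256 matches an indicator."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev["event_id"]
        base = {"host": ev["host"], "image": ev["image"], "event_id": eid}
        if eid == 22:
            ioc = domain_hit(ev["query_name"], iocs["domain"])
            if ioc:
                hits.append({**base, "kind": "domain", "ioc": ioc})
        elif eid == 3 and ev["dest_ip"] in iocs["ipv4"]:
            hits.append({**base, "kind": "ipv4", "ioc": ev["dest_ip"]})
        elif eid == 1:
            sha = parse_sysmon_hashes(ev.get("hashes", "")).get("SHA256")
            if sha in iocs["sha256"]:
                hits.append({**base, "kind": "sha256", "ioc": sha})
    return hits


if __name__ == "__main__":
    for hit in enrich(SAMPLE_SYSMON, load_iocs(SAMPLE_PULSE)):
        print(hit)
```

Two details matter for false positives and negatives: digests are normalised to lower case before comparison because Sysmon emits them upper-case while feeds usually do not, and domain matching walks up the label hierarchy so a subdomain of a listed C2 domain is still caught.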
- SIEM: Wazuh, Splunk, Sentinel (trial)
- EDR-like telemetry: Sysmon, OSQuery
- Threat Intel: OTX, Abuse.ch
- Adversarial Simulation: brute force, phishing, malware, exfiltration, Atomic Red Team
- Incident Response: detection → investigation → root cause → remediation → reporting
- Scripting: Python, PowerShell, Bash (automation for log parsing & enrichment)