Home SOC Lab
Role Fit
This project is best aligned with SOC Analyst and Security Analyst roles. It demonstrates practical work with telemetry collection, alert validation, incident triage, escalation thinking, and documentation of security operations workflows.
Project Summary
This project is a home SOC lab built to connect telemetry collection with practical triage. The main value is not simply installing a SIEM. It is showing that Windows, Linux, network, and syslog sources can be brought together, that alerts can be validated instead of blindly trusted, and that investigation steps can be documented clearly.
What this project is meant to prove
- a small lab can still demonstrate real security monitoring habits
- alerting is only useful if detections are validated and tuned
- one investigation walkthrough is often more valuable than a long list of untested rules
- centralised visibility becomes easier to explain when each log source has a clear purpose
Tools and Technologies
- Proxmox
- Wazuh
- Sysmon
- Zeek
- Windows 11 VM
- Ubuntu VM
- UniFi syslog
- GitHub
Intended Build
- Wazuh running on Proxmox
- one Windows endpoint with Sysmon telemetry
- one Linux log source
- UniFi gateway or firewall syslog ingestion
- a Zeek sensor monitoring lab traffic
- a documented set of detections, validation steps, and runbooks
Detection Scope
The planned detections include:
- Repeated failed logons and brute-force behaviour
- Suspicious PowerShell execution
- New local administrator creation
- Unusual outbound connection activity
- Port scanning
- File integrity changes on a watched folder
- Service persistence attempts
- Impossible logon patterns across devices
Phased Build Plan
1. Platform Deployment
- Deploy Wazuh
- Add Windows, Linux, and UniFi log sources
- Add Zeek network telemetry
2. Validation and Tuning
- Generate safe test events
- Confirm that detections alert correctly
- Tune noisy or weak rules
- Record validation evidence for each alert
3. Documentation and Response
- Produce triage, containment, and escalation runbooks
- Capture screenshots and example evidence
- Write a short incident report
- Prepare the project for GitHub presentation
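Worked example for the validation and tuning phase, added here and not part of the original project: the "repeated failed logons and brute-force behaviour" detection from the Detection Scope, modelled in Python over constructed test events rather than as a Wazuh rule, so that the threshold, time window and allowlist tuning can be checked offline against the same kind of safe test events the plan calls for. All timestamps, usernames and IP addresses are constructed; the event field names are a simplified shape, not Wazuh's schema.

```python
"""Failed-logon burst detector run over constructed Windows Security records.
Models the brute-force detection in plain Python (not a Wazuh rule); every
timestamp, username and IP below is constructed test data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, user, src_ip, event_id=4625):
    # Minimal shape of a Windows Security event as an agent would forward it
    return {"ts": ts, "event_id": event_id, "user": user, "src_ip": src_ip}


# Constructed "safe test events": one true positive and three noise cases
SAMPLE_EVENTS = (
    # burst: 6 failures in 50 seconds, alternating between two accounts
    [_ev(f"2024-01-10T09:00:{s:02d}", u, "10.0.0.99")
     for s, u in zip(range(0, 60, 10), ["admin", "alice"] * 3)]
    # mistyped password: two failures then a success (4624) from the user's own PC
    + [_ev("2024-01-10T09:01:00", "bob", "10.0.0.50"),
       _ev("2024-01-10T09:01:20", "bob", "10.0.0.50"),
       _ev("2024-01-10T09:01:40", "bob", "10.0.0.50", event_id=4624)]
    # authorised vulnerability scanner: 8 failures in a minute, a known noise source
    + [_ev(f"2024-01-10T09:02:{s:02d}", "svc-scan", "10.0.0.7") for s in range(0, 56, 7)]
    # slow drip: 5 failures spread over 8 minutes, never 5 inside the window
    + [_ev(f"2024-01-10T09:{m:02d}:00", "carol", "10.0.0.60") for m in range(10, 20, 2)]
)

# Tuning decision recorded as data: the lab scanner is expected to fail logons
TUNED_ALLOWLIST = frozenset({"10.0.0.7"})


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2),
                               allowlist=frozenset()):
    """Return one alert per source IP that reaches `threshold` failed logons
    (event 4625) inside a sliding `window`; allowlisted sources are skipped."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        if ev["event_id"] != 4625 or ev["src_ip"] in allowlist:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])  # fire once per source, not on every later event
            alerts.append({"src_ip": ev["src_ip"], "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts
```

Running the untuned detector over the sample shows the scanner as a second alert, which is the validation evidence that justifies recording the allowlist entry (or a higher threshold) as a tuning decision.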
What a finished version should show
- architecture and log-source map
- which detections were written or tuned
- what test events were used to validate them
- triage runbooks tied to actual alert types
- one short investigation or incident summary
Evidence worth capturing
- agent status in Wazuh
- Sysmon or Zeek evidence
- one Wazuh alert view
- one tuned rule example
- one short incident timeline or investigation trail
Technical Assumptions
This is not intended to simulate a production SOC. The purpose is to demonstrate the ability to collect telemetry, write detections, validate alerts, reduce noise, and explain triage decisions clearly.
Key Risks
- Bad time synchronisation
- Log floods or noisy detections
- Brittle rules
- Unvalidated alerts
Current State
This project is still being built, but the useful end goal is already clear: a small, believable SOC lab with tested telemetry, tuned detections, and at least one end-to-end investigation flow that can be discussed clearly.
Interview Talking Point
The strongest way to explain this project in an interview is to walk through one alert end to end: the source log, why it mattered, how noise was reduced, what was checked next, and when escalation would be appropriate.