> Overview

The SOC Lab is a fully dockerized, self-hosted Security Operations Center built to practice detection engineering and incident response end to end — from the defender's side. Every component runs as its own container, wired together so a simulated attack actually gets caught, logged, and correlated the way it would be in a real SOC.

> Stack

Wazuh — the core SIEM: collects and correlates security events, runs file integrity monitoring, and surfaces intrusion detections, including alerts forwarded from the honeypot.

Wazuh Dashboard — a Kibana-based UI for threat hunting and reviewing alerts.

Cowrie — an SSH honeypot that emulates a vulnerable Linux server, capturing attacker credentials, commands, and full session activity.

Suricata — a network intrusion detection system watching Docker network traffic for known attack signatures and anomalies.

OpenCTI & MISP — threat intelligence platforms for storing and visualising IOCs, TTPs, threat actors, and malware families, feeding each other via a connector.

RabbitMQ & MinIO — the internal message queue and S3-compatible object storage that OpenCTI relies on to process and store intel data and reports.

> How It Works

Everything runs in Docker — each container behaves like its own small VM, with no desktop environment of its own. Attacker activity against Cowrie or suspicious network traffic picked up by Suricata gets forwarded into Wazuh as security alerts, which I then investigate through the dashboard, cross-referencing indicators against the threat intel stored in OpenCTI and MISP.

Start the entire SOC:   docker compose up -d
Stop the entire SOC:    docker compose down
Check running containers: docker ps
View container logs:   docker logs <container-name>

> Why I Built This

Most of my hands-on security work has been from the offensive side. This lab is the counterweight — seeing what an attack actually looks like from a SOC analyst's chair: what gets logged, what gets missed, and how detections need tuning before they're useful rather than just noisy.