Fully Virtualized Enterprise SOC Environment
Running on a single iMac (i7-10700K, 64GB RAM) with VMware Fusion hosting 12+ VMs across 6 isolated VLANs —
simulating a complete enterprise network with Users, Executive, Servers, SOC, and Quarantine segments.
pfSense handles inter-VLAN routing, NAT, and firewall enforcement. Every design decision mirrors real-world SOC architecture.
Dual-SIEM Architecture — Wazuh + Splunk Running in Parallel
Both platforms receive telemetry simultaneously from Windows, Linux, and macOS endpoints —
allowing cross-platform event correlation, alert comparison, and realistic analyst workflows on either tool.
Splunk is used for SPL-driven analytics and dashboarding; Wazuh for XDR alerting and VirusTotal enrichment.
End-to-End Detection → Alert → Email Pipeline
Scan tool execution on Kali Blue triggers a Splunk alert within 60 seconds, which automatically extracts the
target IP via regex, generates a PDF forensic report, and delivers it to Gmail — with zero human interaction required.
Validated live on April 3, 2026.
Splunk: SIEM · Analytics · Alerting
Wazuh: SIEM · XDR · FIM
Suricata: Network IDS (EVE JSON)
pfSense: Firewall · VLAN Router
Sysmon: Endpoint Telemetry
Active Directory: Identity · GPOs · DNS
VirusTotal API: Threat Intel · Auto-Quarantine
Kali Linux: Blue Team · Attack Sim
Scan Tool Execution Detection — Full Pipeline
Kali Blue (nmap executed) → auth.log (sudo logged) → Splunk UF (forwarded) → SPL Alert (regex + IP extraction) → Gmail (PDF delivered)
MITRE T1046 Network Service Scanning · Validated Live · 60s detection time
timestamp: 2026-04-03 19:42:28
host: jean-blue (Kali)
user: root
command: /usr/bin/nmap
target_ip: 10.10.20.101 (WIN11-USER01)
action: Alert fired → PDF generated → Email delivered to Gmail
human intervention: NONE
VirusTotal + Auto-Quarantine — EICAR Test (March 19, 2026)
Wazuh syscheck (FIM) reported the new EICAR file → the VirusTotal integration looked up its hash via the API → 62/67 engines flagged it →
Rule 87105 Level 12 (Critical) triggered → active response executed quarantine_file.sh automatically.
File isolated in under 2 seconds. Zero manual steps.
MITRE T1203 · Auto-Response Active · 62/67 engines · 92.5% detection
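As an added illustration of the auto-quarantine step (example code written for this page, not the lab's quarantine_file.sh, which is not shown here): a Python active-response script that reads the JSON message wazuh-execd passes on stdin, acts only on the "add" command for the VirusTotal rule, refuses symlinks and non-regular files, and moves the flagged file into a quarantine directory with no permissions. The stdin message shape and the data.virustotal.* fields follow the Wazuh 4.x active-response protocol and VirusTotal integration; the quarantine path, the trigger-rule set and the sample alert payload are assumptions.

```python
#!/usr/bin/env python3
"""Illustrative Wazuh active-response quarantine script (added example, not the lab's
quarantine_file.sh). Assumes the Wazuh >= 4.2 JSON active-response protocol on stdin and
the VirusTotal integration's alert fields (data.virustotal.source.file, .positives, .total)."""
import json
import os
import shutil
import sys
import time

QUARANTINE_DIR = "/var/ossec/quarantine"           # assumed location
LOG_FILE = "/var/ossec/logs/active-responses.log"  # standard Wazuh active-response log
TRIGGER_RULES = {"87105"}                          # VirusTotal positive-match rule from the page


def build_sample_alert(path, positives="62", total="67"):
    """Constructed payload in the shape wazuh-execd hands to an active-response script."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "wazuh-manager", "module": "wazuh-analysisd"},
        "command": "add",
        "parameters": {"extra_args": [], "alert": {
            "rule": {"id": "87105", "level": 12, "description": "VirusTotal: Alert"},
            "data": {"virustotal": {"found": 1, "malicious": 1, "positives": positives,
                                    "total": total, "source": {"file": path}}}}},
    })


def quarantine_from_payload(payload, quarantine_dir=QUARANTINE_DIR, log_file=None):
    """Move the flagged file into quarantine. Returns a result dict, or None if nothing was done."""
    msg = json.loads(payload)
    if msg.get("command") != "add":            # "delete" arrives for timeout-based responses
        return None
    alert = msg.get("parameters", {}).get("alert", {})
    if str(alert.get("rule", {}).get("id")) not in TRIGGER_RULES:
        return None
    vt = alert.get("data", {}).get("virustotal", {})
    path = vt.get("source", {}).get("file")
    if not path:
        return None
    real = os.path.realpath(path)
    qdir = os.path.realpath(quarantine_dir)
    # refuse symlink tricks, non-regular files, and files already inside quarantine
    if os.path.islink(path) or not os.path.isfile(real) or real.startswith(qdir + os.sep):
        return None
    os.makedirs(qdir, mode=0o700, exist_ok=True)
    dest = os.path.join(qdir, f"{os.path.basename(real)}.{int(time.time())}.quarantined")
    shutil.move(real, dest)
    os.chmod(dest, 0o000)                      # nothing can read or execute it by accident
    result = {"original": real, "quarantined": dest,
              "positives": vt.get("positives"), "total": vt.get("total")}
    if log_file:
        with open(log_file, "a") as fh:
            fh.write(json.dumps(result) + "\n")
    return result


def demo_in_tempdir():
    """Exercise the script against a throwaway file (a benign placeholder, not EICAR)."""
    import tempfile
    base = tempfile.mkdtemp()
    sample = os.path.join(base, "sample.com")
    with open(sample, "w") as fh:
        fh.write("benign placeholder")
    res = quarantine_from_payload(build_sample_alert(sample),
                                  quarantine_dir=os.path.join(base, "quarantine"))
    return {"original_still_exists": os.path.exists(sample),
            "quarantined_exists": bool(res) and os.path.isfile(res["quarantined"]),
            "result": res}


if __name__ == "__main__":
    if sys.stdin.isatty():                     # run by hand: show the demo instead
        print(json.dumps(demo_in_tempdir()))
    else:                                      # wazuh-execd writes the JSON message to stdin
        print(json.dumps(quarantine_from_payload(sys.stdin.read(), log_file=LOG_FILE)))
```

To wire a script like this in, it goes under /var/ossec/active-response/bin/ on the agent and is referenced from a <command> block in ossec.conf, with an <active-response> block naming that command and the rule id (87105 here).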
Privilege Escalation · Lateral Movement · Auth Log Analysis
Sudo usage detection on Linux via the linux_secure sourcetype. Windows EventCode correlation
(4624 logon, 4625 failed logon, 4648 logon with explicit credentials, 4672 special privileges assigned, 4720 user account created)
across domain-joined endpoints. Sysmon EventIDs 1 (process create), 3 (network connection), 11 (file create), 13 (registry value set)
validated on all Windows hosts. AD trust relationship failures diagnosed and resolved.
MITRE T1078 · T1021 · T1055 · AD · Kerberos · Sysmon
Splunk Config Precedence — Silent Email Failure
Alerts fired and the scheduler logged them as successful (INFO), but no emails arrived. Root cause:
apps/search/local/alert_actions.conf silently overrode the SMTP credentials in
system/local/alert_actions.conf. Saved-search alert actions are evaluated in the context of the app that owns the search,
and in that context an app's local directory outranks system/local, so the stale app-level credentials won without any error.
Diagnosed by tracing Splunk's config merge hierarchy (splunk btool alert_actions list email --debug prints the winning file next to every setting). Resolved by updating the correct precedence file.
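To make the precedence concrete, an added example (not Splunk's code and not a file from this lab) that merges two constructed alert_actions.conf fragments in Splunk's app-context order and reports which file each setting came from, which is the same information btool --debug prints. The values are placeholders, and the user-level path is only a stand-in for the etc/users/<user>/... layer.

```python
import configparser
from io import StringIO

# Constructed stand-ins for the two files named above (values are placeholders).
CONF_LAYERS = {
    "etc/system/local/alert_actions.conf": """
[email]
mailserver = smtp.gmail.com:587
use_tls = 1
auth_username = soc-alerts@example.com
auth_password = <current-app-password>
""",
    "etc/apps/search/local/alert_actions.conf": """
[email]
auth_username = old-account@example.com
auth_password = <stale-app-password>
""",
}

# Splunk's app/user context precedence, highest first. Saved-search alert actions run in
# the context of the app that owns the search, here "search".
APP_CONTEXT_ORDER = [
    "etc/users/<user>/search/local/alert_actions.conf",
    "etc/apps/search/local/alert_actions.conf",
    "etc/apps/search/default/alert_actions.conf",
    "etc/system/local/alert_actions.conf",
    "etc/system/default/alert_actions.conf",
]


def load_layer(text):
    """Parse one conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_file(StringIO(text))
    return {section: dict(cp[section]) for section in cp.sections()}


def merge(layers, order):
    """First file in `order` that defines a key wins; remember where each key came from."""
    merged = {}
    for path in order:
        if path not in layers:
            continue
        for stanza, kv in load_layer(layers[path]).items():
            for key, value in kv.items():
                merged.setdefault(stanza, {}).setdefault(key, (value, path))
    return merged


def effective_email_settings(layers=CONF_LAYERS):
    """The [email] stanza as the alert action actually sees it: {key: (value, source file)}."""
    return merge(layers, APP_CONTEXT_ORDER)["email"]


if __name__ == "__main__":
    for key, (value, source) in effective_email_settings().items():
        print(f"{key} = {value}    <- {source}")
```

The output shows mailserver coming from system/local while both auth_* keys come from apps/search/local, which is exactly the shadowing the page describes; deleting or correcting the app-level file lets the system/local credentials take effect.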
Suricata ET SCAN Limitation — Internal Traffic Blind Spot
Discovered that Suricata's ET SCAN ruleset only fires for EXTERNAL_NET → HOME_NET traffic: the rule headers are written as
$EXTERNAL_NET -> $HOME_NET, and EXTERNAL_NET defaults to !$HOME_NET, so once every lab VLAN is inside HOME_NET a scan from one
VLAN to another never matches. VLAN-to-VLAN internal scans are invisible to Suricata (setting EXTERNAL_NET to any, or adding local
$HOME_NET -> $HOME_NET rules, would surface them at the cost of noisier alerts). Solution: use Sysmon EventID 3
(Network Connection) to detect internal reconnaissance at the endpoint level. Caveat: Sysmon records established TCP connections and
UDP sends, so a half-open SYN sweep of closed ports leaves little trace on the target; connect scans and probes of listening services do show up.
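An added example (written for this page, not taken from the lab or from Suricata/Sysmon) that shows both halves of the point: a direction check that mimics an ET SCAN rule header with the default EXTERNAL_NET = !$HOME_NET, and a port-sweep detector run over constructed Sysmon EventID 3 records. The 10.10.0.0/16 HOME_NET, the host addresses, and the 15-target/60-second threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: every lab VLAN sits inside this range, so HOME_NET covers all of them and
# EXTERNAL_NET (Suricata's default, !$HOME_NET) covers nothing internal.
HOME_NET = [ipaddress.ip_network("10.10.0.0/16")]


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def et_scan_header_matches(src, dst):
    """Direction check of an ET SCAN rule header: $EXTERNAL_NET -> $HOME_NET."""
    return (not in_home_net(src)) and in_home_net(dst)


def build_sample_events():
    """Constructed Sysmon EventID 3 records (field names as the Splunk Sysmon add-on extracts
    them), not events captured from the lab: a VLAN 50 host sweeps ports 1..25 on WIN11-USER01
    within a minute, alongside ordinary AD traffic from WIN11-USER01 to the DC."""
    t0 = datetime(2026, 4, 3, 19, 42, 28)
    events = []
    for i in range(25):
        events.append({"UtcTime": t0 + timedelta(seconds=2 * i), "Computer": "WIN11-USER01",
                       "SourceIp": "10.10.50.10", "DestinationIp": "10.10.20.101",
                       "DestinationPort": 1 + i})
    for i, port in enumerate((445, 389, 88, 135)):
        events.append({"UtcTime": t0 + timedelta(seconds=10 * i), "Computer": "WIN11-USER01",
                       "SourceIp": "10.10.20.101", "DestinationIp": "10.10.30.5",
                       "DestinationPort": port})
    return events


def detect_internal_scans(events, window=timedelta(seconds=60), threshold=15):
    """Flag a SourceIp that touches >= threshold distinct ip:port pairs inside one window.
    Only internal-to-internal traffic is considered, i.e. exactly what ET SCAN cannot see."""
    by_src = defaultdict(list)
    for ev in events:
        if in_home_net(ev["SourceIp"]) and in_home_net(ev["DestinationIp"]):
            by_src[ev["SourceIp"]].append(ev)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["UtcTime"])
        best = 0
        for i, start in enumerate(evs):  # every event opens a candidate window
            targets = {(e["DestinationIp"], e["DestinationPort"])
                       for e in evs[i:] if e["UtcTime"] - start["UtcTime"] <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits.append((src, best))
    return hits


if __name__ == "__main__":
    print("ET SCAN sees VLAN50 -> VLAN20:", et_scan_header_matches("10.10.50.10", "10.10.20.101"))
    print("ET SCAN sees internet -> VLAN20:", et_scan_header_matches("203.0.113.7", "10.10.20.101"))
    print("Sysmon EID3 scan hits:", detect_internal_scans(build_sample_events()))
```

The same logic in SPL is a stats count by SourceIp with dc(DestinationPort) over a 1-minute bin on the Sysmon EventCode=3 events; the Python form is here only so the blind spot and the endpoint-side fix can be run side by side.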
SPL Regex for Target IP Extraction from Raw Log
Standard field extraction missed target IPs because Splunk's automatic key=value extraction stops at the first whitespace, so the COMMAND
field only contains the binary path (/usr/bin/nmap) and none of the arguments that follow it. Built a custom rex pattern against _raw
to extract the actual target IP from the full sudo log line — providing complete forensic context in every alert email.
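The extraction problem as an added Python example (not the lab's SPL, though the pattern in the comment is the SPL equivalent): a naive key=value extraction that stops at whitespace beside a full-line extraction that recovers the binary and the target, handling CIDR targets, hostname targets and an --exclude list. The sample auth.log lines are constructed, and the list of watched scanner binaries is an assumption.

```python
import re

# Constructed sample auth.log lines (not captured from the lab on this page). Layout is the
# standard sudo syslog format; host, user and target mirror the page's validated event.
SAMPLE_AUTH_LOG = """\
Apr  3 19:42:28 jean-blue sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/nmap -sS -p 1-1000 10.10.20.101
Apr  3 19:43:02 jean-blue sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/nmap -sn 10.10.20.0/24
Apr  3 19:44:10 jean-blue sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/nmap -p 22,80,443 --exclude 10.10.20.1 win11-user01.corp.local
Apr  3 19:45:00 jean-blue sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Assumed set of scanner binaries the alert should fire on.
SCAN_TOOLS = {"/usr/bin/nmap", "/usr/bin/masscan", "/usr/bin/nikto"}

# Prefix of every sudo line: syslog timestamp, host, and the invoking user.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) :"
)
# The full command runs to end of line. The same pattern works in SPL:
#   | rex field=_raw "COMMAND=(?<command>[^\n]+)"
COMMAND_RE = re.compile(r"COMMAND=(?P<command>[^\n]+)")
# IPv4 target with optional CIDR suffix. Port ranges/lists ("1-1000", "22,80,443") contain
# no dots, so they cannot match.
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?")


def naive_kv(line):
    """Mimic automatic key=value extraction: a value stops at the first whitespace."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def extract_target(args):
    """Pick the scan target out of the argument string; hosts after --exclude are skipped."""
    cleaned, skip = [], False
    for tok in args.split():
        if skip:
            skip = False
            continue
        if tok in ("--exclude", "--excludefile"):
            skip = True
            continue
        cleaned.append(tok)
    ips = [t for t in cleaned if IPV4_RE.fullmatch(t)]
    if ips:
        return ips[-1]
    # Hostname target: last token that is not an option flag. Option *values* such as the
    # "22,80,443" after -p can still slip through; this is a heuristic, not an nmap parser.
    positional = [t for t in cleaned if not t.startswith("-")]
    return positional[-1] if positional else None


def scan_events(log_text):
    """Return one record per sudo invocation of a watched scan tool."""
    events = []
    for line in log_text.splitlines():
        head, cmd = HEADER_RE.search(line), COMMAND_RE.search(line)
        if not head or not cmd:
            continue
        binary, _, args = cmd.group("command").partition(" ")
        if binary not in SCAN_TOOLS:
            continue
        events.append({
            "timestamp": head.group("ts"),
            "host": head.group("host"),
            "user": head.group("user"),
            "command": binary,
            "target": extract_target(args),
        })
    return events


if __name__ == "__main__":
    first = SAMPLE_AUTH_LOG.splitlines()[0]
    print("auto-extracted COMMAND:", naive_kv(first)["COMMAND"])  # only the binary path
    for ev in scan_events(SAMPLE_AUTH_LOG):
        print(ev)
```

Feeding the first constructed line through naive_kv yields COMMAND=/usr/bin/nmap and nothing else, which is the gap the custom rex closed; scan_events recovers 10.10.20.101 for that line and the CIDR or hostname for the others, while ignoring the apt invocation.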
DONE: SOC Security Overview Dashboard (Splunk Dashboard Studio) with real-time auto-refresh panels and color-coded thresholds
DONE: Suricata → Splunk EVE JSON pipeline — full network + endpoint visibility in single SIEM
DONE: Email alerting with PDF attachment — end-to-end validated, zero human intervention
IN PROGRESS: 3 full documented attack scenarios: Red Team attack → detection → IR report
PLANNED: External Red Team Kali (bridge mode) · Velociraptor threat hunting · TheHive/Cortex SOAR · Honeypot in VLAN 60