# FoodProject SOC Lab

This repository runs a combined SOC lab with:

- `wazuh-docker` (single-node)
- `iris-web`
- `Shuffle`
- `pagerduty-stub`
- `soc-integrator` (FastAPI)

All services are connected through a shared Docker network (`soc_shared`).

## Prerequisites

- Docker + Docker Compose plugin
- Bash
- `nc` (used by the test event script)

## Quick Start

Start all services (detached):

```bash
./run-combined-stack.sh up --all -d
```

Start all services and stream their logs:

```bash
./run-combined-stack.sh up --all
```

Stop all services:

```bash
./run-combined-stack.sh down --all
```

Status overview:

```bash
./run-combined-stack.sh status
```

## Service URLs

- Wazuh Dashboard: `https://localhost`
- Wazuh API: `https://localhost:55000`
- IRIS-web: `https://localhost:8443`
- Shuffle UI: `http://localhost:3001`
- PagerDuty Stub: `http://localhost:18080`
- SOC Integrator API: `http://localhost:8088`
- SOC Integrator Swagger: `http://localhost:8088/docs`

## SOC Integrator

Configuration file:

- `soc-integrator/.env`

API groups:

- Legacy integration APIs (`/wazuh/*`, `/shuffle/*`, `/action/*`)
- MVP orchestration APIs (`/mvp/*`)
- Wazuh-to-MVP sync API (`/wazuh/sync-to-mvp`)
- Wazuh auto-sync status API (`/wazuh/auto-sync/status`)

### MVP endpoints

- `POST /mvp/incidents/ingest`
- `POST /mvp/ioc/evaluate`
- `POST /mvp/vpn/evaluate`
- `GET /mvp/config/policies`
- `PUT /mvp/config/policies`
- `GET /mvp/health/dependencies`

Protected endpoints require:

- Header: `X-Internal-API-Key`
- Key value: `SOC_INTEGRATOR_INTERNAL_KEY` in `soc-integrator/.env`

The examples below use `dev-internal-key`; substitute whatever value `SOC_INTEGRATOR_INTERNAL_KEY` holds in your `.env`.

### Example: MVP ingest

```bash
curl -X POST http://localhost:8088/mvp/incidents/ingest \
  -H 'Content-Type: application/json' \
  -H 'X-Internal-API-Key: dev-internal-key' \
  -d '{
    "source":"manual",
    "event_type":"ioc_ips",
    "event_id":"evt-1",
    "timestamp":"2026-02-12T16:00:00Z",
    "severity":"high",
    "title":"Test IOC",
    "description":"MVP test",
    "asset":{"hostname":"labhost","user":"analyst"},
    "network":{"src_ip":"203.0.113.10","country":"US"},
    "tags":["mvp","test"],
    "risk_context":{"admin_account":true},
    "raw":{},
    "payload":{}
  }'
```

## Test Events to Wazuh

Send synthetic events to Wazuh via syslog (UDP 514):

```bash
scripts/send-wazuh-test-events.sh all
```

Scenarios:

- `ioc_dns`
- `ioc_ips`
- `vpn_outside_th`
- `windows_auth_fail`
- `all`

See `scripts/README.md` for details.

### Sync Wazuh alerts into the MVP pipeline

Pull alerts from the Wazuh indexer into the MVP pipeline:

```bash
curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&q=*" \
  -H 'X-Internal-API-Key: dev-internal-key'
```

Notes:

- The sync reads from the `wazuh-alerts-*` indices in the Wazuh indexer.
- Re-running the sync is safe; events are deduplicated by `source + event_id`.
- Traffic from `send-wazuh-test-events.sh` appears in the sync only after Wazuh rules have generated alerts for it.

### Automatic sync worker

Enable the worker, rebuild the integrator, and follow its logs:

```bash
sed -i 's/^WAZUH_AUTO_SYNC_ENABLED=.*/WAZUH_AUTO_SYNC_ENABLED=true/' soc-integrator/.env
./run-combined-stack.sh up integrator --build -d
./run-combined-stack.sh logs integrator -f
```

The `sed` line only rewrites an existing `WAZUH_AUTO_SYNC_ENABLED=` entry; if the variable is missing from `.env`, add it by hand.

Auto-sync settings in `soc-integrator/.env`:

- `WAZUH_AUTO_SYNC_ENABLED` (`true|false`)
- `WAZUH_AUTO_SYNC_INTERVAL_SECONDS` (default `60`)
- `WAZUH_AUTO_SYNC_QUERY` (default `*`)
- `WAZUH_AUTO_SYNC_LIMIT` (default `50`)
- `WAZUH_AUTO_SYNC_MINUTES` (default `120`)

## Logs

All logs (non-follow):

```bash
./run-combined-stack.sh logs --all --tail 200
```

Follow one stack:

```bash
./run-combined-stack.sh logs integrator -f
./run-combined-stack.sh logs wazuh -f
```

## Notes

- MVP escalation is wired to `pagerduty-stub`, not to real PagerDuty.
- IRIS-web is the case-management backend (it replaces DFIRTrack).
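The "Protected endpoints" section above says every `/mvp/*` call and the sync endpoint must carry `X-Internal-API-Key` matching `SOC_INTEGRATOR_INTERNAL_KEY` from `.env`. The following is an added example, not code from `soc-integrator`, showing how such a shared-secret check is done safely: fail closed when the key is unset, compare in constant time, and treat the header name case-insensitively as HTTP requires. `load_internal_key`, `startup_warnings`, `check_internal_key` and `auth_headers` are names chosen for this illustration; the only values taken from the page are the header name, the variable name and the `dev-internal-key` placeholder used in the README's `curl` examples.

```python
"""Shared-secret check for the integrator's protected endpoints.

Added example (not soc-integrator code). Server side: load the key from the
environment and verify the request header. Client side: build the headers a
caller sends to /mvp/* or /wazuh/sync-to-mvp. Function names are assumptions.
"""
import hmac

HEADER = "X-Internal-API-Key"
DEV_PLACEHOLDER = "dev-internal-key"  # value shown in the README's curl examples


def load_internal_key(env: dict) -> str:
    """Fail closed: an unset or empty key must never make every request pass."""
    key = env.get("SOC_INTEGRATOR_INTERNAL_KEY", "").strip()
    if not key:
        raise RuntimeError("SOC_INTEGRATOR_INTERNAL_KEY is not set; refusing to start")
    return key


def startup_warnings(key: str) -> list:
    """Non-fatal findings worth logging once at startup."""
    warnings = []
    if key == DEV_PLACEHOLDER:
        warnings.append("internal key is the dev placeholder; change it before "
                        "exposing port 8088 beyond localhost")
    if len(key) < 16:
        warnings.append("internal key is shorter than 16 characters")
    return warnings


def check_internal_key(headers: dict, expected: str) -> bool:
    """True only if the request carries the configured key.

    Header names are case-insensitive in HTTP, so the lookup ignores case.
    hmac.compare_digest avoids leaking the key byte-by-byte through timing.
    """
    presented = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def auth_headers(key: str, json_body: bool = True) -> dict:
    """Headers a client attaches when calling a protected integrator endpoint."""
    headers = {HEADER: key}
    if json_body:
        headers["Content-Type"] = "application/json"
    return headers


if __name__ == "__main__":
    key = load_internal_key({"SOC_INTEGRATOR_INTERNAL_KEY": DEV_PLACEHOLDER})
    print(startup_warnings(key))
    print(check_internal_key(auth_headers(key), key))        # True
    print(check_internal_key(auth_headers("wrong-key"), key))  # False
```

In a FastAPI service `check_internal_key` would run inside a dependency that reads `request.headers` and raises `HTTPException(401)` on `False`; the plain-function form above keeps the check testable without the framework.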
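The sync notes above make two claims worth seeing in working code: the auto-sync worker is driven by the `WAZUH_AUTO_SYNC_*` variables with the listed defaults, and re-running a sync is safe because alerts are deduplicated by `source + event_id`. The block below is an added model of that behaviour, not the integrator's own implementation. It parses the settings with the README's defaults (rejecting values outside `true|false`), applies the `minutes=` window and `limit=` cap, and runs the same alert set through an idempotent sink twice. The alert documents are constructed to resemble simplified `wazuh-alerts-*` hits; the mapping of indexer `_id` to `event_id` and of rule level to severity, and all function names, are assumptions for the demonstration.

```python
"""Model of the Wazuh-to-MVP sync described in this README.

Added example (not soc-integrator code). Demonstrates the WAZUH_AUTO_SYNC_*
settings with their documented defaults and the `source + event_id` dedupe
that makes re-running a sync safe. Alert layout and names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AutoSyncSettings:
    enabled: bool
    interval_seconds: int
    query: str
    limit: int
    minutes: int


def _as_bool(value: str) -> bool:
    # Documented values are `true|false`; reject anything else instead of
    # silently disabling the worker on a typo.
    v = value.strip().lower()
    if v in ("true", "false"):
        return v == "true"
    raise ValueError(f"expected true|false, got {value!r}")


def _as_positive_int(value: str, name: str) -> int:
    n = int(value)
    if n <= 0:
        raise ValueError(f"{name} must be a positive integer, got {n}")
    return n


def load_settings(env: dict) -> AutoSyncSettings:
    """Read WAZUH_AUTO_SYNC_* from an env mapping, applying the README defaults."""
    return AutoSyncSettings(
        enabled=_as_bool(env.get("WAZUH_AUTO_SYNC_ENABLED", "false")),
        interval_seconds=_as_positive_int(
            env.get("WAZUH_AUTO_SYNC_INTERVAL_SECONDS", "60"), "interval_seconds"),
        query=env.get("WAZUH_AUTO_SYNC_QUERY", "*"),
        limit=_as_positive_int(env.get("WAZUH_AUTO_SYNC_LIMIT", "50"), "limit"),
        minutes=_as_positive_int(env.get("WAZUH_AUTO_SYNC_MINUTES", "120"), "minutes"),
    )


def dedupe_key(event: dict) -> str:
    """The README's dedupe identity: source + event_id."""
    return f"{event['source']}|{event['event_id']}"


class MvpSink:
    """Stand-in for the MVP ingest pipeline: accepts each dedupe key once."""

    def __init__(self) -> None:
        self.seen: set = set()
        self.accepted: list = []

    def ingest(self, event: dict) -> bool:
        key = dedupe_key(event)
        if key in self.seen:
            return False
        self.seen.add(key)
        self.accepted.append(event)
        return True


def _parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 onwards.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_alerts(hits: list, settings: AutoSyncSettings, now: datetime) -> list:
    """Apply the lookback window and cap (the `minutes=` and `limit=` parameters)."""
    cutoff = now - timedelta(minutes=settings.minutes)
    recent = [h for h in hits if _parse_ts(h["_source"]["timestamp"]) >= cutoff]
    recent.sort(key=lambda h: h["_source"]["timestamp"], reverse=True)
    return recent[: settings.limit]


def sync_once(hits: list, settings: AutoSyncSettings, sink: MvpSink, now: datetime) -> int:
    """One sync pass; returns how many alerts were newly ingested."""
    new = 0
    for hit in select_alerts(hits, settings, now):
        src = hit["_source"]
        # Assumption: indexer _id becomes event_id, source label is "wazuh",
        # rule level >= 10 maps to "high". The real mapping is not in the README.
        event = {"source": "wazuh", "event_id": hit["_id"], "timestamp": src["timestamp"],
                 "severity": "high" if src["rule"]["level"] >= 10 else "medium",
                 "title": src["rule"]["description"]}
        if sink.ingest(event):
            new += 1
    return new


# Constructed sample hits, shaped like simplified wazuh-alerts-* documents.
NOW = datetime(2026, 2, 12, 16, 0, tzinfo=timezone.utc)
SAMPLE_HITS = [
    {"_id": "a1", "_source": {"timestamp": "2026-02-12T15:30:00Z",
                              "rule": {"level": 12, "description": "IOC IP contacted"}}},
    {"_id": "a2", "_source": {"timestamp": "2026-02-12T14:10:00Z",
                              "rule": {"level": 7, "description": "VPN login outside TH"}}},
    {"_id": "a3", "_source": {"timestamp": "2026-02-12T12:00:00Z",
                              "rule": {"level": 5, "description": "Windows auth failure"}}},
]


def demo() -> tuple:
    settings = load_settings({})  # defaults: limit 50, 120-minute window
    sink = MvpSink()
    first = sync_once(SAMPLE_HITS, settings, sink, NOW)
    second = sync_once(SAMPLE_HITS, settings, sink, NOW)  # re-run: nothing new
    return first, second, len(sink.accepted)


if __name__ == "__main__":
    print(demo())  # (2, 0, 2): a3 falls outside the 120-minute window
```

With defaults, the first pass ingests `a1` and `a2` and skips `a3` (older than 120 minutes); the second pass ingests nothing because both keys are already seen, which is the property the README relies on when it says re-running the sync is safe.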