# Project Progress Update

Date: February 13, 2026
Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)

## 1) Executive Summary

The MVP platform is operational and running end-to-end in the lab environment. Core integrations are in place:

- Detection: Wazuh
- Automation: Shuffle
- Case management: IRIS-web (replacing DFIRTrack)
- Escalation (MVP): PagerDuty Stub
- Orchestration/API layer: soc-integrator

All major containers are currently up, and key health checks are passing.

## 2) Completed Work

### Platform orchestration and operations

- Combined stack runner created and improved (`run-combined-stack.sh`)
- Added command support for:
  - `up`, `down`, `logs`, `status`, `help`
  - per-target control (`wazuh`, `iris`, `shuffle`, `pagerduty`, `integrator`)
- Added consolidated health/status script (`soc-status.sh`)

### Integration architecture

- Connected Wazuh, Shuffle, IRIS-web, PagerDuty Stub, and soc-integrator on a shared Docker network
- Resolved startup conflicts and runtime issues (port collisions, compose compatibility, routing)

### SOC Integrator (MVP)

- Added/validated integration APIs for:
  - Wazuh
  - Shuffle
  - IRIS-web
  - PagerDuty Stub
- Implemented MVP orchestration endpoints:
  - `POST /mvp/incidents/ingest`
  - `POST /mvp/ioc/evaluate`
  - `POST /mvp/vpn/evaluate`
  - `GET /mvp/config/policies`
  - `PUT /mvp/config/policies`
  - `GET /mvp/health/dependencies`
- Added internal API-key protection for mutation endpoints

### Persistence layer

- Added PostgreSQL service for soc-integrator (`soc-integrator-db`)
- Added incident/policy/audit schema and startup initialization
- Enabled deduplication and audit tracking for incident processing

### Testing utilities and documentation

- Added Wazuh test-event injection script:
  - `scripts/send-wazuh-test-events.sh`
- Added root project docs:
  - `README.md`
- Added root ignore rules:
  - `.gitignore`

## 3) Current Live Status (Lab)

Current stack status: **UP**

Healthy/available components:

- Wazuh manager, indexer, dashboard
- IRIS-web app/nginx/worker/db/rabbitmq
- Shuffle backend/frontend/opensearch/orborus
- PagerDuty Stub
- soc-integrator + soc-integrator-db

Endpoint checks:

- Wazuh Dashboard: OK
- Wazuh API: OK (auth-protected; an unauthenticated request to the root path is expected to return 401)
- IRIS Web: OK
- Shuffle Frontend: OK
- Shuffle Backend: reachable
- Shuffle OpenSearch: reachable (auth-protected)
- PagerDuty Stub: OK
- soc-integrator `/health`: OK

## 4) System Architecture Diagram (PlantUML)

```plantuml
@startuml
title FoodProject SOC Platform - System Architecture (MVP)
skinparam componentStyle rectangle

actor "Analyst" as analyst
cloud "External Log Sources" as logs

rectangle "SOC Shared Docker Network" {
  node "Wazuh Stack" as wazuh {
    component "Wazuh Manager" as wazuh_mgr
    component "Wazuh Indexer" as wazuh_idx
    component "Wazuh Dashboard" as wazuh_dash
  }
  node "Shuffle Stack" as shuffle {
    component "Shuffle Frontend" as shuf_fe
    component "Shuffle Backend" as shuf_be
    component "Shuffle Orborus" as shuf_orb
    component "Shuffle OpenSearch" as shuf_os
  }
  node "IRIS-web Stack" as iris {
    component "IRIS Web App" as iris_app
    database "IRIS DB" as iris_db
    component "IRIS RabbitMQ" as iris_mq
  }
  node "SOC Integrator Stack" as integ {
    component "soc-integrator API" as soc_api
    database "soc-integrator-db" as soc_db
  }
  component "PagerDuty Stub" as pd_stub
}

logs --> wazuh_mgr : Security events
wazuh_mgr --> wazuh_idx : Index alerts
analyst --> wazuh_dash : Investigate alerts
wazuh_dash --> wazuh_idx : Query data
wazuh_mgr --> soc_api : Alert/incident input
soc_api --> soc_db : Persist incidents\npolicies\naudit
soc_api --> iris_app : Create/update cases
soc_api --> pd_stub : Escalation (MVP)
soc_api --> shuf_be : Trigger automation
shuf_fe --> shuf_be : UI/API
shuf_be --> shuf_os : Read/write workflow data
shuf_orb --> shuf_be : Execution queue polling
shuf_orb --> shuf_os : Workflow state interactions
iris_app --> iris_db : Case data
iris_app --> iris_mq : Async jobs
@enduml
```

## 5) In Progress / Remaining for Customer UAT

1. Detection content tuning
   - Fine-tune Wazuh rules/decoders for customer log patterns and false-positive reduction
2. Use-case calibration
   - Validate risk/severity mapping per approved use cases
   - Tune exception list and threshold logic (especially the VPN geo anomaly)
3. UAT evidence package
   - Capture deterministic UAT scenarios and outputs for:
     - IOC flow
     - VPN outside-TH flow
     - IRIS case creation/update
     - PagerDuty Stub escalation path
4. Production hardening items
   - Rotate default/local secrets used in lab config
   - Lock down internal API keys and access boundaries

## 6) Risks / Notes

- The current escalation target is the **PagerDuty Stub**, by design for the MVP. Real PagerDuty production integration is the next stage.
- Some Wazuh config certificate directories are root-owned in the local lab clone, which may break local `git add` operations unless those paths are excluded or their ownership is fixed.

## 7) Next Milestone (Proposed)

Next milestone: **MVP UAT Completion**

Target outputs:

- Approved UAT checklist execution
- Tuned policy thresholds for the customer environment
- Signed-off incident lifecycle flow: Wazuh event -> soc-integrator decision -> IRIS case -> PagerDuty Stub escalation
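The incident lifecycle in the milestone above (Wazuh event -> soc-integrator decision -> IRIS case -> PagerDuty Stub escalation), together with the internal API-key gate, deduplication and audit tracking listed under Completed Work, modelled as an added Python example. This is not the project's soc-integrator code: the event field names, the rule-level-to-severity thresholds, the fingerprint rule, the VPN allow-list and exception list, and the in-memory IRIS/PagerDuty stand-ins are all assumptions; only the endpoint names are taken from this update, and treating `/mvp/vpn/evaluate` as a read-only evaluation (no key) is also an assumption.

```python
"""Added example, not the FoodProject soc-integrator code: an in-memory model of the
MVP incident lifecycle with the API-key gate on mutation endpoints, deduplication
and an audit trail. All field names, thresholds and stub clients are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed lab key; the real stack loads its key from config/secrets (rotate before UAT).
INTERNAL_API_KEY = "lab-internal-key-CHANGE-ME"

# Assumed MVP policy set: Wazuh rule level -> severity, which severities page out,
# and the VPN geo rule (country allow-list plus a per-user exception list).
DEFAULT_POLICIES = {
    "severity_by_level": [[12, "critical"], [9, "high"], [6, "medium"], [0, "low"]],
    "escalate_severities": ["critical", "high"],
    "vpn_allowed_countries": ["TH"],
    "vpn_user_exceptions": ["travel-admin"],
}


class Unauthorized(Exception):
    """Raised when a mutation endpoint is called without a valid internal API key."""


@dataclass
class IrisStub:
    """Stand-in for the IRIS-web case API: one case per incident fingerprint."""
    cases: dict = field(default_factory=dict)

    def create_or_update(self, fingerprint, severity, title):
        case = self.cases.get(fingerprint)
        if case is None:
            case = {"id": f"IRIS-{len(self.cases) + 1}", "severity": severity,
                    "title": title, "updates": 0}
            self.cases[fingerprint] = case
        else:
            case["updates"] += 1
        return case["id"]


@dataclass
class PagerDutyStub:
    """Stand-in for the PagerDuty Stub container: just records escalations."""
    escalations: list = field(default_factory=list)

    def escalate(self, case_id, severity):
        self.escalations.append((case_id, severity))


@dataclass
class SocIntegrator:
    iris: IrisStub = field(default_factory=IrisStub)
    pagerduty: PagerDutyStub = field(default_factory=PagerDutyStub)
    policies: dict = field(default_factory=lambda: {k: list(v) for k, v in DEFAULT_POLICIES.items()})
    incidents: dict = field(default_factory=dict)  # fingerprint -> incident row (the DB table)
    audit: list = field(default_factory=list)      # (action, subject) rows

    def _require_key(self, api_key):
        # Constant-time comparison so the gate does not leak the key through timing.
        if not hmac.compare_digest(api_key or "", INTERNAL_API_KEY):
            raise Unauthorized("missing or invalid internal API key")

    @staticmethod
    def fingerprint(event):
        # Assumed dedup rule: same Wazuh rule on the same agent from the same source IP.
        raw = f"{event['rule_id']}|{event['agent']}|{event.get('src_ip', '')}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]

    def severity_for(self, level):
        for threshold, sev in self.policies["severity_by_level"]:
            if level >= threshold:
                return sev
        return "low"

    # POST /mvp/incidents/ingest (mutation: key required)
    def ingest(self, event, api_key=None):
        self._require_key(api_key)
        fp = self.fingerprint(event)
        row = self.incidents.get(fp)
        if row is not None:  # deduplicated: count it, touch the case, no second page-out
            row["count"] += 1
            self.iris.create_or_update(fp, row["severity"], row["title"])
            self.audit.append(("duplicate", fp))
            return {"status": "duplicate", "incident": row}
        severity = self.severity_for(event["level"])
        title = f"[{severity}] rule {event['rule_id']} on {event['agent']}"
        case_id = self.iris.create_or_update(fp, severity, title)
        escalated = severity in self.policies["escalate_severities"]
        if escalated:
            self.pagerduty.escalate(case_id, severity)
        row = {"fingerprint": fp, "severity": severity, "title": title,
               "case_id": case_id, "escalated": escalated, "count": 1}
        self.incidents[fp] = row
        self.audit.append(("created", fp))
        return {"status": "created", "incident": row}

    # POST /mvp/vpn/evaluate: a login from outside the allow-list is an anomaly
    # unless the user is on the exception list (treated as read-only here).
    def vpn_evaluate(self, login):
        allowed = login["country"] in self.policies["vpn_allowed_countries"]
        excepted = login["user"] in self.policies["vpn_user_exceptions"]
        return {"anomaly": not (allowed or excepted), "country": login["country"]}

    # GET /mvp/config/policies is open on the internal network; PUT needs the key.
    def get_policies(self):
        return self.policies

    def put_policies(self, new_policies, api_key=None):
        self._require_key(api_key)
        self.policies.update(new_policies)
        self.audit.append(("policy_update", ",".join(sorted(new_policies))))
        return self.policies
```

Two properties worth carrying into the UAT evidence package: a repeated Wazuh event for the same rule/agent/source updates the existing IRIS case but never produces a second PagerDuty escalation, and every ingest and policy change leaves an audit row, so the "duplicate" and "created" counts can be reconciled against the incident table.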