Inicio Explorar Ayuda
Iniciar sesión
tum
/
soc
Seguir 1
Destacar 0
Fork 0
Código Incidencias 0 Pull Requests 0 Commits 8 Releases 0 Wiki

Sin descripción

Árbol: 0359e841fb
Ramas Etiquetas
soc
ZIP TAR.GZ
tum 0359e841fb progress update hace 1 mes
Shuffle 7efe524391 modify conflict hace 1 mes
compose-overrides 9de2549954 first commit hace 1 mes
iris-web 619a0c6d4b config hace 1 mes
scripts 9de2549954 first commit hace 1 mes
soc-integrator 9bd700d33c gitignore hace 1 mes
wazuh-docker 619a0c6d4b config hace 1 mes
.gitignore 9bd700d33c gitignore hace 1 mes
README.md 9ffefbf37c readme hace 1 mes
Security Detection & Threat Intelligence Enhancement Proposal-2.md 9de2549954 first commit hace 1 mes
package-lock.json 9de2549954 first commit hace 1 mes
package.json 9de2549954 first commit hace 1 mes
progress-update.md 0359e841fb progress update hace 1 mes
progress-update.pdf 0359e841fb progress update hace 1 mes
run-combined-stack.sh 7e39c9d3b9 mac update hace 1 mes
soc-status.sh 9de2549954 first commit hace 1 mes

README.md

FoodProject SOC Lab

This repository runs a combined SOC lab with:

  • wazuh-docker (single-node)
  • iris-web
  • Shuffle
  • pagerduty-stub
  • soc-integrator (FastAPI)

All services are connected through a shared Docker network (soc_shared).

Prerequisites

  • Docker + Docker Compose plugin
  • Bash
  • nc (for test event script)

Quick Start

Start all services (detached):

./run-combined-stack.sh up --all -d

Start all and stream logs:

./run-combined-stack.sh up --all

Stop all:

./run-combined-stack.sh down --all

Status overview:

./run-combined-stack.sh status

Service URLs

  • Wazuh Dashboard: https://localhost
  • Wazuh API: https://localhost:55000
  • IRIS-web: https://localhost:8443
  • Shuffle UI: http://localhost:3001
  • PagerDuty Stub: http://localhost:18080
  • SOC Integrator API: http://localhost:8088
  • SOC Integrator Swagger: http://localhost:8088/docs

SOC Integrator

Key env file:

  • soc-integrator/.env

Main sections:

  • Legacy integration APIs (/wazuh/*, /shuffle/*, /action/*)
  • MVP orchestration APIs (/mvp/*)

MVP endpoints

  • POST /mvp/incidents/ingest
  • POST /mvp/ioc/evaluate
  • POST /mvp/vpn/evaluate
  • GET /mvp/config/policies
  • PUT /mvp/config/policies
  • GET /mvp/health/dependencies

Protected endpoints require:

  • Header: X-Internal-API-Key
  • Key from: SOC_INTEGRATOR_INTERNAL_KEY in soc-integrator/.env

Example: MVP ingest

curl -X POST http://localhost:8088/mvp/incidents/ingest \
  -H 'Content-Type: application/json' \
  -H 'X-Internal-API-Key: dev-internal-key' \
  -d '{
    "source":"manual",
    "event_type":"ioc_ips",
    "event_id":"evt-1",
    "timestamp":"2026-02-12T16:00:00Z",
    "severity":"high",
    "title":"Test IOC",
    "description":"MVP test",
    "asset":{"hostname":"labhost","user":"analyst"},
    "network":{"src_ip":"203.0.113.10","country":"US"},
    "tags":["mvp","test"],
    "risk_context":{"admin_account":true},
    "raw":{},
    "payload":{}
  }'

Test Events to Wazuh

Send synthetic events via syslog UDP 514:

scripts/send-wazuh-test-events.sh all

Scenarios:

  • ioc_dns
  • ioc_ips
  • vpn_outside_th
  • windows_auth_fail
  • all

See scripts/README.md for details.

Logs

All logs (non-follow):

./run-combined-stack.sh logs --all --tail 200

Follow one stack:

./run-combined-stack.sh logs integrator -f
./run-combined-stack.sh logs wazuh -f

Notes

  • MVP escalation is wired to pagerduty-stub (not real PagerDuty).
  • IRIS-web is used as case management backend (replacing DFIRTrack).