Aucune description

Tum 27d20adb0d pass		il y a 4 jours
Shuffle	0de071e7c9 soc update	il y a 3 semaines
compose-overrides	922e61ec37 wazuh iris	il y a 6 jours
docs	fc2cceda21 codex wazuh sim log	il y a 1 semaine
flask-openapi-shuffle	1d73c93084 custom	il y a 4 semaines
iris-web	922e61ec37 wazuh iris	il y a 6 jours
samples	4a7a140247 sample logs	il y a 5 jours
scripts	922e61ec37 wazuh iris	il y a 6 jours
shuffle-workflows	0de071e7c9 soc update	il y a 3 semaines
soc-integrator	67d19d6dd6 multipart	il y a 6 jours
wazuh-docker	fc2cceda21 codex wazuh sim log	il y a 1 semaine
.gitignore	0de071e7c9 soc update	il y a 3 semaines
README.md	51a7d8f87f workflow api	il y a 1 mois
Security Detection & Threat Intelligence Enhancement Proposal-2.md	9de2549954 first commit	il y a 1 mois
Security Detection & Threat Intelligence Enhancement Proposal-revise.md	1028963fde before claude code	il y a 2 semaines
overall.md	8800d39110 update meeting	il y a 2 semaines
overall.pdf	09eff977c0 rule update	il y a 2 semaines
package-lock.json	9de2549954 first commit	il y a 1 mois
package.json	9de2549954 first commit	il y a 1 mois
pass.txt	27d20adb0d pass	il y a 4 jours
progress-update.md	8800d39110 update meeting	il y a 2 semaines
progress-update.pdf	09eff977c0 rule update	il y a 2 semaines
run-combined-stack.sh	922e61ec37 wazuh iris	il y a 6 jours
soc-status.sh	9de2549954 first commit	il y a 1 mois
virustotal_v3.json	1d73c93084 custom	il y a 4 semaines
virustotal_v3.openapi.json	1d73c93084 custom	il y a 4 semaines
virustotal_v3.yaml	1d73c93084 custom	il y a 4 semaines

FoodProject SOC Lab

This repository runs a combined SOC lab with:

wazuh-docker (single-node)
iris-web
Shuffle
pagerduty-stub
soc-integrator (FastAPI)

All services are connected through a shared Docker network (soc_shared).

Prerequisites

Docker + Docker Compose plugin
Bash
nc (for test event script)

Quick Start

Start all services (detached):

./run-combined-stack.sh up --all -d

Start all and stream logs:

./run-combined-stack.sh up --all

Stop all:

./run-combined-stack.sh down --all

Status overview:

./run-combined-stack.sh status

Service URLs

Wazuh Dashboard: https://localhost
Wazuh API: https://localhost:55000
IRIS-web: https://localhost:8443
Shuffle UI: http://localhost:3001
PagerDuty Stub: http://localhost:18080
SOC Integrator API: http://localhost:8088
SOC Integrator Swagger: http://localhost:8088/docs

SOC Integrator

Key env file:

soc-integrator/.env

Main sections:

Legacy integration APIs (/wazuh/*, /shuffle/*, /action/*)
MVP orchestration APIs (/mvp/*)
Wazuh-to-MVP sync API (/wazuh/sync-to-mvp)
Wazuh auto-sync status API (/wazuh/auto-sync/status)

MVP endpoints

POST /mvp/incidents/ingest
POST /mvp/ioc/evaluate
POST /mvp/vpn/evaluate
GET /mvp/config/policies
PUT /mvp/config/policies
GET /mvp/health/dependencies

Protected endpoints require:

Header: X-Internal-API-Key
Key from: SOC_INTEGRATOR_INTERNAL_KEY in soc-integrator/.env

Example: MVP ingest

curl -X POST http://localhost:8088/mvp/incidents/ingest \
  -H 'Content-Type: application/json' \
  -H 'X-Internal-API-Key: dev-internal-key' \
  -d '{
    "source":"manual",
    "event_type":"ioc_ips",
    "event_id":"evt-1",
    "timestamp":"2026-02-12T16:00:00Z",
    "severity":"high",
    "title":"Test IOC",
    "description":"MVP test",
    "asset":{"hostname":"labhost","user":"analyst"},
    "network":{"src_ip":"203.0.113.10","country":"US"},
    "tags":["mvp","test"],
    "risk_context":{"admin_account":true},
    "raw":{},
    "payload":{}
  }'

Test Events to Wazuh

Send synthetic events via syslog UDP 514:

scripts/send-wazuh-test-events.sh all

Scenarios:

ioc_dns
ioc_ips
vpn_outside_th
windows_auth_fail
all

See scripts/README.md for details.

Sync Wazuh alerts from indexer into MVP pipeline:

curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&q=*" \
  -H 'X-Internal-API-Key: dev-internal-key'

Notes:

This sync reads from wazuh-alerts-* in Wazuh indexer.
Re-running sync is safe; dedupe is applied by source + event_id.
Your send-wazuh-test-events.sh traffic appears only after Wazuh rules generate alerts.

Enable automatic sync worker:

sed -i 's/^WAZUH_AUTO_SYNC_ENABLED=.*/WAZUH_AUTO_SYNC_ENABLED=true/' soc-integrator/.env
./run-combined-stack.sh up integrator --build -d
./run-combined-stack.sh logs integrator -f

Auto-sync settings in soc-integrator/.env:

WAZUH_AUTO_SYNC_ENABLED (true|false)
WAZUH_AUTO_SYNC_INTERVAL_SECONDS (default 60)
WAZUH_AUTO_SYNC_QUERY (default *)
WAZUH_AUTO_SYNC_LIMIT (default 50)
WAZUH_AUTO_SYNC_MINUTES (default 120)

Logs

All logs (non-follow):

./run-combined-stack.sh logs --all --tail 200

Follow one stack:

./run-combined-stack.sh logs integrator -f
./run-combined-stack.sh logs wazuh -f

Notes

MVP escalation is wired to pagerduty-stub (not real PagerDuty).
IRIS-web is used as case management backend (replacing DFIRTrack).