FoodProject SOC Lab

This repository runs a combined SOC lab with:

  • wazuh-docker (single-node)
  • iris-web
  • Shuffle
  • pagerduty-stub
  • soc-integrator (FastAPI)

All services are connected through a shared Docker network (soc_shared).

Prerequisites

  • Docker + Docker Compose plugin
  • Bash
  • nc (used by the test event script)

Quick Start

Start all services (detached):

./run-combined-stack.sh up --all -d

Start all and stream logs:

./run-combined-stack.sh up --all

Stop all:

./run-combined-stack.sh down --all

Status overview:

./run-combined-stack.sh status

Service URLs

  • Wazuh Dashboard: https://localhost
  • Wazuh API: https://localhost:55000
  • IRIS-web: https://localhost:8443
  • Shuffle UI: http://localhost:3001
  • PagerDuty Stub: http://localhost:18080
  • SOC Integrator API: http://localhost:8088
  • SOC Integrator Swagger: http://localhost:8088/docs

SOC Integrator

Key env file:

  • soc-integrator/.env

Main sections:

  • Legacy integration APIs (/wazuh/*, /shuffle/*, /action/*)
  • MVP orchestration APIs (/mvp/*)
  • Wazuh-to-MVP sync API (/wazuh/sync-to-mvp)
  • Wazuh auto-sync status API (/wazuh/auto-sync/status)

MVP endpoints

  • POST /mvp/incidents/ingest
  • POST /mvp/ioc/evaluate
  • POST /mvp/vpn/evaluate
  • GET /mvp/config/policies
  • PUT /mvp/config/policies
  • GET /mvp/health/dependencies

Protected endpoints require:

  • Header: X-Internal-API-Key
  • Key from: SOC_INTEGRATOR_INTERNAL_KEY in soc-integrator/.env

Example: MVP ingest

curl -X POST http://localhost:8088/mvp/incidents/ingest \
  -H 'Content-Type: application/json' \
  -H 'X-Internal-API-Key: dev-internal-key' \
  -d '{
    "source":"manual",
    "event_type":"ioc_ips",
    "event_id":"evt-1",
    "timestamp":"2026-02-12T16:00:00Z",
    "severity":"high",
    "title":"Test IOC",
    "description":"MVP test",
    "asset":{"hostname":"labhost","user":"analyst"},
    "network":{"src_ip":"203.0.113.10","country":"US"},
    "tags":["mvp","test"],
    "risk_context":{"admin_account":true},
    "raw":{},
    "payload":{}
  }'
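The same request as a small Python client, together with the key check a server would run on the other side. This is an added example for this README, not soc-integrator's own code: build_ingest_event, missing_fields, verify_internal_key and post_ingest are hypothetical helpers, and the severity set is assumed; the endpoint, the header name and the SOC_INTEGRATOR_INTERNAL_KEY variable are the ones the README names. The key is read from the environment rather than pasted into the command line, and the server-side comparison uses a constant-time compare.

```python
import hmac
import json
import os
import urllib.request
from datetime import datetime, timezone

# Added example for the /mvp/incidents/ingest endpoint; not soc-integrator's
# own code. Assumed: the client reads its key from SOC_INTEGRATOR_INTERNAL_KEY
# (the variable the README names) and the server compares it against the
# X-Internal-API-Key header. VALID_SEVERITIES is an assumed set, not from the README.

REQUIRED_FIELDS = ("source", "event_type", "event_id", "timestamp", "severity", "title")
VALID_SEVERITIES = ("low", "medium", "high", "critical")


def build_ingest_event(event_id, event_type, severity, title, src_ip=None,
                       timestamp=None, **extra):
    """Build a payload in the shape of the README's curl example."""
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "source": extra.get("source", "manual"),
        "event_type": event_type,
        "event_id": event_id,
        "timestamp": timestamp,
        "severity": severity,
        "title": title,
        "description": extra.get("description", ""),
        "asset": extra.get("asset", {}),
        "network": {"src_ip": src_ip} if src_ip else {},
        "tags": extra.get("tags", []),
        "risk_context": extra.get("risk_context", {}),
        "raw": {},
        "payload": {},
    }


def missing_fields(event):
    """Names of required fields that are absent or empty; [] means the event is complete."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]


def verify_internal_key(header_value, expected_key):
    """Server-side check of X-Internal-API-Key. hmac.compare_digest runs in
    constant time, so a wrong key does not reveal how many leading bytes matched."""
    if not header_value or not expected_key:
        return False
    return hmac.compare_digest(header_value.encode(), expected_key.encode())


def post_ingest(event, base_url="http://localhost:8088", key=None):
    """POST the event to the integrator (network call; not exercised offline)."""
    key = key or os.environ.get("SOC_INTEGRATOR_INTERNAL_KEY")
    if not key:
        raise RuntimeError("SOC_INTEGRATOR_INTERNAL_KEY is not set; refusing to send without a key")
    problems = missing_fields(event)
    if problems:
        raise ValueError(f"event is missing required fields: {problems}")
    req = urllib.request.Request(
        f"{base_url}/mvp/incidents/ingest",
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json", "X-Internal-API-Key": key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Prints the payload; call post_ingest(sample) against a running stack to send it.
    sample = build_ingest_event("evt-1", "ioc_ips", "high", "Test IOC",
                                src_ip="203.0.113.10", tags=["mvp", "test"])
    print(json.dumps(sample, indent=2))
```

Keeping the key out of the shell command matters in a lab that several people share: a key passed to curl on the command line lands in shell history and in the process list, while a value read from soc-integrator/.env does not.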

Test Events to Wazuh

Send synthetic events via syslog (UDP 514):

scripts/send-wazuh-test-events.sh all

Scenarios:

  • ioc_dns
  • ioc_ips
  • vpn_outside_th
  • windows_auth_fail
  • all

See scripts/README.md for details.

Sync Wazuh alerts from the indexer into the MVP pipeline:

curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&q=*" \
  -H 'X-Internal-API-Key: dev-internal-key'

Notes:

  • This sync reads from the wazuh-alerts-* indices in the Wazuh indexer.
  • Re-running the sync is safe; events are deduplicated by source + event_id.
  • Events sent with send-wazuh-test-events.sh appear only after Wazuh rules have generated alerts from them.

Enable the automatic sync worker:

sed -i 's/^WAZUH_AUTO_SYNC_ENABLED=.*/WAZUH_AUTO_SYNC_ENABLED=true/' soc-integrator/.env
./run-combined-stack.sh up integrator --build -d
./run-combined-stack.sh logs integrator -f

Auto-sync settings in soc-integrator/.env:

  • WAZUH_AUTO_SYNC_ENABLED (true|false)
  • WAZUH_AUTO_SYNC_INTERVAL_SECONDS (default 60)
  • WAZUH_AUTO_SYNC_QUERY (default *)
  • WAZUH_AUTO_SYNC_LIMIT (default 50)
  • WAZUH_AUTO_SYNC_MINUTES (default 120)
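The sync behaviour described in the notes above (a minutes/limit window over wazuh-alerts-* hits, and dedupe on source + event_id so re-runs are safe) and the WAZUH_AUTO_SYNC_* settings with their listed defaults, as one worked model. This is an added example for this README, not soc-integrator's own code: the indexer hits are constructed, AutoSyncSettings, MvpSync, alert_to_event and severity_from_level are hypothetical names, and the rule-level-to-severity mapping is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example for this README, not soc-integrator's own code. It models the
# minutes/limit window, the dedupe on (source, event_id) and the auto-sync
# settings with the defaults the README lists.

# Constructed indexer hits: a small subset of the fields in a wazuh-alerts-* document.
SAMPLE_HITS = [
    {"_id": "a1", "_source": {"timestamp": "2026-02-12T16:00:00.000Z",
     "rule": {"level": 10, "description": "IOC IP match"},
     "agent": {"name": "labhost"}, "data": {"srcip": "203.0.113.10"}}},
    {"_id": "a2", "_source": {"timestamp": "2026-02-12T16:30:00.000Z",
     "rule": {"level": 5, "description": "Windows logon failure"},
     "agent": {"name": "winhost"}, "data": {"srcip": "198.51.100.7"}}},
    {"_id": "a3", "_source": {"timestamp": "2026-02-12T14:00:00.000Z",
     "rule": {"level": 12, "description": "Old alert outside window"},
     "agent": {"name": "labhost"}, "data": {}}},
    {"_id": "a4", "_source": {"timestamp": "2026-02-12T16:45:00.000Z",
     "rule": {"level": 7, "description": "VPN login outside TH"},
     "agent": {"name": "vpngw"}, "data": {"srcip": "192.0.2.44"}}},
]
# Constructed "current time" for the window calculation.
NOW = datetime(2026, 2, 12, 17, 0, tzinfo=timezone.utc)


def _to_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


@dataclass
class AutoSyncSettings:
    """WAZUH_AUTO_SYNC_* variables with the defaults listed in the README."""
    enabled: bool = False
    interval_seconds: int = 60
    query: str = "*"
    limit: int = 50
    minutes: int = 120

    @classmethod
    def from_env(cls, env):
        s = cls(
            enabled=_to_bool(env.get("WAZUH_AUTO_SYNC_ENABLED"), False),
            interval_seconds=int(env.get("WAZUH_AUTO_SYNC_INTERVAL_SECONDS", 60)),
            query=env.get("WAZUH_AUTO_SYNC_QUERY") or "*",
            limit=int(env.get("WAZUH_AUTO_SYNC_LIMIT", 50)),
            minutes=int(env.get("WAZUH_AUTO_SYNC_MINUTES", 120)),
        )
        if s.interval_seconds < 1 or s.limit < 1 or s.minutes < 1:
            raise ValueError("auto-sync interval, limit and minutes must be positive")
        return s


def severity_from_level(level):
    """Assumed mapping from Wazuh rule level to MVP severity; not from the README."""
    if level >= 12:
        return "critical"
    if level >= 10:
        return "high"
    if level >= 7:
        return "medium"
    return "low"


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def alert_to_event(hit):
    """Map one indexer hit to an MVP event; source + event_id is the dedupe key."""
    src = hit["_source"]
    return {
        "source": "wazuh",
        "event_id": hit["_id"],
        "timestamp": src["timestamp"],
        "severity": severity_from_level(src["rule"]["level"]),
        "title": src["rule"]["description"],
        "asset": {"hostname": src.get("agent", {}).get("name")},
        "network": {"src_ip": src.get("data", {}).get("srcip")},
    }


class MvpSync:
    """Idempotent sync: remembers (source, event_id) pairs it has already ingested."""

    def __init__(self):
        self.seen = set()
        self.ingested = []

    def sync(self, hits, now, limit=50, minutes=120):
        """Ingest at most `limit` of the newest hits within the last `minutes`;
        returns how many were new. Re-running on the same hits returns 0."""
        cutoff = now - timedelta(minutes=minutes)
        recent = [h for h in hits if _parse_ts(h["_source"]["timestamp"]) >= cutoff]
        recent.sort(key=lambda h: _parse_ts(h["_source"]["timestamp"]), reverse=True)
        new = 0
        for hit in recent[:limit]:
            event = alert_to_event(hit)
            key = (event["source"], event["event_id"])
            if key in self.seen:
                continue
            self.seen.add(key)
            self.ingested.append(event)
            new += 1
        return new
```

Two consequences are worth knowing when tuning the settings: a hit older than WAZUH_AUTO_SYNC_MINUTES is never picked up, and a limit smaller than the number of recent hits only delays the rest until a later run, because dedupe on (source, event_id) means the later run ingests just what was previously cut off.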

Logs

All logs (non-follow):

./run-combined-stack.sh logs --all --tail 200

Follow one stack:

./run-combined-stack.sh logs integrator -f
./run-combined-stack.sh logs wazuh -f

Notes

  • MVP escalation is wired to pagerduty-stub (not real PagerDuty).
  • IRIS-web is used as the case management backend (replacing DFIRTrack).