Project Progress Update
Date: February 13, 2026
Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
1) Executive Summary
The MVP platform is operational and running end-to-end in the lab environment.
Core integrations are in place:
- Detection: Wazuh
- Automation: Shuffle
- Case management: IRIS-web (replacing DFIRTrack)
- Escalation (MVP): PagerDuty Stub
- Orchestration/API layer: soc-integrator
All major containers are currently up, and key health checks are passing.
2) Completed Work
Platform orchestration and operations
- Combined stack runner created and improved (run-combined-stack.sh)
- Added command support for: up, down, logs, status, help
- Per-target control (wazuh, iris, shuffle, pagerduty, integrator)
- Added consolidated health/status script (soc-status.sh)
Integration architecture
- Connected Wazuh, Shuffle, IRIS-web, PagerDuty Stub, and soc-integrator on a shared Docker network
- Resolved startup conflicts and runtime issues (port, compose, routing compatibility)
SOC Integrator (MVP)
- Added/validated integration APIs for:
- Wazuh
- Shuffle
- IRIS-web
- PagerDuty Stub
- Implemented MVP orchestration endpoints:
POST /mvp/incidents/ingest
POST /mvp/ioc/evaluate
POST /mvp/vpn/evaluate
GET /mvp/config/policies
PUT /mvp/config/policies
GET /mvp/health/dependencies
- Added internal API-key protection for mutation endpoints
Persistence layer
- Added PostgreSQL service for soc-integrator (soc-integrator-db)
- Added incident/policy/audit schema and startup initialization
- Enabled deduplication and audit tracking for incident processing
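The two controls listed above for the integrator (internal API-key protection on mutation endpoints, and deduplication plus audit tracking on incident ingest) are shown together in the following added example. It is illustrative code written for this update, not the soc-integrator's own implementation: the environment variable name SOC_INTEGRATOR_INTERNAL_KEY, the Store class standing in for soc-integrator-db, and the choice of fingerprint fields are assumptions, and the sample alert in the usage is constructed.

```python
"""Added illustration (not soc-integrator code) of API-key gating, dedup and
audit on an ingest path equivalent to POST /mvp/incidents/ingest."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical variable name; the lab config supplies the real key. The
# fallback value is a constructed placeholder so the module runs stand-alone.
INTERNAL_API_KEY = os.environ.get("SOC_INTEGRATOR_INTERNAL_KEY", "constructed-lab-key")


class Unauthorized(Exception):
    """Raised when a mutation request carries a missing or wrong API key."""


@dataclass
class Store:
    """In-memory stand-in for the incident/audit tables in soc-integrator-db."""
    incidents: dict = field(default_factory=dict)  # dedup_key -> incident record
    audit: list = field(default_factory=list)      # append-only audit trail


def require_api_key(presented: Optional[str]) -> None:
    """Reject mutations without the internal key; constant-time compare avoids
    leaking key bytes through response timing."""
    if presented is None or not hmac.compare_digest(presented, INTERNAL_API_KEY):
        raise Unauthorized("missing or invalid internal API key")


def dedup_key(alert: dict) -> str:
    """Stable fingerprint of the fields that make two alerts 'the same incident'.
    Field paths follow the Wazuh alert JSON layout (rule.id, agent.name,
    data.srcip); which fields to include is an assumption for this example."""
    parts = [
        str(alert.get("rule", {}).get("id", "")),
        str(alert.get("agent", {}).get("name", "")),
        str(alert.get("data", {}).get("srcip", "")),
    ]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def ingest_incident(store: Store, alert: dict, api_key: Optional[str]) -> dict:
    """Authenticate, deduplicate, and audit one incoming alert.
    Rejected attempts are audited too, so a key-guessing client is visible."""
    now = datetime.now(timezone.utc).isoformat()
    try:
        require_api_key(api_key)
    except Unauthorized:
        store.audit.append({"ts": now, "action": "rejected", "reason": "bad api key"})
        raise
    key = dedup_key(alert)
    if key in store.incidents:
        rec = store.incidents[key]
        rec["count"] += 1
        rec["last_seen"] = now
        action = "deduplicated"
    else:
        rec = {"dedup_key": key, "count": 1, "first_seen": now, "last_seen": now,
               "rule_id": alert.get("rule", {}).get("id"), "status": "new"}
        store.incidents[key] = rec
        action = "created"
    store.audit.append({"ts": now, "action": action, "dedup_key": key,
                        "alert_id": alert.get("id")})
    return {"action": action, "incident": rec}


if __name__ == "__main__":
    # Constructed sample alert in Wazuh JSON shape; values are not from the lab.
    sample = {"id": "1", "rule": {"id": 5710, "level": 5},
              "agent": {"name": "web-01"}, "data": {"srcip": "203.0.113.7"}}
    s = Store()
    print(ingest_incident(s, sample, INTERNAL_API_KEY)["action"])
    print(ingest_incident(s, dict(sample, id="2"), INTERNAL_API_KEY)["action"])
```

The design point is that the dedup key is computed server-side from the alert, never trusted from the caller, and that the audit trail records both accepted and rejected mutations so the "Lock down internal API keys" hardening item later has evidence to work from.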
Testing utilities and documentation
- Added Wazuh test-event injection script: scripts/send-wazuh-test-events.sh
- Added root project docs:
- Added root ignore rules:
3) Current Live Status (Lab)
Current stack status: UP
Healthy/available components:
- Wazuh manager, indexer, dashboard
- IRIS-web app/nginx/worker/db/rabbitmq
- Shuffle backend/frontend/opensearch/orborus
- PagerDuty Stub
- soc-integrator + soc-integrator-db
Endpoint checks:
- Wazuh Dashboard: OK
- Wazuh API: OK (auth-protected, expected 401 on unauthenticated root)
- IRIS Web: OK
- Shuffle Frontend: OK
- Shuffle Backend: reachable
- Shuffle OpenSearch: reachable (auth-protected)
- PagerDuty Stub: OK
- soc-integrator /health: OK
4) System Architecture Diagram (PlantUML)
@startuml
title FoodProject SOC Platform - System Architecture (MVP)
skinparam componentStyle rectangle
actor "Analyst" as analyst
cloud "External Log Sources" as logs
rectangle "SOC Shared Docker Network" {
node "Wazuh Stack" as wazuh {
component "Wazuh Manager" as wazuh_mgr
component "Wazuh Indexer" as wazuh_idx
component "Wazuh Dashboard" as wazuh_dash
}
node "Shuffle Stack" as shuffle {
component "Shuffle Frontend" as shuf_fe
component "Shuffle Backend" as shuf_be
component "Shuffle Orborus" as shuf_orb
component "Shuffle OpenSearch" as shuf_os
}
node "IRIS-web Stack" as iris {
component "IRIS Web App" as iris_app
database "IRIS DB" as iris_db
component "IRIS RabbitMQ" as iris_mq
}
node "SOC Integrator Stack" as integ {
component "soc-integrator API" as soc_api
database "soc-integrator-db" as soc_db
}
component "PagerDuty Stub" as pd_stub
}
logs --> wazuh_mgr : Security events
wazuh_mgr --> wazuh_idx : Index alerts
analyst --> wazuh_dash : Investigate alerts
wazuh_dash --> wazuh_idx : Query data
wazuh_mgr --> soc_api : Alert/incident input
soc_api --> soc_db : Persist incidents\npolicies\naudit
soc_api --> iris_app : Create/update cases
soc_api --> pd_stub : Escalation (MVP)
soc_api --> shuf_be : Trigger automation
shuf_fe --> shuf_be : UI/API
shuf_be --> shuf_os : Read/write workflow data
shuf_orb --> shuf_be : Execution queue polling
shuf_orb --> shuf_os : Workflow state interactions
iris_app --> iris_db : Case data
iris_app --> iris_mq : Async jobs
@enduml
5) In Progress / Remaining for Customer UAT
- Detection content tuning
- Fine-tune Wazuh rules/decoders for customer log patterns and false-positive reduction
- Use-case calibration
- Validate risk/severity mapping per approved use cases
- Tune exception list and threshold logic (especially VPN geo anomaly)
- UAT evidence package
- Capture deterministic UAT scenarios and outputs for:
- IOC flow
- VPN outside-TH flow
- IRIS case creation/update
- PagerDuty Stub escalation path
- Production hardening items
- Rotate default/local secrets used in lab config
- Lock down internal API keys and access boundaries
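The use-case calibration items above (exception list and threshold logic for the VPN geo anomaly) and the "VPN outside-TH flow" UAT scenario both need a policy that can be tuned without code changes. The following added example shows one way to structure that evaluation; it is illustrative code written for this update, not the project's /mvp/vpn/evaluate implementation. The policy keys, the exception CIDR and user, the threshold values, and the login events are all constructed for the example.

```python
"""Added illustration (not project code) of a tunable VPN geo-anomaly policy:
home-country check, exception list, and a distinct-country threshold."""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed policy document in the spirit of GET/PUT /mvp/config/policies.
# Every value here is a placeholder chosen for the example.
VPN_POLICY = {
    "home_countries": {"TH"},
    "exceptions": {"users": {"svc-backup"}, "src_cidrs": ["10.0.0.0/24"]},
    "threshold": {"max_distinct_countries": 2, "window_minutes": 60},
}


def _in_exception_cidr(ip: str, cidrs: List[str]) -> bool:
    """True when the source address falls inside any exception network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate_vpn_login(policy: Dict, history: List[Dict], event: Dict) -> Dict:
    """Decide on one VPN login given the user's recent login history.

    Each event is {"user", "src_ip", "country", "ts" (aware datetime)}.
    Order of checks matters: exceptions first (so tuning them silences known
    travellers and jump hosts), then home country, then the threshold that
    lifts 'outside home' from medium to high when one user appears from too
    many countries inside the window.
    """
    exc = policy["exceptions"]
    if event["user"] in exc["users"] or _in_exception_cidr(event["src_ip"], exc["src_cidrs"]):
        return {"verdict": "allow", "severity": None, "reason": "exception list"}
    if event["country"] in policy["home_countries"]:
        return {"verdict": "allow", "severity": None, "reason": "home country"}

    window = timedelta(minutes=policy["threshold"]["window_minutes"])
    recent = [
        h for h in history
        if h["user"] == event["user"] and timedelta(0) <= event["ts"] - h["ts"] <= window
    ]
    countries = {h["country"] for h in recent} | {event["country"]}
    if len(countries) > policy["threshold"]["max_distinct_countries"]:
        return {"verdict": "escalate", "severity": "high",
                "reason": f"{len(countries)} countries for one user within {window}"}
    return {"verdict": "escalate", "severity": "medium",
            "reason": "VPN login outside home country"}


if __name__ == "__main__":
    # Constructed login sequence for one user; timestamps and IPs are samples.
    t0 = datetime(2026, 2, 13, 9, 0, tzinfo=timezone.utc)
    hist: List[Dict] = []
    for country, ip, minutes in [("TH", "203.0.113.10", 0), ("US", "198.51.100.4", 10),
                                 ("DE", "192.0.2.22", 20)]:
        ev = {"user": "alice", "src_ip": ip, "country": country,
              "ts": t0 + timedelta(minutes=minutes)}
        print(country, evaluate_vpn_login(VPN_POLICY, hist, ev))
        hist.append(ev)
```

Keeping the exception list and thresholds in the policy document means a UAT round that produces too many medium alerts is answered with a PUT to the policies endpoint and a recorded policy change, rather than a redeploy of the integrator.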
6) Risks / Notes
- Current escalation target is PagerDuty Stub by design for MVP; real PagerDuty production integration is the next stage.
- Some Wazuh config certificate directories are root-owned in the local lab clone, which can cause local git add to fail unless those paths are excluded or their ownership is fixed.
7) Next Milestone (Proposed)
Next milestone: MVP UAT Completion
Target outputs:
- Approved UAT checklist execution
- Tuned policy thresholds for customer environment
- Signed-off incident lifecycle flow:
Wazuh event -> soc-integrator decision -> IRIS case -> PagerDuty Stub escalation