Project Progress Update

Date: February 13, 2026 Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)

1) Executive Summary

The MVP platform is operational and running end-to-end in the lab environment. Core integrations are in place:

  • Detection: Wazuh
  • Automation: Shuffle
  • Case management: IRIS-web (replacing DFIRTrack)
  • Escalation (MVP): PagerDuty Stub
  • Orchestration/API layer: soc-integrator

All major containers are currently up, and key health checks are passing.

2) Completed Work

Platform orchestration and operations

  • Combined stack runner created and improved (run-combined-stack.sh)
  • Added command support for:
    • up, down, logs, status, help
    • per-target control (wazuh, iris, shuffle, pagerduty, integrator)
  • Added consolidated health/status script (soc-status.sh)

Integration architecture

  • Connected Wazuh, Shuffle, IRIS-web, PagerDuty Stub, and soc-integrator on shared network
  • Resolved startup conflicts and runtime issues (host port collisions, compose-file compatibility, inter-stack routing)

SOC Integrator (MVP)

  • Added/validated integration APIs for:
    • Wazuh
    • Shuffle
    • IRIS-web
    • PagerDuty Stub
  • Implemented MVP orchestration endpoints:
    • POST /mvp/incidents/ingest
    • POST /mvp/ioc/evaluate
    • POST /mvp/vpn/evaluate
    • GET /mvp/config/policies
    • PUT /mvp/config/policies
    • GET /mvp/health/dependencies
  • Added internal API-key protection for the mutation endpoints (the POST and PUT routes above)
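
The gate below is an added example of the mutation-endpoint protection described above; it is not the soc-integrator source. It assumes the key is presented in an X-Internal-API-Key header and provisioned through a SOC_INTEGRATOR_API_KEY environment variable (both names are assumptions). The points it is meant to show: read-only GET routes pass without a key, an unset server-side key fails closed instead of opening the write path, and the comparison is constant-time.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# The MVP routes listed above. Anything not in this set is rejected before the key check.
ROUTES = {
    ("POST", "/mvp/incidents/ingest"),
    ("POST", "/mvp/ioc/evaluate"),
    ("POST", "/mvp/vpn/evaluate"),
    ("GET", "/mvp/config/policies"),
    ("PUT", "/mvp/config/policies"),
    ("GET", "/mvp/health/dependencies"),
}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
KEY_HEADER = "x-internal-api-key"        # header name is an assumption
KEY_ENV_VAR = "SOC_INTEGRATOR_API_KEY"   # env var name is an assumption


@dataclass(frozen=True)
class Decision:
    status: int   # HTTP status the gate would answer with
    reason: str


def load_expected_key(env: Dict[str, str]) -> Optional[bytes]:
    """Read the server-side key from the environment; None means it was never provisioned."""
    raw = env.get(KEY_ENV_VAR, "")
    return raw.encode() if raw else None


def authorize(method: str, path: str, headers: Dict[str, str],
              expected_key: Optional[bytes]) -> Decision:
    """Decide whether a request may proceed. Only mutating routes need the key."""
    method = method.upper()
    if (method, path) not in ROUTES:
        return Decision(404, "unknown route")
    if method not in MUTATING_METHODS:
        return Decision(200, "read-only route, no key required")
    if expected_key is None:
        # Fail closed: an unset server key must not become an open write path.
        return Decision(503, "api key not configured on server")
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(KEY_HEADER, "")
    if not presented:
        return Decision(401, "missing api key")
    # Constant-time compare so response timing does not leak how many bytes matched.
    if not hmac.compare_digest(presented.encode(), expected_key):
        return Decision(403, "invalid api key")
    return Decision(200, "authorized")


if __name__ == "__main__":
    key = load_expected_key({KEY_ENV_VAR: "lab-only-key"})
    for m, p, h in [("GET", "/mvp/health/dependencies", {}),
                    ("POST", "/mvp/incidents/ingest", {}),
                    ("POST", "/mvp/incidents/ingest", {"X-Internal-API-Key": "lab-only-key"})]:
        print(m, p, authorize(m, p, h, key))
```

A 401 for a missing key and a 403 for a wrong one keeps the two failure modes distinguishable in the audit trail without telling the caller anything about the key itself.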

Persistence layer

  • Added PostgreSQL service for soc-integrator (soc-integrator-db)
  • Added incident/policy/audit schema and startup initialization
  • Enabled deduplication and audit tracking for incident processing
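
As an added illustration of the deduplication and audit tracking above (not the project's own schema or code), the following models the incident and audit tables in an in-memory sqlite3 database. The fingerprint fields (rule id, agent id, source IP), the table and column names, and the sample alerts are all constructed for the example; the real soc-integrator-db is PostgreSQL. The point it shows is that a repeated alert must not create a second incident, but every ingest, duplicate or not, still leaves an audit row.

```python
import hashlib
import json
import sqlite3
from typing import Any, Dict, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS incidents (
    fingerprint TEXT PRIMARY KEY,
    rule_id     TEXT NOT NULL,
    agent_id    TEXT NOT NULL,
    src_ip      TEXT,
    first_seen  TEXT NOT NULL,
    last_seen   TEXT NOT NULL,
    hit_count   INTEGER NOT NULL DEFAULT 1,
    raw_alert   TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS audit_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    fingerprint TEXT NOT NULL,
    action      TEXT NOT NULL,
    alert_ts    TEXT NOT NULL
);
"""

# Constructed Wazuh-style alerts (shape only; not captured from the lab).
SAMPLE_ALERTS = [
    {"timestamp": "2026-02-13T09:00:00.000+0700",
     "rule": {"id": "5710", "level": 5, "description": "sshd: attempt to login using a non-existent user"},
     "agent": {"id": "001", "name": "web-01"},
     "data": {"srcip": "203.0.113.45"}},
    {"timestamp": "2026-02-13T09:00:07.000+0700",   # same source, same rule: a duplicate
     "rule": {"id": "5710", "level": 5, "description": "sshd: attempt to login using a non-existent user"},
     "agent": {"id": "001", "name": "web-01"},
     "data": {"srcip": "203.0.113.45"}},
    {"timestamp": "2026-02-13T09:01:30.000+0700",   # different source IP: a new incident
     "rule": {"id": "5710", "level": 5, "description": "sshd: attempt to login using a non-existent user"},
     "agent": {"id": "001", "name": "web-01"},
     "data": {"srcip": "198.51.100.9"}},
]


def fingerprint(alert: Dict[str, Any]) -> str:
    """Stable key for 'the same thing happening again'. Timestamps are deliberately excluded."""
    key = {
        "rule_id": str(alert["rule"]["id"]),
        "agent_id": str(alert["agent"]["id"]),
        "src_ip": alert.get("data", {}).get("srcip", ""),
    }
    return hashlib.sha256(json.dumps(key, sort_keys=True).encode()).hexdigest()


def init_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ingest(conn: sqlite3.Connection, alert: Dict[str, Any]) -> Tuple[str, str]:
    """Insert or deduplicate one alert; always write an audit row. Returns (fingerprint, action)."""
    fp = fingerprint(alert)
    ts = alert["timestamp"]
    with conn:  # one transaction per alert so incident and audit rows never disagree
        cur = conn.execute(
            "INSERT OR IGNORE INTO incidents "
            "(fingerprint, rule_id, agent_id, src_ip, first_seen, last_seen, raw_alert) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            (fp, str(alert["rule"]["id"]), str(alert["agent"]["id"]),
             alert.get("data", {}).get("srcip"), ts, ts, json.dumps(alert, sort_keys=True)),
        )
        if cur.rowcount == 1:
            action = "created"
        else:
            action = "deduplicated"
            conn.execute("UPDATE incidents SET hit_count = hit_count + 1, last_seen = ? "
                         "WHERE fingerprint = ?", (ts, fp))
        conn.execute("INSERT INTO audit_log (fingerprint, action, alert_ts) VALUES (?, ?, ?)",
                     (fp, action, ts))
    return fp, action


def run_demo() -> Tuple[list, int, int, int]:
    """Ingest the constructed alerts; return (actions, incident count, audit count, hits on first incident)."""
    conn = init_db()
    actions = [ingest(conn, a)[1] for a in SAMPLE_ALERTS]
    incidents = conn.execute("SELECT COUNT(*) FROM incidents").fetchone()[0]
    audits = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    hits = conn.execute("SELECT hit_count FROM incidents WHERE src_ip = '203.0.113.45'").fetchone()[0]
    return actions, incidents, audits, hits


if __name__ == "__main__":
    print(run_demo())
```

Leaving the timestamp out of the fingerprint is what makes the second alert collapse into the first; the hit_count and last_seen columns keep the repeat visible for severity tuning without a second case being opened in IRIS.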

Testing utilities and documentation

  • Added Wazuh test-event injection script:
    • scripts/send-wazuh-test-events.sh
  • Added root project docs:
    • README.md
  • Added root ignore rules:
    • .gitignore

3) Current Live Status (Lab)

Current stack status: UP

Healthy/available components:

  • Wazuh manager, indexer, dashboard
  • IRIS-web app/nginx/worker/db/rabbitmq
  • Shuffle backend/frontend/opensearch/orborus
  • PagerDuty Stub
  • soc-integrator + soc-integrator-db

Endpoint checks:

  • Wazuh Dashboard: OK
  • Wazuh API: OK (auth-protected, expected 401 on unauthenticated root)
  • IRIS Web: OK
  • Shuffle Frontend: OK
  • Shuffle Backend: reachable
  • Shuffle OpenSearch: reachable (auth-protected)
  • PagerDuty Stub: OK
  • soc-integrator /health: OK
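
The checks above treat a 401 from the Wazuh API as healthy, and that distinction is worth encoding rather than leaving to whoever reads the output. The probe below is an added example (not the project's soc-status.sh) of how a consolidated status check can express "expected status per endpoint": for an auth-protected API a 401 is OK, a 200 on the unauthenticated root is flagged as a misconfiguration, and no HTTP answer at all is DOWN. Hostnames, ports and the /health paths are assumptions about a compose network, not the lab's real values.

```python
import socket
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional, Set, Tuple

# name -> (URL, statuses that mean "up and behaving as configured").
# Hostnames and ports are assumptions, not the lab's real values.
CHECKS: Dict[str, Tuple[str, Set[int]]] = {
    "Wazuh API":        ("https://wazuh-manager:55000/", {401}),   # auth-protected: 401 is the healthy answer
    "Wazuh Dashboard":  ("https://wazuh-dashboard:443/", {200}),
    "IRIS Web":         ("https://iris-nginx:443/", {200}),
    "Shuffle Frontend": ("http://shuffle-frontend:3001/", {200}),
    "PagerDuty Stub":   ("http://pagerduty-stub:8080/health", {200}),
    "soc-integrator":   ("http://soc-integrator:8000/health", {200}),
}


def classify(status: Optional[int], expected: Set[int]) -> str:
    """Map an observed status (None = no HTTP answer at all) onto a verdict string."""
    if status is None:
        return "DOWN"
    if status in expected:
        return "OK"
    if 401 in expected and status == 200:
        # Reachable, but the unauthenticated request succeeded: auth is off, which is not healthy.
        return "MISCONFIGURED: unauthenticated request returned 200"
    return f"UNEXPECTED {status}"


def probe(url: str, timeout: float = 3.0, cafile: Optional[str] = None) -> Optional[int]:
    """Return the HTTP status of a GET, or None if the service does not answer HTTP."""
    # Point cafile at the lab CA for self-signed stacks; do not disable verification.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 401/403/5xx are answers from the service, not outages
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def run_checks(checks: Dict[str, Tuple[str, Set[int]]] = CHECKS,
               cafile: Optional[str] = None) -> Dict[str, str]:
    """Probe every endpoint and return name -> verdict."""
    return {name: classify(probe(url, cafile=cafile), expected)
            for name, (url, expected) in checks.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:18s} {verdict}")
```

Run outside the shared Docker network every entry reports DOWN, which is the correct answer; the value of the table is that a Wazuh API that suddenly answers 200 to an anonymous request shows up as a finding rather than as a green check.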

4) System Architecture Diagram (PlantUML)

@startuml
title FoodProject SOC Platform - System Architecture (MVP)
skinparam componentStyle rectangle

actor "Analyst" as analyst
cloud "External Log Sources" as logs

rectangle "SOC Shared Docker Network" {
  node "Wazuh Stack" as wazuh {
    component "Wazuh Manager" as wazuh_mgr
    component "Wazuh Indexer" as wazuh_idx
    component "Wazuh Dashboard" as wazuh_dash
  }

  node "Shuffle Stack" as shuffle {
    component "Shuffle Frontend" as shuf_fe
    component "Shuffle Backend" as shuf_be
    component "Shuffle Orborus" as shuf_orb
    component "Shuffle OpenSearch" as shuf_os
  }

  node "IRIS-web Stack" as iris {
    component "IRIS Web App" as iris_app
    database "IRIS DB" as iris_db
    component "IRIS RabbitMQ" as iris_mq
  }

  node "SOC Integrator Stack" as integ {
    component "soc-integrator API" as soc_api
    database "soc-integrator-db" as soc_db
  }

  component "PagerDuty Stub" as pd_stub
}

logs --> wazuh_mgr : Security events
wazuh_mgr --> wazuh_idx : Index alerts
analyst --> wazuh_dash : Investigate alerts
wazuh_dash --> wazuh_idx : Query data

wazuh_mgr --> soc_api : Alert/incident input
soc_api --> soc_db : Persist incidents\npolicies\naudit
soc_api --> iris_app : Create/update cases
soc_api --> pd_stub : Escalation (MVP)
soc_api --> shuf_be : Trigger automation

shuf_fe --> shuf_be : UI/API
shuf_be --> shuf_os : Read/write workflow data
shuf_orb --> shuf_be : Execution queue polling
shuf_orb --> shuf_os : Workflow state interactions

iris_app --> iris_db : Case data
iris_app --> iris_mq : Async jobs
@enduml

5) In Progress / Remaining for Customer UAT

  1. Detection content tuning
    • Fine-tune Wazuh rules/decoders for customer log patterns and false-positive reduction
  2. Use-case calibration
    • Validate risk/severity mapping per approved use cases
    • Tune exception list and threshold logic (especially VPN geo anomaly)
  3. UAT evidence package
    • Capture deterministic UAT scenarios and outputs for:
      • IOC flow
      • VPN outside-TH flow
      • IRIS case creation/update
      • PagerDuty Stub escalation path
  4. Production hardening items
    • Rotate default/local secrets used in lab config
    • Lock down internal API keys and access boundaries

6) Risks / Notes

  • Current escalation target is PagerDuty Stub by design for MVP. Real PagerDuty production integration is the next stage.
  • Some Wazuh config certificate directories are root-owned in the local lab clone, so git add fails with permission errors until they are excluded via .gitignore or re-owned; the private key material under them should stay out of version control either way.

7) Next Milestone (Proposed)

Next milestone: MVP UAT Completion

Target outputs:

  • Approved UAT checklist execution
  • Tuned policy thresholds for customer environment
  • Signed-off incident lifecycle flow: Wazuh event -> soc-integrator decision -> IRIS case -> PagerDuty Stub escalation