Project Progress Update
Date: February 13, 2026
Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
1) Executive Summary
The MVP platform is operational and running end-to-end in the lab environment.
Core integrations are in place:
- Detection: Wazuh
- Automation: Shuffle
- Case management: IRIS-web (replacing DFIRTrack)
- Escalation (MVP): PagerDuty Stub
- Orchestration/API layer: soc-integrator
All major containers are currently up, and key health checks are passing.
2) Completed Work
Platform orchestration and operations
- Combined stack runner created and improved (run-combined-stack.sh)
- Added command support for: up, down, logs, status, help
- Per-target control (wazuh, iris, shuffle, pagerduty, integrator)
- Added consolidated health/status script (soc-status.sh)
Integration architecture
- Connected Wazuh, Shuffle, IRIS-web, PagerDuty Stub, and soc-integrator on shared network
- Resolved startup conflicts and runtime issues (port, compose, routing compatibility)
SOC Integrator (MVP)
- Added/validated integration APIs for:
  - Wazuh
  - Shuffle
  - IRIS-web
  - PagerDuty Stub
- Implemented MVP orchestration endpoints:
  POST /mvp/incidents/ingest
  POST /mvp/ioc/evaluate
  POST /mvp/vpn/evaluate
  GET  /mvp/config/policies
  PUT  /mvp/config/policies
  GET  /mvp/health/dependencies
- Added internal API-key protection for mutation endpoints
Persistence layer
- Added PostgreSQL service for soc-integrator (soc-integrator-db)
- Added incident/policy/audit schema and startup initialization
- Enabled deduplication and audit tracking for incident processing
Testing utilities and documentation
- Added Wazuh test-event injection script: scripts/send-wazuh-test-events.sh
- Added root project docs:
- Added root ignore rules:
3) Current Live Status (Lab)
Current stack status: UP
Healthy/available components:
- Wazuh manager, indexer, dashboard
- IRIS-web app/nginx/worker/db/rabbitmq
- Shuffle backend/frontend/opensearch/orborus
- PagerDuty Stub
- soc-integrator + soc-integrator-db
Endpoint checks:
- Wazuh Dashboard: OK
- Wazuh API: OK (auth-protected, expected 401 on unauthenticated root)
- IRIS Web: OK
- Shuffle Frontend: OK
- Shuffle Backend: reachable
- Shuffle OpenSearch: reachable (auth-protected)
- PagerDuty Stub: OK
- soc-integrator /health: OK
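The endpoint checks above boil down to one rule: an endpoint is "up" if it answers with the status code we expect for an unauthenticated probe, which for the auth-protected services (Wazuh API, Shuffle OpenSearch) is 401 rather than 200, while no response at all (curl reports 000) or a 5xx is a failure. The script below is an added example of that rule, not the project's soc-status.sh; the localhost ports and paths are lab assumptions, and classify_status carries the decision logic so it can be checked without the stack running.

```shell
#!/bin/sh
# Added example (not the project's soc-status.sh): probe each stack endpoint
# and decide health from the HTTP status code. Auth-protected services
# legitimately answer 401/403 to an unauthenticated probe, so that counts
# as "up"; a 000 code (no TCP connection / timeout) or a 5xx counts as down.
# All URLs and ports below are lab-port assumptions, not values from the project.

# classify_status CODE ACCEPT
#   CODE   - HTTP status printed by curl (000 when no response at all)
#   ACCEPT - comma-separated list of codes that mean "healthy"
# Prints OK, AUTH, or FAIL; returns 0 for OK/AUTH and 1 for FAIL.
classify_status() {
    code=$1
    accept=$2
    case ",$accept," in
        *",$code,"*)
            # Explicitly accepted code; distinguish "up but needs auth".
            case "$code" in
                401|403) echo AUTH ;;
                *)       echo OK ;;
            esac
            return 0 ;;
    esac
    echo FAIL
    return 1
}

# probe URL ACCEPT LABEL - fetch the status code and classify it.
probe() {
    url=$1; accept=$2; label=$3
    # -o /dev/null discards the body, -w prints only the status code.
    # -k tolerates the lab's self-signed certificates; drop it outside the lab.
    # If curl is missing or the host is unreachable, fall back to 000.
    code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 3 "$url" 2>/dev/null) || code=000
    result=$(classify_status "$code" "$accept" || true)
    printf '%-22s %s (%s)\n' "$label" "$result" "$code"
    [ "$result" != FAIL ]
}

run_checks() {
    failed=0
    # Label, URL and accepted codes. The Wazuh API root is expected to answer
    # 401 without credentials (as noted in the status section); the rest 200.
    probe https://localhost:443/app/login    200      "Wazuh Dashboard"    || failed=1
    probe https://localhost:55000/           401      "Wazuh API"          || failed=1
    probe https://localhost:8443/            200,302  "IRIS Web"           || failed=1
    probe http://localhost:3001/             200      "Shuffle Frontend"   || failed=1
    probe http://localhost:5001/api/v1/health 200     "Shuffle Backend"    || failed=1
    probe https://localhost:9200/            401      "Shuffle OpenSearch" || failed=1
    probe http://localhost:8081/health       200      "PagerDuty Stub"     || failed=1
    probe http://localhost:8000/health       200      "soc-integrator"     || failed=1
    return $failed
}

if run_checks; then
    echo "all endpoints healthy"
else
    echo "one or more endpoints unhealthy" >&2
fi
```

The accepted-code list is per endpoint on purpose: a blanket "anything but 000 is fine" would hide a dashboard that has started returning 500, while "only 200 is fine" would flag the auth-protected services as down on every run.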
4) In Progress / Remaining for Customer UAT
- Detection content tuning
  - Fine-tune Wazuh rules/decoders for customer log patterns and false-positive reduction
- Use-case calibration
  - Validate risk/severity mapping per approved use cases
  - Tune exception list and threshold logic (especially VPN geo anomaly)
- UAT evidence package
  - Capture deterministic UAT scenarios and outputs for:
    - IOC flow
    - VPN outside-TH flow
    - IRIS case creation/update
    - PagerDuty Stub escalation path
- Production hardening items
  - Rotate default/local secrets used in lab config
  - Lock down internal API keys and access boundaries
5) Risks / Notes
- Current escalation target is PagerDuty Stub by design for MVP.
  Real PagerDuty production integration is the next stage.
- Some Wazuh config certificate directories are root-owned in the local lab clone, which may affect local git add operations if not excluded/fixed.
6) Next Milestone (Proposed)
Next milestone: MVP UAT Completion
Target outputs:
- Approved UAT checklist execution
- Tuned policy thresholds for customer environment
- Signed-off incident lifecycle flow:
  Wazuh event -> soc-integrator decision -> IRIS case -> PagerDuty Stub escalation