
Fazal · 2 min read · Oct 4, 2025

Project Overview
This project demonstrates the design and deployment of a fully integrated Security Operations Center (SOC) lab within a controlled virtualized environment. It brings together network and host monitoring, incident detection, and real-time alerting to simulate how enterprise SOCs operate.
The setup uses multiple operating systems (Kali Linux, Ubuntu, Windows 10, Windows Server, and Amazon Linux EC2) to represent a real-world heterogeneous infrastructure. Each machine forwards security logs to a central SIEM manager (Ubuntu), configured with Wazuh and Snort for end-to-end visibility.
Core Implementations
✅ 1. Multi-OS Virtual Environment:
Configured six different OS environments in VMware for simulating enterprise-scale endpoints — including local servers, user machines, and a cloud server.
✅ 2. Central SIEM Manager Setup:
Built on Ubuntu; integrated Wazuh Manager, Snort IDS, and ELK Stack to handle both host-based and network-based detection.
✅ 3. Promiscuous Mode Networking:
Enabled bridge-mode monitoring for packet capture and real-time inspection across VMs.
✅ 4. Snort IDS Deployment:
Installed and configured Snort as a network intrusion detection system, tuning it to capture malicious activities within the VM network.
✅ 5. Wazuh Agent Integration:
Deployed Wazuh Agents across multiple OS types (Linux, Windows, Cloud) for centralized log collection and correlation.
✅ 6. AWS EC2 Integration (Cloud Node):
Launched an Amazon Linux EC2 instance, connected securely to the on-prem SOC using Tailscale VPN, simulating hybrid enterprise infrastructure.
✅ 7. Detection Rules and Custom Alerts:
Created custom Wazuh rules for SSH brute-force, authentication failures, and suspicious behaviors — applied globally to all agents.
✅ 8. Slack Automation for Incident Alerts:
Configured Slack Webhook Integration so that any triggered alert in Wazuh automatically posts a structured JSON alert into a Slack channel for rapid SOC response.
✅ 9. Attack Simulation & Validation:
Executed simulated attacks (brute-force, port scans, etc.) to validate rule accuracy and verify detection pipeline functionality.
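Steps 7 and 8 in miniature, as an added example that is not code from this article or from the linked repository: a frequency/timeframe-style SSH brute-force detector of the kind a custom Wazuh rule expresses, run over constructed sshd log lines, and the structured JSON body that the Slack webhook step would POST. The rule id 100100, the threshold of 5 failures within 60 seconds and the payload layout are this example's assumptions, not the lab's actual settings.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog format (not taken from the article's lab).
SAMPLE_LOG = """\
Oct  4 10:15:01 ubuntu sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Oct  4 10:15:03 ubuntu sshd[2203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Oct  4 10:15:05 ubuntu sshd[2205]: Failed password for root from 203.0.113.7 port 40126 ssh2
Oct  4 10:15:07 ubuntu sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 40128 ssh2
Oct  4 10:15:09 ubuntu sshd[2209]: Failed password for root from 203.0.113.7 port 40130 ssh2
Oct  4 10:15:30 ubuntu sshd[2211]: Accepted publickey for fazal from 198.51.100.20 port 50000 ssh2
Oct  4 10:20:00 ubuntu sshd[2213]: Failed password for root from 198.51.100.20 port 50002 ssh2
"""
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")

def parse_ts(ts, year=2025):
    # syslog timestamps carry no year; assume one so the window arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, timeframe=60):
    """Wazuh-style frequency/timeframe rule: fire once per source IP when
    `threshold` failed logins land inside a sliding `timeframe`-second window."""
    windows, alerts = defaultdict(deque), []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, src = parse_ts(m["ts"]), m["src"]
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append({"rule_id": 100100, "level": 10, "src_ip": src,
                           "count": len(q), "timestamp": ts.isoformat()})
            q.clear()  # one burst yields one alert, not one per extra attempt
    return alerts

def build_slack_payload(alert, agent="ubuntu"):
    # Simplified webhook body; the field layout is this example's, not Wazuh's integration schema
    fields = [{"title": k, "value": str(v), "short": True} for k, v in alert.items()]
    return {"text": f"Wazuh alert level {alert['level']} (rule {alert['rule_id']}) on agent {agent}",
            "attachments": [{"color": "danger", "fields": fields}]}

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(json.dumps(build_slack_payload(a), indent=2))
```

The single failed login from the second address stays below the threshold and produces no alert, which is the false-positive behaviour a frequency rule is meant to give.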
Deliverable
- A self-contained SOC Lab guide (.docx) hosted on GitHub.
- Complete instructions to replicate the architecture from scratch — ideal for students, SOC aspirants, and cybersecurity lab builders.
🔗 GitHub Repository: [https://github.com/shaikfazal-del/vm-based-soc-lab.git]
Key Skills Demonstrated
- SIEM and IDS/IPS Configuration (Wazuh + Snort)
- Log Forwarding and Centralized Monitoring
- Alert Automation and Incident Response via Slack
- Cloud Security Integration (AWS EC2 + VPN)
- Network Traffic Capture and Analysis
- Multi-OS Security Environment Management
📫 Connect on LinkedIn: [https://www.linkedin.com/in/fazal-shaikk/]
🌐 Portfolio: [https://fazal-portfolio-git-main-fazals-projects-01b6c4d5.vercel.app/]