yasser-ch/SOC-LAB-PROJECT
🛡️ SOC Lab Project — Automated Security Operations Center

A distributed Next-Generation SOC lab built by a 5-member team, each running their component on a separate machine linked via OpenVPN. This repository documents the NDR Probe + Wazuh SIEM component.

📸 Screenshots

Global Architecture

[screenshot: global architecture diagram]

Wazuh Dashboard — NDR-Probe Events

[screenshot: Wazuh dashboard filtered on NDR-Probe events]

Arkime — Live Session Capture

[screenshot: Arkime live session capture]

Zeek — Active Logs

[screenshot: Zeek active log files]

🗺️ Architecture Overview

```
┌─────────────────────────────────────────────────────────────────┐
│                        SOC Lab Network                          │
│                      VPN Subnet 10.0.8.0/24                     │
│                                                                 │
│  ┌─────────────┐     ┌──────────────────┐                       │
│  │    Kali     │────▶│ pfSense+Suricata │                       │
│  │  10.0.8.6   │     │   10.0.8.1       │                       │
│  │ (Attacker)  │     │ (Firewall/NIDS)  │                       │
│  └─────────────┘     └────────┬─────────┘                       │
│                               │ OpenVPN (tun0)                  │
│                               ▼                                 │
│                  ┌────────────────────────┐                     │
│                  │     NDR Probe          │  ◀── THIS REPO      │
│                  │     10.0.8.8           │                     │
│                  │  Zeek + Arkime         │                     │
│                  │  Filebeat + Wazuh Agent│                     │
│                  └────────────┬───────────┘                     │
│                               │ TCP :5044 / :1514               │
│                               ▼                                 │
│                  ┌────────────────────────┐                     │
│                  │     Wazuh SIEM         │                     │
│                  │     10.0.8.5           │                     │
│                  │  Manager+Indexer       │                     │
│                  │  +Dashboard            │                     │
│                  └────────────┬───────────┘                     │
│                               │                                 │
│              ┌────────────────┴────────────────┐                │
│              ▼                                 ▼                │
│  ┌───────────────────┐           ┌─────────────────────────┐    │
│  │   Shuffle SOAR    │           │  TheHive + Cortex + MISP│    │
│  │   10.0.8.4        │           │  10.0.8.3               │    │
│  └───────────────────┘           └─────────────────────────┘    │
└─────────────────────────────────────────────────────────────────┘
```

👥 Team

| Name | Role | Component | VPN IP | GitHub |
|---|---|---|---|---|
| Yasser Chettour | SIEM Engineer | Wazuh SIEM + NDR Probe | 10.0.8.5 / 10.0.8.8 | @yasser-ch |
| Mounir Merghich | Network Engineer | pfSense + Suricata | 10.0.8.1 | @ |
| Malak Belkhou | SOAR Engineer | Shuffle + DVWA + Windows Client | 10.0.8.4 | @ |
| Landry Dossah | Red Team / Deception | Kali Linux + Cowrie Honeypot | 10.0.8.6 / 10.0.8.10 | @m4jesty228 |
| Hiba Sidinou | Threat Intelligence | TheHive + Cortex + MISP | 10.0.8.3 | @hibasidinou |

🔧 My Components

VM 1 — Wazuh SIEM (10.0.8.5)

| Component | Role | Port |
|---|---|---|
| Wazuh Indexer | Storage & indexation (OpenSearch) | :9200 HTTPS |
| Wazuh Manager | Correlation engine & rules | :1514 / :5044 |
| Filebeat 7.17 | Log transfer Manager → Indexer | :5044 TCP |
| Wazuh Dashboard | Visualization & Threat Hunting | :443 HTTPS |

VM 2 — NDR Probe (10.0.8.8)

| Component | Role | Details |
|---|---|---|
| Zeek 8.0.5 | Passive network analysis | Captures on tun0 |
| Arkime 5.4.0 | Full Packet Capture (PCAP) | Web UI :8005 |
| OpenSearch | Local storage for Arkime | localhost:9200 |
| Filebeat 7.17 | Ships Zeek logs → Wazuh | TCP :5044 |
| Wazuh Agent | Agent ID 004 — NDR-Probe | TCP :1514 |

📊 Zeek Log Types

| Log File | Content |
|---|---|
| conn.log | All TCP/UDP connections |
| dns.log | DNS queries and responses |
| http.log | HTTP requests, URLs, user-agents |
| ssl.log | TLS handshakes, certificates |
| notice.log | Zeek security alerts |
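All of the log files above share Zeek's ASCII TSV layout: `#`-prefixed header lines declare the separator, the unset/empty markers and the column names before the data rows. As an added example (not code from this repository), the parser below reads that header instead of hard-coding tabs, and the summary counts half-open connections (conn_state S0) per originator, a quick sanity check of what the probe sees before the rows reach Wazuh. The conn.log rows are constructed for this example.

```python
from collections import Counter

# Constructed sample shaped like a Zeek conn.log written on the probe's tun0
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring",
    "1780000000.100000\tCabc1\t10.0.8.6\t51000\t10.0.8.4\t80\ttcp\thttp\t0.5\t300\t1200\tSF",
    "1780000000.200000\tCabc2\t10.0.8.6\t51001\t10.0.8.4\t22\ttcp\t-\t-\t-\t-\tS0",
    "1780000000.300000\tCabc3\t10.0.8.6\t51002\t10.0.8.4\t443\ttcp\tssl\t1.2\t900\t4000\tSF",
    "1780000000.400000\tCabc4\t10.0.8.3\t40000\t10.0.8.5\t1514\ttcp\t-\t10.0\t512\t128\tSF",
    "#close\t2026-05-13-00-45-33",
])


def parse_zeek_tsv(text):
    """Yield one dict per data row, honouring the header's separator and markers."""
    sep, unset, empty = "\t", "-", "(empty)"   # Zeek defaults, overridden by header
    fields = []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The separator is written as an escape sequence after a space, e.g. \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#empty_field"):
            empty = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # #types, #path, #open, #close carry no rows
        else:
            values = line.split(sep)
            # Both "unset" and "empty" columns are surfaced as None
            yield {k: (None if v in (unset, empty) else v) for k, v in zip(fields, values)}


def summarize_by_source(text):
    """Return {orig_h: (total connections, connections left half-open as S0)}."""
    total, half_open = Counter(), Counter()
    for row in parse_zeek_tsv(text):
        total[row["id.orig_h"]] += 1
        if row["conn_state"] == "S0":
            half_open[row["id.orig_h"]] += 1
    return {h: (total[h], half_open[h]) for h in total}
```

On the probe itself the same functions run over `/opt/zeek/logs/current/conn.log`; only the sample text is constructed.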

📁 Repository Structure

```
SOC-LAB-PROJECT/
│
├── configs/
│   ├── zeek/
│   │   ├── node.cfg          # Zeek interface config (interface=tun0)
│   │   ├── local.zeek        # Loaded Zeek scripts
│   │   └── zeek.service      # systemd autostart unit
│   │
│   ├── arkime/
│   │   └── config.ini        # Arkime capture + viewer config
│   │
│   ├── wazuh/
│   │   └── ossec.conf        # Wazuh agent config (→ 10.0.8.5)
│   │
│   └── filebeat/
│       └── filebeat.yml      # Filebeat → Wazuh Manager :5044
│
├── docs/
│   └── screenshots/          # Place your screenshots here
│
└── README.md
```

✅ Validation Results

| Verification | Result |
|---|---|
| Zeek captures traffic on tun0 | conn.log, dns.log, http.log generated in real time |
| Filebeat ships logs to Wazuh | `filebeat test output` → `talk to server... OK` (TCP :5044) |
| Wazuh receives NDR events | 503 events indexed — filtered on agent.name: NDR-Probe |
| Arkime indexes sessions | 290+ PCAP sessions — web UI accessible on :8005 |
| Wazuh Agent active | ✅ Agent ID 004 (NDR-Probe) — status: active (running) |

🚀 Quick Start — Services

```bash
# Check all services at once
for s in opensearch arkimecapture arkimeviewer wazuh-agent zeek; do
  echo -n "$s: "; systemctl is-active "$s"
done

# Restart everything
sudo systemctl restart opensearch
sudo systemctl restart arkimecapture arkimeviewer
sudo systemctl restart wazuh-agent
sudo /opt/zeek/bin/zeekctl deploy
```

Browser Access (via SSH tunnel from your PC)

```bash
# Arkime UI
ssh -L 8005:localhost:8005 ndr@<VM_LOCAL_IP>
# → open http://localhost:8005

# Wazuh Dashboard
ssh -L 8443:10.0.8.5:443 ndr@<VM_LOCAL_IP>
# → open https://localhost:8443

# pfSense UI
ssh -L 8080:10.0.8.1:80 ndr@<VM_LOCAL_IP>
# → open http://localhost:8080
```

🛠️ Key Technical Details

  • OS: Ubuntu Server 22.04 LTS (no GUI)
  • Hypervisor: VMware Workstation
  • Capture interface: tun0 (OpenVPN) — all inter-member traffic flows here
  • Zeek logs location: /opt/zeek/logs/current/
  • Arkime storage: OpenSearch local on NDR VM localhost:9200
  • Wazuh Agent ID: 004 — name: NDR-Probe
  • All services autostart on boot: opensearch, arkimecapture, arkimeviewer, wazuh-agent, zeek

🧱 Tech Stack

Ubuntu · Zeek · Arkime · Wazuh · OpenSearch · Filebeat · OpenVPN


📄 License

This project was built for educational purposes as part of a university cybersecurity program.
