A comprehensive, fully-integrated Security Operations Center (SOC) environment featuring automated detection, incident response, threat intelligence, and adversary emulation capabilities. Built entirely with open-source tools.
SOC-in-a-Box demonstrates enterprise-grade security operations capabilities:
- Real-time Threat Detection - Wazuh SIEM with 50+ custom MITRE ATT&CK-mapped rules
- Automated Incident Response - TheHive case management with Cortex enrichment
- Security Orchestration (SOAR) - Shuffle automated playbooks
- Threat Intelligence - MISP integration with 50,000+ IOCs from multiple feeds
- Adversary Simulation - MITRE Caldera for attack emulation and detection validation
- Endpoint Monitoring - Sysmon and Suricata for comprehensive visibility
```
┌───────────────────────────────────────────────────────────────────────┐
│                       SOC-in-a-Box Architecture                       │
├───────────────────────────────────────────────────────────────────────┤
│                                                                       │
│   ┌─────────────┐       ┌─────────────┐       ┌──────────────┐        │
│   │   Caldera   │       │   Victim    │       │    Victim    │        │
│   │ (Red Team)  │  ──>  │  (Windows)  │       │   (Linux)    │        │
│   └─────────────┘       └──────┬──────┘       └───────┬──────┘        │
│                                │                      │               │
│                                ▼                      ▼               │
│         ┌──────────────────────────────────────────────────────────┐  │
│         │                      Wazuh SIEM/XDR                      │  │
│         │         (Log Collection, Detection, Correlation)         │  │
│         └──────────────────────────┬───────────────────────────────┘  │
│                                    │                                  │
│                  ┌─────────────────┼─────────────────┐                │
│                  ▼                 ▼                 ▼                │
│           ┌─────────────┐   ┌─────────────┐   ┌────────────────┐      │
│           │   Shuffle   │   │   TheHive   │   │      MISP      │      │
│           │   (SOAR)    │──>│   (Cases)   │<─>│ (Threat Intel) │      │
│           └─────────────┘   └──────┬──────┘   └────────────────┘      │
│                                    │                                  │
│                                    ▼                                  │
│                             ┌─────────────┐                           │
│                             │   Cortex    │                           │
│                             │ (Enrichment)│                           │
│                             └─────────────┘                           │
│                                                                       │
└───────────────────────────────────────────────────────────────────────┘
```
| Component | Tool | Version | Purpose |
|---|---|---|---|
| SIEM/XDR | Wazuh | 4.7.2 | Log aggregation, threat detection, compliance |
| Case Management | TheHive | 5.2 | Incident response, case tracking |
| Automated Analysis | Cortex | 3.1.7 | IOC enrichment, automated analysis |
| SOAR | Shuffle | Latest | Playbook automation, orchestration |
| Threat Intelligence | MISP | Latest | Threat intel platform, IOC sharing |
| Adversary Simulation | Caldera | Latest | MITRE ATT&CK emulation |
| Endpoint Telemetry | Sysmon | Latest | Windows event logging |
| Network IDS | Suricata | Latest | Network threat detection |
- ✅ 50+ Custom detection rules mapped to MITRE ATT&CK
- ✅ Credential access detection (Mimikatz, LSASS dumping)
- ✅ Lateral movement detection (PsExec, WMI, WinRM)
- ✅ Persistence mechanism detection (Registry, Services, Scheduled Tasks)
- ✅ Ransomware behavior detection (Shadow copy deletion, file encryption)
- ✅ Living-off-the-land binary (LOLBAS) detection
- ✅ Automated alert enrichment via Cortex
- ✅ Automated case creation in TheHive
- ✅ Threat intelligence correlation with MISP
- ✅ Custom Shuffle playbooks for common scenarios
- ✅ MITRE Caldera adversary profiles
- ✅ Full kill-chain simulation capabilities
- ✅ Detection validation framework
- Hardware: 16GB+ RAM, 4 CPU cores, 100GB SSD (minimum)
- Software: Docker & Docker Compose, Git, WSL2 (for Windows users)
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/soc-in-a-box.git
cd soc-in-a-box

# Configure system settings (Linux/WSL); the Wazuh indexer needs this mmap limit
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf

# Create Docker network
docker network create soc-network

# Start Wazuh Stack
cd wazuh-docker/single-node
docker compose -f generate-indexer-certs.yml run --rm generator
docker compose up -d

# Start TheHive + Cortex
cd ../../docker
docker compose -f docker-compose.thehive.yml up -d

# Start Shuffle SOAR
docker compose -f docker-compose.shuffle.yml up -d

# Start Caldera
docker compose -f docker-compose.caldera.yml up -d

# Start MISP
docker compose -f docker-compose.misp.yml up -d
```

| Service | URL | Default Credentials |
|---|---|---|
| Wazuh Dashboard | https://localhost:443 | admin / SecretPassword |
| TheHive | http://localhost:9000 | admin@thehive.local / secret |
| Cortex | http://localhost:9001 | admin / admin |
| Shuffle | http://localhost:3001 | admin / shuffle123 |
| Caldera | http://localhost:8888 | red / admin |
| MISP | https://localhost:8443 | admin@admin.test / admin |
| Tactic | Techniques | Coverage |
|---|---|---|
| Initial Access | T1566.001, T1566.002 | ██████░░░░ 60% |
| Execution | T1059.001, T1059.003, T1047 | ████████░░ 80% |
| Persistence | T1547.001, T1053.005, T1543.003 | ████████░░ 80% |
| Privilege Escalation | T1134, T1548 | ██████░░░░ 60% |
| Defense Evasion | T1070.001, T1070.006, T1562.001 | ████████░░ 80% |
| Credential Access | T1003.001, T1003.002, T1110 | ██████████ 100% |
| Discovery | T1082, T1016, T1018 | ████████░░ 80% |
| Lateral Movement | T1021.002, T1021.006, T1047 | ████████░░ 80% |
| Collection | T1560 | ██████░░░░ 60% |
| Exfiltration | T1048, T1567 | ██████░░░░ 60% |
```
Total Rules: 50+
├── Windows Rules: 35
├── Linux Rules: 10
├── Network Rules: 5
└── Custom Correlation: 5
```
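As an added example (not the project's own `custom_rules.xml`), two of the ATT&CK-mapped Wazuh custom rules described above, in the format `detection-rules/windows/` would hold: LSASS memory access (T1003.001) from Sysmon Event ID 10, with a known-good child rule, and shadow copy deletion from Sysmon Event ID 1. Rule IDs 100100-100102, the severity levels, the granted-access mask list and the Defender exclusion path are assumptions; parent IDs 61603 and 61612 are Wazuh's built-in Sysmon event 1 and event 10 rules.

```xml
<group name="soc-in-a-box,sysmon,">

  <!-- Credential access: a process opened a handle to lsass.exe (Sysmon Event ID 10).
       Parent 61612 is Wazuh's built-in "Sysmon - Event 10: Process accessed" rule.
       Access masks 0x1010 / 0x1410 / 0x1fffff are the ones credential dumpers commonly
       request; the list is an assumption and should be tuned per fleet. -->
  <rule id="100100" level="12">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)\\lsass\.exe$</field>
    <field name="win.eventdata.grantedAccess" type="pcre2">^0x1(?:0|4)10$|^0x1fffff$</field>
    <description>Credential access: $(win.eventdata.sourceImage) opened LSASS with $(win.eventdata.grantedAccess)</description>
    <mitre>
      <id>T1003.001</id>
    </mitre>
    <group>credential_access,lsass_access,</group>
  </rule>

  <!-- Known-good exclusion: drop to informational when the source is Windows Defender's
       engine (assumed path). Add your own EDR/AV binaries here instead of silencing 100100. -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.sourceImage" type="pcre2">(?i)\\MsMpEng\.exe$</field>
    <description>LSASS access by a known security product: $(win.eventdata.sourceImage)</description>
    <group>credential_access,lsass_access,</group>
  </rule>

  <!-- Ransomware behaviour: shadow copy deletion on the command line (Sysmon Event ID 1).
       Parent 61603 is Wazuh's built-in "Sysmon - Event 1: Process creation" rule.
       T1490 (Inhibit System Recovery) is the ATT&CK technique for this behaviour. -->
  <rule id="100102" level="13">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)</field>
    <description>Ransomware behaviour: shadow copies deleted by $(win.eventdata.image) (parent: $(win.eventdata.parentImage))</description>
    <mitre>
      <id>T1490</id>
    </mitre>
    <group>ransomware,inhibit_system_recovery,</group>
  </rule>

</group>
```

Place the file under the manager's `etc/rules/` directory and restart the manager; the Wazuh Dashboard's MITRE ATT&CK module will then show the alerts under T1003.001 and T1490.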
Simulates a complete ransomware attack chain:
- Initial access via phishing (simulated)
- Execution of encoded PowerShell
- Credential dumping with Mimikatz
- Lateral movement via PsExec
- Shadow copy deletion
- File encryption simulation
Advanced persistent threat simulation:
- Spearphishing delivery
- Persistence via registry
- Discovery commands
- Data staging and exfiltration
Internal threat detection:
- Unusual access patterns
- Mass file access
- Data exfiltration attempt
```
soc-in-a-box/
├── README.md
├── LICENSE
├── docker/
│   ├── docker-compose.thehive.yml
│   ├── docker-compose.shuffle.yml
│   ├── docker-compose.caldera.yml
│   └── docker-compose.misp.yml
├── detection-rules/
│   ├── windows/
│   │   └── custom_rules.xml
│   ├── linux/
│   └── network/
├── playbooks/
│   └── shuffle/
├── docs/
│   ├── architecture/
│   ├── installation/
│   ├── configuration/
│   ├── runbooks/
│   └── attack-scenarios/
├── configs/
│   ├── wazuh/
│   ├── thehive/
│   ├── cortex/
│   ├── shuffle/
│   └── caldera/
└── assets/
    ├── screenshots/
    └── diagrams/
```
- Threat Events in MISP: 21+ pages (thousands of events)
- IOCs in MISP: 50,000+ (malware hashes, IPs, domains)
- MITRE ATT&CK Techniques Covered: 30+
- Custom Detection Rules: 50+
- Automated Playbooks: Alert enrichment, case creation, malware response
- Threat Feeds: abuse.ch, CIRCL, Botvrij.eu, URLhaus
- ✅ SIEM deployment and configuration
- ✅ Custom detection rule development
- ✅ Incident response workflow design
- ✅ SOAR playbook automation
- ✅ Threat intelligence integration
- ✅ Red team/Blue team operations
- ✅ Docker container orchestration
- ✅ Security documentation
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.
- Wazuh - Open source security platform
- TheHive Project - Incident response platform
- Shuffle - SOAR platform
- MITRE ATT&CK - Threat framework
- MITRE Caldera - Adversary emulation
- MISP Project - Threat intelligence sharing
Project Authors - Faraz Ahmed and Pramath Yaji
⭐ If you found this project helpful, please give it a star! ⭐