Flagship case study

PP_SOC_Integration: from a verified rule library to a live detection workflow

Evidence-first transition from static detection artifacts to a running SOC production-sim environment. Numbers are sourced from observed monitoring data; redacted screenshots and artifacts are available in the project repository.

Context

The HawkinsOperations detection library reached a verified baseline: 103 Sigma rules, 28 Wazuh rule blocks, and 8 Splunk SPL queries — all confirmed by CI and reproducible from repo root. The gap was not rule correctness. It was workflow validity. None of those rules had been run against continuous live telemetry in a real environment with a real analyst decision loop on top. The question became: do these rules fire on actual endpoint and VM behavior, at SOC speed, in a way that produces actionable alerts rather than noise?

Problem

Wazuh agent coverage across Windows 11 Enterprise endpoint and Proxmox-hosted VMs (7 agents active at time of case study).
Agents stream telemetry (process creation, file integrity, authentication events, network connections) to a Wazuh manager.
Detection rules deployed from dist/wazuh/local_rules.xml — generated by scripts/build-wazuh-bundle.ps1 from the verified rule set in detection-rules/wazuh/rules/.
Splunk available in the lab for SPL rule authoring and pivot work; not yet connected to the live telemetry pipeline during this phase.

Approach

Observe Wazuh alert stream. Classify by rule level (low / medium / high / critical).
Pivot on process trees and parent-child relationships for high-level alerts.
Correlate with known-good baselines; apply suppression for confirmed noise patterns.
For any critical or high alert: apply the documented SOC analyst decision flow — classify → pivot → validate source → document findings or escalate suppression.
Capture alert evidence artifacts per PROOF_PACK/EVIDENCE_CHECKLIST.md policy (redacted where internal identifiers are present).

Outcome

15,052 alerts observed in a single 24-hour monitoring window — confirming agent connectivity and rule coverage at scale.
CVE-2025-55130 identified during active monitoring. Remediation steps applied and verified as closed.
Agent health confirmed via Wazuh manager dashboard after each bundle redeploy cycle.

Bundle rebuild verification command:

pwsh -File .\scripts\build-wazuh-bundle.ps1

Evidence

All artifacts from this project are collected in the repository evidence directory. Screenshots containing internal identifiers are redacted per repo sanitization policy.

PP_SOC_Integration evidence directory (GitHub) — Wazuh alert screenshots, agent status, CVE remediation artifacts.
Full project package (GitHub) — README, docs, and structured proof artifacts.
Upcoming project direction doc — next phase priorities and expansion plan.

SOC infrastructure map showing collect detect triage investigate respond improve workflow across Proxmox and endpoint systems

Lessons + next hardening step

Single-node Wazuh manager — home lab, not clustered. No high-availability or cross-site correlation.
Splunk not connected to live telemetry during this phase. SPL detections are authored and verified against static log samples only.
15,052 alerts/24h includes untuned noise — suppression tuning is ongoing work, not a completed deliverable.
Screenshots contain internal hostnames and identifiers; all are redacted per PROOF_PACK/EVIDENCE_CHECKLIST.md.
No correlation engine across data sources — ATT&CK lateral movement coverage relies on per-host telemetry only at this stage.

Next hardening step

Connect Splunk to live telemetry pipeline to run SPL detections against real data.
Expand Proxmox VM coverage — add additional agent targets for lateral movement simulation.
Build a daily alert triage log as a structured artifact (consistent format, reviewer-readable).
Add synthetic event generators for Wazuh regression testing after rule changes.
Publish a false-positive review matrix per rule family.

View evidence artifacts See the proof pack Wazuh rule-build case study