MINI SOC LAB

An enterprise security monitoring lab with Wazuh, Elastic, and Suricata for detection engineering practice.
SERVICE /
DETECTION ENG
CLIENT /
INTERNAL LAB
YEAR /
2024
THE PROBLEM
Detection engineering is hard to learn from slides. Analysts need correlated host and network telemetry, rules that fire on sequences rather than single log lines, and attack traffic they can replay without touching production. Most training environments are either toy setups that teach nothing about noise, or production access that interns should not have on day one. The gap was a lab that felt like a real SOC without the blast radius.
MY APPROACH
I built a self-contained monitoring stack. Suricata feeds network events. Wazuh collects host telemetry. Elastic correlates both so rules can reason across signal types. Each alert links back to the raw events that triggered it. Attack scenarios run from replayed traffic so practitioners tune detections against known behaviour instead of waiting for a live incident.
THE SOLUTION
The Mini SOC Lab gives practitioners a full detection pipeline: ingest, correlation, rule authoring, and alert triage. Exercises walk through writing a first detection, tuning false positives, and tracing an alert to source events. The environment mirrors what they would see in enterprise monitoring without requiring production credentials.
WHAT CHANGED
Over a hundred practitioners have run exercises in the lab and shipped their first detection within a week of starting. The lab became the default training ground for detection engineering on the team. Analysts arrive at production work already knowing how correlated rules behave under replayed attack traffic.