SOC Analyst Project | Threat Detection, Simulation, Automation & SIEM Integration by Alla Krishna Vamsi Reddy (cipherkrish69x)
This project demonstrates a comprehensive Security Operations Center (SOC) setup designed to enable real-time threat detection, automated responses, and seamless SIEM (Security Information and Event Management) integration. The project includes Sigma detection rules, attack simulations, and a variety of tools for automating security workflows, providing hands-on experience with industry-standard SOC practices.
The SOC Analyst Project integrates multiple components to monitor, detect, and respond to various security incidents. Key features include:
- Sigma Detection Rules: Detection of attacks such as Brute Force, Process Injection, and Suspicious DNS Queries using Sigma format.
- Attack Simulations: Realistic simulations of common attack scenarios that help test the detection capabilities.
- Automated Response: Scripts that automatically block malicious IPs or take other predefined actions when an attack is detected.
- SIEM Integration: Configuration and use of Elastic Stack (Elasticsearch, Kibana) to collect, analyze, and visualize data in real time.
- Comprehensive Documentation: Full documentation explaining the project structure, setup, and execution.
Alla Krishna Vamsi Reddy (cipherkrish69x)
-
Sigma Detection Rules
- Detect Brute Force login attempts, Process Injection, Suspicious DNS Queries, and more.
- Built in the Sigma YAML format, easily adaptable to various SIEM systems.
-
Attack Simulations
- Simulate Brute Force Attacks, Process Injection, and Data Exfiltration to test detection systems.
- Scripts include both PowerShell and Bash variations for cross-platform testing.
-
Automated Response
- Implement automation scripts for blocking malicious IP addresses or triggering alerts upon attack detection.
This project uses the Elastic Stack (Elasticsearch, Logstash, Kibana) for centralized logging and threat detection.
-
Logs generated from simulated attacks are forwarded to Elasticsearch via configured pipelines.
-
Kibana dashboards are manually built from these logs after the attack simulations.
-
These dashboards help in visualizing attack patterns, detection alerts, and overall security posture.
-
⚠️ Note: Dashboards are not pre-exported in this repository. Users are encouraged to manually create visualizations from the logged events to gain practical experience. -
Reporting & Documentation
- Complete project documentation, including installation instructions, setup guides, and a detailed report on attack simulations and testing results.
- Elastic Stack (Elasticsearch, Logstash, Kibana) for SIEM functionality.
- PowerShell for running attack simulations on Windows.
- Bash for attack simulations on Linux/macOS.
-
Clone the repository:
git clone https://github.com/Cipherkrish69x/SOC-Analyst-Project.git cd SOC-Analyst-Project -
Set up Elastic Stack:
- Follow the Elastic Stack setup instructions.
- Use the configuration files in the
SIEM-Configfolder.
-
Run Attack Simulations: Navigate to the
Attack-Simulations/folder and execute scripts. Example:bash brute_force_attack.sh
-
Deploy Sigma Rules: Import YAML rules from
Sigma-Rules/into Kibana or your SIEM platform. -
Automate Responses: Use automation scripts from
Automation-Scripts/likeblock_ip.shto mitigate threats. -
View Results in Kibana: Access Kibana dashboards to visualize alert data.
Here are examples of detection alerts generated during the simulations:
Alert Name: Brute Force Attempt Detected
Event ID: 4625
Account Name: user123
Target User: user123
Failure Reason: Unknown user name or bad password
Source IP: 192.168.1.101
Level: High
Tags: attack.mitre, attack.t1110Alert Name: Suspicious Process Injection Detected
Event ID: 4688
Parent Process: explorer.exe
Injected Process: powershell.exe
Command Line: powershell -enc <encoded>
User: WIN-ADMIN
Source IP: 10.0.0.12
Level: Critical
Tags: attack.mitre, attack.t1055Alert Name: Suspicious DNS Query
Event ID: 5156
Queried Domain: h4x0r.evil-domain.xyz
Query Type: A
Source Process: chrome.exe
Source IP: 172.16.5.30
Level: Medium
Tags: attack.mitre, attack.t1071Alert Name: Possible Data Exfiltration
Event ID: 4670
File Accessed: /var/log/secure.zip
Transfer Method: curl to pastebin.com
User: root
Destination IP: 104.26.10.78
Level: High
Tags: attack.mitre, attack.t1041
SOC-Analyst-Project/
├── Sigma-Rules/
│ ├── brute_force.yml
│ ├── process_injection.yml
│ └── suspicious_dns_queries.yml
├── Attack-Simulations/
│ ├── brute_force_attack.sh
│ ├── process_injection_attack.ps1
│ └── exfiltration_attack.sh
├── Automation-Scripts/
│ └── block_ip.sh
├── Documentation/
│ ├── README.md
│ └── project_report.md
├── SIEM-Config/
│ └── elasticsearch_config.yml
├── .gitignore
└── LICENSE
- Brute Force: Triggered using Hydra. Detected by
brute_force.yml. - Process Injection: Injected using PowerShell. Detected by
process_injection.yml. - DNS Abuse: Queried suspicious domain. Detected by
suspicious_dns_queries.yml.
- IP Blocking: Malicious IPs blocked using custom automation scripts.
- Alerting: Real-time alerts sent and visualized in Kibana.
This project is licensed under the MIT License – see the LICENSE file.
The SOC Analyst Project equips learners and professionals with practical skills to monitor and defend modern IT environments. From detection rules to simulation scripts and SIEM dashboards, this hands-on setup mirrors real-world SOC operations.
For queries, suggestions, or collaborations:
📧 Email: krishnavamsi2032@gmail.com 🔗 LinkedIn: cipherkrish69x
Let me know if you'd like this saved as a downloadable `.md` file or if you want a version with clickable links and badges (like stars, forks, tools used, etc.) to make it more GitHub-ready.