Cybersecurity · Network Security Capstone · 2026

Lab-to-SOC — SIEM Detection Build

A working intrusion-detection pipeline built from an empty lab: Suricata watching the wire, the ELK stack making the data legible, and custom detection rules proven against live attacks I ran myself.

Kibana dashboard — an alerts-over-time chart, a top-signatures breakdown, and a timestamped table showing detected SSH brute force, Nmap SYN scan, and suspicious DNS query events

Overview

The assignment was deceptively simple: stand up a real intrusion-detection system and prove it works. We started from bare Linux hosts and built the whole chain — a hardened network with a UFW firewall and a WireGuard VPN, Suricata inspecting traffic as an IDS, and the ELK stack (Elasticsearch, Kibana) turning raw events into something a human analyst can actually read. Filebeat, running the Suricata module, carried the alerts from the sensor into the dashboard.

This was a two-person team project. My work centered on the detection layer — writing and tuning the Suricata rules, wiring the Filebeat-to-Elasticsearch pipeline, and running the attack simulation that proved the alerts fired the way they were supposed to.

Detection Engineering

A SIEM is only as good as the rules feeding it. Rather than ship stock signatures, we wrote custom Suricata rules tuned to specific attacker behavior — and, importantly, tuned the thresholds so the alerts mean something instead of drowning an analyst in noise:

  • SSH brute force — fires on 5 failed attempts within 60 seconds
  • Nmap SYN scan — fires on 10 SYN probes within 10 seconds
  • Suspicious DNS queries — flags lookups associated with reconnaissance and exfiltration patterns

The thresholds are the point. Five SSH failures in a minute is an attack; two is a tired user. Picking those numbers — and being able to defend why — is the difference between writing a rule and understanding detection.

Troubleshooting (the real work)

The pipeline didn't work the first time — they never do. Two fixes mattered: correcting the eve.json path so Filebeat's Suricata module could actually find and ship the events, and tuning the loopback interface so Suricata inspected the right traffic. Most of the learning lived in the gap between "configured" and "actually flowing."

Proving It — Red-Team Validation

Red team playbook slide — Nmap port scan, SSH brute force, and DNS lookup, with the actual nmap -sS SYN scan and brute-force loop commands

A detection system you haven't attacked is a guess. So we played the adversary: ran nmap SYN scans and an SSH brute-force loop against the lab, then watched the alerts land in Kibana in real time. Each rule was verified by triggering exactly the behavior it was written to catch — closing the loop from sensor to dashboard to confirmed detection.

We also mapped each rule to MITRE ATT&CK tactics — recon, credential access, command-and-control — and to the real-world tradecraft they mirror (Conti ransomware, credential stuffing, Cobalt Strike beacons). Detection isn't just "did an alert fire"; it's knowing what the alert means.

Outcome

A complete, working lab-to-SOC pipeline: traffic inspected, events centralized, custom rules firing on demand, and dashboard evidence to back every claim. The build earned full marks, and the accompanying presentation was cited by the instructor as the strongest of the semester — credit I share with my project partner.