Security Telemetry Engine is a reproducible SOC testbed designed to generate, correlate, and analyze attack telemetry.
It integrates Zeek and the Wazuh Stack (Manager, Indexer, Dashboard) to analyze telemetry and measure alert noise reduction.
A custom Python-based web-pentest toolkit is used to simulate realistic attack traffic and generate diverse telemetry.
The goal of this project is to develop a reproducible and research-oriented SOC testbed that can:
- Generate and analyze realistic attack telemetry
- Detect and correlate multi-stage attacks
- Measure alert noise and evaluate prioritization methods
- Explore improvements in detection accuracy and analyst efficiency
| Component | Role | Status |
|---|---|---|
| Parrot OS | Attacker VM (offensive testing) | Completed |
| Windows 11 | Victim VM with Sysmon + Wazuh Agent | Completed |
| Wazuh Manager | Docker Stack Deployed, Host & Network Agents Linked | Completed |
| Zeek | Network telemetry and log enrichment | Completed |
## Network topology
- Internal network (10.0.0.0/24) for telemetry collection
- NAT interface for pulling Docker updates and accessing the Wazuh Dashboard from the host
## Status Update (Nov 2025)
| Component | Status |
|---|---|
| Attacker VM | Completed |
| Windows 11 Victim | Completed (Sysmon + Wazuh Agent) |
| SIEM (Wazuh Stack via Docker) | Completed |
| Agent Enrollment | Successful (1 Active Agent) |
| Zeek Sensor | Completed (Network telemetry connected to Wazuh) |
This project investigates how multi-source telemetry correlation can improve detection fidelity and reduce SOC analyst workload.
The primary research areas include:
- Correlation between host and network telemetry
- Reducing false positives in SOC environments
- Measuring detection latency and alert volume reduction
## Planned evaluation metrics
- True Positive Rate (TPR) and False Positive Rate (FPR)
- Detection latency (event to alert time)
- Alert volume before and after correlation
- Severity and prioritization scores
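To make these metrics concrete, here is an added example (not part of the project's code) that correlates a constructed set of Wazuh and Zeek alerts into per-host incidents, scores incidents higher when both host and network telemetry agree, and computes alert volume before and after correlation, TPR and detection latency against a constructed attack log. FPR is omitted because it needs a count of benign sessions that a plain alert list does not carry; the alert fields, rule names and time window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not testbed output): one directory-fuzzing run against
# 10.0.0.20 seen by both Wazuh and Zeek, plus two unrelated alerts on 10.0.0.31.
# "malicious" is the ground-truth label taken from the attack log, not a detector verdict.
ALERTS = [
    {"src": "wazuh", "ts": "2025-11-03T10:00:05", "host": "10.0.0.20", "rule": "web_404_spike", "malicious": True},
    {"src": "zeek", "ts": "2025-11-03T10:00:07", "host": "10.0.0.20", "rule": "http_request_burst", "malicious": True},
    {"src": "wazuh", "ts": "2025-11-03T10:00:40", "host": "10.0.0.20", "rule": "web_404_spike", "malicious": True},
    {"src": "zeek", "ts": "2025-11-03T10:30:00", "host": "10.0.0.31", "rule": "dns_long_query", "malicious": False},
    {"src": "wazuh", "ts": "2025-11-03T11:15:00", "host": "10.0.0.31", "rule": "login_failure", "malicious": False},
]
# Constructed ground truth: start time of each attack run, keyed by target host.
ATTACKS = {"10.0.0.20": "2025-11-03T10:00:00"}

def _t(s):
    return datetime.fromisoformat(s)

def correlate(alerts, window_s=60):
    """Merge alerts on the same host that arrive within window_s of the previous one."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: _t(a["ts"])):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        cur = None
        for a in items:
            if cur and (_t(a["ts"]) - _t(cur["end"])).total_seconds() <= window_s:
                cur["alerts"].append(a); cur["end"] = a["ts"]; cur["sources"].add(a["src"])
            else:
                cur = {"host": host, "start": a["ts"], "end": a["ts"], "alerts": [a], "sources": {a["src"]}}
                incidents.append(cur)
    for inc in incidents:
        inc["malicious"] = any(a["malicious"] for a in inc["alerts"])
        # Prioritisation: agreement between host and network telemetry outranks a single source.
        inc["score"] = 2 * len(inc["sources"]) + len(inc["alerts"])
    return incidents

def evaluate(alerts, incidents, attacks):
    """Alert volume before/after correlation, per-attack TPR, FP incidents and event-to-alert latency."""
    detected = {inc["host"] for inc in incidents if inc["malicious"]}
    tp = sum(1 for h in attacks if h in detected)
    fn = len(attacks) - tp
    fp = sum(1 for inc in incidents if not inc["malicious"])
    latency = {h: (min(_t(i["start"]) for i in incidents if i["host"] == h and i["malicious"]) - _t(s)).total_seconds()
               for h, s in attacks.items() if h in detected}
    return {"alerts_before": len(alerts), "alerts_after": len(incidents), "tp": tp, "fp": fp, "fn": fn,
            "tpr": tp / (tp + fn) if tp + fn else 0.0, "latency_s": latency}

if __name__ == "__main__":
    print(evaluate(ALERTS, correlate(ALERTS), ATTACKS))
```

On the constructed input, five raw alerts collapse to three incidents, the fuzzing run is detected 5 s after it starts, and the multi-source incident gets the highest score.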
This testbed is designed primarily for controlled academic experiments rather than production SOC deployment.
| Attack | Description | Status | Detection |
|---|---|---|---|
| SSH Brute Force | Hydra-based SSH brute force | Planned | Pending |
| Directory Fuzzing | Gobuster-based web enumeration | In progress | Pending |
| DNS Tunneling | Data exfiltration via nslookup or iodine | Planned | Pending |
| Privilege Escalation | PowerShell-based local privilege escalation | Planned | Pending |
Detailed steps, logs, and detection artifacts are documented under the attacks/ directory.
| Metric | Before Correlation | After Correlation | Observation |
|---|---|---|---|
| Average Alerts | - | - | - |
| False Positives | - | - | - |
| Detection Latency | - | - | - |
The results section will be filled in once experiments begin, with quantitative data added after each experiment.
## Web-Pentest Toolkit (Attack Generator)
https://github.com/Lanex69/vulnerability-scanner
- Research Summary (PDF)
- Ethics Statement
- Architecture Diagram v2
- Blog Series – Part 1: Building the Mini SOC
  - Medium Version | Substack Version
Preliminary findings indicate that correlating host and network telemetry reduces redundant alerts and improves SOC triage efficiency.
Future work includes integrating a lightweight ML-based alert scoring module and exploring automated severity assignment.
This project is licensed under the MIT License. See the LICENSE file for details.