Security Operations

SOC & Threat Intelligence

Full-cycle SOC — alert triage in TheHive, automated analysis via Cortex 100+ analyzers, MISP threat sharing, OpenCTI intelligence graph, and Caldera adversary simulation. All mapped to MITRE ATT&CK.

Incident Workflow

Alert → Triage → Intelligence

🔔 Detection
Wazuh · Suricata · Splunk · Cilium
  Wazuh SIEM alert + FIM + auditd
  Suricata IDS/IPS signature match
  Splunk SPL correlation rule fires
  KubeArmor runtime syscall block
  Cilium/Hubble L7 anomaly flow

📋 Triage & Response
TheHive · Cortex
  TheHive auto-creates a case from the alert
  Observables: IP · hash · domain · URL
  Cortex 100+ analyzers auto-run
  Responder blocks IP / quarantines pod
  AWX job auto-remediation trigger

🧠 Intelligence
OpenCTI · MISP · Caldera
  OpenCTI STIX2 graph enrichment
  MISP IoC feed + community sharing
  ATT&CK TTP mapping per alert
  Caldera adversary simulation
  Report: PDF timeline + evidence
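The Detection to Triage hand-off above, as an added example (not the lab's own integration code): it shapes a Wazuh alert into the TheHive alert that the case is created from, carrying the source IP or file hash as an observable and the Wazuh ATT&CK tags along. The Wazuh JSON fields and TheHive v1 alert field names are assumptions from those tools' documented schemas; the sample alert is constructed.

```python
import json

# Wazuh rule level (0-15) -> TheHive severity (1 low, 2 medium, 3 high, 4 critical)
def severity_from_level(level: int) -> int:
    if level >= 12:
        return 4
    if level >= 9:
        return 3
    if level >= 6:
        return 2
    return 1

def build_thehive_alert(wazuh_alert: dict) -> dict:
    """Map one Wazuh alert document to a TheHive v1 alert payload."""
    rule = wazuh_alert["rule"]
    mitre = rule.get("mitre", {})
    # Carry Wazuh's ATT&CK tagging over so the case is TTP-mapped on creation
    tags = [f"attack:{tid}" for tid in mitre.get("id", [])]
    tags += [f"tactic:{t}" for t in mitre.get("tactic", [])]
    observables = []
    srcip = wazuh_alert.get("data", {}).get("srcip")
    if srcip:
        observables.append({"dataType": "ip", "data": srcip, "tags": ["src"]})
    sha = wazuh_alert.get("syscheck", {}).get("sha256_after")
    if sha:  # FIM alerts carry the new file hash instead of a network peer
        observables.append({"dataType": "hash", "data": sha, "tags": ["fim"]})
    return {
        "type": "wazuh",
        "source": wazuh_alert["agent"]["name"],
        # sourceRef must be unique per source; the Wazuh alert id is
        "sourceRef": wazuh_alert["id"],
        "title": rule["description"],
        "description": f"Wazuh rule {rule['id']} level {rule['level']}",
        "severity": severity_from_level(int(rule["level"])),
        "tags": tags,
        "observables": observables,
    }

# Constructed sample: an sshd brute-force alert in Wazuh's alert JSON shape
SAMPLE_ALERT = {
    "id": "1700000000.123456",
    "agent": {"name": "soc-worker-1"},
    "rule": {"id": "5712", "level": 10,
             "description": "sshd: brute force trying to get access to the system.",
             "mitre": {"id": ["T1110"], "tactic": ["Credential Access"]}},
    "data": {"srcip": "203.0.113.45"},
}

if __name__ == "__main__":
    print(json.dumps(build_thehive_alert(SAMPLE_ALERT), indent=2))
```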
Component Details

SOC Stack — All Services

TheHive
Role: Security Case Management
Case create: Auto from Splunk alerts
Observables: IP · Hash · Domain · URL
Integration: Cortex analyzers + MISP
Auth: Authentik OIDC SSO

Cortex
Role: Observable Analysis Engine
Analyzers: 100+ (VT, Shodan, AbuseIPDB)
Runner: JOB_RUNNER=kubernetes
Responders: Block · Quarantine · Notify
DOCKER_HOST: Empty (K8s native)

MISP
Role: Threat Sharing Platform
Format: STIX2 · TAXII · OpenIOC
IoC Feed: Auto-sync from Wazuh/Suricata
Integration: OpenCTI bi-directional
Events: Galaxies · Clusters · Tags

🧠 OpenCTI
Role: CTI Knowledge Graph
Standard: STIX2 · ATT&CK · Kill Chain
Backend: Elasticsearch · RabbitMQ · Redis · MinIO (SEC cluster)
Feed: MISP sync + TAXII pull
Entities: Actors · TTPs · Campaigns
Connectors: AlienVault · CVE · MISP · Shodan · URLHaus · VirusTotal
Workers: 5/5 Running · SEC cluster

⚔️ Caldera
Framework: MITRE Caldera
Agents: k8s-sandcat · caldera-agent NS
Image: Custom + internal CA baked in
Ops: ATT&CK-based operations
Host: External VM · internet-facing

🛡️ Wazuh
Role: SIEM + Compliance + FIM
Agents: 9/9 DaemonSet (6 SOC · 3 SEC) + all VMs · ✔ Running
FIM: /etc · /bin · /usr/bin watched
Benchmark: CIS Level 1/2 auto-score
ATT&CK: Alert TTP tagging
Detection Coverage

MITRE ATT&CK Mapping

Each SOC component contributes coverage across ATT&CK tactics. Caldera simulates adversary ops to validate detection effectiveness.

Reconnaissance: Suricata · Cilium · Wazuh
Initial Access: Suricata IPS · Cloudflare WAF
Execution: KubeArmor · Wazuh auditd
Persistence: Kyverno · Wazuh FIM
Privilege Escalation: Wazuh auditd · KubeArmor
Defense Evasion: Wazuh · Kyverno PSA
Credential Access: Vault · Wazuh · Suricata
Discovery: Cilium L7 · Suricata
Lateral Movement: Cilium NetworkPolicy · Hubble
Collection: Wazuh FIM · KubeArmor
Exfiltration: Cilium DNS · Suricata · Hubble
Impact: MinIO Object Lock · Longhorn