SOC internals/core

March 13, 2026

This page deals with SOC internals: generic architecture, logs to alerts workflow, detection handling workflow, and underlying tools.

Generic SOC architecture example

Here is an example of an architecture, open source based, with:

  • SIEM: Wazuh;
  • TIP: MISP;
    • plus VirusTotal, etc., queried via automated API requests from the SOA.
  • SIRP: IRIS;
  • SOA: Shuffle

As per the project's GitHub README page:

  • Wazuh: Real-time monitoring and alerting for security events.
  • DFIR-IRIS: Streamlined incident response and forensics capabilities.
  • Shuffle: Automated workflow management to streamline security processes.
  • MISP: Open source threat intelligence platform.

Logs to alerts global workflow

Quoted from this article:


Following the arrows, we go from the log data sources to the data management layer, then to the data enrichment layer (where detection happens), to end up in behavior analytics or at the user interaction layer (alerts, threat hunting...). All of that is enabled and supported by automation.

SOC detection handling workflow

Based on CYRAIL's paper drawing, which I've slightly modified, here is an example of a detection handling workflow with the underlying tools architecture (SIEM, SIRP, TIP interconnections):

  • Sensor log sources are likely to be: audit logs and security sensors (antimalware, FW, NIDS, proxies, EDR, NDR, CASB, identity threat detection, honeypot...).
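To make the logs-to-alerts layers and the SIEM/TIP/SIRP interconnections above concrete, here is a toy pipeline written as an added example for this page. It is not code from Wazuh, MISP, IRIS or Shuffle: the log lines, the indicator list standing in for a TIP lookup, the rule names and the alert format are all constructed for illustration. Each function maps to one layer of the workflow: normalize (data management), enrich (data enrichment via TIP context), detect (the detection rules that raise alerts for the SIRP).

```python
"""Toy logs-to-alerts pipeline mirroring the workflow layers on this page.
Added example: constructed sample data, not code from any of the listed projects."""
import re
from dataclasses import dataclass, field
from typing import Optional

# --- Log data sources: constructed syslog-like and proxy-like sample lines ---
SAMPLE_LOGS = [
    "2026-03-13T10:00:01Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "2026-03-13T10:00:02Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "2026-03-13T10:00:03Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "2026-03-13T10:00:04Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "2026-03-13T10:00:05Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "2026-03-13T10:00:09Z proxy1 squid: client=10.0.0.5 dst=198.51.100.23 url=http://198.51.100.23/update.bin",
    "2026-03-13T10:00:10Z host2 sshd[888]: Accepted publickey for alice from 10.0.0.8 port 40000 ssh2",
]

# --- TIP: constructed indicator list standing in for a MISP / VirusTotal lookup ---
TIP_INDICATORS = {
    "198.51.100.23": {"tag": "malware-c2", "confidence": "high"},
}

SSH_FAIL = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)
PROXY = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) squid: client=(?P<src>\S+) dst=(?P<dst>\S+)")


@dataclass
class Event:
    """Normalized event: the output of the data management layer."""
    ts: str
    host: str
    kind: str
    src: str
    dst: str = ""
    user: str = ""
    enrichment: dict = field(default_factory=dict)


def normalize(line: str) -> Optional[Event]:
    """Data management layer: parse raw lines into a common schema."""
    m = SSH_FAIL.match(line)
    if m:
        return Event(m["ts"], m["host"], "ssh_auth_failure", m["src"], user=m["user"])
    m = PROXY.match(line)
    if m:
        return Event(m["ts"], m["host"], "proxy_request", m["src"], dst=m["dst"])
    return None  # unparsed lines are dropped here; a real SIEM keeps them as raw events


def enrich(event: Event, tip: dict) -> Event:
    """Data enrichment layer: attach TIP context to any IP the event touches."""
    for ip in (event.src, event.dst):
        if ip in tip:
            event.enrichment["tip"] = {"ioc": ip, **tip[ip]}
    return event


def detect(events: list, threshold: int = 5) -> list:
    """Detection: a threshold rule plus an IoC-match rule; each hit is an alert for the SIRP."""
    alerts = []
    failures = {}  # (host, src) -> count of auth failures seen so far
    for e in events:
        if e.kind == "ssh_auth_failure":
            key = (e.host, e.src)
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == threshold:  # fire once, when the threshold is reached
                alerts.append({"rule": "ssh_bruteforce", "host": e.host, "src": e.src, "count": threshold})
        if "tip" in e.enrichment:
            alerts.append({"rule": "ioc_match", "host": e.host, "src": e.src, "ioc": e.enrichment["tip"]})
    return alerts


def run_pipeline(lines: list, tip: dict = TIP_INDICATORS) -> list:
    """Full flow: sources -> normalize -> enrich -> detect -> alerts."""
    events = [ev for line in lines if (ev := normalize(line)) is not None]
    events = [enrich(e, tip) for e in events]
    return detect(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

Run as a script, it yields two alerts: a threshold hit on the repeated SSH failures and an IoC match on the proxy destination; the successful key login produces nothing. The split into three small functions is the point: normalization and enrichment can be tested independently of the rules, and the TIP dictionary is the seam where an SOA workflow would plug in a real MISP or VirusTotal query.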
