Research SOC testbed for alert correlation and noise reduction. Zeek + Wazuh + Elastic. Includes generated attack telemetry, detections, metrics, and reproducible experiments

Lanex69/Security-Telemetry-Engine
SOC Research Testbed

Operational Impact of Cross-Layer Telemetry Correlation on Intrusion Detection in Modern SOC Architectures

This research conducts a controlled systems-level evaluation of SIEM-level cross-layer telemetry correlation within a reproducible SOC testbed. The study isolates correlation logic as the independent architectural variable while holding detection tooling constant (Zeek for network telemetry and the Wazuh stack with Sysmon for host telemetry).

Rather than proposing new detection algorithms, the research quantitatively measures how correlating host and network telemetry impacts alert consolidation, detection accuracy (TPR/FPR), and detection latency compared to host-only and network-only monitoring configurations.

Structured, repeatable multi-stage attack scenarios are executed in an isolated environment with formally recorded ground truth timestamps. The study further evaluates sensitivity to correlation time windows (Δt) and controlled operational stress conditions to characterize architectural trade-offs in detection performance.


Research Objectives

The study aims to:

  • Compare detection performance across three configurations:

    • Host-only detection

    • Network-only detection

    • Cross-layer correlated detection

  • Quantify alert noise reduction using a formal Alert Consolidation Ratio (CR)

  • Measure detection latency under each configuration

  • Evaluate sensitivity to the correlation time window (Δt)

  • Assess robustness under controlled operational stress (partial log loss)

  • Demonstrate a reproducible experimental methodology for SOC architectural evaluation


Current Lab Architecture

| Component | Role | Status |
|---|---|---|
| Parrot OS | Attacker VM (offensive testing) | Completed |
| Windows 11 | Victim VM with Sysmon + Wazuh Agent | Completed |
| Wazuh Manager | Docker stack deployed, host and network agents linked | Completed |
| Zeek | Network telemetry and log enrichment | Completed |

[Screenshot: Active Agent in Wazuh Dashboard]

[Screenshot: Zeek Sensor Working (Zeek logs)]

[Figure: Architecture Diagram]

Network topology

  • Internal network (10.0.0.0/24) for telemetry collection
  • NAT interface for pulling Docker updates and accessing the Wazuh Dashboard from the host.

Status Update (Nov 2025)

| Component | Status |
|---|---|
| Attacker VM | Completed |
| Windows 11 Victim | Completed (Sysmon + Wazuh Agent) |
| SIEM (Wazuh Stack via Docker) | Completed |
| Agent Enrollment | Successful (1 active agent) |
| Zeek Sensor | Completed (network telemetry connected to Wazuh) |

Research Focus Areas

The goal of this project is to design and evaluate a reproducible, systems-level SOC testbed that enables controlled measurement of SIEM-level cross-layer telemetry correlation.

Specifically, the testbed is used to:

  • Compare host-only, network-only, and cross-layer correlated detection configurations

  • Quantify alert consolidation using a formal Alert Consolidation Ratio (CR)

  • Measure detection performance (TPR/FPR) and detection latency under each configuration

  • Analyze sensitivity to correlation time windows (Δt)

  • Evaluate correlation robustness under controlled operational stress conditions

The project focuses on empirically characterizing architectural trade-offs in SOC detection performance rather than developing new detection algorithms.

This testbed is designed primarily for controlled academic experiments rather than production SOC deployment.
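The Research Objectives and Research Focus Areas above both come down to one mechanism: group alerts from the host layer (Wazuh/Sysmon) and the network layer (Zeek) that concern the same victim host within a correlation window Δt, and count how many raw alerts collapse into how many incidents. The following is an added illustration of that mechanism, not code from the Security-Telemetry-Engine repository. The sample alerts are constructed, and the grouping rule and the CR formula (raw alerts divided by consolidated incidents) are assumptions, since the README does not define them. The same routine, restricted to one layer, yields the host-only and network-only configurations, so the three can be compared on identical input, and sweeping Δt gives the sensitivity analysis.

```python
"""Time-window alert correlation and Alert Consolidation Ratio (CR).

Added illustration, not code from the Security-Telemetry-Engine repository.
The sample alerts are constructed; the grouping rule and the CR formula
(raw alerts / consolidated incidents) are assumptions, as the README does
not define them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime   # alert timestamp as seen by the SIEM
    source: str    # "host" (Wazuh/Sysmon) or "network" (Zeek)
    entity: str    # victim host address, the join key shared by both layers
    rule: str      # rule or notice name


T0 = datetime(2025, 11, 1, 12, 0, 0)  # constructed reference time

# Constructed sample: a scan/brute-force burst and a PowerShell stage on
# 10.0.0.20, plus an unrelated host alert on 10.0.0.30.
SAMPLE_ALERTS: List[Alert] = [
    Alert(T0 + timedelta(seconds=0),   "network", "10.0.0.20", "Zeek: Scan::Port_Scan"),
    Alert(T0 + timedelta(seconds=5),   "network", "10.0.0.20", "Zeek: SSH::Password_Guessing"),
    Alert(T0 + timedelta(seconds=7),   "host",    "10.0.0.20", "Wazuh: multiple failed logons"),
    Alert(T0 + timedelta(seconds=9),   "host",    "10.0.0.20", "Wazuh: multiple failed logons"),
    Alert(T0 + timedelta(seconds=40),  "host",    "10.0.0.20", "Sysmon: powershell.exe encoded command"),
    Alert(T0 + timedelta(seconds=43),  "network", "10.0.0.20", "Zeek: HTTP to rare external host"),
    Alert(T0 + timedelta(seconds=600), "host",    "10.0.0.30", "Wazuh: scheduled task created"),
]

ALL_LAYERS = ("host", "network")


def correlate(alerts: List[Alert], delta_t_s: float,
              layers: Tuple[str, ...] = ALL_LAYERS) -> List[List[Alert]]:
    """Group alerts on the same entity into one incident while each new alert
    arrives within delta_t_s seconds of the incident's latest alert.
    Restricting `layers` turns the same routine into host-only or
    network-only correlation, so the three configurations are comparable."""
    selected = sorted((a for a in alerts if a.source in layers), key=lambda a: a.ts)
    incidents: List[List[Alert]] = []
    open_incident: Dict[str, int] = {}   # entity -> index of its latest incident
    for alert in selected:
        idx = open_incident.get(alert.entity)
        if idx is not None and (alert.ts - incidents[idx][-1].ts).total_seconds() <= delta_t_s:
            incidents[idx].append(alert)
        else:
            incidents.append([alert])
            open_incident[alert.entity] = len(incidents) - 1
    return incidents


def consolidation_ratio(raw: int, consolidated: int) -> float:
    """Assumed CR: raw alerts per consolidated incident (1.0 = no reduction)."""
    return raw / consolidated if consolidated else 0.0


def compare_configurations(alerts: List[Alert], delta_t_s: float) -> Dict[str, Tuple[int, int, float]]:
    """(raw alerts, incidents, CR) for host-only, network-only and cross-layer."""
    configs = {"host-only": ("host",), "network-only": ("network",), "cross-layer": ALL_LAYERS}
    out = {}
    for name, layers in configs.items():
        incidents = correlate(alerts, delta_t_s, layers)
        raw = sum(len(i) for i in incidents)
        out[name] = (raw, len(incidents), consolidation_ratio(raw, len(incidents)))
    return out


def sweep_delta_t(alerts: List[Alert], windows_s: List[float]) -> Dict[float, Tuple[int, int, float]]:
    """Δt sensitivity: (raw, incidents, CR) of cross-layer correlation per window."""
    return {w: compare_configurations(alerts, w)["cross-layer"] for w in windows_s}


if __name__ == "__main__":
    for name, (raw, n, cr) in compare_configurations(SAMPLE_ALERTS, 10).items():
        print(f"{name:13s} raw={raw} incidents={n} CR={cr:.2f}")
    for w, (raw, n, cr) in sweep_delta_t(SAMPLE_ALERTS, [0, 10, 60, 600]).items():
        print(f"Δt={w:>4}s raw={raw} incidents={n} CR={cr:.2f}")
```

On the constructed sample with Δt = 10 s, cross-layer correlation folds seven raw alerts into three incidents (CR ≈ 2.33), while the host-only and network-only views each see fewer raw alerts but also fewer of the stages; with Δt = 0 nothing is merged, and with Δt = 60 s the PowerShell stage is absorbed into the brute-force incident, which is exactly the kind of window-dependent merging the Δt sensitivity experiments are meant to expose.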


Attack Scenarios

Experiments include structured and repeatable intrusion scenarios:

  • Reconnaissance and authentication brute-force activity

  • Multi-stage attack chain involving privilege escalation and lateral movement

  • Living-off-the-land (LOTL) activity using native system tools (e.g., PowerShell abuse, scheduled tasks)

Each scenario is executed multiple times under identical conditions to enable comparative measurement.

Ground truth timestamps are recorded at the attacker system to formally validate detection timing and classification.

Detailed steps, logs, and detection artifacts are documented under the attacks/ directory.
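Recording ground truth on the attacker side is what makes detection latency and TPR/FPR measurable: each attack stage has a start time and a target, and each alert either follows one of those stages on the same host or it does not. The block below is an added illustration of that scoring, not code from the Security-Telemetry-Engine repository. The ground-truth records and alerts are constructed; the 60 s matching window and the false-positive definition (alerts attributable to no recorded stage) are assumptions, since the README does not specify them. It also includes the partial log loss stress condition from the objectives, applied deterministically to the host layer.

```python
"""Detection latency and TPR/FPR scored against attacker-side ground truth,
with a partial-log-loss stress run.

Added illustration, not code from the Security-Telemetry-Engine repository.
Ground-truth records and alerts are constructed; the 60 s matching window
and the FP definition (alerts attributable to no recorded stage) are
assumptions, as the README does not specify them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GroundTruth:
    stage: str      # attack stage, as logged on the attacker system
    ts: datetime    # time the stage was launched
    entity: str     # victim host targeted


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str     # "host" (Wazuh/Sysmon) or "network" (Zeek)
    entity: str
    rule: str


T0 = datetime(2025, 11, 1, 12, 0, 0)  # constructed reference time

GROUND_TRUTH = [
    GroundTruth("recon_scan",      T0,                          "10.0.0.20"),
    GroundTruth("ssh_bruteforce",  T0 + timedelta(seconds=30),  "10.0.0.20"),
    GroundTruth("powershell_lotl", T0 + timedelta(seconds=120), "10.0.0.20"),
    GroundTruth("lateral_move",    T0 + timedelta(seconds=300), "10.0.0.30"),
]

ALERTS = [
    Alert(T0 + timedelta(seconds=4),   "network", "10.0.0.20", "Zeek: Scan::Port_Scan"),
    Alert(T0 + timedelta(seconds=38),  "network", "10.0.0.20", "Zeek: SSH::Password_Guessing"),
    Alert(T0 + timedelta(seconds=41),  "host",    "10.0.0.20", "Wazuh: multiple failed logons"),
    Alert(T0 + timedelta(seconds=127), "host",    "10.0.0.20", "Sysmon: powershell.exe encoded command"),
    # routine admin activity on an uninvolved host: no ground-truth stage, so a false positive
    Alert(T0 + timedelta(seconds=900), "host",    "10.0.0.40", "Wazuh: scheduled task created"),
]

ALL_LAYERS = ("host", "network")


def score(ground_truth: List[GroundTruth], alerts: List[Alert],
          layers: Tuple[str, ...] = ALL_LAYERS, match_window_s: float = 60.0) -> Dict:
    """Attribute alerts to the ground-truth stage they follow on the same entity
    within match_window_s. Latency is first matching alert minus stage start;
    TPR is detected stages / stages; FP are alerts attributable to no stage."""
    visible = [a for a in alerts if a.source in layers]
    attributed = set()
    latency: Dict[str, Optional[float]] = {}
    for gt in ground_truth:
        matches = [a for a in visible
                   if a.entity == gt.entity
                   and 0.0 <= (a.ts - gt.ts).total_seconds() <= match_window_s]
        if matches:
            first = min(matches, key=lambda a: a.ts)
            latency[gt.stage] = (first.ts - gt.ts).total_seconds()
            attributed.update(matches)
        else:
            latency[gt.stage] = None   # missed stage (false negative)
    detected = sum(1 for v in latency.values() if v is not None)
    false_positives = sum(1 for a in visible if a not in attributed)
    return {
        "latency_s": latency,
        "tpr": detected / len(ground_truth) if ground_truth else 0.0,
        "false_positives": false_positives,
        "fp_fraction": false_positives / len(visible) if visible else 0.0,
    }


def drop_host_alerts(alerts: List[Alert], drop_every: int = 2) -> List[Alert]:
    """Deterministic partial host-log loss: drop every drop_every-th host alert,
    keep every network alert. Used to probe robustness of the cross-layer view."""
    kept, seen = [], 0
    for a in alerts:
        if a.source == "host":
            seen += 1
            if seen % drop_every == 0:
                continue
        kept.append(a)
    return kept


if __name__ == "__main__":
    for name, layers in {"host-only": ("host",), "network-only": ("network",),
                         "cross-layer": ALL_LAYERS}.items():
        print(name, score(GROUND_TRUTH, ALERTS, layers))
    print("cross-layer, host logs partially lost:",
          score(GROUND_TRUTH, drop_host_alerts(ALERTS)))
```

On this constructed input the network-only view detects the scan within 4 s but never sees the PowerShell stage, the host-only view sees the PowerShell stage but only notices the scan 41 s in (via the failed logons), and the cross-layer view gets the earliest latency for every stage the layers cover; the lateral movement stage on 10.0.0.30 is missed by all three, which is the false negative the ground truth makes visible. Dropping half of the host alerts removes the PowerShell detection and lowers TPR from 0.75 to 0.5.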


Preliminary Results (Work in Progress)

| Metric | Before Correlation | After Correlation | Observation |
|---|---|---|---|
| Average Alerts | - | - | - |
| False Positives | - | - | - |
| Detection Latency | - | - | - |

This section will be filled in once experiments begin; quantitative data will be added after each experiment.


Related Work

Web-Pentest Toolkit (Attack Generator)
https://github.com/Lanex69/vulnerability-scanner


Documentation and Reports


Research Insights

Preliminary findings indicate that correlating host and network telemetry reduces redundant alerts and improves SOC triage efficiency.
Future work includes integrating a lightweight ML-based alert scoring module and exploring automated severity assignment.


License

This project is licensed under the MIT License. See the LICENSE file for details.
