01. ELK Stack Security Lab — Cloud Deployment
Deployed a full production-grade ELK Stack on cloud infrastructure from scratch. This lab mirrors the architecture used in real enterprise SOC environments and serves as the primary research platform for threat detection and incident investigation.
Stack components deployed
Elasticsearch: central data store for all security events and telemetry. Configured index lifecycle management and field mappings for security data.
Logstash: log ingestion and transformation pipeline, configured to parse and normalise Windows event logs before indexing into Elasticsearch.
Kibana: security dashboards, alert management and investigation interface, used for real-time threat visualisation and event analysis.
Elastic Agent / Fleet: deployed Elastic Agent on a Windows VM and enrolled it into Fleet for centralised policy management and telemetry collection.
02. Elastic Defend — Endpoint Detection & Response
Configured Elastic Defend as the EDR layer on the Windows VM. Created and tuned custom security policies covering login monitoring and file integrity — then analysed alert behaviour and investigated detections in Kibana.
Built a detection rule that alerts on both successful and failed Windows logon events (Event ID 4624, successful logon; 4625, failed logon). Analysed alert firing patterns, source-IP correlation and timing to distinguish brute-force attempts from legitimate access. Tested by simulating failed-login sequences against the VM and verifying that the alerts appeared in Kibana Security.
Configured Elastic Defend's built-in file integrity monitoring to watch critical Windows directories. Tested by creating, modifying and deleting files and verifying detection accuracy in the Kibana alerts feed. Cross-referenced the findings with a custom Python FIM tool to compare the two detection approaches.
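The hash-based approach the custom Python tool takes, as an added example; this is not the page's own tool or Elastic's code. Directory layout, file names and the "change" scenario are constructed for the demo. `snapshot()` records a SHA-256 digest per regular file, and `diff()` classifies paths as created, modified or deleted, the same three event classes tested against Elastic Defend.

```python
"""Hash-based file integrity monitor: added example, not the page's own Python FIM tool.

snapshot() records a SHA-256 digest for every regular file under a root,
diff() compares two snapshots and reports created / modified / deleted paths.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map POSIX-style relative path -> digest for every regular file under root.

    Symlinks are skipped rather than followed: otherwise a monitored directory
    can be made to 'contain' arbitrary files that live outside it.
    """
    state: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            state[path.relative_to(root).as_posix()] = sha256_file(path)
    return state


def diff(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as created, modified or deleted relative to the baseline."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir: baseline, then one create, one modify, one delete."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "config.ini").write_text("[svc]\nenabled=1\n")
        (root / "old.log").write_text("stale\n")
        baseline = snapshot(root)

        (root / "drivers" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 update.example\n")  # modified
        (root / "dropper.exe").write_bytes(b"MZ\x90\x00")       # created (constructed bytes, not a real binary)
        (root / "old.log").unlink()                              # deleted
        (root / "config.ini").write_text("[svc]\nenabled=1\n")  # rewritten with identical content: not reported
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Because the comparison is on content hashes, a file rewritten with identical bytes is not reported, while a tool keyed on mtime would flag it; conversely, hashes are blind to permission, owner and ACL changes and cannot say which process made a change. The EDR's file events carry that process context, which is the point of comparing the two approaches.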
Practiced end-to-end SOC analyst workflow in Kibana Security: alert triage → event timeline analysis → process tree investigation → documentation. Built familiarity with Elastic's detection rule structure for future rule creation and tuning work.
Detections researched and tested
| Detection | Source | Event IDs | Severity | Status |
|---|---|---|---|---|
| Failed login brute-force | Windows Security Log | 4625 | High | ✅ Tested |
| Successful login | Windows Security Log | 4624 | Info | ✅ Tested |
| File modification in system dirs | Elastic Defend FIM | — | Medium | ✅ Tested |
| New file created in monitored path | Elastic Defend FIM | — | Medium | ✅ Tested |
| Lateral movement indicators | Process + Network events | 4648, 4672 | High | 🔬 Research |
| Privilege escalation patterns | Windows Security Log | 4672, 4673 | High | 🔬 Research |
| Process injection detection | Elastic Defend EDR | — | High | 🔬 Research |
03. Wazuh SIEM Lab
Environment: Wazuh SIEM, Kali Linux (attacker), Windows Server (target), Python security automation, PostgreSQL event storage
Attack scenarios simulated: brute-force login attempts, network port scanning, file integrity violations, suspicious authentication activity
Detection methods: SIEM correlation rules, log-based alerting, rule-based brute-force detection via a SQL correlation pipeline
Deliverables: structured SOC-style incident reports with containment and mitigation recommendations for each simulated scenario
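The correlation logic behind both the 4624/4625 brute-force analysis in section 02 and the SQL correlation pipeline of the Wazuh lab, as an added example that is not the page's own code. An in-memory SQLite table stands in for the PostgreSQL event store; the table schema, the five-failure threshold, the ten-minute window and the sample events are all assumptions made for the demo. The first query finds a burst of failures from one source inside a sliding window; the second finds a success that follows such a burst, the case an analyst actually wants paged on.

```python
"""SQL correlation rules for brute-force logons: added example, not the page's own pipeline.

Windows 4625 (failed logon) / 4624 (successful logon) events are loaded into an
in-memory SQLite table standing in for the lab's PostgreSQL event store, then
two correlation queries run over them.
"""
import sqlite3

FAIL_THRESHOLD = 5   # failures from one source inside the window (assumed value)
WINDOW_MINUTES = 10  # sliding window length (assumed value)

# Constructed sample events, not real telemetry. Field order: (ts, event_id, src_ip, username).
SAMPLE_EVENTS = (
    # 10.0.0.99: eight failures five seconds apart, then a success -> brute force that worked
    [(f"2024-05-01 09:00:{5 * i:02d}", 4625, "10.0.0.99", "administrator") for i in range(8)]
    + [("2024-05-01 09:00:40", 4624, "10.0.0.99", "administrator")]
    # 192.168.1.20: two typos, then a success -> below threshold, legitimate
    + [("2024-05-01 08:30:00", 4625, "192.168.1.20", "jsmith"),
       ("2024-05-01 08:30:20", 4625, "192.168.1.20", "jsmith"),
       ("2024-05-01 08:30:45", 4624, "192.168.1.20", "jsmith")]
    # 203.0.113.7: six failures spread over 3.5 hours -> low-and-slow, invisible to a 10-minute window
    + [(f"2024-05-01 {h:02d}:{m:02d}:00", 4625, "203.0.113.7", "backup")
       for h, m in [(7, 0), (7, 40), (8, 20), (9, 10), (9, 50), (10, 30)]]
)

# For each failure, count failures from the same source in the window that starts at it,
# then collapse the overlapping windows to one row per source.
BRUTE_FORCE_SQL = """
WITH bursts AS (
    SELECT a.src_ip, a.ts AS window_start, COUNT(*) AS failures
    FROM auth_events AS a
    JOIN auth_events AS b
      ON b.src_ip = a.src_ip
     AND b.event_id = 4625
     AND b.ts >= a.ts
     AND b.ts < datetime(a.ts, :window)
    WHERE a.event_id = 4625
    GROUP BY a.src_ip, a.ts
    HAVING COUNT(*) >= :threshold
)
SELECT src_ip, MIN(window_start) AS first_seen, MAX(failures) AS peak_failures
FROM bursts
GROUP BY src_ip
ORDER BY peak_failures DESC
"""

# A 4624 preceded, within the window, by at least :threshold 4625s from the same source.
SUCCESS_AFTER_BURST_SQL = """
SELECT src_ip, username, success_ts, prior_failures
FROM (
    SELECT s.src_ip, s.username, s.ts AS success_ts,
           (SELECT COUNT(*) FROM auth_events AS f
             WHERE f.src_ip = s.src_ip
               AND f.event_id = 4625
               AND f.ts < s.ts
               AND f.ts >= datetime(s.ts, :lookback)) AS prior_failures
    FROM auth_events AS s
    WHERE s.event_id = 4624
)
WHERE prior_failures >= :threshold
ORDER BY success_ts
"""


def load(events) -> sqlite3.Connection:
    """Create the event table (timestamps as sortable 'YYYY-MM-DD HH:MM:SS' text) and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_events (ts TEXT NOT NULL, event_id INTEGER NOT NULL, "
        "src_ip TEXT NOT NULL, username TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?)", events)
    conn.execute("CREATE INDEX ix_auth ON auth_events (src_ip, event_id, ts)")
    return conn


def brute_force_sources(conn: sqlite3.Connection) -> list[tuple]:
    """Rows of (src_ip, first_seen, peak_failures) for sources that exceeded the threshold."""
    params = {"window": f"+{WINDOW_MINUTES} minutes", "threshold": FAIL_THRESHOLD}
    return conn.execute(BRUTE_FORCE_SQL, params).fetchall()


def successes_after_burst(conn: sqlite3.Connection) -> list[tuple]:
    """Rows of (src_ip, username, success_ts, prior_failures) for logons that followed a burst."""
    params = {"lookback": f"-{WINDOW_MINUTES} minutes", "threshold": FAIL_THRESHOLD}
    return conn.execute(SUCCESS_AFTER_BURST_SQL, params).fetchall()


if __name__ == "__main__":
    db = load(SAMPLE_EVENTS)
    print("brute-force sources:", brute_force_sources(db))
    print("success after burst:", successes_after_burst(db))
```

The third sample source shows the blind spot of any fixed-window rule: six failures spread over hours never exceed the threshold, so a low-and-slow attacker only appears in a longer-horizon count per source or per target account. The self-join is quadratic per source, so on a real store it needs the `(src_ip, event_id, ts)` index and a bounded time range in the outer `WHERE`.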
04. Azure Cloud — RDP Brute-Force Investigation
Deployed a Windows VM on Microsoft Azure and deliberately exposed RDP to the internet to capture real-world brute-force attacks. Analysed attack logs over 24–48 hours: identified attacker IP geolocation patterns, authentication failure clustering, and timing-based attack patterns. Findings documented in a formal SOC-style incident investigation report.
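The per-source profiling behind the failure clustering and timing analysis described above, as an added example that is not the page's report or its scripts. Input is `(timestamp, source_ip, target_username)` tuples extracted from 4625 events; the sample rows, the ten-attempt minimum and the 0.2 cadence-regularity cutoff are constructed assumptions. Geolocation is left out because it needs an external database; the timing and username-breadth features shown here are what separates tooling from a human mistyping a password.

```python
"""Profile failed-logon sources for brute-force cadence: added example, not the page's report.

Per source IP: attempt volume, username breadth and inter-attempt timing. A steady
cadence (low coefficient of variation of the gaps) across many attempts is the
signature of automated tooling rather than a person at a keyboard.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample, not real capture data. Field order: (ts, src_ip, username).
SAMPLE_FAILURES = (
    # 198.51.100.23: 12 attempts exactly one second apart, cycling three usernames
    [(f"2024-05-01 02:14:{s:02d}", "198.51.100.23", u)
     for s, u in zip(range(12), ["administrator", "admin", "user"] * 4)]
    # 203.0.113.9: four irregular attempts against one account
    + [("2024-05-01 03:10:00", "203.0.113.9", "jsmith"),
       ("2024-05-01 03:10:37", "203.0.113.9", "jsmith"),
       ("2024-05-01 03:11:35", "203.0.113.9", "jsmith"),
       ("2024-05-01 03:14:10", "203.0.113.9", "jsmith")]
    # an event whose source address field is empty ("-"); dropped before profiling
    + [("2024-05-01 03:20:00", "-", "guest")]
)


def profile(failures, min_attempts: int = 10, max_gap_cv: float = 0.2) -> dict:
    """Per-source summary of failed logons; 'automated' flags regular, high-volume cadence."""
    by_ip = defaultdict(list)
    for ts, ip, user in failures:
        if ip == "-":  # no usable source address: nothing to cluster on
            continue
        by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))

    report = {}
    for ip, rows in by_ip.items():
        rows.sort()
        times = [t for t, _ in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        users = Counter(u for _, u in rows)
        # coefficient of variation of the inter-attempt gaps: ~0 means a fixed timer
        gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        report[ip] = {
            "attempts": len(rows),
            "distinct_users": len(users),
            "top_users": users.most_common(3),
            "first_seen": times[0].isoformat(sep=" "),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "median_gap_s": median(gaps) if gaps else None,
            "gap_cv": gap_cv,
            "automated": len(rows) >= min_attempts and gap_cv is not None and gap_cv <= max_gap_cv,
        }
    return report


if __name__ == "__main__":
    for ip, summary in sorted(profile(SAMPLE_FAILURES).items(), key=lambda kv: -kv[1]["attempts"]):
        print(ip, summary)
```

Pair the per-source view with a per-username view before writing the report: a source that hits many accounts once each (password spraying) has a high `distinct_users` count but may stay under any per-account lockout threshold, so it only shows up when events are grouped by source.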
05. Ongoing Research Areas
Currently researching detection engineering for advanced attack techniques: lateral movement via Pass-the-Hash, privilege escalation, and process injection. Building and testing custom Elastic detection rules using KQL and EQL query languages.
Mapping lab-simulated attack scenarios to MITRE ATT&CK technique IDs to build structured threat intelligence and improve detection rule coverage across the kill chain.