Meeps-Underflow/ARM_SOC_Home_Lab
ARM_SOC_Home_Lab

This project is a full-featured, ARM-native Security Operations Center (SOC) lab using Parallels virtualization. It includes a dedicated SOC server, alongside attacker, analyst, and victim VMs — all designed for cybersecurity research, monitoring, and incident response simulation.

Project Goals

  • Build a fully functional SOC that runs natively on ARM without emulation or x86 dependencies
  • Learn and experiment with network intrusion detection (NIDS), host-based intrusion detection (HIDS), behavioral monitoring, log correlation, and incident response
  • Enable repeatable and scalable offensive/defensive cybersecurity testing using a multi-VM lab

Lab Architecture

  • SOC Server

    • Ubuntu Server 22.04 ARM
    • Runs Suricata, Zeek, syslog-ng, dashboards, TheHive, Cortex, OSSEC
  • Analyst VM

    • Ubuntu Desktop 25.04 ARM
    • Accesses dashboards, performs threat hunting, case triage
  • Victim VMs

    • Windows 11 ARM
    • Simulates user endpoint; monitored for malicious activity
  • Attacker VM

    • Kali Linux ARM64
    • Launches exploits and attack traffic toward victim

Core Stack

  • Suricata

    • NIDS, packet-level detection
    • Signature-based alerts
  • Zeek

    • Network behavior monitoring
    • Deep protocol logging (HTTP, DNS, SSL, etc.)
  • syslog-ng

    • Log collection/forwarding
    • Bridges Suricata/Zeek to storage
  • Grafana + Loki

    • Dashboards + log search
    • Lightweight, scalable alternative to OpenSearch
  • TheHive

    • Alert/case management
    • Incident response workflows
  • Cortex

    • Threat enrichment engine
    • Used for VirusTotal (VT) lookups, AbuseIPDB, etc.
  • OSSEC

    • Host-based intrusion detection
    • Monitors file integrity, logins, config changes
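The stack above puts two network sensors side by side: Suricata raises signature alerts, Zeek records every connection, and syslog-ng moves both JSON streams to storage. The step an analyst needs before opening a TheHive case is the join between them. The script below is an added example written for this page, not code from the ARM_SOC_Home_Lab project: it reads Suricata EVE alert lines and Zeek conn.log JSON lines, matches each alert to the Zeek connection with the same 5-tuple (either direction) whose lifetime covers the alert time, and attaches Zeek's service, connection state and byte counts to the alert. The field names follow Suricata's EVE JSON and Zeek's JSON conn.log output; the log lines, the hostnames, the local-range signature IDs (1000001, 1000002) and the 5-second clock-skew tolerance are all constructed for the example.

```python
"""Join Suricata EVE alerts to Zeek conn.log records by 5-tuple and time.

Added example for the ARM_SOC_Home_Lab README; not project code.
All log lines below are constructed sample data, not real lab output.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Suricata EVE lines: two alerts (local SID range) and one DNS
# event that the alert loader must skip.
SURICATA_EVE = """\
{"timestamp":"2025-06-01T10:15:02.250000+0000","flow_id":1,"event_type":"alert","src_ip":"10.211.55.20","src_port":44321,"dest_ip":"10.211.55.30","dest_port":445,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LAB SMB enumeration from attacker VM","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-06-01T10:15:05.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.211.55.30","src_port":51000,"dest_ip":"10.211.55.1","dest_port":53,"proto":"UDP","dns":{"rrname":"victim.lab.test"}}
{"timestamp":"2025-06-01T10:16:40.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.211.55.20","src_port":50012,"dest_ip":"10.211.55.30","dest_port":3389,"proto":"TCP","alert":{"signature_id":1000002,"signature":"LAB RDP connection attempt","category":"Potential Corporate Privacy Violation","severity":3}}
"""

# Constructed Zeek conn.log (JSON) lines. The first record shares the SMB
# 5-tuple with alert 1 but happened ten minutes earlier, so the time window
# must reject it; the second is the real match; the third is a rejected RDP
# attempt with no service detected.
ZEEK_CONN = """\
{"ts":1748772300.0,"uid":"CLab0old","id.orig_h":"10.211.55.20","id.orig_p":44321,"id.resp_h":"10.211.55.30","id.resp_p":445,"proto":"tcp","service":"smb","duration":2.0,"orig_bytes":300,"resp_bytes":500,"conn_state":"SF","history":"ShADadFf"}
{"ts":1748772901.9,"uid":"CLab1smb","id.orig_h":"10.211.55.20","id.orig_p":44321,"id.resp_h":"10.211.55.30","id.resp_p":445,"proto":"tcp","service":"smb","duration":4.2,"orig_bytes":1200,"resp_bytes":3400,"conn_state":"SF","history":"ShADadFf"}
{"ts":1748772999.5,"uid":"CLab2rdp","id.orig_h":"10.211.55.20","id.orig_p":50012,"id.resp_h":"10.211.55.30","id.resp_p":3389,"proto":"tcp","duration":0.5,"orig_bytes":0,"resp_bytes":0,"conn_state":"REJ","history":"Sr"}
"""

# Assumed allowance for clock skew between the Suricata and Zeek sensors.
TOLERANCE = timedelta(seconds=5)


def parse_suricata_time(ts: str) -> datetime:
    """Suricata writes ISO-8601 with microseconds and a numeric UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_alerts(text: str) -> list[dict]:
    """Parse EVE lines, keeping only event_type == "alert" (dns, flow, ... are skipped)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ev["_ts"] = parse_suricata_time(ev["timestamp"])
        alerts.append(ev)
    return alerts


def load_conns(text: str) -> dict[tuple, list[dict]]:
    """Index Zeek conn records by (orig_h, orig_p, resp_h, resp_p, proto)."""
    index: dict[tuple, list[dict]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        # Zeek's ts is a float epoch; conn lifetime = ts .. ts + duration.
        c["_start"] = datetime.fromtimestamp(c["ts"], tz=timezone.utc)
        c["_end"] = c["_start"] + timedelta(seconds=c.get("duration", 0.0))
        key = (c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"])
        index[key].append(c)
    return index


def correlate(alerts: list[dict], conns: dict[tuple, list[dict]]) -> list[dict]:
    """Attach the covering Zeek connection (if any) to each Suricata alert."""
    out = []
    for a in alerts:
        proto = a["proto"].lower()
        # Suricata may orient the alert either way round, so try both directions.
        fwd = (a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"], proto)
        rev = (a["dest_ip"], a["dest_port"], a["src_ip"], a["src_port"], proto)
        match = None
        for key in (fwd, rev):
            for c in conns.get(key, []):
                if c["_start"] - TOLERANCE <= a["_ts"] <= c["_end"] + TOLERANCE:
                    match = c
                    break
            if match:
                break
        out.append({
            "sid": a["alert"]["signature_id"],
            "signature": a["alert"]["signature"],
            "severity": a["alert"]["severity"],
            "src": f'{a["src_ip"]}:{a["src_port"]}',
            "dst": f'{a["dest_ip"]}:{a["dest_port"]}',
            "zeek_uid": match["uid"] if match else None,
            "service": match.get("service") if match else None,
            "conn_state": match["conn_state"] if match else None,
            "bytes": (match.get("orig_bytes", 0) + match.get("resp_bytes", 0)) if match else None,
        })
    return out


if __name__ == "__main__":
    for rec in correlate(load_alerts(SURICATA_EVE), load_conns(ZEEK_CONN)):
        print(json.dumps(rec))
```

Each output record carries the alert and Zeek's view of the same connection in one line, which is what a TheHive observable or a Loki query label set needs. The Zeek `conn_state` is the useful part for triage: an alert on a connection that Zeek saw as `REJ` (rejected) ranks lower than the same signature on an `SF` (normally completed) session that moved several kilobytes.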
