mateusiclopes/soc-portfolio
SOC / Blue Team Homelab & Portfolio

Professional Statement
Last updated: 2025-09-13

🇧🇷 Portuguese

I am a SOC analyst in training, with a military background and a passion for technology, focused on detection and response to reduce MTTD/MTTR. In my homelab I implemented Sysmon, ship logs to a SIEM (Splunk/Wazuh/Elastic) and develop detections (SPL/KQL/SQL), Python/SQL automations and PCAP/Zeek analyses. I act with ethics, good communication, hard work, respect for hierarchy and discipline to increase visibility, improve triage and support security goals.

🇺🇸 English

I’m an aspiring SOC analyst with a military background and a love for technology, focused on detection & response to improve MTTD/MTTR. In my homelab I deploy Sysmon, ship logs to a SIEM (Splunk/Wazuh/Elastic), and build detections (SPL/KQL/SQL), Python/SQL automations, and PCAP/Zeek analyses. I operate with ethics, clear communication, hard work, respect for hierarchy, and discipline to increase visibility, strengthen triage, and support security goals.

🇪🇸 Spanish

I am a SOC analyst in training with military experience and a passion for technology, focused on detection and response to reduce MTTD/MTTR. In my homelab I implement Sysmon, send logs to a SIEM (Splunk/Wazuh/Elastic) and develop detections (SPL/KQL/SQL), Python/SQL automations and PCAP/Zeek analyses. I act with ethics, clear communication, effort, respect for hierarchy and discipline to increase visibility, improve triage and support security objectives.

Keywords: SIEM · Splunk · Windows Event Logs · Sysmon · KQL/SPL/SQL · MITRE ATT&CK · Incident Triage · Wireshark/Zeek · Python · Sigma · OpenVAS


🗺️ Roadmap & Progress

Objective: first remote, international SOC/Blue Team role.

Deliverables (end of plan):
8 detections (SPL/KQL/SQL + Sigma) · 1 dashboard · 2 reports + 2 playbooks · 3 Python scripts (SOC) · 2 PCAP/Zeek analyses · 1 OpenVAS→Hardening page · README on-prem vs cloud · Cheatsheets (Win/Linux/PS/Bash)

Current progress (snapshot):

  • ✅ Win11 VM baseline (UEFI/TPM) on external SSD; Guest Additions; Windows Update; Power/Sleep = Never
  • ✅ Networking: NAT + Host-Only (192.168.56.x)
  • ✅ Tools: 7-Zip, Editor (Notepad++/VS Code), Wireshark + Npcap
  • PCAP-01 saved (C:\_lab\pcaps\week01_basic-traffic_2025-09-11.pcapng)
  • ✅ Sysinternals + Sysmon installed & validated (Event IDs 1/3)
  • ✅ Snapshots: BASE-W11-clean, BASE-W11-tools-partial, BASE-W11-tools
  • 🔜 Splunk ingest (host:9997) + first queries (4625/4672)
  • 🔜 Repo structure & first docs

🧩 Lab Topology

  • Doc: notes/lab_topologia.md — TODO: add diagram and IPs
  • Win11 (SOC workstation) — NAT + Host-Only
  • (Planned) Kali / Linux box (traffic generation & Zeek)
  • (Planned) SIEM: Splunk (host) or Wazuh/Elastic (VM)

🛡️ Detections

Folder: detections/

  1. 001_4625_failed_logons.md — SPL/KQL/SQL + Sigma — TODO
  2. 002_4672_privileged_logon.md — SPL/KQL/SQL + Sigma — TODO
  3. 003_sysmon1_suspicious_powershell.md — TODO
  4. 004_sysmon3_beacon_like.md — TODO
  5. 005_sysmon22_dns_suspicious.md — TODO
  6. 006_4624_logon_type_10_3.md — TODO
  7. 007_lolbins_execs.md — TODO
  8. 008_scheduled_tasks_abuse.md — TODO

Each file includes: hypothesis, query (SPL/KQL/SQL), Sigma rule (when applicable), FP considerations, response.


📊 Dashboard

Folder: dashboard/

  • auth_overview_v1.md — hosts/users, success vs failures — TODO
  • auth_overview_v2.md — thresholds, executive summary — TODO

📝 Reports

Folder: reports/

  • incident_password_spray.md — TODO
  • incident_malicious_powershell.md — TODO

▶️ Playbooks

Folder: playbooks/

  • pbk_brute_force_4625.md — TODO
  • pbk_malicious_powershell.md — TODO

🐍 Scripts (Python)

Folder: scripts/

  • evtx_failed_logons.py — parse Security.evtx → CSV (User, IP, LogonType, Time) — TODO
  • beacon_heuristic.py — periodicity on Sysmon 3 (dst IP/port) — TODO
  • report_md_generator.py — build Markdown report/playbook from template — TODO
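A worked version of the periodicity idea behind `beacon_heuristic.py`, added here as an example and not the repository's own script: it groups Sysmon Event ID 3 connections by process image, destination IP and port, measures inter-arrival jitter, and flags groups with a regular cadence. It assumes the events were already parsed into dicts with `UtcTime`, `Image`, `DestinationIp` and `DestinationPort`; the sample events, addresses and thresholds are constructed.

```python
"""Beacon-like periodicity heuristic over Sysmon Event ID 3 (network connect) records.

Added example, not the repository's beacon_heuristic.py. Regular beaconing shows up as
inter-arrival times with a low coefficient of variation (std / mean); interactive or
browser traffic is bursty and scores high. Input is a constructed list of parsed events.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: one process contacting 203.0.113.10:443 every ~60 s with 0-2 s jitter,
# plus a browser hitting 198.51.100.7:443 irregularly (documentation IP ranges, not real hosts).
BASE = datetime(2025, 9, 11, 10, 0, 0)
SAMPLE_EVENTS = (
    [{"UtcTime": BASE + timedelta(seconds=60 * i + (i % 3)), "Image": r"C:\Users\lab\svc.exe",
      "DestinationIp": "203.0.113.10", "DestinationPort": 443} for i in range(12)]
    + [{"UtcTime": BASE + timedelta(seconds=s), "Image": r"C:\Program Files\browser.exe",
        "DestinationIp": "198.51.100.7", "DestinationPort": 443} for s in (3, 9, 40, 41, 120, 400, 405)]
)


def beacon_candidates(events, min_samples=8, max_cv=0.2):
    """Return [(key, n_connections, mean_interval_s, cv)] for regular groups, lowest cv first.

    min_samples avoids scoring a handful of connections; max_cv is the jitter tolerance.
    Both are assumed starting values to tune against the lab's own baseline.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["Image"], ev["DestinationIp"], ev["DestinationPort"])].append(ev["UtcTime"])
    out = []
    for key, times in groups.items():
        if len(times) < min_samples:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(intervals)
        if mu <= 0:  # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(intervals) / mu  # low cv = steady cadence, the beacon signature
        if cv <= max_cv:
            out.append((key, len(times), round(mu, 1), round(cv, 3)))
    return sorted(out, key=lambda r: r[3])


if __name__ == "__main__":
    for key, n, mu, cv in beacon_candidates(SAMPLE_EVENTS):
        print(f"{key[0]} -> {key[1]}:{key[2]}  n={n} mean={mu}s cv={cv}")
```

In Splunk the same grouping is a `stats` over Sysmon EventCode 3 by Image, DestinationIp and DestinationPort; the script is the offline equivalent for exported events.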

📡 PCAP / Zeek Analyses

Folder: network/

  • pcap01_dns_tcp3way.md — analysis of DNS + TCP 3-way handshake (from week01_basic-traffic_2025-09-11.pcapng) — TODO
  • pcap02_summary.md — 3–5 line summary + screenshots — TODO
  • (Optional) zeek_logs_walkthrough.md — conn/dns/http — TODO

✅ OpenVAS → Hardening

Folder: vuln/

  • openvas_scan_vm.md — 1–2 real findings — TODO
  • hardening_actions.md — finding → fix (before/after) — TODO

☁️ On-prem vs Cloud

Folder: notes/

  • onprem_vs_cloud.md — logging differences, IAM pitfalls, cost/visibility trade-offs — TODO

🧾 Cheatsheets

Folder: cheatsheets/

  • windows_events.md (4624/4625/4672/4688…) — TODO
  • linux_ops.md (journalctl, systemctl, chmod/chown) — TODO
  • powershell.md (Get-WinEvent, regex) — TODO
  • bash.md (grep/awk/sed pipelines) — TODO

🧰 SIEM Config (Splunk)

Host (Receiving 9997):

  • Splunk Web → Settings → Forwarding and receiving → Receiving → Add new (9997)
  • Windows Firewall rule (Inbound TCP 9997)

VM (Forwarder): C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf

```ini
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.56.1:9997

[tcpout-server://192.168.56.1:9997]
```
