OpenSOC is a documented SOC lab series. The repo currently tracks only what has been covered in the published posts:
- OpenSOC: Building an Open Source SOC Lab That Does Not Suck
- OpenSOC: Setting up the SIEM (Wazuh Server)
The point of this repo is to keep a clean paper trail for the lab as it is built. It should not contain placeholder directories, fake runbooks, or documentation for components that have not been covered yet.
The current docs cover:
- Why OpenSOC exists.
- The basic SOC loop: collect, detect, alert, preserve evidence, review, and improve.
- The initial lab direction.
- Wazuh as the first SIEM.
- Wazuh server installation with the official quickstart script.
- Dashboard login and password recovery notes.
The intro post mentions future work such as agents, auditd, osquery, FleetDM OSS, Suricata, Zeek, SOAR, Windows/macOS agents, and Splunk. Those are not documented here yet because the published setup posts have not covered them. I will implement them and document them here, along with config files and other supporting material, as each post is published.
OpenSOC is released under the GNU General Public License v3.0. See LICENSE.