💡 A containerized, Splunk-powered SOC environment, combining alerting, ticket automation, change management, and policy design.
## Features

- Automated security incident detection using Splunk, with the alert patterns documented in `alerts.md`.
- A custom integration between Splunk and Jira that automatically creates a ticket for each alert.
- A change management workflow to ensure audit-safe operations.
- A mock policy setup compliant with SOC 2.
- Role-based access control (RBAC) using OpenLDAP for authentication and groups, as documented in `groups and users.md`.
- Built with docker-compose, so the entire system can be launched locally with a single command.
For more detailed instructions, see Requirements & Launching locally.
Example screenshots (captions only in this text version):

- Requirement Ticket created by "Head of IT Governance" after releasing new security policies
- Feature Ticket proposed by "Head of SOC Team"
- Security Incident Ticket after usage of sudo
- Splunk search for sudo usage events with field extraction
- Splunk dashboard for monitoring log volume and incident trends
This homelab simulates real-world monitoring and alerting scenarios for the following activity types:
### 🔐 Authentication & Access Control
| Source | Use Case | Name | Description |
|---|---|---|---|
| Unix | UC0001 | Unix use of sudo | Detects elevated privilege usage for accountability |
| LDAP | UC1001 | LDAP failed admin login | Detects failed login attempts to the OpenLDAP admin account |
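A field extraction of the kind UC0001 relies on, shown here as an added illustration rather than code from this repository: the regular expression mirrors the standard sudo syslog layout, the log lines are constructed samples, and the function names are hypothetical.

```python
import re
from typing import Optional

# Standard sudo syslog layout: "<user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
# The optional <reason> field appears only when sudo refused the request.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)

# Constructed sample of /var/log/auth.log content (not captured from a real host).
SAMPLE_LOG = """\
Jul 10 09:12:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jul 10 09:12:03 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Jul 10 09:15:44 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jul 10 09:16:10 host1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
"""


def parse_sudo_event(line: str) -> Optional[dict]:
    """Return the extracted fields for one sudo command event, or None for
    unrelated lines such as pam_unix session open/close messages."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Accountability needs both outcomes: refused requests are as relevant as granted ones.
    fields["outcome"] = "denied" if fields["reason"] else "allowed"
    return fields


def sudo_events(log_text: str) -> list[dict]:
    """Extract every sudo command event from raw syslog text."""
    return [ev for ev in map(parse_sudo_event, log_text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in sudo_events(SAMPLE_LOG):
        print(f"{ev['outcome']:7} {ev['user']:6} -> {ev['target']}: {ev['command']}")
```

The same fields (user, target, tty, pwd, command, outcome) are what a Splunk search for this use case would extract before alerting.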
### 🗃️ Database Monitoring (Postgres)
| Source | Use Case | Name | Description |
|---|---|---|---|
| Postgres | UC2001 | Postgres schema change | Detects DDL activity for Postgres instances |
### 🧠 Collaboration Platform Changes
| Source | Use Case | Name | Description |
|---|---|---|---|
| Jira | UC3001 | Jira repeated failed login | Detects repeated failed logins via Jira |
| Jira | UC3002 | Jira successful login at unusual time | Detects logins via Jira at non-business hours |
| Jira | UC3003 | Jira permission scheme change | Detects changes to the Jira permission scheme |
## Project structure

| Path | Description |
|---|---|
| /Components/ | Component configuration files |
| /Components/*/Config/ | Application-specific configuration |
| /Components/*/ConfigEtc/ | OS-specific configuration (e.g. sudo logging) |
| /Components/*/ConfigSplunk/ | Splunk data forwarding configuration |
| /Components/*/Dockerfile | Docker configuration for installing and configuring container |
| /Components/Splunk/CustomApp/ | Custom Splunk app storing indexes, alerts, dashboards and more |
| /Documentation/ | Documentation simulating IT Governance duties |
| /Documentation/Project/ | Top-level documentation about the system |
| /Documentation/Jira/ | Jira-specific documentation (installation, structure) |
| /Documentation/Policies/ | Mock policy setup simulating basic SOC 2 compliance |
| /compose.yaml | Docker compose entrypoint for starting containers |
## Components

- OpenLDAP
- PhpLDAPAdmin (not secured, only for visualizing LDAP structure)
- Postgres instance
- Jira
- Splunk server for log ingestion
## Requirements

- Docker Desktop v4.44.3+ (might work on older versions, untested)
- Splunk account (for downloading universal forwarders)
- Jira License (a trial license is sufficient)
## Launching locally

In the root project directory, run `docker compose up -d` and wait for the installation to finish.
Then follow the application-specific instructions for each service:
- https://localhost:6443: PhpLDAPAdmin
- http://localhost:8080: Jira
- http://localhost:8000: Splunk
## Roadmap

- 🔧 Governance: Expand Policy definitions
- 🔄 Automation: Automate Jira setup process
- 🧠 Integration: Add Incident update automation if activity continues
- 📊 Visualization: Add Jira dashboards to repo
- ✅ Workflow Enforcement: Enforce Jira ticket consistency
- 📚 Documentation: Add Confluence
- 📤 Reporting: Automate report exports from Splunk/Jira