Homelab SOC: Active Directory, File Server & Wazuh SIEM
A realistic enterprise security lab simulating identity, file access and endpoint monitoring.
This project is a continuously evolving Security Operations Center (SOC) homelab designed to replicate a small corporate infrastructure and to practice real-world detection, monitoring and troubleshooting scenarios.
Why This Project Exists
Most labs focus on isolated tools. Real environments don't.
This project was created to practice how systems interact, which is where real security problems appear:
Authentication flows
Log centralization
Monitoring endpoints and servers
Troubleshooting integrations
Hardening services over time
The goal is not just to build a lab, but to operate it like a real environment.
High-Level Architecture
This lab simulates a small company internal network where users authenticate, access shared files and use an internal web portal, all monitored by a SIEM.
Homelab SOC architecture diagram
Core components:
Active Directory domain
SMB file server with NTFS permissions
Internal Flask web application (AD authentication)
Wazuh SIEM (Manager + Indexer + Dashboard)
Wazuh agents across all hosts and containers
Environment
This environment represents a realistic enterprise setup:
Applications On Docker
Identity Provider: Active Directory domain controller
File Services: SMB file server with departmental shares
Internal App: Flask portal integrated with LDAP & SMB
Security Monitoring: Wazuh SIEM stack
Endpoint Monitoring: Agents on servers and containers
Core Features
Identity & Access
Active Directory
Centralized authentication via LDAP / Active Directory
Domain users and groups controlling file access
Group Policies simulating enterprise restrictions
File Server Monitoring
SMB access monitoring
File creation, deletion and modification tracking
Detection of unauthorized access attempts
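The file creation, deletion and modification tracking listed above is what a file integrity monitor does: hash every file under the share, keep the result as a baseline, and diff a later snapshot against it. The stand-alone script below is an added illustration of that mechanism, not the project's code and not a Wazuh module; it builds a throwaway departmental share in a temporary directory (the paths and contents are constructed) and reports which files were created, deleted or modified.

```python
"""File integrity baseline and diff: the create / delete / modify tracking a
FIM module performs on a share. Added example for this README; it is not the
project's code and does not talk to Wazuh. Paths and contents below are
constructed inside a temporary directory."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large share files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (share-relative POSIX path) to its digest."""
    base = Path(root)
    baseline = {}
    for p in sorted(base.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(base).as_posix()] = hash_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify the differences between two baselines the way a FIM alert would."""
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(f for f in set(old) & set(new) if old[f] != new[f]),
    }


def demo() -> dict:
    """Constructed scenario: a departmental share before and after three changes."""
    with tempfile.TemporaryDirectory() as share:
        root = Path(share)
        (root / "finance").mkdir()
        (root / "finance" / "budget.xlsx").write_bytes(b"q1 figures")
        (root / "finance" / "old.txt").write_bytes(b"obsolete")
        (root / "readme.txt").write_bytes(b"welcome")
        before = build_baseline(share)

        (root / "finance" / "budget.xlsx").write_bytes(b"q1 figures, edited")  # modified
        (root / "finance" / "old.txt").unlink()                                 # deleted
        (root / "hr").mkdir()
        (root / "hr" / "salaries.csv").write_bytes(b"new file")                 # created
        after = build_baseline(share)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

A real FIM agent adds what this omits: it stores the baseline out of band so a tampered host cannot rewrite it, records owner and permission changes as well as content, and scans on a schedule or on filesystem events rather than on demand.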
Web Application Integration
Custom internal portal that:
Web App Directories
Authenticates users against Active Directory
Lists SMB shared files
Allows directory navigation
Supports secure file downloads
This simulates a real intranet-style corporate application.
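Directory navigation and file downloads in a portal like this one take a path from the browser and combine it with the share root before handing it to the SMB layer, so the check that keeps every request inside the share is the one a reviewer looks for first. The function below is an added example of that check, not the portal's own code; the share name, the request strings and the rejection class are all assumptions made for the illustration. It normalises the requested path the way SMB clients send it (forward or back slashes), refuses absolute and drive-letter paths, and rejects anything that resolves above the share root.

```python
"""Resolve a user-supplied path against a share root before listing or
downloading, so navigation cannot leave the share. Added example for this
README; it is not the portal's own code. The share root, request strings and
exception class are constructed for the illustration."""
import posixpath


class PathOutsideShare(ValueError):
    """Raised when the requested path would resolve outside the share root."""


def resolve_share_path(share_root: str, requested: str) -> str:
    """Return a normalised forward-slash path that is guaranteed to sit under share_root.

    Backslashes are treated as separators because SMB clients commonly send them.
    Absolute paths and drive letters are refused outright; '..' is allowed only
    where the normalised result still lies inside the share.
    """
    root = posixpath.normpath("/" + share_root.strip("/\\").replace("\\", "/"))
    cleaned = requested.replace("\\", "/")
    if cleaned.startswith("/") or (len(cleaned) > 1 and cleaned[1] == ":"):
        raise PathOutsideShare(f"absolute path not allowed: {requested!r}")
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    # The root itself is a valid target (listing the share); anything else must
    # be a strict descendant. The trailing slash stops '/finance2' matching '/finance'.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathOutsideShare(f"path escapes share: {requested!r}")
    return candidate


def check_requests(share_root: str, requests: list) -> dict:
    """Resolve each request and record either the resolved path or the rejection."""
    results = {}
    for req in requests:
        try:
            results[req] = resolve_share_path(share_root, req)
        except PathOutsideShare as exc:
            results[req] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    # Constructed requests against a constructed 'finance' share.
    for req, outcome in check_requests(
        "finance",
        ["reports/q1.xlsx", "", "reports/../summary.txt", "../hr/salaries.csv", "..\\..\\other", "C:\\Windows"],
    ).items():
        print(f"{req!r:28} -> {outcome}")
```

The resolved value is then the only path passed on to the SMB client; the original request string is kept for logging, so a rejected request still produces an audit event the SIEM can see.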
SIEM Visibility
Full Wazuh monitoring across the environment:
Wazuh Dashboard
Authentication and security logs from Active Directory
File integrity and system activity monitoring
Container and host-level log collection
Centralized alerting and visibility
Detection & Monitoring Use Cases
The lab already supports detection of:
Wazuh Endpoints
Failed logon attempts in Active Directory
Brute-force and repeated authentication failures
Suspicious system and container activity
File integrity and system changes
Container lifecycle events
This provides a foundation to practice SOC workflows and detection engineering.
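The brute-force use case above reduces to counting logon failures per source and per account inside a sliding time window. The script below is an added example of that logic, not a Wazuh rule and not the project's code: the event records are constructed, modelled loosely on the fields of Windows Security event 4625 (logon failure) and 4624 (success), and the threshold and window are assumed values. Keying on the source IP as well as the user also catches a spray of single attempts across many accounts, which a per-user counter alone would not flag.

```python
"""Sliding-window detection of repeated logon failures, the brute-force use
case a SIEM rule implements. Added example for this README; not a Wazuh rule
and not the project's code. Events, threshold and window are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, target user, source IP).
# 4625 = logon failure, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2026-04-02T09:00:01", 4625, "alice", "10.0.0.15"),
    ("2026-04-02T09:00:20", 4625, "alice", "10.0.0.15"),
    ("2026-04-02T09:00:55", 4624, "alice", "10.0.0.15"),  # typo then success: benign
    ("2026-04-02T09:01:00", 4625, "bob", "10.0.0.99"),
    ("2026-04-02T09:01:03", 4625, "bob", "10.0.0.99"),
    ("2026-04-02T09:01:07", 4625, "bob", "10.0.0.99"),
    ("2026-04-02T09:01:10", 4625, "bob", "10.0.0.99"),
    ("2026-04-02T09:01:12", 4625, "bob", "10.0.0.99"),   # 5th failure in 12 s
    ("2026-04-02T09:20:00", 4625, "carol", "10.0.0.42"),
    ("2026-04-02T09:20:05", 4625, "dave", "10.0.0.42"),
    ("2026-04-02T09:20:09", 4625, "erin", "10.0.0.42"),
    ("2026-04-02T09:20:14", 4625, "frank", "10.0.0.42"),
    ("2026-04-02T09:20:18", 4625, "grace", "10.0.0.42"),  # one source, five accounts
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (kind, key) the first time `threshold` failures
    from the same source IP, or against the same account, fall within `window`.
    Successful logons are ignored; alerting once per key avoids a flood."""
    buckets = defaultdict(deque)   # (kind, key) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, event_id, user, src in sorted(events):
        if event_id != 4625:
            continue
        when = datetime.fromisoformat(ts)
        for kind, key in (("source_ip", src), ("user", user)):
            recent = buckets[(kind, key)]
            recent.append(when)
            while recent and when - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append({"kind": kind, "key": key, "count": len(recent), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events this raises three alerts: the source 10.0.0.99 and the account bob at 09:01:12, and the source 10.0.0.42 at 09:20:18, while alice's two failures followed by a success stay below the threshold. The same shape (group key, count, time window, fire once) is what a custom SIEM rule expresses declaratively.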
Current Security Posture
Implemented
Centralized authentication (LDAP)
Permission-based file access
Full SIEM monitoring across hosts and containers
Planned Hardening
HTTPS for the web application
Remove credential storage from session
Container hardening
Custom Wazuh detection rules
More granular File Integrity Monitoring
Project Roadmap
Future improvements include:
Detection engineering scenarios
Simulated attack techniques
Custom Wazuh rules and dashboards
Security automation experiments
Zero-trust concepts
Latest Updates
2026-04 - Major SIEM Integration
Wazuh agents deployed across all hosts
Web application onboarded as monitored endpoint
Centralized logging fully operational
Improved Docker persistence strategy
Technical Stack
Infrastructure
Active Directory
Windows Server
Linux Servers
Docker
Security
Wazuh SIEM
OpenSearch
Endpoint monitoring
Log analysis
Development
Python
Flask
LDAP (ldap3)
SMB (Impacket)
Related Technical Articles
This project acts as the central hub for all technical deep dives.