Security Lab Topology
Tags: Lab, Security, Network
This lab simulates a small enterprise security monitoring environment. It is designed for testing detection rules,
endpoint visibility, and incident workflows in a controlled setting.
Modem → Firewall → Router → Switches → KVM Switch → Endpoints
├─ Windows (Workstation)
├─ macOS (Workstation)
├─ Kali Linux (Testing / Security Tools)
└─ Raspberry Pi (Wazuh Agent / collectors)
Security Monitoring Stack (Ubuntu Server)
├─ Wazuh Manager
├─ Elasticsearch
└─ Kibana
Focus: endpoint telemetry, log collection, alerting, and repeatable security testing scenarios.
SOAR Integration
Tags: SOAR, Response, Automation
A SOAR platform should sit next to the SIEM and consume alerts from Wazuh/Elastic. In this lab,
the SOAR tool would run either on the Ubuntu Server (if resources allow) or on a separate lightweight VM/host
to keep workflows isolated and stable.
How it works across this setup
- Ingest: SOAR pulls alerts via API/webhook from Wazuh or Elasticsearch.
- Enrich: Adds context (asset inventory, user identity, GeoIP, threat intel).
- Decide: Runs playbooks to classify severity and recommend actions.
- Respond: Triggers actions such as ticket creation, Slack/email alerts, or script execution.
- Contain (lab-safe): Optional actions like blocking a test IP at the firewall or disabling a test account (where supported).
Goal: reduce time-to-triage by automating repetitive steps while keeping actions controlled and auditable.
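The ingest, enrich and decide steps above, as an added example that is not part of the original page: a minimal playbook function that takes a Wazuh-style alert, attaches asset context, maps the rule level to a triage severity, and returns an auditable decision record. The alert, the asset inventory and the severity thresholds are constructed for this illustration (only the field layout follows Wazuh's alerts.json), and containment is only proposed for hosts flagged as lab test assets, never executed.

```python
import json
from datetime import datetime, timezone

# Constructed alert in Wazuh's alerts.json shape (rule.level, agent.name, data.srcip);
# the rule id is in the custom-rule range and the values are invented for the lab.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {"level": 10, "id": "100200", "description": "Constructed lab rule: repeated failed SSH logins"},
    "agent": {"id": "003", "name": "rpi-collector"},
    "data": {"srcip": "10.0.50.23", "dstuser": "admin"},
}

# Hypothetical asset inventory for the lab hosts; lab_test marks assets where contain actions may be proposed.
ASSET_INVENTORY = {
    "rpi-collector": {"owner": "soc-lab", "role": "Wazuh agent / collector", "lab_test": True},
    "win-workstation": {"owner": "soc-lab", "role": "Windows workstation", "lab_test": True},
}

def enrich(alert, inventory):
    """Enrich: attach asset context keyed on agent.name; unknown hosts get an explicit marker."""
    host = alert["agent"]["name"]
    asset = inventory.get(host, {"owner": "unknown", "role": "unknown", "lab_test": False})
    return {**alert, "asset": asset}

def decide(enriched):
    """Decide: map the Wazuh rule.level to a triage severity and a recommended response."""
    level = enriched["rule"]["level"]
    if level >= 12:
        severity, action = "high", "create_ticket_and_page"
    elif level >= 7:
        severity, action = "medium", "create_ticket_and_notify"
    else:
        severity, action = "low", "log_only"
    # A firewall block is only proposed for lab test assets with a source IP, and only recorded here, not executed.
    contain = enriched["asset"]["lab_test"] and severity != "low" and "srcip" in enriched.get("data", {})
    return {"severity": severity, "action": action, "propose_block_ip": enriched["data"]["srcip"] if contain else None}

def run_playbook(alert, inventory=ASSET_INVENTORY):
    """Run ingest -> enrich -> decide and return an auditable record of what was decided and why."""
    enriched = enrich(alert, inventory)
    decision = decide(enriched)
    return {
        "alert_rule_id": alert["rule"]["id"],
        "agent": alert["agent"]["name"],
        "asset": enriched["asset"],
        **decision,
        "decided_at": datetime.now(timezone.utc).isoformat(),
    }

if __name__ == "__main__":
    print(json.dumps(run_playbook(SAMPLE_ALERT), indent=2))
```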