Building your own SOC is a great way to understand how detection actually works, and how it can break. With open-source tools, we can set up a functioning SOC without budget or enterprise stack.
This talk walks through how to build one from scratch - logs forwarding, parsing, normalization. Your first SOC starts with high-signal detections like honey-tokens and AD traps that help you catch real attacker behavior. We go over common pitfalls and help you avoid them.
Whether you're defending your own lab or looking to sharpen your evasion techniques as a red teamer, the talk provides a hands-on view into what SOCs can (and can’t) see—and how to build one to explore further.
Introduction of SOC
• What are SOC's features? Log storage, Easy query, Alerting, etc
• Why you might want one? Defend self-hosted infra, survey trending threat intelligence, learn defense for deeper evasion techniques
Architecture overview
• Component intro: Ingestor, Storage, Processor (Searcher), Visualization (GUI)
• Component mapping: Name of those parts in Elastic & Splunk (Give audience keywords for deeper research)
Syslog forwarding
• What is syslog: Introduce formats of syslog
• How to configure syslog forwarding with rsyslog? Forward general OS logs; Forward application logs, e.g. access logs; Filter out logs with rsyslog
Parsing
• Common mistake: Assume SIEM automatically recognizes and extracts fields
• Failure impact: Unable to search based on keywords
• Solutions overview: Agent-based parsing, Middleware parsing, Index-time parsing
• How to configure in each solution setting?
Normalization
• Common mistake: Inconsistent naming scheme of variables (src_ip vs source_ip, etc)
• Failure impact: Incomplete search coverage
• Solution overview: SIEM-defined naming standards, run time normalization
• Details: Introduce current naming schemes of different SIEMs (ECS for elastic, CIM for Splunk)
High-fidelity starter alerts
• General Honey-token: Overview of available honey-tokens
• AD Honey-token: Deep dive into each AD honey-token & corresponding attack it detects
• Certiception: Extend and invite audience to check our Certiception paper and GitHub
