This repository documents a cloud-based SOC homelab built on Microsoft Azure to detect, investigate, and respond to a range of cyber attacks. It demonstrates end-to-end SOC capability by combining SIEM, SOAR, endpoint telemetry, malware analysis, and incident response playbooks, aligned to how a real Australian SOC operates. The focus is not just on alerting, but on investigation quality, decision-making, automation, and documentation.
- Detect infrastructure attacks and their downstream impact (credential theft, malware execution, BEC activity)
- Investigate incidents using correlated email, identity, endpoint, and network telemetry
- Enrich alerts using interactive malware analysis and threat intelligence
- Automate repeatable SOC tasks using SOAR playbooks
- Produce clear, defensible incident case files suitable for audit and reporting
- Align response and prevention recommendations to ACSC Essential Eight principles
The homelab simulates a small enterprise environment hosted in Azure:
- Azure VNet with Windows endpoints and a Linux network sensor
- Microsoft Sentinel as the central SIEM/SOAR platform
- Microsoft Defender telemetry for endpoint and email security signals
- ANY.RUN for interactive malware analysis
- Centralised logging and automated incident workflows on separate workspaces
High-level flow: Phishing email → user interaction → identity / endpoint activity → SIEM detection → enrichment → containment → lessons learned
Architecture and data-flow diagrams are provided in the architecture/ directory.
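As an added illustration of the flow above (not code from this repository), the Python below correlates constructed email, identity and endpoint records into a per-user phishing-chain timeline and then extracts the IOCs an analyst would push to a watchlist or threat-intelligence enrichment. The record shapes loosely mimic the Sentinel/Defender tables named in this README (EmailEvents, UrlClickEvents, SigninLogs, DeviceProcessEvents), but every table name, field name, IP, URL and hash here is an assumption or a constructed sample value; in Sentinel itself the same join would be written as a KQL analytics rule.

```python
"""Correlate email, identity and endpoint telemetry for one phishing chain.

Added example, not code from the repository. Record shapes loosely mimic the
Sentinel/Defender tables named in the README; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry. 'table' mirrors the Sentinel table a record would come from.
SAMPLE_EVENTS = [
    # Baseline sign-ins from each user's usual IP, before the email arrives
    {"table": "SigninLogs", "time": "2024-05-01T08:30:00", "user": "alice@example.test",
     "ip": "198.51.100.7", "result": "0"},
    {"table": "SigninLogs", "time": "2024-05-01T08:45:00", "user": "bob@example.test",
     "ip": "198.51.100.9", "result": "0"},
    # Phishing email delivered to alice, then the link is clicked (click allowed)
    {"table": "EmailEvents", "time": "2024-05-01T09:00:00", "user": "alice@example.test",
     "sender": "invoice@payments-example.test", "url": "https://payments-example.test/login.php"},
    {"table": "UrlClickEvents", "time": "2024-05-01T09:04:00", "user": "alice@example.test",
     "url": "https://payments-example.test/login.php", "action": "ClickAllowed"},
    # Successful sign-in for alice from an IP never seen for her before the click
    {"table": "SigninLogs", "time": "2024-05-01T09:20:00", "user": "alice@example.test",
     "ip": "203.0.113.45", "result": "0"},
    # Office application spawning a script host on alice's workstation
    {"table": "DeviceProcessEvents", "time": "2024-05-01T09:35:00", "user": "alice@example.test",
     "device": "WKS-01", "parent": "outlook.exe", "process": "powershell.exe",
     "sha256": "0" * 64},  # placeholder hash, not a real sample
    # Control case: bob clicked too, but signs in from his known IP and runs nothing odd
    {"table": "EmailEvents", "time": "2024-05-01T09:01:00", "user": "bob@example.test",
     "sender": "invoice@payments-example.test", "url": "https://payments-example.test/login.php"},
    {"table": "UrlClickEvents", "time": "2024-05-01T09:10:00", "user": "bob@example.test",
     "url": "https://payments-example.test/login.php", "action": "ClickAllowed"},
    {"table": "SigninLogs", "time": "2024-05-01T09:30:00", "user": "bob@example.test",
     "ip": "198.51.100.9", "result": "0"},
]

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def _ts(record):
    return datetime.fromisoformat(record["time"])


def correlate(events, window=timedelta(hours=2)):
    """Group events by user and walk the chain: delivered -> clicked ->
    sign-in from a previously unseen IP -> Office app spawning a script host.
    Returns {user: incident}; only users who at least clicked are reported."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    incidents = {}
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        clicks = [e for e in evs if e["table"] == "UrlClickEvents" and e["action"] == "ClickAllowed"]
        if not clicks:
            continue
        click = clicks[0]
        t0, t1 = _ts(click), _ts(click) + window
        emails = [e for e in evs if e["table"] == "EmailEvents"]
        stages = (["delivered"] if emails else []) + ["clicked"]
        # IPs seen for this user before the click form the baseline
        known_ips = {e["ip"] for e in evs if e["table"] == "SigninLogs" and _ts(e) < t0}
        new_ip_signins = [e for e in evs if e["table"] == "SigninLogs" and e["result"] == "0"
                          and t0 <= _ts(e) <= t1 and e["ip"] not in known_ips]
        suspicious_procs = [e for e in evs if e["table"] == "DeviceProcessEvents"
                            and t0 <= _ts(e) <= t1
                            and e["parent"].lower() in OFFICE_PARENTS
                            and e["process"].lower() in SCRIPT_HOSTS]
        if new_ip_signins:
            stages.append("signin_from_new_ip")
        if suspicious_procs:
            stages.append("endpoint_execution")
        timeline = sorted(emails + [click] + new_ip_signins + suspicious_procs, key=_ts)
        incidents[user] = {
            "user": user,
            "stages": stages,
            "timeline": timeline,
            # A click alone is low; any post-click identity or endpoint impact is high
            "severity": "high" if len(stages) > len(emails) + 1 else "low",
        }
    return incidents


def extract_iocs(incident):
    """Pull URLs, domains, sign-in IPs and file hashes out of an incident timeline."""
    iocs = {"urls": set(), "domains": set(), "ips": set(), "sha256": set()}
    for e in incident["timeline"]:
        if "url" in e:
            iocs["urls"].add(e["url"])
            iocs["domains"].add(urlparse(e["url"]).hostname)
        if e["table"] == "EmailEvents":
            iocs["domains"].add(e["sender"].split("@", 1)[1])
        if e["table"] == "SigninLogs":
            iocs["ips"].add(e["ip"])
        if e["table"] == "DeviceProcessEvents":
            iocs["sha256"].add(e["sha256"])
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for user, inc in correlate(SAMPLE_EVENTS).items():
        print(user, inc["severity"], " -> ".join(inc["stages"]))
        print("  IOCs:", extract_iocs(inc))
```

The baseline-IP check is deliberately scoped to sign-ins before the click, so a user who clicked but kept signing in from a known address (bob) stays low severity while the user with a post-click sign-in from an unseen IP and an Office-spawned script host (alice) is raised to high; the IOC set from the high-severity case is what would feed a watchlist and the enrichment step in the flow above.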
- Microsoft Sentinel
- KQL (Kusto Query Language)
- Logic Apps (Sentinel automation playbooks)
- Microsoft Defender (endpoint and email signals)
- Microsoft Entra ID (Azure AD) sign-in logs
- Windows Event Logs
- Sysmon
- ANY.RUN Interactive Malware Sandbox
- IOC extraction and correlation
- Threat intelligence enrichment (hashes, domains, URLs)
- Velociraptor (endpoint artifact collection and live hunts)
- Zeek
- Suricata
- GitHub for version control and case management
- Markdown-based incident reports
- Diagrams.net for architecture diagrams
```text
Azure-SOC-AI-Enhanced-Homelab/
├── README.md
├── LICENSE
├── AI Enhancements/            # AI-assisted SOC workflows (summaries, triage aids, detection drafting)
├── Architecture/               # Architecture and data-flow diagrams
├── Automation/                 # Sentinel automation rules + Logic Apps playbooks (exports, screenshots)
├── Case Studies/               # Full incident case files (end-to-end investigations)
├── Cloud Audit Events/         # Cloud audit/event logs and references used in investigations
├── Cyber-risk-management/      # Risk and compliance assessment reports (ISO/COBIT adherence), compliance notes, asset risk assessments
├── DFIR/                       # DFIR tooling outputs (e.g., Velociraptor collections, memory/disk triage notes)
├── Dashboards/                 # Sentinel workbook screenshots and dashboards
├── Defender For Endpoint/      # MDE setup notes, alerts, advanced hunting, telemetry examples
├── Endpoint Telemetry/         # Sysmon configs, Windows event logging, endpoint data pipelines
├── Essential Eight Mapping/    # ACSC Essential Eight alignment notes and mappings
├── Exposure Management/        # Attack surface / posture findings and remediation tracking
├── MITRE ATT&CK/               # Technique mapping used for detections and case studies
├── Malware Analysis/           # ANY.RUN analysis summaries, IOC extraction, triage notes
├── Playbooks/                  # Incident response playbooks (phishing + related runbooks)
├── Sentinel/                   # KQL queries, analytics rules, watchlists, workbook content
└── Vulnerability Management/   # Scanning outputs, prioritisation, remediation documentation
```
Each directory contains real artifacts used in detection engineering, investigation, automation, and incident response within the Azure SOC homelab. Note: live malware files are uploaded in encrypted form for later triage use cases. If you want access to them, please email me, as unauthorised use can lead to system compromise for which you would be liable!