# SOC Lab Docker

A Docker-based detection engineering lab for learning blue team skills.

An open-source security operations center (SOC) lab environment designed for defenders, detection engineers, and security analysts to learn and practice blue team tradecraft in a controlled, reproducible setting.
This project provides:
- A containerized lab stack (Docker Compose) for instant deployment
- Mock log generation simulating realistic security events
- Attack simulation scripts to trigger detectable events
- Detection queries & examples for learning query languages (KQL, SPL, PromQL)
- Pre-built dashboards to visualize security data
- Comprehensive documentation for architecture, lab deployment, and learning paths
Whether you're new to detection engineering, preparing for security certifications, or building detection portfolios, SOC Lab Docker provides a hands-on learning environment without requiring enterprise infrastructure.
## Features

### Local Docker Stack
- Compose-based deployment (Elasticsearch, data lake, log shipper, UI)
- One-command lab spin-up: `docker-compose up`
- Development-friendly `.env` configuration
### Realistic Log Generation
- Mock event generator (web traffic, auth, OS events, security tools)
- Configurable event volume and distribution
- Extensible for custom log types
### Attack Simulation
- Bash/Python scripts simulating common attack patterns
- Coordinated event chains (reconnaissance → exploitation → exfiltration)
- Educational annotations explaining each step
### Detection Examples
- Query templates for common SPL, KQL, PromQL use cases
- Best practices for detection tuning and baseline methodology
- Threat mappings (MITRE ATT&CK) where applicable
### Dashboard Gallery
- Sample dashboards (event overview, alerts, anomalies)
- Guided walkthroughs for query building
- Export-ready configurations
### Comprehensive Documentation
- Architecture overview
- Lab deployment guide
- Learning roadmap with milestones
- Security & engineering considerations
## Architecture

```text
┌─────────────────────────────────────────────────────────────┐
│                    SOC Lab Docker Stack                     │
├──────────────────────────┬──────────────────────────────────┤
│  Event Generation Layer  │      Data Collection Layer       │
│  ┌────────────────────┐  │  ┌────────────────────────────┐  │
│  │ Mock Log Generator │  │  │ Log Forwarder / Aggregator │  │
│  │ (Python/Bash)      │  │  │ (Filebeat, Logstash, etc.) │  │
│  │  - Web Traffic     │  │  └─────────────┬──────────────┘  │
│  │  - Auth Events     │  │                │                 │
│  │  - OS Logs         │  │  ┌─────────────▼──────────────┐  │
│  │  - Security Alerts │  │  │ Search & Index (Elastic)   │  │
│  └────────────────────┘  │  │ or Data Lake (ADLS)        │  │
│                          │  └─────────────┬──────────────┘  │
├──────────────────────────┴──────────────────────────────────┤
│                   Query & Analysis Layer                    │
│   ┌──────────────┐  ┌──────────────┐  ┌────────────────┐    │
│   │  Detection   │  │ Interactive  │  │   Dashboards   │    │
│   │   Queries    │  │  Query Tool  │  │  & Visualize   │    │
│   │  (SPL/KQL)   │  │              │  │                │    │
│   └──────────────┘  └──────────────┘  └────────────────┘    │
└─────────────────────────────────────────────────────────────┘

Attack Simulation Scripts ──► Event Generator ──► Logs ──► Detections
```
## Getting Started

Supported platforms: Linux and Windows (via WSL2 + Docker Desktop). macOS has not been verified in CI and is not officially supported.

### Prerequisites
- Docker & Docker Compose (v20+)
- 4GB+ RAM available
- Git
- Bash (Linux / WSL2) or PowerShell terminal (Windows)

### Quick Start
1. Clone the repository
   ```bash
   git clone https://github.com/Josperdo/soc-lab-docker.git
   cd soc-lab-docker
   ```
2. Configure environment variables
   ```bash
   cp .env.example .env
   # Edit .env as needed for your deployment
   ```
3. Spin up the lab stack
   ```bash
   docker-compose up -d
   ```
4. Verify deployment
   ```bash
   docker-compose ps
   # All services should be "Up"
   ```
5. Access the lab UI
   - Dashboard: http://localhost:5601 (or configured port)
   - Query tool: http://localhost:9200 (or service endpoint)
Full deployment instructions, environment setup, and troubleshooting are available in docs/SETUP.md.
## Attack Simulation

The scripts/ directory contains executable attack simulations that generate detectable events.

### Brute-force simulation
```bash
./scripts/brute_force_simulation.sh \
  --target-user admin \
  --attempt-count 50 \
  --delay-ms 200
```
This script will:
- Generate failed authentication attempts
- Timestamp and correlate events
- Log activity to the event pipeline
- Create artifact detection opportunities

### Lateral movement simulation
```bash
./scripts/lateral_movement_simulation.sh \
  --start-host web-server-01 \
  --target-hosts internal-db-01,internal-db-02 \
  --tool psexec
```
This simulates reconnaissance → privilege escalation → lateral movement, with each step logged and detectable.

See also:
- scripts/README.md: Full script documentation and attack scenarios
- docs/ATTACK_SCENARIOS.md: Detailed threat models and expected artifacts
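The lateral movement simulation above emits a three-stage chain, and the detection question it poses is how to tie those stages together rather than alert on each one in isolation. The following is an added example, not code from the soc-lab-docker repository: a small stateful correlator that only raises an alert when reconnaissance, privilege escalation and a remote-execution event from the same pivot host occur in order within a window. The `event.action` values, the `host.name` / `source.host` / `process.name` field names and the sample events are assumptions made for this illustration; the lab's real generator may use a different schema.

```python
"""Added example for the lateral-movement simulation: correlating the
reconnaissance -> privilege escalation -> lateral movement chain into one
alert. Not code from the soc-lab-docker project; the event.action values,
field names and sample events are assumptions made for this illustration."""
import json
from datetime import datetime, timedelta, timezone

STAGES = ("reconnaissance", "privilege_escalation", "lateral_movement")


def correlate_lateral_movement(log_lines, window=timedelta(hours=1)):
    """Stateful correlation keyed on the pivot host.

    reconnaissance / privilege_escalation events are attributed to host.name;
    a lateral_movement event names the victim in host.name and the pivot
    (where the remote-execution tool ran) in source.host. An alert fires only
    when all three stages occur in order on the same pivot within `window`.
    """
    state = {}   # pivot host -> {stage: first timestamp seen}
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        stage = ev.get("event.action")
        if stage not in STAGES:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        pivot = ev["source.host"] if stage == "lateral_movement" else ev["host.name"]
        seen = state.setdefault(pivot, {})
        for s in [s for s, t in seen.items() if ts - t > window]:
            del seen[s]   # expire stale stages so old noise cannot chain
        if stage != "lateral_movement":
            seen.setdefault(stage, ts)
            continue
        if (all(s in seen for s in STAGES[:2])
                and seen["reconnaissance"] <= seen["privilege_escalation"] <= ts):
            alerts.append({"pivot_host": pivot,
                           "victim_host": ev["host.name"],
                           "tool": ev.get("process.name"),
                           "chain": [seen["reconnaissance"].isoformat(),
                                     seen["privilege_escalation"].isoformat(),
                                     ts.isoformat()]})
    return alerts


def sample_events():
    """Constructed log lines: web-server-01 scans, escalates, then runs psexec
    against two DB hosts; a lone psexec from admin-jump-01 (no prior stages)
    is a control that must not alert."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    raw = [
        (0, {"event.action": "reconnaissance", "host.name": "web-server-01",
             "destination.port_count": 1024}),
        (5, {"event.action": "privilege_escalation", "host.name": "web-server-01",
             "user.name": "www-data", "user.effective.name": "root"}),
        (9, {"event.action": "lateral_movement", "host.name": "internal-db-01",
             "source.host": "web-server-01", "process.name": "psexec"}),
        (11, {"event.action": "lateral_movement", "host.name": "internal-db-02",
              "source.host": "web-server-01", "process.name": "psexec"}),
        (20, {"event.action": "lateral_movement", "host.name": "internal-db-01",
              "source.host": "admin-jump-01", "process.name": "psexec"}),
    ]
    lines = []
    for minutes, fields in raw:
        fields["@timestamp"] = (t0 + timedelta(minutes=minutes)).isoformat()
        lines.append(json.dumps(fields))
    return lines


def run_demo(window_minutes=60):
    """Run the correlator over the constructed events with a given window."""
    return correlate_lateral_movement(sample_events(),
                                      window=timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Two design points worth noting: the correlator keys on the pivot (`source.host`) rather than the victim, so one compromised host spraying several targets produces one alert per victim with the same chain attached, and stale stages are expired so a scan from last week cannot pair with an unrelated remote-execution event today. Shrinking the window (for example `run_demo(window_minutes=1)`) shows the chain breaking apart and no alert firing, which is the tuning trade-off the SPL/KQL versions in detections/ face as well.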
## Detection Examples

Sample detection queries are located in detections/:

```text
detections/
├── authentication/
│   ├── failed_login_spike.spl   # Splunk query
│   ├── failed_login_spike.kql   # KQL (Sentinel/Analytics)
│   └── README.md
├── lateral_movement/
│   ├── psexec_detection.spl
│   ├── psexec_detection.kql
│   └── ...
└── exfiltration/
    └── ...
```

To try a query:

```bash
cat detections/authentication/failed_login_spike.spl
```

- Copy the content from detections/authentication/failed_login_spike.spl
- Paste into your search UI at http://localhost:5601
- Run the query against the mock log data
- Adjust thresholds and time windows for tuning
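To make the tuning step concrete, here is an added example (not code from the soc-lab-docker project) that pairs a mock auth-event generator, mirroring the `--target-user` / `--attempt-count` / `--delay-ms` parameters of the brute-force script, with the streaming logic behind a failed-login-spike detection. It shows why the threshold and time window matter: the same 50 failures that trip a 20-in-5-minutes rule fall under the radar if the attempt count is lowered or the window shortened. The ECS-style field names, the threshold, and the sample data are assumptions chosen for this illustration.

```python
"""Added example for the brute-force simulation and the failed_login_spike
detection. This is not code from the soc-lab-docker project: the event
schema (ECS-style field names), the 20-failures-in-5-minutes threshold and
the sample data are assumptions chosen for this illustration."""
import json
import random
from collections import deque
from datetime import datetime, timedelta, timezone


def generate_auth_events(start, attempts=50, delay_ms=200,
                         target_user="admin", source_ip="10.0.0.42", seed=1):
    """Constructed mock auth log: a burst of failed logins against one user
    (mirroring --target-user / --attempt-count / --delay-ms) interleaved
    with benign successful logins from other users, as JSON lines."""
    rng = random.Random(seed)
    events = []
    t = start
    for _ in range(attempts):
        events.append({"@timestamp": t.isoformat(),
                       "event.category": "authentication",
                       "event.outcome": "failure",
                       "user.name": target_user, "source.ip": source_ip})
        t += timedelta(milliseconds=delay_ms)
    for j in range(10):  # benign background noise spread over the same minute
        ts = start + timedelta(seconds=rng.uniform(0, 60))
        events.append({"@timestamp": ts.isoformat(),
                       "event.category": "authentication",
                       "event.outcome": "success",
                       "user.name": f"user{j}", "source.ip": f"10.0.1.{j}"})
    events.sort(key=lambda e: datetime.fromisoformat(e["@timestamp"]))
    return [json.dumps(e) for e in events]


def detect_failed_login_spike(log_lines, threshold=20,
                              window=timedelta(minutes=5)):
    """Streaming equivalent of a bucketed 'count failures by source/user'
    query: keep a sliding window of failure timestamps per (source.ip,
    user.name) and raise one alert the first time the window reaches
    `threshold`. Successes and non-auth events are ignored."""
    windows = {}          # (source.ip, user.name) -> deque of timestamps
    alerted = set()       # keys that already produced an alert
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        if (ev.get("event.category") != "authentication"
                or ev.get("event.outcome") != "failure"):
            continue
        key = (ev["source.ip"], ev["user.name"])
        ts = datetime.fromisoformat(ev["@timestamp"])
        dq = windows.setdefault(key, deque())
        dq.append(ts)
        while dq and ts - dq[0] > window:   # expire timestamps outside window
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"source.ip": key[0], "user.name": key[1],
                           "failures_in_window": len(dq),
                           "first_seen": dq[0].isoformat(),
                           "last_seen": ts.isoformat(),
                           "attack_technique": "T1110 Brute Force"})
    return alerts


def run_demo(attempts=50):
    """Constructed scenario: `attempts` failures at 200 ms spacing from one IP."""
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return detect_failed_login_spike(generate_auth_events(start, attempts=attempts))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert, indent=2))
```

Running `run_demo()` yields a single alert for `10.0.0.42` against `admin`, raised at the 20th failure; `run_demo(attempts=10)` yields none. The alert is emitted once per key rather than on every further failure, which is the same de-duplication you would want from the scheduled SPL/KQL rule so the analyst sees one incident, not thirty.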
## Dashboards

Pre-built dashboards are located in dashboards/:
- Import the `.json` files via your dashboard UI
- Customize visualizations and thresholds
- Export for team sharing
## Design Principles

- Learning-first: Every component is documented; understand the "why" behind detections
- Reproducibility: Forkable and runnable in 5 minutes on any machine with Docker
- Realism: Mock logs match real security data structures and event volumes
- Extensibility: Add custom log generators, attack scripts, and detections
## Security Considerations

- Lab Environment Only: This is not production-grade monitoring. Use for learning and testing only.
- No Persistence: By default, the lab runs in-memory; data is lost on container shutdown. See docs/SETUP.md for persistent storage options.
- No Network Isolation: For simplicity, containers communicate across a shared network. Use network policies and isolation in production.
- Minimal Authentication: The lab uses default credentials for ease of learning. Never expose to the internet without hardening.
## Detection Engineering Best Practices

- Keep detection rules simple and well-documented for maintainability
- Use MITRE ATT&CK framework for categorizing detections
- Test detection efficacy using the provided attack scripts
- Version control detection queries separately from dashboards
- Reference external threat intelligence (MITRE, CIS, NIST) in detection notes
## Microsoft Sentinel Integration

Deploy the lab's detection library to Microsoft Sentinel, the leading enterprise cloud SIEM, using Terraform and ARM templates.

What's included (terraform/sentinel/):
- Terraform IaC: Log Analytics Workspace + Sentinel onboarding, fully parameterized
- 8 analytics rules: All lab detections as `azurerm_sentinel_alert_rule_scheduled` resources with MITRE tactics, entity mappings, and tunable frequency/lookback
- 3 SOAR playbooks: ARM Logic App templates for Slack notification, ticket creation (ServiceNow/JIRA pattern), and host isolation
- Data connector guide: Forward lab events via Filebeat → Azure Monitor for end-to-end pipeline experience

```bash
cd terraform/sentinel
terraform init
terraform apply -var-file="terraform.tfvars"
```

No live Azure subscription is required to study or customize the templates. See docs/SENTINEL_INTEGRATION.md for the full deployment walkthrough.
## Roadmap

See docs/roadmap.md for the full capabilities roadmap.
## License

This project is licensed under the MIT License. Feel free to fork, modify, and use for educational purposes.
## Credits

Created by: John Sperry

Inspired by: Blue team tradecraft, detection engineering best practices, and the open-source security community.
## Documentation

| Guide | Level | Description |
|---|---|---|
| Beginner Guide | Beginner | End-to-end walkthrough: simulate an attack, find events, write your first detection query |
| Intermediate Guide | Intermediate | Build a custom detection from scratch using the full detection engineering methodology |
| Sentinel Integration | Advanced | Deploy all lab detections to Azure Sentinel via Terraform; add SOAR playbooks |
| Attack Scenarios | Reference | MITRE ATT&CK-mapped event chains for each simulation script |
| Alerting Guide | Reference | Alert rule format, notification backends, and response playbooks |
| Compliance Mapping | Reference | CIS Controls v8 and NIST CSF 2.0 mapping for all lab detections |
Other docs:
## Support

For issues, questions, or feature requests, please open a GitHub issue.
Happy detecting!