*By: Oresti Meta*
Welcome to my DFIR SOC Analyst project. This project is designed to help aspiring SOC Analysts gain hands-on practical experience.
The project starts with the diagrams of the environment that will be built and exercised throughout it.

Cybersecurity Monitoring and Response Network Architecture

Attack Diagram

Vultr Virtual Private Cloud (VPC)
The diagrams above represent the infrastructure deployed within a Vultr Virtual Private Cloud (VPC) for monitoring, logging, and incident response activities in a simulated security operations environment.
Components:
Elastic & Kibana Server:
- This server is at the center of the log collection and monitoring framework.
- Elastic collects logs forwarded by agents from managed servers, while Kibana provides a graphical interface for real-time monitoring, log visualization, and alerting.
- Managed alerts are also forwarded to the osTicket Server for ticket generation and incident tracking.

Downloaded and installed Elasticsearch

Downloaded and installed Kibana

Successfully logged in to Elastic
osTicket Server:
- This server processes alerts and converts them into tickets, allowing incident tracking and management.
- Tickets generated from alerts on the Elastic & Kibana server are sent here for response and resolution by analysts.
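The alert-to-ticket hand-off described for the Elastic & Kibana and osTicket servers, as an added example that is not part of this project's own code: it maps a constructed Kibana detection alert to the JSON body osTicket's ticket API expects (field names and the `/api/tickets.json` path are assumed from osTicket's API documentation) and suppresses duplicate tickets for an alert that fires more than once.

```python
import json
import urllib.request

# Constructed sample alert, shaped like an Elastic Security detection alert document.
SAMPLE_ALERT = {
    "kibana.alert.uuid": "constructed-uuid-0001",
    "kibana.alert.rule.name": "RDP Brute Force Attempt",
    "kibana.alert.severity": "high",
    "host.name": "managed-windows-server",
    "source.ip": "203.0.113.10",  # documentation address range, constructed
    "@timestamp": "2024-05-01T12:00:00.000Z",
}

# osTicket priority ids (1 = Low ... 4 = Emergency); this severity mapping is an assumption.
SEVERITY_TO_PRIORITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


class AlertTicketer:
    """Turns Kibana alerts into osTicket API requests, suppressing duplicate tickets."""

    def __init__(self, osticket_url: str, api_key: str):
        self.endpoint = osticket_url.rstrip("/") + "/api/tickets.json"  # assumed osTicket API path
        self.api_key = api_key
        self.seen = set()  # alert uuids already ticketed (in-memory; persist this in production)

    def to_ticket(self, alert: dict):
        """Return the osTicket JSON body for an alert, or None if it was already ticketed."""
        uid = alert["kibana.alert.uuid"]
        if uid in self.seen:
            return None
        self.seen.add(uid)
        sev = alert.get("kibana.alert.severity", "medium")
        return {
            "alert": True,          # notify agents by email
            "autorespond": False,   # no auto-reply to the synthetic requester
            "source": "API",
            "name": "Elastic Alerting",
            "email": "elastic-alerts@soc.example",  # placeholder requester address
            "subject": f"[{sev.upper()}] {alert['kibana.alert.rule.name']} on {alert['host.name']}",
            "priority": SEVERITY_TO_PRIORITY.get(sev, 2),
            "message": (f"Rule: {alert['kibana.alert.rule.name']}\nHost: {alert['host.name']}\n"
                        f"Source IP: {alert.get('source.ip', 'n/a')}\nTime: {alert['@timestamp']}\n"
                        f"Alert ID: {uid}"),
        }

    def build_request(self, alert: dict):
        """Prepare (but do not send) the HTTP request; urllib.request.urlopen(req) submits it."""
        body = self.to_ticket(alert)
        if body is None:
            return None
        return urllib.request.Request(
            self.endpoint, data=json.dumps(body).encode(), method="POST",
            headers={"X-API-Key": self.api_key, "Content-Type": "application/json"})
```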

osTicket Dashboard
Fleet Server:
- A central server for managing the agents deployed on various servers (Windows and Kali).
- It collects logs from managed agents and forwards them to the Elastic & Kibana server for further processing.
- Acts as an isolated component, focusing on log collection and agent management.
Managed Windows Server:
- This server has RDP (Remote Desktop Protocol) enabled and is managed within the VPC.
- Logs generated on this server are forwarded via an agent to the Fleet Server.
Managed Kali Server:
- A Kali Linux server, used for security testing and adversary simulations.
- This server is SSH-enabled and also forwards logs via an agent to the Fleet Server for centralized monitoring.
C2 Server (Mythic):
- A Command and Control (C2) server outside of the VPC, used for adversary emulation and attack simulations.
- It interacts with the Attacker Laptop (Kali Linux), providing control for the adversary's operations over the internet.

Mythic Agent
Attacker Laptop (Kali Linux):
- Operates outside the VPC, simulating an external attacker.
- Used for penetration testing and adversary actions controlled via the Mythic C2 server.
SOC Analyst:
- This component represents the Security Operations Center (SOC) analyst who monitors logs and alerts using the Kibana dashboard and manages incidents through the osTicket system.