Role: Cybersecurity Engineer Intern
Duration: 8 Weeks
Project Type: End-to-End Security Monitoring and Automation with Open Source Tools
During this internship, I developed a complete open-source Security Operations Center (SOC) stack designed for real-time threat detection, enrichment, and automated response. The project was implemented in a simulated enterprise environment and combined multiple tools across SIEM, EDR, SOAR, and threat intelligence domains to achieve comprehensive monitoring and automation.
A detailed SOC architecture diagram representing the integration of various components in the pipeline.
- Installed and configured Wazuh 4.12 on an Ubuntu server.
- Deployed agents on both Linux and Windows endpoints.
- Collected system logs, audit logs, and database logs from MariaDB and PostgreSQL.
- Configured custom log forwarding using rsyslog and JSON exporters for structured parsing.
- Integrated MISP and VirusTotal to enrich alerts with external intelligence.
- Supported enrichment for file hashes, IP addresses, and even filenames.
- Alerts in Wazuh were automatically cross-referenced against these sources to provide added context and threat severity indicators.
- Developed automated workflows in Shuffle (v1.4.0) to process security alerts.
- Parsed Indicators of Compromise (IOCs) using JSONPath.
- Queried MISP and VirusTotal for enrichment and sent alerts via Slack and email when a match was found.
- Helped reduce manual effort and improved response time to potential threats.
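The enrichment step described above, as an added example that is not code from the internship lab: a Wazuh-style alert is parsed, its IOCs (file hash, source IP, filename) are extracted, and each one is cross-referenced against an indicator set before the severity and notify decision is made. Assumptions: the alert key names follow the usual Wazuh `alerts.json` layout (`rule`, `agent`, `data`, `syscheck`, `full_log`) but every value is constructed; the `KNOWN_BAD` dictionary stands in for the MISP and VirusTotal responses; and `get_path` is a minimal dotted-path helper standing in for the JSONPath step in Shuffle.

```python
"""Added example: IOC extraction and enrichment for a Wazuh-style alert.
All data below is constructed; KNOWN_BAD stands in for MISP / VirusTotal."""
import ipaddress
import json
import posixpath
import re

HEX64 = re.compile(r"\b[0-9a-f]{64}\b")
# Constructed indicator: a well-formed SHA-256 that is not a real sample.
FAKE_SHA256 = "0123456789abcdef" * 4

# Constructed alert; key names follow the Wazuh alerts.json layout, values are invented.
SAMPLE_ALERT = json.dumps({
    "rule": {"id": "554", "level": 7, "description": "File added to the system.",
             "mitre": {"id": ["T1105"]}},
    "agent": {"name": "web-01"},
    "data": {"srcip": "203.0.113.45"},
    "syscheck": {"path": "/tmp/update.sh", "sha256_after": FAKE_SHA256},
    "full_log": f"sha256={FAKE_SHA256} fetched from 203.0.113.45",
})
BENIGN_ALERT = json.dumps({
    "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
    "agent": {"name": "db-01"},
    "data": {"srcip": "10.0.0.5"},
})

# Constructed threat-intel set: IOC type -> {indicator: source label}.
KNOWN_BAD = {
    "sha256": {FAKE_SHA256: "misp:event-1"},
    "ip": {"203.0.113.45": "virustotal:malicious"},
    "filename": {"mimikatz.exe": "misp:tool-list"},
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def get_path(obj, path):
    """Minimal dotted-path lookup; stands in for the JSONPath step in Shuffle."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def worth_lookup(addr):
    """Skip internal and special-purpose addresses: no TI source will know them."""
    return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified or any(addr in net for net in RFC1918))


def extract_iocs(alert):
    """Return sha256 / ip / filename sets from structured fields and the raw log line."""
    iocs = {"sha256": set(), "ip": set(), "filename": set()}
    for field in ("syscheck.sha256_after", "syscheck.sha256_before"):
        value = get_path(alert, field)
        if value:
            iocs["sha256"].add(value.lower())
    # Also catch hashes that only appear in the raw line (decoder gaps happen).
    iocs["sha256"].update(HEX64.findall(alert.get("full_log", "").lower()))
    for field in ("data.srcip", "data.dstip"):
        value = get_path(alert, field)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # malformed value: never forward garbage to an external API
        if worth_lookup(addr):
            iocs["ip"].add(str(addr))
    path = get_path(alert, "syscheck.path")
    if path:
        iocs["filename"].add(posixpath.basename(path).lower())
    return iocs


def enrich(iocs, intel):
    """Cross-reference every IOC against the indicator set and return the hits."""
    return [{"type": kind, "value": v, "source": intel[kind][v]}
            for kind, values in iocs.items()
            for v in sorted(values) if v in intel.get(kind, {})]


def triage(alert_json, intel=KNOWN_BAD):
    """Full pipeline: parse -> extract -> enrich -> severity and notify decision."""
    alert = json.loads(alert_json)
    iocs = extract_iocs(alert)
    matches = enrich(iocs, intel)
    level = get_path(alert, "rule.level") or 0
    if matches or level >= 12:
        severity = "high"
    elif level >= 7:
        severity = "medium"
    else:
        severity = "low"
    return {
        "agent": get_path(alert, "agent.name"),
        "rule_id": get_path(alert, "rule.id"),
        "mitre": get_path(alert, "rule.mitre.id") or [],
        "iocs": {k: sorted(v) for k, v in iocs.items()},
        "matches": matches,
        "severity": severity,
        "notify": bool(matches),  # Slack / email only fire on a threat-intel hit
    }


def summary_line(enriched):
    """One-line text for the Slack / email notification."""
    hits = ", ".join(f"{m['type']}={m['value'][:16]} ({m['source']})" for m in enriched["matches"])
    return (f"[{enriched['severity'].upper()}] rule {enriched['rule_id']} on {enriched['agent']} "
            f"MITRE {','.join(enriched['mitre']) or '-'}: {hits or 'no TI match'}")


if __name__ == "__main__":
    print(summary_line(triage(SAMPLE_ALERT)))
    print(summary_line(triage(BENIGN_ALERT)))
```

Two design points carry over to a real workflow: the IP filter keeps RFC 1918 and loopback addresses away from external lookups (they waste API quota and leak internal topology), and `notify` is tied to a confirmed indicator match rather than to the raw rule level, which is what keeps the Slack channel quiet on ordinary level-7 file changes.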
- Deployed Velociraptor for endpoint telemetry and forensic investigation.
- Queried endpoints for process activity, registry changes, startup scripts, and persistence mechanisms.
- Enabled live threat hunting and anomaly detection directly from the SOC.
- Monitored authentication logs (/var/log/auth.log) for brute-force attempts.
- Automatically blocked offending IP addresses using Fail2Ban.
- Integrated these alerts into Wazuh for centralized monitoring.
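The brute-force detection that Fail2Ban performs on /var/log/auth.log, reimplemented as an added example (not the lab's configuration or Fail2Ban's own code) so the sliding-window logic is visible: each failed sshd login is parsed, failures are counted per source IP inside a `findtime` window, and an IP that reaches `maxretry` failures is recorded as banned; a `ban_event` helper shapes the result as a JSON record of the kind one would forward to Wazuh. The log lines, hostnames and addresses are constructed; the 2024 year supplied to the parser is an assumption because syslog timestamps carry none.

```python
"""Added example: Fail2Ban-style brute-force detection over sshd auth.log lines.
The log excerpt is constructed for this example, not taken from the lab."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed auth.log excerpt: one noisy source, one slow source, one successful login.
SAMPLE_AUTH_LOG = [
    f"Jul 10 12:00:{s:02d} web-01 sshd[2311]: Failed password for invalid user admin "
    f"from 203.0.113.9 port 51234 ssh2" for s in (1, 11, 21, 31, 41, 51)
] + [
    "Jul 10 12:05:00 web-01 sshd[2340]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Jul 10 12:06:00 web-01 sshd[2341]: Accepted password for deploy from 10.0.0.4 port 40200 ssh2",
    "Jul 10 12:17:00 web-01 sshd[2355]: Failed password for root from 198.51.100.7 port 40130 ssh2",
    "Jul 10 12:29:00 web-01 sshd[2370]: Failed password for root from 198.51.100.7 port 40141 ssh2",
    "Jul 10 12:41:00 web-01 sshd[2388]: Failed password for root from 198.51.100.7 port 40152 ssh2",
]


def parse_failures(lines, year=2024):
    """Yield (timestamp, ip, user) per failed-login line; syslog has no year, so one is supplied."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bruteforce(lines, maxretry=5, findtime=600):
    """Sliding window like Fail2Ban's sshd jail: ban once an IP reaches
    maxretry failures within findtime seconds. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    bans = {}
    for ts, ip, user in parse_failures(lines):
        if ip in bans:
            continue  # already banned; later lines from it are just noise
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            bans[ip] = {"first_seen": window[0], "last_seen": ts,
                        "failures": len(window), "last_user": user}
    return bans


def ban_event(ip, info, host="web-01"):
    """JSON-ready record to forward to Wazuh so the ban is visible in the SIEM."""
    return {"event": "fail2ban_ban", "host": host, "srcip": ip,
            "failures": info["failures"],
            "window_start": info["first_seen"].isoformat(),
            "window_end": info["last_seen"].isoformat()}


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ban_event(ip, info))
```

With the defaults (five failures in ten minutes) only the fast source trips the ban; the slow source, spacing its attempts twelve minutes apart, never holds more than one failure in the window. Widening `findtime` to 1800 seconds and lowering `maxretry` to 3 catches it too, which is the trade-off to tune against false positives from users who mistype a password a few times over a long session.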
- Used Atomic Red Team to simulate real-world attack techniques (e.g., credential dumping).
- Validated Wazuh’s detection rules and confirmed alert generation for mapped MITRE ATT&CK techniques.
- Fine-tuned detection rules for high-fidelity alerts and low false positives.
- Built detailed dashboards using Kibana for:
  - Endpoint activity (Linux and Windows)
  - Threat intelligence matches
  - Brute-force detections
  - Red team simulation alerts and their correlation
- SIEM: Wazuh
- EDR: Velociraptor
- SOAR: Shuffle
- Threat Intelligence: MISP, VirusTotal
- Active Defense: Fail2Ban
- Simulated Attacks: Atomic Red Team
- Databases Monitored: MariaDB, PostgreSQL
- Languages & Tools: Python, Bash, Sysmon, Kibana
- Developed a fully functional SOC prototype using entirely open-source components.
- Achieved end-to-end automation from threat detection to response, integrating Wazuh with Shuffle.
- Gained hands-on experience across the SOC pipeline—SIEM tuning, SOAR workflows, threat hunting, and EDR telemetry.
- Designed dashboards that communicate key insights, threat activity, and mitigation coverage to both technical and non-technical stakeholders.
With the core project complete, I plan to expand this lab into a long-term personal learning and demonstration platform:
| Focus Area | Next Steps |
|---|---|
| Project Expansion | Refactor the lab for modularity, making it easier to replicate or share |
| Containerization | Dockerize all major components for simplified deployment and scalability |
| Advanced Visualization | Explore integrations with Grafana and enhanced Kibana dashboards |
| Automation Workflows | Create bidirectional Shuffle workflows for actions like automatic blocking |
| Alert Triage | Integrate TheHive or Cortex for structured alert and IOC management |
| Behavioral Detection | Deepen Velociraptor integration to build behavioral baselines |
| Red Team Testing | Simulate advanced multi-stage attack chains using MITRE ATT&CK |
| Community Contribution | Publish setup guides and walkthroughs to give back to the community |
| Skill Development | Prepare for certifications like CompTIA Security+, SOC Level 2, and more |
This internship provided a transformative learning experience. It not only strengthened my interest in blue teaming and detection engineering, but also introduced me to the broader ecosystem of SOC operations. Working hands-on with open-source tools allowed me to understand the complexities of threat detection and incident response from both technical and operational perspectives.
Asmit Desai
LinkedIn Profile
Open to collaborations, mentorship, or opportunities in cybersecurity.