Why this is a learning environment, and I say so
Let me be straight about what this is before I describe it. The networking in my lab runs my house for real. The SOC stack does not protect a company. It's a deliberate learning environment I stood up to understand how blue-team tooling fits together and to start building the muscle of actually working alerts, instead of just reading about them.
That distinction matters, because the gap between “I installed a SIEM” and “I can run one” is wide, and I'm somewhere in the middle of it. I'd rather tell you that plainly than pretend the dashboards make me an analyst. What I have done is build the pipeline end to end and start living in it. What I'm learning is the part that doesn't come from an install guide.
The pieces, and how they actually fit
The thing that didn't click until I built it is that these aren't separate products. They're layers of one pipeline: something has to see events, something has to collect and correlate them, something has to let me go look closer, and something has to turn a real one into a case. Each tool is one of those jobs.
Suricata is the network's eyes. It runs on the Proxmox host and listens on the bridge that every VLAN crosses, so it sees traffic across the whole lab, not just one segment. It matches that traffic against tens of thousands of rules and writes each match out to a log that is shipped onward. This is detection at the wire level: it doesn't care what a machine says it's doing, only what's actually on the network (and for encrypted sessions, only the metadata around them).
Wazuh is the hub, and the part I spend the most time in. It's a SIEM, which in practice means it's where everything lands. Agents on the hosts send their logs and file-integrity events. The firewall, the switch and the router send their syslog. Suricata's findings flow in. Wazuh takes all of that, runs it against its own rules, and turns a pile of raw events into something you can search and alert on in one place. If the lab has a brain, this is it.
Velociraptor is for when an alert makes you want to walk over to a machine and look. It's endpoint detection and response: agents sit on the hosts (and a Windows agent on my own PC), and from one console I can ask questions across all of them at once. What processes are running, what changed, what's where it shouldn't be. Wazuh tells me something looks off on a host; Velociraptor is how I go onto that host and find out.
TheHive and Cortex are the case-management layer, and the part I'm furthest behind on. The idea is that when an alert is real, it stops being a line in a dashboard and becomes a case you investigate and document, with Cortex pulling in reputation data from services like VirusTotal automatically. I'll be honest: TheHive 5 has been the most stubborn piece to keep running. It wants a whole Cassandra and Elasticsearch stack underneath it, and right now I run Cortex more than I run TheHive. That's a true state of things, not a tidy one.
AdGuard sits a little to the side as my DNS filter, but it earns its place here because DNS is one of the most useful things to watch. A lot of bad behaviour shows up first as a device asking for a domain it has no business asking for.
The part nobody warns you about: volume
Here's what installing the stack didn't teach me, and running it did. A SIEM with default rules doesn't hand you a clean list of threats. It hands you a firehose. On my own dashboard, the low-severity bucket alone is in the six figures over a single day, and the medium bucket is in the thousands. Almost all of it is noise: normal behaviour that a rule technically matches.
The actual skill, the one I'm slowly building, is separating signal from that. A high alert count isn't a sign the lab is under attack. It's a sign the rules aren't tuned to my environment yet, and tuning them, deciding what's normal here so the abnormal can stand out, turns out to be most of the job. I understood “alert fatigue” as a phrase before. Now I understand it as a thing that happens to you by Tuesday.
A real one, worked honestly
A useful example, because it's a real alert from my own lab and not a textbook one. Suricata flagged a DNS query from a device on my home VLAN to a .pw domain, tagged as likely hostile. That's exactly the kind of thing the whole stack exists to surface.
So I walked it. Which device made the request, from the DHCP leases. What the domain actually was. Whether it was a one-off or a pattern. Whether the device had any other noise around it. It turned out to be benign, a piece of software phoning a low-reputation domain rather than anything malicious, but that's not the point. The point is that the loop, see it in Suricata, pivot in Wazuh, identify the host, decide if it's worth more, is the loop an analyst runs all day, and the first few times I ran it I was slow and unsure which thread to pull first. I'm less slow now. That's the whole reason the lab exists.
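The volume problem and the triage loop above, run as code. This is an added example, mine rather than the author's and not taken from the post's GitHub notes: it parses a handful of constructed Suricata EVE JSON alert lines, tallies them by severity to show the noise split, lists the most frequent signatures (the first tuning candidates), pulls out the DNS alerts for a low-reputation TLD, attributes the source IP to a host through a constructed DHCP lease table, and checks whether the query is a one-off or a pattern and what else that host has been noisy about. The alert records, signature names, IPs, hostnames and the TLD watch-list are all invented for this example; the field layout follows Suricata's EVE alert output with DNS metadata attached.

```python
"""Added example: the triage loop from the post, over constructed EVE JSON.

Not the author's code. The alert records, signature names, IP addresses,
DHCP leases and the TLD watch-list below are invented for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed Suricata-style EVE records, one JSON object per line. The
# field layout (alert.signature, alert.severity, dns.query[].rrname) follows
# Suricata's EVE alert output; the contents are made up. Severity 1 is high.
EVE_LINES = r"""
{"timestamp":"2024-05-01T08:59:58","event_type":"flow","src_ip":"10.10.20.15","dest_ip":"10.10.1.1"}
{"timestamp":"2024-05-01T09:00:01","event_type":"alert","src_ip":"10.10.20.15","dest_ip":"10.10.1.1","app_proto":"dns","dns":{"query":[{"rrname":"cdn.example-updater.pw","rrtype":"A"}]},"alert":{"signature":"EXAMPLE DNS Query to .pw TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T09:00:02","event_type":"alert","src_ip":"10.10.20.15","dest_ip":"10.10.1.1","app_proto":"dns","dns":{"query":[{"rrname":"www.example.com","rrtype":"A"}]},"alert":{"signature":"EXAMPLE DNS Query Observed","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2024-05-01T09:00:05","event_type":"alert","src_ip":"10.10.20.42","dest_ip":"10.10.1.1","app_proto":"dns","dns":{"query":[{"rrname":"www.example.com","rrtype":"A"}]},"alert":{"signature":"EXAMPLE DNS Query Observed","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2024-05-01T09:30:01","event_type":"alert","src_ip":"10.10.20.15","dest_ip":"10.10.1.1","app_proto":"dns","dns":{"query":[{"rrname":"cdn.example-updater.pw","rrtype":"A"}]},"alert":{"signature":"EXAMPLE DNS Query to .pw TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:01","event_type":"alert","src_ip":"10.10.20.15","dest_ip":"10.10.1.1","app_proto":"dns","dns":{"query":[{"rrname":"cdn.example-updater.pw","rrtype":"A"}]},"alert":{"signature":"EXAMPLE DNS Query to .pw TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:05:00","event_type":"alert","src_ip":"10.10.20.42","dest_ip":"203.0.113.10","alert":{"signature":"EXAMPLE TLS Self-Signed Certificate","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2024-05-01T10:06:00","event_type":"alert","src_ip":"10.10.20.15","dest_ip":"203.0.113.10","alert":{"signature":"EXAMPLE Outbound HTTP to .pw Host","category":"Potentially Bad Traffic","severity":2}}
"""

# Constructed DHCP lease table: the "which device made the request" step.
DHCP_LEASES = {
    "10.10.20.15": {"mac": "02:00:00:00:00:15", "hostname": "media-box"},
    "10.10.20.42": {"mac": "02:00:00:00:00:42", "hostname": "laptop-kate"},
}

# Assumed watch-list: TLDs the rule set treats as low-reputation.
WATCH_TLDS = {"pw"}


def parse_eve(text):
    """Return only the alert records from EVE JSON lines; flow/dns/etc. are skipped."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                alerts.append(rec)
    return alerts


def severity_counts(alerts):
    """Alert volume per severity: the firehose view from the dashboard."""
    return Counter(a["alert"]["severity"] for a in alerts)


def top_signatures(alerts, n=3):
    """Most frequent signatures: the first candidates for tuning or suppression."""
    return Counter(a["alert"]["signature"] for a in alerts).most_common(n)


def queried_names(alert):
    """DNS names Suricata attached to the alert, if any."""
    return [q["rrname"] for q in alert.get("dns", {}).get("query", [])]


def dns_alerts_for_tlds(alerts, tlds):
    """(timestamp, src_ip, name) for alerts whose DNS query hits a watched TLD."""
    hits = []
    for a in alerts:
        for name in queried_names(a):
            if name.rsplit(".", 1)[-1].lower() in tlds:
                hits.append((a["timestamp"], a["src_ip"], name))
    return hits


def triage(alerts, leases, tlds):
    """The loop from the post: which host, one-off or pattern, what else is noisy there."""
    seen = defaultdict(list)
    for ts, ip, name in dns_alerts_for_tlds(alerts, tlds):
        seen[(ip, name)].append(ts)
    report = []
    for (ip, name), stamps in seen.items():
        lease = leases.get(ip, {"mac": None, "hostname": None})  # None if no lease matched
        # Everything else Suricata raised for this source, excluding the DNS hit itself
        other = Counter(a["alert"]["signature"] for a in alerts
                        if a["src_ip"] == ip and name not in queried_names(a))
        report.append({
            "src_ip": ip, "hostname": lease["hostname"], "mac": lease["mac"],
            "domain": name, "count": len(stamps),
            "first_seen": min(stamps), "last_seen": max(stamps),
            "other_signatures": dict(other),
        })
    return sorted(report, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    alerts = parse_eve(EVE_LINES)
    print("by severity:", dict(severity_counts(alerts)))
    print("tune first:", top_signatures(alerts))
    for row in triage(alerts, DHCP_LEASES, WATCH_TLDS):
        print(row)
```

On the constructed data the `.pw` query resolves to one host, `media-box`, asking three times over an hour, with a second `.pw`-related signature from the same source alongside it. That is the "pattern, not one-off" shape that justifies pivoting to the host itself; the code does not decide benign or malicious, it only gets you to the point where that decision is yours to make. Against a real lab you would read `eve.json` line by line instead of the embedded string and pull the lease table from the DHCP server.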
What building it taught me, and what running it is teaching me
Standing the stack up taught me how the parts connect, where the data flows, and a healthy respect for how much infrastructure sits under a single TheHive instance. That part I can do.
Running it is teaching me the harder thing, and the thing I actually want for the work I'm aiming at: that the tools are the easy 20 percent. The triage, the tuning, the judgement about what deserves attention and what's just the network being the network, that's the 80 percent, and it doesn't come from an install. It comes from sitting with the alerts.
This is a home lab and I'm a learner in it, and I'm not going to dress that up. But it's a real pipeline with real traffic running through it, and working it by hand, including the parts where I'm still slow, is the only way I know to build the instinct the certificates point at but can't give you. The setup and notes (sanitized) are on my GitHub.
