soc-stack

WIP

One-command SOC lab on Proxmox.

GitHub repo → self-hosted · run from source · 6 components · 5 cross-wirings · ~30m full deploy · MIT license

WHAT IT DOES

SOC Stack runs one command on a Proxmox VE host and, roughly 30 minutes later, hands you a working Security Operations Center: Wazuh (SIEM/XDR), TheHive + Cortex (case management + SOAR), MISP (threat intel), Zeek + Suricata (NSM + IDS), custom dashboards, and 9 MCP servers, all wired up and talking to each other. Each component runs in its own dedicated LXC.

It is non-interactive by default, idempotent, and emits JSON for agents, so an AI agent can SSH into a Proxmox host and one-shot a SOC. Exit codes are stable (0 success, 1 preflight, 2 validation, 3 component failed, 4 integration failed, 5 mixed state), and re-running with the same flags skips anything already deployed.

Generated credentials are root-only, result JSON is redacted by default, and MCP servers bind to localhost unless you pass --mcp-bind-host 0.0.0.0.

Status: work in progress. v1.0.0 has all 6 components and 5 cross-component integrations verified end-to-end on Proxmox VE, with self-hosted CI on every PR. It is a self-hosted installer, not an MCP server, so there is no AI-client config block: you run it on the host. It is not published to a package registry.

RUNNING IT

Prerequisites: a Proxmox VE 7.x / 8.x / 9.x host with root access, a bridge (default vmbr0) and storage pool (auto-detected), outbound HTTPS, and roughly 12 GB free RAM plus 150 GB free disk for the full stack at the minimal preset. The installer auto-installs jq, curl, wget, and openssl if missing.

Full stack, sensible defaults, one command on the Proxmox host:

$ curl -sSL https://raw.githubusercontent.com/solomonneas/soc-stack/main/install.sh | sudo bash

Custom subset, with bridge and storage pinned:

$ curl -sSL https://raw.githubusercontent.com/solomonneas/soc-stack/main/install.sh | sudo bash -s -- \
    --components wazuh,thehive-cortex,misp \
    --preset standard \
    --bridge vmbr0 --storage local-lvm

Agent-driven, fully non-interactive with structured output:

$ curl -sSL https://raw.githubusercontent.com/solomonneas/soc-stack/main/install.sh | sudo bash -s -- \
    --components all --preset minimal \
    --bridge vmbr0 --storage local-lvm --ip-mode dhcp \
    --json-out /root/soc-stack.json \
    --mcp-config-out /root/mcp-clients.json

After install, /root/soc-stack.json lists every component's LXC VMID, IP, ports, endpoints, and secret file paths (passwords redacted by default), and /root/mcp-clients.json is a paste-ready mcpServers block for your MCP client. Validate first with --dry-run; redeploy a component with --force.
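A post-install check an operator might run against the result file, written here as an added example and not the project's own code: it maps the documented exit codes to their meaning, flags MCP endpoints whose host is not loopback (the page says they bind to localhost unless --mcp-bind-host is overridden), and reports secret values that escaped redaction or secret files that are group- or world-readable. The JSON layout in SAMPLE_RESULT and the field names it checks are assumptions; the page does not reproduce the real schema.

```python
import json
import os
import stat
from urllib.parse import urlparse

# Installer exit codes as documented on this page.
EXIT_CODES = {0: "success", 1: "preflight", 2: "validation",
              3: "component failed", 4: "integration failed", 5: "mixed state"}

# Constructed sample in an ASSUMED shape of /root/soc-stack.json; the
# real schema is not shown on the page. Values are made up for the demo.
SAMPLE_RESULT = json.loads("""
{"components": {
  "wazuh": {"vmid": 9101, "ip": "10.0.0.11", "ports": [443, 1514, 1515, 55000],
            "endpoints": {"dashboard": "https://10.0.0.11/"},
            "secrets": {"admin_password_file": "/root/.soc-stack/wazuh-admin"},
            "admin_password": "<redacted>"},
  "mcp":   {"vmid": 9106, "ip": "10.0.0.16", "ports": [3001, 3002],
            "endpoints": {"wazuh": "http://127.0.0.1:3001/sse",
                          "thehive": "http://0.0.0.0:3002/sse"},
            "secrets": {"env_file": "/root/.soc-stack/mcp.env"},
            "api_key": "hunter2"}
}}""")

SECRET_FIELDS = ("password", "api_key", "secret", "token")


def classify_exit(code):
    """Map the installer's stable exit code to its documented meaning."""
    return EXIT_CODES.get(code, "unknown")


def exposed_mcp_endpoints(result):
    """Names of MCP endpoints whose host is not loopback (reachable off-host)."""
    endpoints = result["components"].get("mcp", {}).get("endpoints", {})
    return sorted(name for name, url in endpoints.items()
                  if urlparse(url).hostname not in ("127.0.0.1", "localhost", "::1"))


def unredacted_secrets(result):
    """(component, field) pairs where a secret-looking string is not redacted."""
    return [(comp, field)
            for comp, data in result["components"].items()
            for field, value in data.items()
            if any(k in field for k in SECRET_FIELDS)
            and isinstance(value, str) and not value.startswith("<redacted")]


def loose_secret_files(result):
    """Existing secret files readable by group or others (expected mode 0600)."""
    paths = [p for data in result["components"].values()
             for p in data.get("secrets", {}).values()]
    return [p for p in paths if os.path.exists(p)
            and os.stat(p).st_mode & (stat.S_IRWXG | stat.S_IRWXO)]
```

Run it with the real /root/soc-stack.json in place of SAMPLE_RESULT; an empty list from each check is the expected state after a default install.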

COMPONENTS

Six components, each in its own dedicated LXC. Deploy them independently or together; the orchestrator handles VMID allocation, networking, idempotency, and cross-component wiring. LXC sizes shown are the minimal preset.

wazuh
Wazuh Manager, Indexer, Dashboard · 2 vCPU / 2 GB / 30 GB · ports 443, 1514, 1515, 55000
thehive-cortex
TheHive 5.4, Cortex 3.1.8, Elasticsearch 7.17, Cassandra 4.1 · 2 vCPU / 4 GB / 30 GB · ports 9000, 9001
misp
MISP, MariaDB 10.11, Redis 7, misp-modules · 1 vCPU / 2 GB / 20 GB · port 443
zeek-suricata
Zeek (NSM), Suricata (IDS/IPS) · 1 vCPU / 2 GB / 20 GB · port 47760
dashboards
Bro Hunter + Playbook Forge behind nginx · 1 vCPU / 1 GB / 10 GB · ports 80, 5174, 5177
mcp
9 MCP servers (wazuh, thehive, cortex, misp, zeek, suricata, mitre, rapid7, sophos) over SSE via mcp-proxy · 1 vCPU / 1 GB / 10 GB · ports 3001-3009

CROSS-COMPONENT WIRING

Configured automatically after all components deploy, so the SOC is integrated rather than six tools sharing a host.

Wazuh → TheHive
Wazuh alerts at level 8+ forward to TheHive as alerts via a custom Python integration.
TheHive ↔ Cortex
TheHive's Cortex connector points at the local Cortex with an org-scoped API key.
MISP → Suricata
Hourly cron pulls Snort/Suricata rules from MISP's restSearch endpoint into Suricata's update.d.
Zeek → Wazuh
A Wazuh agent in the zeek-suricata LXC forwards conn / dns / http / ssl / notice logs to the manager.
MCP ← all peers
Each MCP server's env file is populated with its tool's URL + API key from peer state.