A multi-phase Blue Team lab series — from first alert to validated defense.
Series Introduction
Operation Iron Watch is my core detection engineering project: a hands-on, multi-phase SOC lab built entirely from scratch using physical and virtual infrastructure.
Each operation represents a full cycle of building, testing, breaking, and improving. The series follows a deliberate progression — from basic IDS visibility, to SIEM integration, to a hardened DMZ architecture with a validated detection pipeline. Every gap found in one operation becomes the objective of the next.
This is not a walkthrough of someone else’s lab. Every architecture decision, every detection rule, and every troubleshooting arc is my own — documented with evidence, diagrams, and postmortems.
What This Series Covers
- Network architecture design (LAN, DMZ, WAN segmentation)
- IDS/IPS deployment and tuning (Snort, Suricata)
- SIEM implementation and log pipeline engineering (Graylog, rsyslog)
- Detection rule development and validation (HTTP Flood, SYN Flood, ICMP Flood)
- Attack simulation and gap analysis
- End-to-end incident investigation with evidence collection
- MITRE ATT&CK mapping
Operations
IW01 — First Contact
The foundation. Basic IDS deployment, first detection capabilities, initial network visibility.
Deployed Snort IDS for the first time and established baseline detection — proving that attacks hitting the network could be seen. No SIEM, no correlation — just raw alerting and learning how detection works at the packet level.
IW02 — Blind Spots
SIEM integration reveals what you can see — and what you can’t.
Introduced Graylog as a SIEM, ingesting Apache2 access logs from the web server. Built a detection rule for HTTP 404 spikes. But when an SSH compromise occurred, it was invisible — because auth.log was never ingested. This gap became the driving objective for IW03.
IW03 — Forging the Shield
Full DMZ architecture, hardened log pipeline, and a validated detection suite.
The most substantial operation in the series. Designed and built a three-zone DMZ network with a dedicated firewall VM, physical switch, and Raspberry Pi web server running Apache2 and Suricata IDS. Engineered a complete log pipeline (Suricata EVE JSON → rsyslog → rsyslog relay → Graylog) and developed a DDoS Detection Suite with three validated detection rules covering HTTP Flood (L7), SYN Flood (L4), and ICMP Flood (L3).
Key arcs: IP conflict resolution, rsyslog RainerScript rewrite, Pi clock sync, Suricata EVE parsing via two-extractor chain, and ICMP detection redesign from flow-based to Suricata-rule-based.
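As an added illustration of the IW03 stages above (the EVE JSON parsing and the three flood detectors, including ICMP handled as a Suricata-rule match rather than a flow count), the following Python is not code from the lab; it consumes Suricata EVE lines, applies sliding-window thresholds for the L7 HTTP and L4 SYN floods, and flags ICMP on the alert signature. The thresholds, the rule name `LAB ICMP flood`, and the sample event stream are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
WINDOW = timedelta(seconds=10)                    # illustrative, not the lab's tuned value
THRESHOLDS = {"http_flood": 20, "syn_flood": 20}  # events per source per WINDOW
ICMP_SIG = "LAB ICMP flood"   # msg of an assumed Suricata rule that thresholds on its own
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"                 # Suricata EVE timestamp layout

def parse_eve(text):  # newline-delimited EVE JSON; blank or malformed lines are skipped
    events = []
    for line in filter(str.strip, text.splitlines()):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            pass  # one truncated record must not stall the pipeline
    return events

def classify(ev):
    """Map one EVE record to the detector it feeds (L7, L4 or L3), or None."""
    et = ev.get("event_type")
    if et == "http":
        return "http_flood"
    if et == "flow" and ev.get("proto") == "TCP" and ev.get("flow", {}).get("state") == "new":
        return "syn_flood"   # SYN seen, handshake never completed
    if et == "alert" and ev.get("alert", {}).get("signature") == ICMP_SIG:
        return "icmp_flood"  # the counting already happened inside the Suricata rule
    return None

def detect(events):  # returns {(detector, src_ip)} for sources over threshold within WINDOW
    seen, hits = defaultdict(list), set()
    for ev in events:
        kind, src = classify(ev), ev.get("src_ip")
        if kind == "icmp_flood":
            hits.add((kind, src))
        elif kind is not None:
            q = seen[(kind, src)]
            q.append(datetime.strptime(ev["timestamp"], TS_FMT))
            while q[-1] - q[0] > WINDOW:   # sliding window: forget older events
                q.pop(0)
            if len(q) >= THRESHOLDS[kind]:
                hits.add((kind, src))
    return hits

# Constructed sample stream (not real lab traffic): HTTP flooder, quiet client, SYN flooder, ICMP alert, junk line.
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
def _ev(i, src, **extra):
    return json.dumps({"timestamp": (T0 + timedelta(milliseconds=200 * i)).strftime(TS_FMT), "src_ip": src, **extra})
SAMPLE_EVE = "\n".join(
    [_ev(i, "198.51.100.5", event_type="http", http={"url": "/"}) for i in range(25)]
    + [_ev(i, "198.51.100.6", event_type="http", http={"url": "/"}) for i in range(3)]
    + [_ev(i, "198.51.100.8", event_type="flow", proto="TCP", flow={"state": "new"}) for i in range(20)]
    + [_ev(0, "198.51.100.7", event_type="alert", proto="ICMP", alert={"signature": ICMP_SIG}), "{not json"])
```

Running `detect(parse_eve(SAMPLE_EVE))` flags the HTTP flooder, the SYN flooder and the ICMP source while leaving the three-request client alone; the same structure maps directly onto a Graylog extractor plus an event definition per detector.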