Field Notes · June 2026

Enterprise SOC Home Lab

An enterprise-inspired home lab combining segmented network infrastructure, Active Directory, endpoint telemetry, network IDS, centralized monitoring, and security automation.

WazuhOPNsenseSuricataSysmonActive Directory

Executive Summary

I built the Enterprise SOC Home Lab to develop cybersecurity and Network Engineering skills on infrastructure I configure, monitor, test, and troubleshoot directly. The environment combines physical networking equipment, Proxmox virtualization, segmented VLANs, Active Directory, Windows and Linux systems, endpoint telemetry, network intrusion detection, and centralized security monitoring.

Wazuh is the primary SIEM/XDR platform. Sysmon provides detailed Windows endpoint telemetry, while Suricata runs on OPNsense for network intrusion detection. Both telemetry paths are integrated into Wazuh for centralized monitoring and analysis. A dedicated Kali Linux environment supports controlled attack simulation within an isolated VLAN.

Architecture Overview

Executive SOC home lab architecture showing the Internet and modem feeding OPNsense, UniFi switching, Proxmox workloads, wireless infrastructure, Cisco lab switching, and Sysmon and Suricata telemetry flowing into Wazuh. — Executive view of the currently deployed network, compute, and security telemetry paths.

Technical Architecture

Technical SOC home lab architecture showing management addressing, Proxmox virtual machines, VLANs 10 through 70, MoCA and UniFi network paths, telemetry flows into Wazuh, Kali detection validation, and future technologies marked as not deployed. — Technical view of management addressing, VLAN segmentation, workloads, physical network paths, telemetry flow, and the not-yet-deployed roadmap.

Objectives

Develop practical experience with enterprise-inspired network segmentation and firewall policy.
Operate Active Directory, Windows Server, Windows 11, and Linux systems in a controlled environment.
Centralize Sysmon endpoint telemetry and Suricata network alerts in Wazuh.
Monitor network activity with Suricata on OPNsense.
Practice controlled attack simulation from an isolated Kali Linux environment.
Explore repeatable Security Operations and automation with n8n.

Hardware Overview

Dell PowerEdge T440: primary compute platform for virtualized lab workloads.
Intel N100 firewall appliance: dedicated OPNsense routing and security platform.
UniFi Switch Lite infrastructure: switching and VLAN connectivity.
Cisco Catalyst switching: physical platform used for CCNA studies and practical networking exercises including switching, VLANs, trunking, spanning tree, EtherChannel, routing concepts, and network troubleshooting.
UniFi U6 Mesh and U6+: wireless infrastructure for segmented network access.

Virtualization Architecture

Proxmox hosts the lab’s virtual systems, including Windows Server, Windows 11, Kali Linux, and security workloads. Active Directory provides the lab’s Windows identity and domain environment. OPNsense remains on dedicated hardware so routing, firewall policy, and Suricata monitoring are separated from the primary virtualization host.

This design lets me work across server administration, identity, networking, endpoint monitoring, and network security without presenting the environment as a production enterprise deployment.

VLAN Architecture

VLAN	Purpose	Subnet
10	Management	`10.10.10.0/24`
20	Servers	`10.10.20.0/24`
30	Workstations	`10.10.30.0/24`
40	Attack	`10.10.40.0/24`
50	Home	`10.10.50.0/24`
60	Guest	`10.10.60.0/24`
70	IoT	`10.10.70.0/24`

OPNsense handles inter-VLAN routing and firewall administration. The design separates management, server, workstation, attack, household, guest, and IoT traffic so access policies and troubleshooting can be approached by trust boundary and use case. DHCP, DNS, switching, and wireless connectivity are part of the lab’s networking practice.

Security Tooling

Wazuh: primary SIEM/XDR platform for centralized security monitoring.
Sysmon: deployed on Windows endpoints, with its detailed process and system telemetry integrated into Wazuh.
Suricata: running on OPNsense, with network IDS alerts integrated into Wazuh.
Action1: endpoint management within the lab environment.
n8n: used for security automation initiatives and workflow development.
Active Directory: identity and Windows domain services for administration and security testing.

Detection & Monitoring Capabilities

Windows endpoints send Sysmon telemetry to Wazuh, and Suricata sends network IDS alerts from OPNsense to the same centralized monitoring platform. The collected data supports investigation of authentication activity, process creation, PowerShell execution, service installation events, broader endpoint activity, and network IDS alerts.

Controlled testing originates from the Kali system on the dedicated attack VLAN. I use that activity to validate detections, identify visibility gaps, and develop Threat Hunting skills by comparing endpoint and network evidence in Wazuh. This is a controlled learning environment rather than enterprise-scale monitoring coverage.

Attack Simulation Environment

Kali Linux provides the attack simulation platform on VLAN 40. Keeping attack infrastructure on a dedicated VLAN supports controlled testing and reinforces segmentation, routing, firewall, and monitoring concepts. Testing remains limited to systems I own and administer inside the lab.

Lessons Learned

VLAN tagging mistakes can prevent clients from reaching the intended DHCP scope, making switch-port configuration an essential part of troubleshooting apparent addressing failures.
Trunk and access port mismatches require validating the full path between endpoints, switch uplinks, access points, and OPNsense rather than troubleshooting each device in isolation.
Migrating from Netgear switching to UniFi switching required revalidating VLAN assignments, tagged uplinks, and access-port behavior instead of assuming configurations would translate directly between platforms.
Running Suricata on OPNsense reduced the need to maintain a separate sensor VM and kept network inspection alongside the firewall and routing configuration.
Segmentation improves isolation but introduces operational dependencies across VLAN tagging, DHCP, DNS, routing, and firewall policy that must be documented and tested together.
Combining Sysmon endpoint telemetry with Suricata network alerts provides more investigative context than relying on either telemetry source alone.

Operational Evidence

The screenshots below document the currently deployed virtualization, network segmentation, switching, intrusion detection, and server hardware. Select an image to open the full-resolution view.

Proxmox VE inventory showing the T440 node and Active Directory, Windows workstation, SIEM, and Kali virtual machines. — **Proxmox Virtualization Inventory** Proxmox VE hosting lab workloads including Active Directory, Windows workstation, Kali attack simulation, and Wazuh monitoring systems.

OPNsense Suricata alerts table showing network scan and suspicious DNS alerts on monitored interfaces. — **OPNsense Suricata IDS Alerts** Suricata running on OPNsense generating IDS alerts from monitored network traffic, including scan and suspicious DNS activity.

UniFi Network settings showing wireless networks and VLAN mappings for management, home, guest, IoT, workstation, and server networks. — **UniFi VLAN and Wireless Segmentation** UniFi Network configuration showing segmented wireless and network mappings for management, home, guest, IoT, workstation, and server VLANs.

UniFi managed device inventory listing two switches, two wireless access points, and a Cloud Key. — **UniFi Managed Device Inventory** Managed UniFi switching, wireless access points, and Cloud Key infrastructure used for centralized network administration.

UniFi core switch port map showing the upstairs switch uplink, U6 Mesh access point, MagicJack, Cloud Key, and OPNsense uplink. — **UniFi Core Switch Port Mapping** Core switch port view showing uplinks, PoE devices, Cloud Key connectivity, MagicJack, and OPNsense firewall uplink.

UniFi upstairs switch port map showing Cisco Catalyst, T440 server, U6+ access point, SPAN test port, iDRAC, and MoCA uplink connections. — **UniFi Upstairs Switch Port Mapping** Upstairs switch port view showing Cisco Catalyst lab switch, Dell PowerEdge T440 server, U6+ access point, iDRAC management, MoCA uplink, and SPAN testing port.

Dell iDRAC memory overview for the PowerEdge T440 showing installed memory capacity and DIMM details. — **Dell iDRAC Hardware Overview** Dell iDRAC hardware management view showing the PowerEdge T440 platform used as the primary Proxmox compute host.

Wazuh dashboard evidence remains planned future content and is not included in the current evidence set.

Future Improvements

Add Zeek as a network visibility enhancement.
Evaluate OpenCTI and MISP for threat intelligence workflows.
Continue developing n8n security automation workflows.
Explore Microsoft Sentinel and additional Entra ID and hybrid identity projects.
Develop Splunk familiarity as an area of future interest.
Expand documented Detection Engineering and Threat Hunting exercises as the lab evolves.
Build Active Directory attack-and-defend scenarios.
Develop Sigma-based detections and validation exercises.
Publish documented Threat Hunting case studies.
Add additional automation workflows through n8n.