A manufacturing company with multiple plants and OT/IT convergence needed a cost-effective Security Operations Center to gain visibility into threats and respond to incidents. They chose an open source SOC implementation to control costs while achieving 24/7 detection capability.
Scope: Log sources from firewalls, endpoints, servers, and key OT systems; SIEM and log aggregation; detection rules; incident response runbooks. Success criteria: critical log sources ingested, at least 20 detection rules deployed and tuned, team trained on triage and response.
We designed the architecture (Wazuh + Elastic Stack + Suricata), deployed in a phased approach, and created detection rules aligned to MITRE ATT&CK. Deliverables included:
| Component | Deliverable |
|---|---|
| Log aggregation | Elasticsearch + Logstash; connectors for firewall, Windows, Linux, key apps |
| SIEM / correlation | Wazuh manager; rules for auth failures, lateral movement, malware, data exfil |
| Network detection | Suricata IDS; rules tuned to reduce false positives |
| Runbooks | Incident response playbooks for top 10 scenarios |
During tuning we identified misconfigurations (e.g. excessive logging, missing log sources) and helped the client fix them. No vulnerability scan was in scope; the engagement focused on building detection and response.
"We now have 24/7 visibility and detected a breach attempt in the first week." — IT Director, Manufacturing
Prioritizing high-value log sources and a small set of high-fidelity rules accelerated time-to-value. For similar organizations: start with authentication, network, and critical app logs; plan for tuning; invest in runbooks and training.
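As an added illustration, not the engagement's own rule set, the kind of high-fidelity authentication-failure rule the table lists, written in Python: the same frequency/timeframe correlation a Wazuh rule performs, with an allowlist standing in for the tuning step. The log lines, thresholds and allowlisted host are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log sample (syslog format); not data from the engagement.
SAMPLE_LOGS = """\
Mar 10 08:00:01 plant1-srv sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:05 plant1-srv sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:00:09 plant1-srv sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:12 plant1-srv sshd[2214]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:00:15 plant1-srv sshd[2215]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:30:00 plant1-srv sshd[2300]: Failed password for operator from 10.10.5.20 port 40001 ssh2
Mar 10 08:30:02 plant1-srv sshd[2301]: Failed password for operator from 10.10.5.20 port 40002 ssh2
Mar 10 08:30:04 plant1-srv sshd[2302]: Failed password for operator from 10.10.5.20 port 40003 ssh2
Mar 10 08:30:06 plant1-srv sshd[2303]: Failed password for operator from 10.10.5.20 port 40004 ssh2
Mar 10 08:30:08 plant1-srv sshd[2304]: Failed password for operator from 10.10.5.20 port 40005 ssh2
Mar 10 09:00:00 plant1-srv sshd[2400]: Failed password for jdoe from 192.0.2.44 port 42000 ssh2
Mar 10 09:05:00 plant1-srv sshd[2401]: Failed password for jdoe from 192.0.2.44 port 42001 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

# Tuning knobs (assumed values): the frequency/timeframe pattern a Wazuh correlation rule uses.
FREQUENCY, TIMEFRAME = 5, 60   # 5 failures from one source within 60 seconds
ALLOWLIST = {"10.10.5.20"}     # constructed: internal scanner that would otherwise alert daily

def detect_brute_force(log_text, frequency=FREQUENCY, timeframe=TIMEFRAME, allowlist=ALLOWLIST):
    """One alert per burst of failures from a single source (MITRE ATT&CK T1110, Brute Force)."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] in allowlist:   # the allowlist is the tuning step
            continue
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")  # syslog has no year; assume one
        q = recent[m["src"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:   # slide the window forward
            q.popleft()
        if len(q) >= frequency:
            alerts.append({"src": m["src"], "count": len(q), "user": m["user"], "technique": "T1110"})
            q.clear()   # reset so one burst yields one alert rather than one per extra failure
    return alerts
```

Running it with the default allowlist yields a single alert for 203.0.113.7; removing the allowlist adds a second for the scanner host, which is the noise the tuning removes, while the two slow failures from 192.0.2.44 never cross the threshold.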
Get a free security assessment and see how we can bring your security posture to a manageable level.