Building a Modern Cybersecurity Monitoring & Response System

A Practical Architecture Using Wazuh, SOAR, and Threat Intelligence

Why most security projects fail before they start

Many organizations want “better security”, but what they usually get is:

Too many alerts, no action
Expensive tools nobody understands
Security dashboards that look good but don’t protect anything
A system that depends on a few individuals’ knowledge

The real problem is not tools.
It’s system design.

This article explains how we design a production-ready cybersecurity monitoring & response system—one that is practical, auditable, and automatable—and why this architecture works in the real world.

The real objective (not marketing buzzwords)

The goal is not “installing SIEM” or “using AI”.

The real objectives are:

Detect real threats, not noise
Know who must respond, and when
React fast before damage spreads
Keep evidence for audit & investigation
Stay flexible and vendor-neutral

This is a system engineering problem, not a product selection problem.

The architecture philosophy

We deliberately separate responsibilities.

Detection ≠ Automation ≠ Escalation ≠ Investigation

Each part must do one job extremely well.

The core stack we use (and why)

System architecture overview

graph TD
    A["Endpoints / Servers / Cloud"] --> B["Wazuh Agent"]
    B --> C["Wazuh Manager (SIEM/XDR)"]
    C --> D["Shuffle SOAR"]
    D -->|Create / Update Incident| E["DFIRTrack"]
    D -->|SEV-1 / SEV-2| F["PagerDuty"]
    D -->|Automated Response| G["Firewall / DNS / IAM / EDR"]

    F --> H["On-call Engineer"]

This diagram shows how detection, automation, escalation, and investigation are cleanly separated but tightly integrated.

1. Detection layer — Wazuh

Wazuh acts as the security sensor network:

Collects logs from:
- Firewall
- DNS
- IDS / IPS
- VPN
- Servers & endpoints
Normalizes events
Applies correlation rules

Wazuh answers:
“Something suspicious happened. What is it?”

We do not overload Wazuh with business logic.
Its job is detection, not decision-making.

2. Automation & decision layer — SOAR (Shuffle)

Once something is detected, we need logic:

Is this serious?
Is this known malicious?
Should we block, alert, or just log?

This is where SOAR comes in.

Shuffle allows us to build explicit security playbooks:

Threat-intelligence enrichment
Severity calculation
Conditional response
System-to-system orchestration

Shuffle answers:
“What should we do next?”

This is where engineering experience matters most.

3. Guaranteed human response — PagerDuty

Automation is powerful—but humans are still responsible.

PagerDuty ensures:

The right person is notified
Escalation happens if no one responds
Response time is measurable (SLA)

PagerDuty answers:
“Who is responsible right now?”

This is the difference between alerts and accountability.

4. Investigation & audit trail — DFIRTrack

Every serious event becomes an incident:

Evidence
Timeline
Decisions
Actions taken

DFIRTrack provides:

Incident records
Asset tracking
Investigation notes
Audit readiness

DFIRTrack answers:
“What happened, exactly?”

This is essential for compliance, post-incident review, and trust.

How real use cases are implemented

Example 1: DNS communication to malicious domains

Problem
Malware almost always uses DNS to “phone home”.

System behavior

DNS logs are collected
Domain is compared against live threat-intelligence feeds
If malicious:
- Incident is created
- Endpoint is identified
- Firewall/DNS block is applied
- On-call engineer is notified (if severity is high)

This detects attacks before data is stolen.

Example 2: IDS / IPS traffic to known attacker IPs

Problem
Some attacks bypass endpoint security.

System behavior

IDS/IPS logs are analyzed
Destination IP matches known attacker infrastructure
Correlated with asset criticality
Automated containment or escalation

This avoids “signature spam” and focuses on real risk.

Example 3: VPN login success from outside Thailand

Problem
A successful login can still be an attack.

System behavior

VPN authentication logs analyzed
GeoIP enrichment applied
If login is successful from unexpected country:
- Risk score increases
- Incident created
- Optional forced verification or temporary block

This detects credential theft, not just brute force.