Simplico simpliSOC
Open-Source SOC Platform

Security operations,
simplified and unified

simpliSOC is a production-ready, open-source SOC stack built on Wazuh, IRIS, and Shuffle. Real-time threat detection, automated incident management, and a custom integrator that ties it all together — deployed in one stack.

50+
Detection rules
9
Threat categories
3
IOC threat feeds
100%
Open-source stack
Live pipeline

  • Log sources (live): FortiGate · ESXi · Sysmon · Windows AD
  • Wazuh SIEM (detect): Decode · Correlate · Alert
  • SOC Integrator (route): Sync · Dedup · Enrich
  • IRIS + Shuffle (resolve): Case · Response · Automate
Open-source stack

Built on proven open-source tools

simpliSOC orchestrates three battle-tested open-source platforms (Wazuh, IRIS, Shuffle) into a single cohesive security pipeline, with a custom integrator as the connective tissue.

Wazuh

SIEM · XDR

The detection engine. Ingests logs from FortiGate firewalls, VMware ESXi hosts, Windows endpoints, and Windows AD domain controllers. Applies 50+ custom rules across nine rule categories (A1 to C3) with correlation chaining.

  • Real-time log correlation & alerting
  • IOC / CDB list matching (IP, domain, hash)
  • Custom decoders for FortiGate & VMware ESXi
  • OpenSearch indexing with dashboard

SOC Integrator

Custom · FastAPI

The brain of the pipeline. A FastAPI service with 5 background workers that continuously syncs Wazuh alerts to IRIS, enforces dedup policies, refreshes IOC feeds, and monitors log health.

  • Alert deduplication with per-rule cooldowns
  • Severity mapping & rule-based filtering
  • IOC feed refresh (Feodo, URLhaus, ThreatFox)
  • Log-loss & system health monitoring

IRIS

IRP · Case Mgmt

Incident response platform where analysts triage, investigate, and close security cases. Alerts from Wazuh land here automatically, enriched with context and severity classification.

  • Structured case & alert management
  • IOC/asset tracking within cases
  • Custom alert detail page showing timestamps in ICT (Indochina Time, UTC+7)
  • REST API for automated case lifecycle
Shuffle (optional)

SOAR

Security orchestration, automation, and response. Trigger playbooks from IRIS cases or Wazuh alerts — enrich with VirusTotal, notify via LINE/email, or auto-block IPs.

  • Visual no-code workflow builder
  • VirusTotal & threat intel enrichment
  • Webhook triggers from Wazuh & IRIS
  • Notification via LINE, Slack, PagerDuty
Architecture

From raw log to resolved case

A fully automated pipeline from log ingestion through detection, enrichment, and incident management — with a human analyst in the loop where it counts.

01

Ingest

Syslog over UDP from FortiGate firewalls, VMware ESXi hosts, Windows agents with Sysmon, and Windows AD domain controllers. UDP syslog is fire-and-forget: a dead sender or a dropped network path shows up only as missing events, which is what the integrator's log-loss monitoring is there to catch.

FortiGate ESXi Sysmon Win AD
02

Detect

Wazuh decodes, correlates, and matches events against 50+ custom rules and live IOC CDB lists updated every cycle from threat feeds.

Wazuh rules IOC CDB Correlation
03

Route

SOC Integrator polls Wazuh indexer, deduplicates, applies exceptions, maps severity, and creates enriched alerts in IRIS — idempotently.

Dedup Enrichment Exceptions
04

Respond

Analysts triage cases in IRIS. Shuffle playbooks automate enrichment, notifications, and optional containment actions via API.

IRIS cases Playbooks Notifications
System architecture

Component flow in detail

How services, threat feeds, and notification channels connect — what talks to what, and over which protocol.

```mermaid
flowchart LR
  classDef src fill:#0b1220,stroke:#334155,color:#e2e8f0
  classDef feed fill:#0b1220,stroke:#334155,color:#e2e8f0
  classDef siem fill:#082f49,stroke:#38bdf8,color:#e0f2fe
  classDef integ fill:#3a1f0a,stroke:#f97316,color:#fed7aa
  classDef resp fill:#083344,stroke:#22d3ee,color:#cffafe
  classDef notif fill:#052e16,stroke:#22c55e,color:#dcfce7

  subgraph S["Log sources"]
    direction TB
    FG[FortiGate]:::src
    ESXi[VMware ESXi]:::src
    WIN[Windows + Sysmon]:::src
    AD[Windows AD]:::src
  end

  subgraph F["Threat feeds"]
    direction TB
    F1[Feodo Tracker]:::feed
    F2[URLhaus]:::feed
    F3[ThreatFox]:::feed
  end

  WZ["Wazuh Manager<br/>decoders · 50+ rules"]:::siem
  OS[("OpenSearch indexer")]:::siem

  subgraph I["SOC Integrator (FastAPI)"]
    direction TB
    SYNC["Wazuh→IRIS sync<br/>dedup · severity"]:::integ
    IOC["IOC refresh<br/>writes CDB lists"]:::integ
    HM["Log-loss + health"]:::integ
  end

  IR["IRIS-web<br/>case management"]:::resp
  SH["Shuffle SOAR<br/>(optional)"]:::resp

  subgraph N["Notifications"]
    direction TB
    LINE[LINE]:::notif
    SLK[Slack]:::notif
    PD[PagerDuty]:::notif
    EM[Email]:::notif
  end

  S -->|syslog UDP| WZ
  F -->|HTTPS pull| IOC
  IOC -->|CDB reload| WZ
  WZ -->|alerts| OS
  OS -->|REST poll| SYNC
  SYNC -->|create alert| IR
  IR -->|webhook| SH
  SH --> LINE
  SH --> SLK
  SH --> PD
  SH --> EM
  IR -->|on case| PD
```
Detection rules

Coverage across your full estate

The 50+ rules are organized into three appendix groups (A, B, C) and nine categories, covering perimeter, infrastructure, endpoint, identity, and cross-source correlation scenarios.

A1

IOC / Threat Intel

CDB list matches on malicious IPs, domains, and file hashes sourced from Feodo Tracker, URLhaus, and ThreatFox — auto-refreshed.

A2

FortiGate Firewall & IPS

RDP brute-force, port scanning, DoS detection, IPS alerts, and policy violations on FortiGate firewall logs.

A3

FortiGate VPN

IPsec and SSL-VPN tunnel monitoring — failed negotiations, certificate errors, and abnormal session patterns.

A4

Windows AD & Auth

Failed logins on privileged accounts, password spraying, account lockouts, and suspicious Kerberos/NTLM activity.

B1

VMware ESXi

SSH enable detection, failed host logins, hypervisor warnings, and management plane anomalies from ESXi syslog.

B2

Log Monitor & Sysmon

Log-loss alerting when no events arrive within threshold, plus Sysmon endpoint telemetry: process creation, network connects, registry changes.

C1–C3

Correlation Rules

Multi-stage detection: cross-source correlation spanning firewall, VPN, endpoint, and identity, catching lateral movement, credential stuffing, and multi-vector attacks that individual rules miss.

Capabilities

What makes simpliSOC production-ready

Smart deduplication

Per-rule cooldowns suppress repeated alerts from the same host/user tuple. No alert storms — analysts see signal, not noise.

Live IOC feeds

Feodo Tracker, URLhaus, and ThreatFox feeds refresh automatically. Wazuh CDB lists are updated without restarts — new IOCs take effect immediately.
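The A1 rule category and the live-feed refresh above both come down to the same mechanic: pull a feed, normalise it into the `key:value` text that Wazuh compiles into a CDB list, and point a rule at that list. The following is an added example (not the simpliSOC integrator's own code) showing that conversion end to end. The feed samples are constructed to mimic the shape of Feodo Tracker's `ipblocklist.txt` and URLhaus's plain-text URL export (`#` comment lines, one indicator per line); the list paths, the rule id and the parent rule group are assumptions.

```python
# Added example (not the simpliSOC integrator's own code): convert threat-feed text
# into Wazuh CDB list files. Feed samples are constructed in the shape of Feodo
# Tracker's ipblocklist.txt and URLhaus's plain-text URL export ('#' comment lines,
# one indicator per line). List paths, rule id and parent group are assumptions.
import ipaddress
from urllib.parse import urlparse

FEODO_SAMPLE = """\
# Feodo Tracker botnet C2 IP blocklist (constructed sample)
# Last updated: 2024-05-01 10:00:00 UTC
192.0.2.10
198.51.100.23
not-an-ip
192.0.2.10
"""

URLHAUS_SAMPLE = """\
# URLhaus plain-text URL list (constructed sample)
http://malware.example/dl/payload.exe
https://bad.example:8443/login.php
http://192.0.2.44/x.sh
malformed line without scheme
"""


def _indicator_lines(text: str):
    """Yield non-empty, non-comment lines; feeds keep their metadata in '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_feed_ips(text: str) -> set[str]:
    """IPv4 indicators only; invalid entries are dropped and duplicates collapse."""
    ips = set()
    for line in _indicator_lines(text):
        try:
            ips.add(str(ipaddress.IPv4Address(line)))
        except ipaddress.AddressValueError:
            continue
    return ips


def parse_feed_domains(text: str) -> set[str]:
    """Hostnames from a URL feed. IP-literal hosts belong in the IP list, not here."""
    domains = set()
    for line in _indicator_lines(text):
        host = urlparse(line).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            domains.add(host.lower())
    return domains


def to_cdb(keys: set[str], value: str = "") -> str:
    """Wazuh CDB list source format: one 'key:value' per line, value may be empty.
    Keys must not contain ':' themselves, which is why IPv6 is excluded above."""
    return "".join(f"{key}:{value}\n" for key in sorted(keys))


# Assumed list paths (relative to the Wazuh install dir). Each list must be declared
# as <ruleset><list>etc/lists/feodo_ips</list></ruleset> in ossec.conf before a rule
# can reference it.
CDB_FILES = {
    "etc/lists/feodo_ips": parse_feed_ips(FEODO_SAMPLE),
    "etc/lists/urlhaus_domains": parse_feed_domains(URLHAUS_SAMPLE),
}

# Standard Wazuh <list> lookup against the generated IP list. 'address_match_key' is
# the lookup type for IP fields (keys may be single IPs or CIDR blocks). The rule id
# and the 'fortigate' parent group are assumptions.
RULE_XML = """\
<rule id="100200" level="10">
  <if_group>fortigate</if_group>
  <list field="srcip" lookup="address_match_key">etc/lists/feodo_ips</list>
  <description>Threat-intel hit: source IP listed by Feodo Tracker</description>
</rule>
"""


def build_cdb_lists() -> dict[str, str]:
    """Return {path: cdb_text}; the integrator would write these files and reload."""
    return {path: to_cdb(keys) for path, keys in CDB_FILES.items()}


if __name__ == "__main__":
    for path, body in build_cdb_lists().items():
        print(f"--- {path}\n{body}", end="")
    print(RULE_XML)
```

Two details matter operationally: the parser drops anything that does not validate as an address (a feed line that is malformed or changes format must not silently land as a garbage key), and the list is written sorted and deduplicated so that successive refreshes produce byte-identical files when nothing changed, which makes "did the IOC set actually change" a cheap comparison.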

Alert exceptions

Suppress IRIS ticket creation for known-legitimate activity via REST API — no rule changes, no restarts. Exceptions are stored in DB and applied on the next sync.

Severity triage

Wazuh rule levels map to IRIS severity buckets: critical ≥12, high ≥8, medium ≥5. A configurable minimum rule level keeps low-level noise out of IRIS entirely.

Log-loss monitoring

Automatic alerting when no log events arrive within a configured window — catch silent failures, disconnected agents, or network outages before they become blind spots.
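The following is an added example (not the simpliSOC integrator's own code) of the log-loss check just described. It keeps the last event time per source, raises a single LOG_LOSS event when a source has been quiet for longer than the window (or was expected but never seen at all, the disconnected-agent case), and emits one RECOVERED event when logs resume, so an outage does not page on every cycle. Source names, timestamps and the 15-minute window are constructed assumptions; in the real pipeline the last-seen times would come from a max-timestamp-per-source query against the indexer.

```python
# Added example (not the simpliSOC integrator's own code): a log-loss monitor that
# tracks the last event time per source, alerts once when a source goes quiet for
# longer than the configured window (or was expected but never seen), and emits a
# recovery event when logs resume. Source names, timestamps and the 15-minute window
# are constructed assumptions.
from datetime import datetime, timedelta


class LogLossMonitor:
    def __init__(self, expected: list[str], window_seconds: int):
        self.expected = set(expected)                  # sources that must be sending
        self.window = timedelta(seconds=window_seconds)
        self.last_seen: dict[str, datetime] = {}
        self.silent: set[str] = set()                  # sources currently in LOG_LOSS state

    def observe(self, source: str, ts: datetime) -> None:
        """Record an event; out-of-order delivery never moves last_seen backwards."""
        prev = self.last_seen.get(source)
        if prev is None or ts > prev:
            self.last_seen[source] = ts

    def check(self, now: datetime) -> list[tuple[str, str, str]]:
        """Return state transitions as (source, 'LOG_LOSS' | 'RECOVERED', last_seen_iso)."""
        events = []
        for source in sorted(self.expected | set(self.last_seen)):
            last = self.last_seen.get(source)
            quiet = last is None or now - last > self.window
            if quiet and source not in self.silent:
                self.silent.add(source)
                events.append((source, "LOG_LOSS", last.isoformat() if last else "never"))
            elif not quiet and source in self.silent:
                self.silent.discard(source)
                events.append((source, "RECOVERED", last.isoformat()))
        return events


def run_sample() -> list[list[tuple[str, str, str]]]:
    """Four monitor cycles over a constructed timeline; returns each cycle's events."""
    def t(hour, minute):
        return datetime(2024, 5, 1, hour, minute)

    mon = LogLossMonitor(["fw-01", "esxi-01", "dc-01", "ws07"], window_seconds=900)
    mon.observe("fw-01", t(10, 0))
    mon.observe("esxi-01", t(10, 0))
    mon.observe("dc-01", t(10, 5))
    mon.observe("fw-01", t(10, 10))
    cycles = [
        mon.check(t(10, 12)),  # ws07 was expected but never sent anything
        mon.check(t(10, 20)),  # esxi-01 quiet 20 min; dc-01 at exactly 15 min is still inside the window
        mon.check(t(10, 30)),  # dc-01 and fw-01 now over the window; esxi-01 already reported
    ]
    mon.observe("esxi-01", t(10, 31))
    cycles.append(mon.check(t(10, 32)))  # esxi-01 resumes: a single RECOVERED event
    return cycles


if __name__ == "__main__":
    for i, events in enumerate(run_sample(), 1):
        print(f"cycle {i}: {events}")
```

The expected-sources list is the part most easily forgotten: a check that only iterates over sources it has already heard from can never notice an agent that was deployed but never connected.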

API-first design

Every integrator function is exposed through a REST API documented in Swagger UI. Manual syncs, exception management, IOC refresh, and health checks are all scriptable without a restart.

Open source

No vendor lock-in.
No per-alert pricing.

simpliSOC is assembled entirely from open-source components — Wazuh, IRIS-web, and Shuffle are all free, community-backed, and production-proven. The custom integrator is the only proprietary layer, and it's yours.

  • Deploy on-premise or private cloud — your data never leaves your infrastructure
  • Docker Compose deployment — full stack up in minutes with a single script
  • Extend detection rules in XML — no proprietary query language to learn
  • Integrate with existing tooling via REST — PagerDuty, Slack, LINE, email
Technology stack
Wazuh 4.x
SIEM / XDR
IRIS-web
Incident Response
Shuffle
SOAR
FastAPI
SOC Integrator
OpenSearch
Log indexing
Docker Compose
Deployment
Get in touch

Ready to secure your operations?

Talk to us about deploying simpliSOC in your environment — on-premise, private cloud, or hybrid. We'll assess your log sources and threat coverage needs.

LINE
ID: iiitum1984
Call / WhatsApp
(+66) 83001 0222