500+ Endpoints  |  100+ Servers  |  5 SIEM/NSM Tools  |  40+ Detection Rules

Executive Summary

PostEx required enterprise-grade security visibility across a fintech environment processing high-value financial transactions. I designed and built a layered security monitoring platform that integrates five best-of-breed tools — each providing distinct, complementary visibility layers — all running on a Proxmox VE virtualization infrastructure with Docker containerization for operational flexibility.

The result: full-spectrum visibility from raw network packets (Security Onion + Suricata + Zeek) through host-level telemetry (Wazuh + Elastic Defend) to centralized log correlation and threat hunting (Splunk Enterprise + Elastic SIEM), with all components interconnected for enriched detection and automated response.

Platform Architecture

┌────────────────────────────────────────────────────────────────────┐
│                 DATA SOURCES (What Generates Logs)                 │
├────────────────────────────────────────────────────────────────────┤
│  Windows Endpoints (500+)   Linux Servers (100+)   MikroTik/Cisco  │
│  VMware ESXi   Proxmox VMs   Web Apps   VPN Gateways   AD/DC       │
└─────┬───────────────┬───────────────┬───────────────┬──────────────┘
      │               │               │               │
      ▼               ▼               ▼               ▼
┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────┐
│SPLUNK ENT. │  │  WAZUH     │  │ELASTIC FLT │  │SEC. ONION  │
│ Log Index  │  │  SIEM      │  │  + Defend  │  │ Suricata   │
│ SPL Rules  │  │  + XDR     │  │  EDR       │  │ Zeek/NSM   │
│ Dashboards │  │  FIM/AR    │  │  KQL/EQL   │  │ JA3/JA3S   │
└─────┴──────┘  └─────┴──────┘  └─────┴──────┘  └─────┴──────┘
      │               │               │               │
      └───────────────┴───────┬───────┴───────────────┘
                              ▼
             ┌────────────────────────────────┐
             │      SOC AUTOMATION (n8n)      │
             │  IP Enrichment (VT/AbuseIPDB)  │
             │  JIRA Ticket Creation          │
             │  Telegram Alert (MTTN <2min)   │
             └────────────────────────────────┘

Platform Components

📈 Layer 1: Primary SIEM — Splunk Enterprise

Centralized log aggregation and correlation engine. Primary threat hunting and investigation platform.

  • Splunk Enterprise 9.x
  • Universal Forwarder (500+ agents)
  • Heavy Forwarder (network/syslog)
  • Deployment Server
  • Core Router Syslog
  • Windows Event Logs (4624/4625/4688/4698)
  • Linux /var/log Syslog + Auditd
  • Infrastructure Monitoring
  • Custom SPL Detection Rules (40+)
  • Security Dashboards
  • Alerting & Notifications

🔌 Layer 2: HIDS/XDR — Wazuh

Host-level detection, file integrity monitoring, vulnerability scanning, and active response.

  • Wazuh Manager 4.x
  • Agent Management (500+ agents)
  • Vulnerability Detection
  • File Integrity Monitoring (FIM)
  • Compliance Monitoring (PCI-DSS/GDPR)
  • Active Response Automation
  • Custom Detection Rules (XML)

🟢 Layer 3: EDR/Endpoint — Elastic Fleet + Elastic Defend

Endpoint security monitoring and EDR across 100+ cross-platform servers.

  • Elastic Fleet 8.x
  • Elastic Defend Agent (100+ servers)
  • Endpoint Security (Malware Prevention)
  • Windows + Linux + macOS Coverage
  • Kibana SIEM Detection Rules
  • EQL/KQL Detection Logic
  • Centralized Policy Management

📌 Layer 4: NSM — Security Onion

Network-layer visibility. Catches what endpoint tools miss: lateral movement, DNS tunneling, encrypted C2.

  • Security Onion 2.4
  • Suricata IDS (Custom Rules)
  • Zeek Protocol Analysis
  • JA3/JA3S TLS Fingerprinting
  • SPAN Port (Core Switch)
  • Elastic Backend

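The JA3 fingerprinting listed above works by reading a handful of fields out of the TLS ClientHello (legacy version, cipher suites, extension types, supported groups, EC point formats), joining their decimal values into one string, and hashing it with MD5; because those fields are set by the client library rather than the destination, the hash identifies the client software even when the payload is encrypted, which is what makes it useful against encrypted C2. The following is an added example written for this page, not Security Onion's or Zeek's own code: it builds a constructed ClientHello (the hostname, random bytes and cipher list are made up) and then parses it back into a JA3 string and hash, dropping GREASE values the way JA3 implementations do so that a client that randomises GREASE still yields one stable fingerprint.

```python
import hashlib
import struct

# GREASE values (RFC 8701) that clients inject at random; JA3 drops them so the
# fingerprint stays stable across connections from the same client.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(version=0x0303, ciphers=(0x1301, 0x1302, 0xc02b, 0x0a0a),
                       groups=(0x001d, 0x0017, 0x2a2a), point_formats=(0,),
                       extra_ext_ids=(0x2a2a,), sni=b"example.internal"):
    """Build a TLS record carrying a minimal ClientHello. Constructed test input
    (not a capture from the platform); defaults include GREASE cipher, group and extension."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + _u16s(ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    # server_name (type 0): list length, name type 0 (host_name), name length, name
    sni_data = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    exts = struct.pack("!HH", 0, len(sni_data)) + sni_data
    grp = struct.pack("!H", 2 * len(groups)) + _u16s(groups)      # supported_groups (type 10)
    exts += struct.pack("!HH", 10, len(grp)) + grp
    pf = bytes([len(point_formats)]) + bytes(point_formats)       # ec_point_formats (type 11)
    exts += struct.pack("!HH", 11, len(pf)) + pf
    for ext_id in extra_ext_ids:                                  # empty extensions, e.g. GREASE
        exts += struct.pack("!HH", ext_id, 0)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_record(rec):
    """Parse a TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:]                                   # skip 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                  # version, then 32-byte random
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    exts, groups, formats = [], [], []
    if pos < len(body):                            # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            exts.append(etype)
            if etype == 10:                        # supported_groups: u16 list length + u16 ids
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11:                      # ec_point_formats: u8 length + u8 ids
                formats = list(data[1:1 + data[0]])
    no_grease = lambda vals: [v for v in vals if v not in GREASE]
    ja3 = ",".join([
        str(version),
        "-".join(map(str, no_grease(ciphers))),
        "-".join(map(str, no_grease(exts))),
        "-".join(map(str, no_grease(groups))),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


if __name__ == "__main__":
    text, digest = ja3_from_record(build_client_hello())
    print(text)     # 771,4865-4866-49195,0-10-11,29-23,0
    print(digest)   # the value that would be compared against a JA3 baseline or intel list
```

In a real deployment Zeek emits the hash per connection and the detection is a comparison against a baseline of fingerprints seen from the fleet's own browsers and agents plus a list of known tooling; the interesting property shown by the second fingerprint in the test, where GREASE is removed, is that the hash is meant to describe the client's TLS stack, so a new hash appearing on a host whose software has not changed is the signal worth investigating.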
🛠 Infrastructure — Proxmox VE + Docker

Virtualization platform and containerization layer hosting all security tools.

  • Proxmox VE 7.x Cluster
  • Dedicated Security VMs (VLAN 30)
  • Resource Isolation per SIEM
  • Docker Compose Orchestration
  • Containerized Wazuh Stack
  • Containerized ELK Stack
  • TheHive + MISP (Threat Intel)

Detection Coverage Matrix

Tactic              Technique                     Splunk   Wazuh   Elastic   Sec Onion
Initial Access      T1190 Exploit Public App
Execution           T1059.001 PowerShell
Persistence         T1053.005 Sched. Task
Defense Evasion     T1218 LOLBin Execution
Credential Access   T1110.001 Brute Force
Lateral Movement    T1021.001 RDP
C&C                 T1071.004 DNS Tunneling
Exfiltration        T1041 Exfil over C2
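The T1110.001 row above is the kind of rule the Splunk layer builds from the 4624/4625 Windows events it collects: count failed logons per source within a short window, tell a single-account brute force apart from a password spray across many accounts, and escalate when a success follows the burst. The following is an added example written for this page, not one of the platform's 40+ SPL rules: it runs that logic in Python over a constructed set of events (the IPs, usernames and timestamps are made up) so the two patterns and the two no-alert edge cases can be checked offline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rough SPL equivalent of the rule below (illustrative, not a rule from the platform):
#   index=wineventlog EventCode=4625 | bin _time span=5m
#   | stats count dc(user) AS users by _time src_ip | where count>=5

FAIL_THRESHOLD = 5              # failures within WINDOW that trigger an alert
WINDOW = timedelta(minutes=5)


def _ev(ts, code, ip, user):
    return {"ts": ts, "EventCode": code, "src_ip": ip, "user": user}


# Constructed sample events, reduced to the fields the rule needs.
SAMPLE_EVENTS = (
    # 10.30.0.15: six failures against one account, then a success -> brute force, critical
    [_ev(f"2024-03-01T08:00:{s:02d}", 4625, "10.30.0.15", "jsmith") for s in (1, 7, 13, 19, 25, 31)]
    + [_ev("2024-03-01T08:00:40", 4624, "10.30.0.15", "jsmith")]
    # 10.30.0.99: one failure each against five accounts -> password spray, high
    + [_ev(f"2024-03-01T08:02:{s:02d}", 4625, "10.30.0.99", u)
       for s, u in zip((5, 15, 25, 35, 45), ("alice", "bob", "carol", "dave", "erin"))]
    # 10.30.0.42: two typos then a success -> normal user behaviour, no alert
    + [_ev("2024-03-01T08:03:00", 4625, "10.30.0.42", "mlee"),
       _ev("2024-03-01T08:03:10", 4625, "10.30.0.42", "mlee"),
       _ev("2024-03-01T08:03:20", 4624, "10.30.0.42", "mlee")]
    # 10.30.0.7: six failures, but split across two windows -> no alert
    + [_ev(f"2024-03-01T07:00:{s:02d}", 4625, "10.30.0.7", "svc_backup") for s in (0, 10, 20)]
    + [_ev(f"2024-03-01T08:10:{s:02d}", 4625, "10.30.0.7", "svc_backup") for s in (0, 10, 20)]
)


def detect_auth_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose 4625 count within `window` reaches `threshold`.
    Pattern is 'password_spray' when the failures span `threshold` distinct accounts,
    otherwise 'brute_force'; a 4624 from the same source while failures are still in the
    window escalates severity to 'critical' and records the account that got in."""
    events = sorted(events, key=lambda e: e["ts"])      # ISO timestamps sort lexically
    recent = defaultdict(deque)                         # src_ip -> (ts, user) failures in window
    alerts = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        ip = e["src_ip"]
        q = recent[ip]
        while q and ts - q[0][0] > window:              # expire failures older than the window
            q.popleft()
        if e["EventCode"] == 4625:
            q.append((ts, e["user"]))
            if len(q) >= threshold:
                users = {u for _, u in q}
                a = alerts.setdefault(ip, {"src_ip": ip, "severity": "high",
                                           "first_seen": q[0][0].isoformat(),
                                           "success_user": None})
                a["failures"] = len(q)
                a["distinct_users"] = len(users)
                a["pattern"] = "password_spray" if len(users) >= threshold else "brute_force"
        elif e["EventCode"] == 4624 and ip in alerts and q:
            alerts[ip]["severity"] = "critical"         # success right after a burst of failures
            alerts[ip]["success_user"] = e["user"]
    return sorted(alerts.values(), key=lambda a: a["src_ip"])


if __name__ == "__main__":
    for alert in detect_auth_bursts(SAMPLE_EVENTS):
        print(alert)
```

The escalation on a trailing 4624 is the part worth copying into the production rule: a burst of failures alone is a "high" ticket, but a burst followed by a success from the same source is the case that justifies the sub-two-minute Telegram path described in the outcomes.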

Key Outcomes

  • 500+ endpoints under continuous 24/7 monitoring with automated detection and alerting
  • 100+ cross-platform servers covered by Elastic Fleet + Elastic Defend for EDR visibility
  • Full network-layer visibility via Security Onion SPAN port monitoring — detects encrypted C2 via JA3
  • 40% false positive reduction through systematic audit-mode tuning across all platforms
  • <2 minute MTTN for critical alerts via n8n automation pipeline to Telegram + JIRA
  • First ransomware precursor activity detected and blocked within 3 weeks of initial deployment
  • Financial regulatory compliance — full log retention and audit trail for PCI-DSS requirements

Lessons Learned

  • Tool sprawl is a real risk: Having 5 tools only works if each has a clearly defined, non-overlapping role. Define the visibility layer each tool owns before deployment.
  • Start with Splunk for correlation, Wazuh for endpoint depth: These two together cover 80% of detection use cases. Add Elastic Fleet and Security Onion for the remaining 20%.
  • Proxmox VE with VLAN isolation is essential: Security tools need network isolation from what they monitor. A compromised endpoint should never be able to reach the Wazuh manager directly.
  • Detection-as-code from day one: Store all rules in Git. This enables rollback, peer review, and cross-platform rule translation using Sigma.