Engineering Artifact Index

Case Studies

The full engineering artifact index for SignalFoundry. Every case study, every documented incident, and every piece of infrastructure work that produced the pipeline is indexed here — because this is where the depth lives. A reviewer skeptical of the pipeline's scope can see the full range of documented work in one place. No curated short list, no sanitized post-mortems. Every artifact is built from the session logs, proof files, and actual work on disk.

Detection Rules: 211 · Data Loss Events: 0
Case Disposition Funnel: 324,074 alerts → 8,574 escalations
Alert Intake: 100%
Auto-Closed (Benign): ~61.6%
Known False Positives: ~26.5%
Review Queue: ~9.2%
Escalated: ~2.6% (8,574 of 324,074)
~88% auto-closed · 0 reconciliation mismatches · 0 data loss events
Incident / IR — 2026-04-07
Production Race Condition Recovery
TOCTOU race condition in queue-cap enforcement at 505,836-file scale: files counted for the cap could vanish before the sort completed. Diagnosed from production tracebacks and fixed with 4 guard sites across 2 files; confirmed under live load with 1,056 files vanishing during sort and zero unhandled exceptions. Pipeline recovered from sub-ten-second crashes to 80+ minutes sustained.
TOCTOU race · VERDICT=PASS · 20 lines changed · Zero data loss
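The guard pattern behind that fix, as an added example that is not SignalFoundry's own code: the queue directory is listed, entries are sorted oldest-first by mtime, and only the first `cap` entries are processed, while another process may delete any file after the listing. That pipeline shape, the three guard sites, and the `_after_listing` test hook are assumptions for illustration; the 10-file queue is constructed.

```python
"""Added example, not SignalFoundry's own code: guarding a queue-cap scan
against files that vanish between listing, stat() and open().

Assumed pipeline shape (an assumption, not taken from the page): a queue
directory is listed, entries are sorted oldest-first by mtime, the first
`cap` entries are processed, and another process may delete any file at
any point after the listing.
"""
import os
import tempfile
from typing import Callable, Dict, List, Optional, Tuple


def _safe_mtime(entry: os.DirEntry) -> Optional[float]:
    """Guard 2: stat() races with deletion; report a vanished entry as None."""
    try:
        return os.stat(entry.path).st_mtime
    except FileNotFoundError:
        return None


def select_queue_batch(queue_dir: str, cap: int,
                       _after_listing: Optional[Callable[[List[os.DirEntry]], None]] = None
                       ) -> Tuple[List[str], int]:
    """Return (paths to process, number of entries that vanished during the sort).

    Guard 1: the queue directory itself may be gone -> empty batch.
    Guard 2: an entry may vanish while its sort key is computed -> skipped.
    `_after_listing` is a hypothetical test hook used below to simulate the race window.
    """
    try:
        # DirEntry.is_file() swallows FileNotFoundError and returns False.
        entries = [e for e in os.scandir(queue_dir) if e.is_file(follow_symlinks=False)]
    except FileNotFoundError:
        return [], 0
    if _after_listing is not None:
        _after_listing(entries)            # deletions happen here in the demo
    keyed, vanished = [], 0
    for entry in entries:
        mtime = _safe_mtime(entry)
        if mtime is None:
            vanished += 1
            continue
        keyed.append((mtime, entry.path))  # path as tie-break for a stable order
    keyed.sort()
    return [path for _, path in keyed[:cap]], vanished


def consume(paths: List[str]) -> Tuple[int, int]:
    """Guard 3: a selected file may vanish before open(); skip it, don't crash."""
    processed = vanished = 0
    for path in paths:
        try:
            with open(path, "rb") as fh:
                fh.read()
        except FileNotFoundError:
            vanished += 1
            continue
        processed += 1
    return processed, vanished


def demo() -> Dict[str, int]:
    """Build a constructed 10-file queue and delete files in both race windows."""
    with tempfile.TemporaryDirectory() as queue_dir:
        base = 1_700_000_000
        for i in range(10):
            path = os.path.join(queue_dir, f"alert_{i:03d}.json")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("{}")
            os.utime(path, (base + i, base + i))      # deterministic mtime order

        def race(_entries: List[os.DirEntry]) -> None:
            # Two files disappear after listing but before their stat() in the sort.
            os.remove(os.path.join(queue_dir, "alert_001.json"))
            os.remove(os.path.join(queue_dir, "alert_003.json"))

        selected, lost_in_sort = select_queue_batch(queue_dir, cap=5, _after_listing=race)
        os.remove(selected[0])                          # vanishes before open()
        processed, lost_in_open = consume(selected)
        return {"selected": len(selected), "processed": processed,
                "vanished": lost_in_sort + lost_in_open}


if __name__ == "__main__":
    print(demo())   # {'selected': 5, 'processed': 4, 'vanished': 3}
```

Each guard sits at a different point in the window: the directory listing, the per-entry stat() that feeds the sort key, and the open() at consumption. Catching `FileNotFoundError` narrowly, rather than a bare `except`, keeps genuine faults (permission errors, I/O errors) visible while letting deleted files fall through as a counted, logged condition instead of a crash.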
Incident Response — 2026-03-13
Pipeline Fault Recovery — Two Failure Domains, One Session
Poller retry logic failed on URLError, and reconciliation was scoped against the wrong directory set. Two independent defects surfaced simultaneously; both were diagnosed and fixed in one session, and the pipeline was restored to SUCCESS.
Dual-fault · MISMATCH_COUNT=0 · One session
Incident Response
IR Case: Level 12 FIM Alert — Triage to BENIGN
Full IR lifecycle on a Level 12 Wazuh File Integrity Monitoring alert on the primary endpoint. Triaged and closed as BENIGN in 35 minutes, with evidence trail, PowerShell validation, and rule-tuning recommendations.
Level 12 · BENIGN in 35 min
Incident Response
IR Playbook Library
10 structured analyst playbooks built around a consistent 7-section template: detection, triage, investigation, containment, eradication, recovery, documentation. MITRE ATT&CK coverage and handoff-quality escalation logic.
10 playbooks · 7-section template
Vulnerability Response
CVE-2025-55130 — Detect to Remediation
Critical Node.js CVE detected by Wazuh during live monitoring, triaged, patched via winget, and verified closed. Full detect-to-remediation cycle completed in a single operational session with a complete evidence trail.
CVE-2025-55130 · Patched + verified
Incident / RCA — 2026-03-23
Hotfix RCA: Triage Quality Chart Renderer
A function-order bug silently broke scheduled chart rendering: Assert-CanonicalPath was called before its declaration, and PowerShell only resolves a script-scope function once the script has executed its definition. Fix: reorder. Validation: EXIT=0, 30 data points, 104KB artifact. Parent pipeline confirmed successful.
PowerShell bug · EXIT=0 · POINTS_RENDERED=30
Infrastructure — 2026-03-23
AutoSOC Infrastructure Cutover
Production migration of the AutoSOC pipeline from two legacy roots to a single canonical path. Preflight gating returned legacy refs = 0. Five Task Scheduler tasks retargeted. Proof document signed.
Canonical migration · CUTOVER_READY=YES · 5 tasks retargeted
Detection Engineering
Sigma Detection Library
Platform-agnostic ATT&CK coverage: logsource schema, false-positive filters, technique tagging, and multi-platform portability across 103 Sigma rules spanning 10 MITRE tactics.
103 Sigma rules · MITRE ATT&CK · 10 tactics
Detection Engineering
Wazuh Rule Blocks — Authored and Validated
29 Wazuh rule blocks across 25 XML files authored for SOC triage patterns, bundled for deployment, and validated with reproducible commands from the repo root.
29 rule blocks · 25 XML files · Reproducible
Detection Engineering — 2026-04-08
Wazuh Windows Telemetry Remediation
Three-phase restoration of Windows process creation telemetry, with three causes diagnosed and fixed: an alert-level threshold that dropped the events, a broken indexer pipeline, and unconfigured Sysmon. Outcome: 2,120+ Security 4688 alerts and 143 Sysmon EID 1 events indexed with full telemetry.
Zero visibility · 2,120+ 4688 alerts · 3-phase fix
Detection Validation
Wazuh Detection Harness
A Python tool that queries the Wazuh Indexer REST API after Atomic Red Team tests and reports, per technique, whether detection rules actually fired. Pass/fail reporting with evidence artifacts.
Atomic Red Team · Automated validation
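The core of such a harness, as an added example that is not the project's own tool: build the Indexer search body for a test window and turn the returned hits into a per-technique PASS/FAIL verdict. The index pattern `wazuh-alerts-*`, the alert fields `rule.id`, `rule.level`, `rule.mitre.id`, `agent.name` and `timestamp`, and the custom-range rule IDs are assumptions; the hits are constructed, not exported from a manager. The example goes slightly beyond the page in that a sub-technique hit is credited to its parent technique.

```python
"""Added example, not the project's harness: decide per ATT&CK technique
whether a Wazuh detection fired after an Atomic Red Team run.

Assumptions (not from the page): alerts live in the Wazuh Indexer
(OpenSearch) under `wazuh-alerts-*`; each alert document carries
`rule.id`, `rule.level`, `rule.mitre.id` (a list of technique IDs),
`agent.name` and `timestamp`. The hits below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional


def build_query(techniques: List[str], since: datetime, until: datetime,
                agent_name: Optional[str] = None, size: int = 500) -> Dict[str, Any]:
    """Body for POST /wazuh-alerts-*/_search: alerts tagged with any of the
    techniques inside the test window, optionally for a single agent."""
    filters: List[Dict[str, Any]] = [
        {"terms": {"rule.mitre.id": techniques}},
        {"range": {"timestamp": {"gte": since.isoformat(), "lte": until.isoformat()}}},
    ]
    if agent_name:
        filters.append({"term": {"agent.name": agent_name}})
    return {
        "size": size,
        "query": {"bool": {"filter": filters}},
        "_source": ["timestamp", "agent.name", "rule.id", "rule.level", "rule.mitre.id"],
    }


def evaluate(expected: List[str], hits: List[Dict[str, Any]],
             min_level: int = 0) -> Dict[str, Dict[str, Any]]:
    """PASS/FAIL per expected technique.

    A technique passes when at least one hit at rule.level >= min_level is
    tagged with it. A sub-technique hit (T1059.001) satisfies its parent
    (T1059); a parent-only hit does not satisfy a specific sub-technique.
    """
    fired: Dict[str, set] = {}
    for hit in hits:
        rule = hit["_source"]["rule"]
        if rule.get("level", 0) < min_level:
            continue
        for tid in rule.get("mitre", {}).get("id", []):
            fired.setdefault(tid, set()).add(rule["id"])
    report: Dict[str, Dict[str, Any]] = {}
    for tech in expected:
        rule_ids = sorted({rid for tid, rids in fired.items()
                           if tid == tech or tid.startswith(tech + ".")
                           for rid in rids})
        report[tech] = {"status": "PASS" if rule_ids else "FAIL", "rules": rule_ids}
    return report


# Constructed hits in the shape the Indexer returns under hits.hits[] (rule IDs
# are in the 100000+ local-rule range; they are placeholders, not real rules).
SAMPLE_HITS: List[Dict[str, Any]] = [
    {"_source": {"timestamp": "2026-04-01T10:00:03Z", "agent": {"name": "ws01"},
                 "rule": {"id": "100201", "level": 8, "mitre": {"id": ["T1059.001"]}}}},
    {"_source": {"timestamp": "2026-04-01T10:00:09Z", "agent": {"name": "ws01"},
                 "rule": {"id": "100202", "level": 8, "mitre": {"id": ["T1059.001", "T1027"]}}}},
    {"_source": {"timestamp": "2026-04-01T10:01:30Z", "agent": {"name": "ws01"},
                 "rule": {"id": "100330", "level": 3, "mitre": {"id": ["T1053.005"]}}}},
]


def demo() -> Dict[str, Dict[str, Any]]:
    """T1059 passes via its sub-technique; T1053.005 fails because its only
    hit is below the alerting threshold; T1003 fails because nothing fired."""
    return evaluate(["T1059", "T1053.005", "T1003"], SAMPLE_HITS, min_level=5)


if __name__ == "__main__":
    window_end = datetime(2026, 4, 1, 10, 5, tzinfo=timezone.utc)
    print(build_query(["T1059.001"], window_end - timedelta(minutes=10), window_end, "ws01"))
    for tech, result in demo().items():
        print(f"{tech}: {result['status']} {result['rules']}")
```

The `min_level` filter is the part worth keeping: a rule that fires at level 3 on a host where alerting starts at level 5 is not a detection anyone will see, so the harness should fail it rather than count the hit. The constructed T1053.005 case shows exactly that outcome.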
Detection Engineering — 2026-03-24
Splunk Detection Rule Audit — Four Noise Sources
Audited every Splunk detection rule against 283,976 events. Found four ways the rules would flood a real analyst with noise: empty CommandLine fields, no failed-logon baseline, missing sourcetype coverage, and rex extraction fragility.
4 noise sources · 283,976 events · Self-audit
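The four checks as executable code, added here as an example and not the SignalFoundry audit itself: each function takes events in the shape Splunk presents for Windows Security logs (`sourcetype`, `EventCode`, `host`, `CommandLine`, `_raw`) and returns a measurable finding. The field names, the rule definitions reduced to their sourcetypes, the two regexes and the sample events are all constructed for illustration.

```python
"""Added example, not the SignalFoundry audit itself: four checks that
surface the noise sources named above, run over constructed events.

Assumptions (not from the page): events are dicts with the fields Splunk
presents for Windows Security logs; each rule is reduced to the list of
sourcetypes it searches.
"""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

SEC = "WinEventLog:Security"
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample: three 4688 process creations, twelve 4625 failed logons.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"sourcetype": SEC, "EventCode": "4688", "host": "ws01",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "_raw": r"New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1938"},
    {"sourcetype": SEC, "EventCode": "4688", "host": "ws01", "CommandLine": "",
     "_raw": r"New Process Name: C:\Program Files\Git\bin\git.exe Token Elevation Type: %%1938"},
    {"sourcetype": SEC, "EventCode": "4688", "host": "srv01", "CommandLine": None,
     "_raw": r"New Process Name: C:\Windows\System32\svchost.exe Token Elevation Type: %%1936"},
]
SAMPLE_EVENTS += [{"sourcetype": SEC, "EventCode": "4625", "host": h,
                   "_raw": "An account failed to log on."}
                  for h in ["ws01"] * 2 + ["srv01"] * 1 + ["dc01"] * 9]

RULES: Dict[str, List[str]] = {   # rule name -> sourcetypes it searches
    "suspicious_powershell_4688": [SEC],
    "sysmon_lsass_access": [SYSMON],
}


def empty_commandline_share(events) -> Tuple[int, int]:
    """(empty, total) over 4688 events. A rule keyed on CommandLine is blind
    to the empty ones; a `CommandLine!=...` exclusion fires on all of them."""
    procs = [e for e in events if e["EventCode"] == "4688"]
    empty = sum(1 for e in procs if not (e.get("CommandLine") or "").strip())
    return empty, len(procs)


def failed_logon_baseline(events, multiplier: float = 3.0
                          ) -> Tuple[Dict[str, int], float, List[str]]:
    """Per-host 4625 counts, a threshold derived from the median rather than
    a fixed number, and the hosts above it. Without a baseline, a domain
    controller that sees routine failures alerts on every search."""
    counts = Counter(e["host"] for e in events if e["EventCode"] == "4625")
    if not counts:
        return {}, 0.0, []
    threshold = statistics.median(counts.values()) * multiplier
    return dict(counts), threshold, sorted(h for h, c in counts.items() if c > threshold)


def sourcetype_gaps(rules: Dict[str, List[str]], events) -> Dict[str, List[str]]:
    """Rules whose sourcetypes never appear in the data can never fire."""
    present = {e["sourcetype"] for e in events}
    return {name: sorted(set(sts) - present) for name, sts in rules.items()
            if set(sts) - present}


def rex_misses(pattern: str, events) -> List[str]:
    """_raw lines of 4688 events that the extraction regex fails to match."""
    rx = re.compile(pattern)
    return [e["_raw"] for e in events
            if e["EventCode"] == "4688" and not rx.search(e["_raw"])]


FRAGILE_REX = r"New Process Name:\s+(?P<proc>\S+)\s+Token"            # breaks on paths with spaces
ROBUST_REX = r"New Process Name:\s+(?P<proc>.+?)\s+Token Elevation Type:"


def audit(events=SAMPLE_EVENTS, rules=RULES) -> Dict[str, object]:
    """Run all four checks and return the findings as one dict."""
    empty, total = empty_commandline_share(events)
    _counts, threshold, noisy_hosts = failed_logon_baseline(events)
    return {
        "empty_commandline": (empty, total),
        "failed_logon_threshold": threshold,
        "failed_logon_hosts_over": noisy_hosts,
        "sourcetype_gaps": sourcetype_gaps(rules, events),
        "fragile_rex_misses": len(rex_misses(FRAGILE_REX, events)),
        "robust_rex_misses": len(rex_misses(ROBUST_REX, events)),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

The regex check is the one most often skipped: `\S+` looks right on `C:\Windows\System32\cmd.exe` and silently fails on `C:\Program Files\...`, so the rule misses exactly the installed-software processes it is meant to cover. Anchoring the capture on the next field name instead of on whitespace removes that class of miss.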
Detection Engineering
Migrating Legacy Detection Rules from Python 2 to Python 3
Legacy SOC environments still carry Python 2-era scripts in detection content. Migration write-up covering string handling, urllib-to-requests, and test parity for detection logic that must not change behavior across the port.
Py2 → Py3 · Detection scripts
Enterprise Security
Enterprise Security Hardening — Flagship
14 attack categories were invisible; we fixed the audit pipeline. 22 audit subcategories hardened to 96% coverage, 11 MITRE ATT&CK techniques unblocked, CommandLine logging enabled. The canonical hardening write-up.
96% coverage · 22 subcategories · 11 ATT&CK techniques
Security Hardening — 2026-03-29
Audit Policy Baseline Assessment
Windows Advanced Audit Policy baseline assessed against the Microsoft Security Baseline. 27 subcategories audited: 14 matched, 9 superset, 12 hardened beyond baseline, zero regressions. Security log expanded from 20 MB to 1 GB. Earlier sibling to the Enterprise Security flagship above.
0 regressions · 11 ATT&CK techniques · Microsoft baseline
Lab Infrastructure
Cowrie Honeypot + Wazuh + Grafana
Minimal, auditable Docker Compose deployment: a Cowrie SSH/Telnet honeypot feeds attacker session data to the Wazuh Indexer, visualized on a Grafana dashboard provisioned from code.
Cowrie SSH · Grafana · Docker
Lab Proof
Honeypot (Wazuh) Sanitized Alert Proof
Source data exported from a private Wazuh manager, sanitized, and published to GitHub on a scheduled pipeline. Reproducible attacker-session evidence without exposing lab internals.
Sanitized export · Scheduled publish
SOC Operations
PP_SOC Integration — Live Detection Workflow
Transition from a verified static rule library to a running production-simulation SOC workflow: active agent coverage, 15,052 alerts in 24 hours, CVE remediation verified end to end.
15,052 alerts/24h · Live workflow
Context

About these artifacts

These aren't sanitized post-mortems written weeks after the fact. Every artifact indexed above is documented from session logs and proof files that exist on-system from the actual work — preflight output, pipeline logs, scheduler metadata, Splunk queries — all real and reviewable.

The SignalFoundry project processes a live queue of Wazuh security alerts across a home lab environment. The artifacts on this page capture the operational and engineering decisions made while keeping that system running and improving its detection capability.