California State Polytechnic University, Pomona - Security Operations Center

Here lies the public directory and documentation of the Student run Security Operations Center at the California Polytechnic State University, Pomona.

Start Here!

• Volunteering Opportunities
  • 📚 Contribute to Our Documentation!
• Splunk
  • What you can do with Splunk:
  • How to setup a Splunk Server
  • How to setup the Splunk Universal Forwarder
  • How to setup a Splunk Deployment Server

SOC Lab Content

• Getting Started (Updated August 2025)
  • Introduction
  • VPN Access Setup
  • Accessing Kamino
• Splunk Lab
  • Overview
  • Lab Structure
  • Setup
  • Tips
  • Task 1 - Setting up Splunk Enterprise Server
  • Task 2 - Forwarding Logs from a Windows Machine to your Splunk Server
  • Task 3 - Forwarding Logs from a Ubuntu Client to your Splunk Server
  • Task 4 - Generating Custom Log Sources
  • Task 5 - Custom Indexes
  • What’s next?
• AD + Splunk Lab
  • Introduction
  • Lab Objectives
  • Requirements
  • Primary Domain Controller
  • Windows Client - 1
• Splunk CTF Lab
  • Overview
  • Lab Structure
  • Option 1 - Simulated Attack Environment with Virtual Machines
  • Easy Challenges
  • Medium Challenges
  • Hard Challenges
  • Option 2 - Importing a Pre-Existing Dataset (Cisco Secure Firewall Threat Defense Intrusion Events)
  • Basic Exploration — Easy
  • Counting & Classifying Intrusions — Medium
  • Network Source / Destination — Medium
  • Suspicious Activity Detection — Hard
  • Conclusion
  • Author & Credits

SOC Write-Up

• Implementation of Missile Map
  • Background
  • Initial Challenges with VPN Log Queries
  • Portal Types Overview
  • Security Concerns with the Legacy Portal
  • Improved Log Fingerprinting for True Successes
  • Missile Map Implementation (Geographic VPN Visualization)
  • Data Anomalies & Lessons Learned
  • Summary
• The First SOC-Syslog Incident
  • Context: What is SOC-Syslog?
  • Problem Description
  • Initial Remediation Attempts
  • Boot Loop Issue
  • Root Cause Analysis
  • Resolution
  • Lessons Learned
• The Fix of SOC-Syslog
  • Overview
  • Initial Problem: Disk Space Exhaustion
  • Phase 1: Emergency Response
  • Phase 2: Permanent Storage Solution
  • Phase 3: Reconfiguring Splunk Forwarder
  • Phase 4: Fixing Log Parsing on Splunk
  • Phase 5: Building a Better Solution
  • Phase 6: Transitioning to Proxmox
  • Phase 7: Expanding Monitoring to Other VMs
  • Final Result
• How the SOC receives alerts?
  • What Are We Monitoring with Alerts?
  • How Are Alerts Configured?