
Suricata + Sysmon + Elastic Pipeline Setup and SOC IR Report Inquiry
Tags: Suricata, Sysmon, Elastic, Kali Linux, Windows 10, pfSense, Elasticsearch, Kibana, Incident Response, SOC, Cybersecurity
The poster built a two-node lab: Kali Linux on a segmented attacker network, a Windows 10 victim machine on the LAN, and pfSense separating the two segments. Suricata monitors the network boundary, while Sysmon and Elastic Agent on the victim ship host logs into Elasticsearch/Kibana. They plan to run attack simulations (discovery commands, encoded PowerShell, registry persistence, scheduled tasks, and Nmap scans) and write one incident response (IR) report per scenario. The post asks how real-world SOC IR reports are structured: how much raw log data to include versus a reconstructed timeline, who the intended audience is (technical analysts vs. SOC leads), and what distinguishes an analytically strong report from a weak one.
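The question of raw logs versus timeline comes down to how the pipeline's events are normalised before they reach the report. The following is an added example, not the poster's code or any Elastic or Suricata tooling: it takes a handful of constructed JSON lines in the shape Elastic Agent's Sysmon integration (ECS field names such as `winlog.event_id`, `process.command_line`, `registry.path`) and Suricata's EVE output would produce, decodes the `-EncodedCommand` payload, tags the discovery, scheduled-task, Run-key persistence and network-scan activity the post plans to simulate, and renders the chronological timeline table an IR report would carry. The host name, timestamps, signature name and events are all constructed.

```python
"""Normalise raw Sysmon (ECS-style) and Suricata EVE JSON into an IR timeline."""
import base64
import json
import re
from datetime import datetime

# Constructed sample input (synthetic, not data from the poster's lab).
# Field names follow ECS as Elastic Agent and Suricata EVE would ship them;
# the host name WIN10-LAB, addresses and the signature text are assumptions.
# Lines are deliberately out of chronological order so the sort matters.
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16le")).decode()
SAMPLE_LINES = [
    json.dumps({"@timestamp": "2024-05-01T10:02:10Z", "host": {"name": "WIN10-LAB"},
                "winlog": {"event_id": 1},
                "process": {"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                            "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_WHOAMI}"}}),
    json.dumps({"@timestamp": "2024-05-01T10:00:05Z", "event_type": "alert",
                "src_ip": "10.10.20.5", "dest_ip": "10.10.10.15",
                "alert": {"signature": "CONSTRUCTED Nmap SYN scan", "severity": 2}}),
    json.dumps({"@timestamp": "2024-05-01T10:03:30Z", "host": {"name": "WIN10-LAB"},
                "winlog": {"event_id": 13},
                "registry": {"path": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}}),
    json.dumps({"@timestamp": "2024-05-01T10:01:00Z", "host": {"name": "WIN10-LAB"},
                "winlog": {"event_id": 1},
                "process": {"executable": "C:\\Windows\\System32\\schtasks.exe",
                            "command_line": "schtasks.exe /create /sc daily /tn Updater /tr C:\\Users\\Public\\u.exe"}}),
    json.dumps({"@timestamp": "2024-05-01T10:00:40Z", "host": {"name": "WIN10-LAB"},
                "winlog": {"event_id": 1},
                "process": {"executable": "C:\\Windows\\System32\\net.exe",
                            "command_line": "net user"}}),
]

DISCOVERY_BINARIES = {"whoami.exe", "net.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # malformed payload: report raw line instead
        return None


def classify(ev):
    """Map one parsed event to (category, summary); None if not report-worthy."""
    if ev.get("event_type") == "alert":  # Suricata EVE alert from the boundary sensor
        sig = ev["alert"]["signature"]
        return "network_alert", f"Suricata: {sig} {ev['src_ip']} -> {ev['dest_ip']}"
    eid = ev.get("winlog", {}).get("event_id")
    if eid == 1:  # Sysmon process creation
        cmd = ev["process"]["command_line"]
        exe = ev["process"]["executable"].rsplit("\\", 1)[-1].lower()
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            return "encoded_powershell", f"Encoded PowerShell decoded to: {decoded!r}"
        if exe == "schtasks.exe" and "/create" in cmd.lower():
            return "scheduled_task", f"Scheduled task created: {cmd}"
        if exe in DISCOVERY_BINARIES:
            return "discovery", f"Discovery command: {cmd}"
        return None
    if eid == 13:  # Sysmon registry value set
        path = ev["registry"]["path"]
        if "\\currentversion\\run" in path.lower():
            return "registry_persistence", f"Run-key persistence: {path}"
    return None


def build_timeline(lines):
    """Parse JSON lines, keep the notable events, and order them chronologically."""
    entries = []
    for line in lines:
        ev = json.loads(line)
        hit = classify(ev)
        if hit is None:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        host = ev.get("host", {}).get("name", "network")  # Suricata events carry no host
        entries.append({"time": ts, "host": host, "category": hit[0], "summary": hit[1]})
    return sorted(entries, key=lambda e: e["time"])


def render_report(timeline):
    """Render the timeline as the Markdown table an IR report would include."""
    rows = ["| Time (UTC) | Host | Category | Observation |", "|---|---|---|---|"]
    for e in timeline:
        rows.append(f"| {e['time']:%Y-%m-%d %H:%M:%S} | {e['host']} | {e['category']} | {e['summary']} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_report(build_timeline(SAMPLE_LINES)))
```

The design choice worth noting for the report question: the table keeps one line per event with the decoded or interpreted observation, while the raw JSON stays behind it as an appendix or Kibana saved search. Readers who need to verify a row can follow it back to the raw event; the SOC lead reads only the timeline.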