
Building a Fully Custom Home SOC: Security Onion + Custom SIEM + Docker Cloud on a Raspberry Pi

  • Writer: Zachary Jordan
  • Dec 4, 2025
  • 4 min read

In an era where cybersecurity operations are increasingly automated, abstracted, and outsourced, I wanted to return to the roots of what makes a truly effective defender: visibility, telemetry, control, and hands-on engineering. Commercial SIEM tools hide too much behind glossy dashboards. Cloud-based SOCs mask the mechanics of detection and response. And most cybersecurity analysts never get the chance to architect the system they work inside.

So I built my own Security Operations Center from scratch — at home.

Using a Raspberry Pi, Docker-containerized services, a custom SIEM interface, and a hardened deployment of Security Onion, I engineered a fully operational SOC designed for threat hunting, packet capture, behavioral analytics, and log correlation. The result is a compact, low-power, fully autonomous detection environment capable of replicating the workflow of a professional SOC in miniature form.

Why Build a Home SOC?

A real security engineer should understand the full stack:

  • Network ingestion

  • Packet analysis

  • Host-level telemetry

  • Threat hunting logic

  • Correlation rules

  • Log normalization

  • SIEM visualization

  • Automation pipelines

Most analysts only know the interface — not the engine. I wanted to know the engine.

By building everything myself, I gained total control over:

  • Data flow

  • Sensor placement

  • Alert logic

  • Storage strategy

  • Dashboard customization

  • Automation and orchestration

The experience is valuable not just for defensive skills, but for understanding how attackers think and how detection pipelines can be bypassed, overloaded, or evaded.

Hardware Foundation: Raspberry Pi as a Micro SOC

Most people underestimate the Raspberry Pi. It’s small, silent, low-power — but with the right tuning, it’s a perfectly capable platform for:

  • Packet capture

  • Log aggregation

  • Dockerized microservices

  • Lightweight machine learning analytics

  • Security Onion sensor deployment

The Pi becomes a compact SOC node, ideal for:

  • Home lab monitoring

  • IoT honeypots

  • Threat intel collection

  • Adversary emulation

  • Custom detection rule testing

To optimize performance, I ran:

  • Overclocked CPU settings for higher throughput

  • USB-to-Ethernet adapters for dual-NIC ingestion

  • SSD-based external storage for packet retention

  • RAM tuning for Zeek and Suricata

This achieved stable packet inspection at home network speeds.


Deploying Security Onion

Security Onion is the backbone of the system — a full SOC platform integrating:

  • Zeek (network security monitoring)

  • Suricata (IDS/IPS)

  • TheHive (case management)

  • Wazuh (endpoint telemetry, optional)

  • Elasticsearch (log and packet analytics)

  • Kibana (visualization)

I deployed a lightweight sensor configuration, forwarding logs and PCAP metadata into a custom storage/analysis pipeline running on Docker.

Key enhancements included:

  • Custom Suricata rules for detecting local threats

  • Zeek scripting to identify behavioral anomalies in IoT devices

  • Honeypot-style beacon detection

  • Custom log enrichment and tagging

Security Onion served as the sensor suite and ingestion point, while Docker handled the SIEM logic.

Docker Cloud: The Custom SIEM Engine

Instead of relying solely on Security Onion’s built-in stack, I engineered a custom SIEM interface inside Docker. This allowed me to:

  • Decouple ingestion from analytics

  • Run separate microservices for parsing, correlation, and visualization

  • Build my own dashboard views

  • Write custom correlation logic

  • Integrate ML-based anomaly detection

  • Use modern lightweight visualization frameworks

My Docker stack included:

✔ Logstash pipeline (custom parsers)

To normalize SO logs into a more flexible schema.

✔ Elasticsearch clusters

Lightweight, distributed, tuned for Raspberry Pi architecture.

✔ Custom-built SIEM web interface

Written to:

  • Display correlated alerts

  • Visualize event relationships

  • Show network maps

  • Generate timeline analysis

  • Provide quick access to full PCAP from flagged alerts

✔ Automated alerting services

Built-in logic sent notifications via Telegram and email when critical indicators appeared.

This is what transformed the system from a simple home IDS into a full-fledged Security Operations Center.

Threat Hunting & Use Cases

With the system live, I performed:

✔ IoT behavioral analysis

Detecting devices phoning home to questionable endpoints.

✔ Internal lateral movement testing

Using Kali and Metasploit to verify detection coverage.

✔ Custom rule development

Writing Zeek and Suricata rules for unique network patterns.

✔ Honeypot packet watching

Creating fake vulnerable services to study unauthorized scanning.

✔ Anomaly detection experiments

Running lightweight ML models to identify deviations from baseline traffic.

The system proved capable of reliably detecting:

  • Port scans

  • Brute force attempts

  • Suspicious DNS traffic

  • Beaconing behavior

  • Unexpected SMB traffic

  • MITM attempts

  • Local device compromise patterns
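As an added example (not code from the original post), this is the kind of correlation logic the Docker-side SIEM described above could run over the Zeek conn.log records Security Onion forwards, covering two items from the detection list: beaconing (near-constant gaps between connections to one destination) and port scans (many distinct ports on one host inside a short window). Field names follow Zeek's JSON conn.log (ts, id.orig_h, id.resp_h, id.resp_p); the sample records and the thresholds are constructed assumptions, not values from the post.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (illustration only): a 60 s beacon from 192.168.1.50, a 25-port sweep
# from 192.168.1.77 inside ~3 s, and one ordinary web request that should trigger nothing.
SAMPLE_CONN_LOG = "\n".join(
    json.dumps(dict(zip(("ts", "id.orig_h", "id.resp_h", "id.resp_p"), rec), proto="tcp")) for rec in
    [(1700000000.0 + 60 * i, "192.168.1.50", "203.0.113.9", 443) for i in range(6)]
    + [(1700000100.0 + 0.1 * p, "192.168.1.77", "192.168.1.10", p) for p in range(20, 45)]
    + [(1700000300.0, "192.168.1.50", "198.51.100.4", 80)])

def parse_conn_log(text):
    """Parse newline-delimited JSON records; a torn line is skipped rather than stalling the pipeline."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def detect_beacons(records, min_connections=5, max_jitter=0.2):
    """Flag (src, dst, port) flows whose inter-connection gaps are nearly constant."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    hits = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # low spread of gaps means a schedule
            hits.append({"flow": flow, "period_s": round(avg, 1), "count": len(stamps)})
    return hits

def detect_port_scans(records, window_s=10.0, min_ports=15):
    """Flag a source that touches many distinct ports on one host within any window_s-long stretch."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append((r["ts"], r["id.resp_p"]))
    hits = []
    for pair, events in by_pair.items():
        events.sort()
        peak = max(len({p for t, p in events[i:] if t - t0 <= window_s}) for i, (t0, _) in enumerate(events))
        if peak >= min_ports:
            hits.append({"pair": pair, "distinct_ports": peak})
    return hits
```

In the real pipeline the records would come from the Logstash-normalized index rather than a string, and the hits would feed the alerting service described above.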

Why This Matters

Most cybersecurity professionals never build a SIEM. They never configure Zeek manually. They never see the network at packet level. They never architect a SOC pipeline.

By creating one myself, I gained:

  • Full-stack understanding of security operations

  • Deep insight into detection engineering

  • Hands-on experience in correlation logic

  • Networking mastery

  • Custom dashboard building

  • Automation and orchestration experience

  • Real-world threat hunting skills

This project represents:

Not just a home lab — but a functional miniature SOC, engineered from the ground up.

It demonstrates the ability to:

  • Design

  • Deploy

  • Tune

  • Automate

  • And operate a complete cybersecurity monitoring environment.

Conclusion

This project wasn’t about building something "cool." It was about proving that real security expertise comes from creation, not consumption.

What I built is a fully operational SOC using:

  • Security Onion

  • Custom SIEM pipelines

  • Docker microservices

  • A Raspberry Pi

  • Custom dashboards and detection logic

All engineered by hand, end to end.

It showcases innovation, technical mastery, and the ability to architect systems that most analysts only read about.
