Security Playbooks | MITRE ATT&CK Red & Blue Team Labs for SOC Analysts
Security Playbooks is an open-source, educational repository designed for cybersecurity professionals.
It focuses on delivering realistic, MITRE ATT&CK–aligned attack scenarios, detection engineering content, and hands-on labs to help users build practical skills in threat hunting, incident response, and adversary simulation within controlled environments.
The project aims to bridge the gap between theoretical knowledge and real-world security operations by providing structured, reproducible, and practical cybersecurity workflows.
Security Playbooks is a structured, MITRE ATT&CK–aligned learning and simulation platform that models real-world Security Operations Center (SOC) workflows. It provides hands-on playbooks, detection rules, and lab scenarios.
By integrating attack simulations with detection engineering and incident response processes, the platform enables end-to-end security operations — from log ingestion and rule execution to investigation, enrichment, and response.
Security Playbooks follows a simplified enterprise SOC detection pipeline to simulate how real-world security operations function.
```text
[Data Sources]
- Sysmon Logs
- Windows Event Logs
- Network Traffic (PCAP)
- Threat Intelligence Feeds
        ↓
[Ingestion & Parsing Layer]
- log_loader.py
- sysmon_parser.py
        ↓
[Detection Engine]
- Sigma / YARA / Suricata Rules
- rule_loader.py
        ↓
[Detection Pipeline]
- detection_pipeline.py
- pipeline.yaml
        ↓
[Enrichment Layer]
- VirusTotal / AbuseIPDB integrations
        ↓
[SOAR / Response Engine]
- isolate_host.py
- block_ip.py
- disable_user.py
        ↓
[Playbook Execution Engine]
- playbook_parser.py
- executor.py
        ↓
[Outputs & Reporting]
- reports/
- metrics/
- dashboards/
```

- Detection Rules – Ready-to-use Sigma, YARA, and Suricata rules for threat detection
- Attack Scenarios – MITRE ATT&CK–based simulations (phishing, malware, lateral movement)
- Hands-on Labs – Practical exercises with PoC scripts for controlled environments
- Log Analysis Examples – Sample logs, outputs, and visual artifacts
- Documentation & Tools – Quick Start guides, architecture docs, and helper scripts
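To illustrate the ingest, match, alert path of the pipeline sketched above and the validation flow it feeds (added example code, not a module from this repository), the block below parses a few constructed Sysmon process-creation records, evaluates a Sigma-shaped rule for the T1059 PowerShell scenario with a minimal field-modifier and condition evaluator, and returns ATT&CK-tagged alerts. The sample events, the rule content and the function names are assumptions, not artifacts from the project.

```python
import json

# Constructed Sysmon Event ID 1 records (JSON lines) standing in for parsed log output.
SAMPLE_SYSMON_JSONL = """\
{"EventID": 1, "Computer": "WS01", "User": "CORP\\\\alice", "Image": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "explorer.exe"}
{"EventID": 1, "Computer": "WS01", "User": "CORP\\\\alice", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand QUFB"}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe", "DestinationIp": "10.0.0.5"}
"""

# Sigma-shaped rule (hypothetical, not one shipped by the repository); modifiers follow Sigma.
PS_ENCODED_RULE = {
    "title": "Encoded PowerShell Command Line",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_cli": {"CommandLine|contains": ["-enc", "-encodedcommand"]},
        "condition": "selection_img and selection_cli",
    },
}

def field_matches(record, key, values):
    # Sigma semantics: case-insensitive comparison; a list of values is ORed.
    field, _, modifier = key.partition("|")
    actual = str(record.get(field, "")).lower()
    tests = {"endswith": actual.endswith, "contains": lambda v: v in actual, "": actual.__eq__}
    return any(tests[modifier](str(v).lower()) for v in ([values] if isinstance(values, str) else values))

def rule_matches(record, rule):
    # Each selection map ANDs its fields; the condition joins selections with and/or.
    detection = rule["detection"]
    truth = {name: all(field_matches(record, k, v) for k, v in sel.items())
             for name, sel in detection.items() if name != "condition"}
    tokens = detection["condition"].split()
    result = truth[tokens[0]]
    for op, name in zip(tokens[1::2], tokens[2::2]):
        result = (result and truth[name]) if op == "and" else (result or truth[name])
    return result

def run_pipeline(jsonl_text, rules):
    # Ingest JSON-lines events, keep process_creation (EventID 1) only, emit tagged alerts.
    alerts = []
    for record in (json.loads(line) for line in jsonl_text.splitlines() if line.strip()):
        if record.get("EventID") != 1:
            continue
        for rule in rules:
            if rule_matches(record, rule):
                alerts.append({"rule": rule["title"], "tags": rule["tags"], "host": record["Computer"],
                               "user": record.get("User"), "command_line": record["CommandLine"]})
    return alerts
```

Running `run_pipeline(SAMPLE_SYSMON_JSONL, [PS_ENCODED_RULE])` yields one alert for the encoded PowerShell launch and none for the benign process or the network event, which is the "Rule Triggered" check a validation step would assert on.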
This playbook assumes a realistic enterprise environment and adversary behavior. It is designed for educational and lab purposes only.
- Target Environment: Windows Active Directory (Enterprise Network)
- Log Sources:
  - Windows Event Logs (Security, Sysmon)
  - Network Traffic (PCAP)
  - Endpoint Detection & Response (EDR) telemetry
- Adversary Profile: APT-like actor executing common enterprise attacks
- Attack Surface: Endpoints, domain controllers, user workstations
- Attack Vectors Covered:
  - Command & scripting interpreter execution (T1059)
  - Phishing and social engineering (T1566)
  - Malware execution and lateral movement
- Assumptions:
  - Logging and monitoring are enabled (Sysmon, Security Logs)
  - SIEM or log aggregation is available
  - Scenarios run in isolated lab environments only
- Goals:
  - Demonstrate detection engineering and threat hunting workflows
  - Provide hands-on lab exercises for portfolio and learning purposes
This repository contains multiple playbook-style scenarios:
| Scenario | Type | MITRE ATT&CK | Playbook File |
|---|---|---|---|
| PowerShell Execution | Command & Scripting Interpreter | T1059 | T1059_PowerShell_Execution.md |
| Malware Analysis | Malware | Various | malware_analysis/README.md |
| Phishing Simulation | Social Engineering | T1566 | phishing_simulation/README.md |
Security Playbooks is intended for cybersecurity professionals who want to practice, analyze, and understand real-world cyber threats in a structured and controlled environment.
- SOC Analysts – Perform alert triage, log analysis, and incident investigation
- Threat Hunters – Conduct hypothesis-driven hunts and analyze adversary behavior
- Blue Team Engineers – Build, test, and optimize detection rules (Sigma, YARA, Suricata)
- Cybersecurity Professionals – Gain hands-on experience and develop practical expertise
- Red Teamers (Lab Use Only) – Emulate adversary techniques in controlled, isolated environments
Security Playbooks supports a range of practical cybersecurity workflows and real-world scenarios:
- Alert Investigation & Triage – Analyze and validate alerts generated by SIEM and EDR platforms
- Threat Hunting Operations – Execute structured hunts based on known tactics, techniques, and procedures (TTPs)
- Detection Engineering & Validation – Develop, test, and refine detection logic against simulated threats
- Incident Response Simulation – Follow structured procedures to investigate and respond to security incidents
- Adversary Emulation (Lab Only) – Reproduce attacker techniques to validate defensive capabilities
- Training & Skill Development – Strengthen technical skills through hands-on, scenario-based exercises
All detection rules and scenarios in this repository are designed to be testable, reproducible, and verifiable.
Each detection follows a structured validation process:
- Attack Simulation
- Log Generation
- Detection Execution
- Alert Verification
- Analysis & Tuning
```text
[Simulated Attack]
        ↓
[Log Generated]
        ↓
[Detection Pipeline Execution]
        ↓
[Rule Triggered]
        ↓
[Test Validation]
        ↓
[Metrics Collection]
```

- Windows 10 / 11
- Linux (Ubuntu 20.04+, Debian-based distros)
- macOS (Intel & Apple Silicon)
- Python 3.11+
- pip 23+
- Virtual environment recommended
- Sysmon (Windows logging)
- Suricata (Network IDS)
- YARA (Malware pattern matching)
- Sigma CLI (Rule conversion)
- Wireshark / tcpdump (PCAP analysis)
- Python libraries (installed via requirements.txt and dev-requirements.txt)
```bash
# Clone repository
git clone https://github.com/secwexen/security-playbooks.git
cd security-playbooks

# Create virtual environment
python -m venv venv
source venv/bin/activate   # Linux/Mac
venv\Scripts\activate      # Windows

# Install dependencies
pip install -r requirements.txt

# Install dev dependencies
pip install -r dev-requirements.txt

# To quickly test the project, run:
python labs/lab2_log_analysis/parser.py examples/malware_log_example.txt
```

For full details, refer to the Quick Start file.
For complete command information, refer to the RUN COMMANDS file.
- Wiki — Full Documentation
- Repository Structure
- Quick Start
- Examples
- Roadmap & Milestones
- Contributing Guidelines
- Changelog
- Security Policy
Copyright © 2026 secwexen.
This project is licensed under the MIT License.
See the LICENSE file for full details.
The contents of this repository, including scripts, scenarios, and detection rules, are provided for educational and research purposes only.
For full details, see DISCLAIMER.
Contributions and suggestions are welcome!
- Fork the repository and create a feature or fix branch (e.g. `feature/your-feature` or `fix/bug-name`).
- Make your changes and add relevant tests.
- Ensure all tests pass (`pytest`) and code style checks (e.g. `make lint`).
- Open a pull request referencing related issues/discussion when possible.
- All PRs must pass CI checks before merging.
Please open an issue before submitting major changes or new features.
See CONTRIBUTING for detailed contribution guidelines.
This document outlines the planned development path for the Security Playbooks repository, including short-term improvements, medium-term expansions, and long-term strategic goals.
Planned improvements include:
- expanded ATT&CK-mapped playbooks
- enhanced detection rules (Sigma, YARA, Suricata)
- structured SOC and incident response workflows
- automation-ready playbooks (SOAR integration)
- lab and simulation scenarios
- standardized schemas for machine-readable playbooks
- alignment with security frameworks (NIST, CIS, ISO)
For the full roadmap and upcoming features, see ROADMAP.
Security Playbooks is currently in the Active Development stage.
- Check out Issues for tasks and ideas.
- Join Discussions to share feedback and proposals.
- If you find this project valuable, consider giving it a star.
- Contribute code, documentation, or testing — see CONTRIBUTING for details.
For guidance on safe usage and reporting vulnerabilities, see SECURITY.md.
