S³ Stack Architecture: End-to-End Security Data Flow

[+] Status: Complete
[+] Origin: Portfolio Project
[+] Date: 2026.02
>> TECH_STACK: Wazuh, TheHive, Cortex, MISP, Zeek, Suricata, Elasticsearch, Docker, Proxmox, Ubuntu, MCP, Python
Open Source

S³ Stack monorepo with MCP servers, playbooks, and deployment automation

This is the architecture deep-dive for a production Security Operations Center built entirely with open-source tools. While the companion project page covers the deployment and institutional value, this page focuses on one thing: how data moves through the stack from the moment a packet hits the wire to the moment an analyst closes an incident case.

What makes this architecture distinctive is the AI integration layer. Nine MCP (Model Context Protocol) servers expose every tool in the stack to LLM-powered assistants. The result is a SOC where natural language is a first-class interface, and an AI can query alerts, create cases, run enrichment, and check threat intel in a single conversation.

  • 7 integrated VMs
  • 9 MCP servers
  • 6 pipeline stages
  • Under 60 s from packet to case

Each tool serves a specific role in the data flow pipeline:

Zeek
Protocol Analyzer

Parses network traffic into structured JSON logs: HTTP requests, DNS queries, TLS handshakes, file transfers. Provides deep metadata that signature-based tools miss.

Suricata
Signature-Based NIDS

Matches network packets against thousands of known attack signatures. Outputs eve.json alerts for confirmed threats like exploit attempts and malware downloads.

Wazuh
SIEM / XDR

Central nervous system. Collects logs from all endpoints and NIDS sensors, correlates events against MITRE ATT&CK rules, generates alerts, and triggers escalation workflows.

TheHive
Incident Response Platform

Case management hub. Receives high-severity alerts from Wazuh, organizes them into investigation cases with tasks, observables, and analyst assignments.

Cortex
Observable Analysis Engine

Runs automated enrichment on extracted indicators (IPs, hashes, domains). Queries VirusTotal, AbuseIPDB, and other sources via containerized analyzer plugins.

MISP
Threat Intelligence Platform

Stores and correlates Indicators of Compromise across threat feeds. Answers the critical question: have we seen this indicator before, and in what context?

Wazuh Indexer
Search and Storage

Elasticsearch fork that stores all SIEM data long-term. Powers the dashboard queries and provides the searchable archive for historical analysis.

MCP Servers (x9)
AI Integration Layer

Model Context Protocol servers that expose every SOC tool to LLM-powered assistants. Natural language becomes a first-class interface for security operations.

Follow a suspicious packet from the wire to a closed case. Every arrow represents an automated, API-driven handoff with no manual intervention required.

  • Network Traffic: raw packets via SPAN port
  • (mirror) Zeek + Suricata, Detection Layer: NIDS, signatures + protocol analysis
  • (JSON logs) Wazuh SIEM, Correlation Layer: correlate, decode, alert
  • (API/9000) TheHive, Response Layer: case creation and triage
  • (API/9001) Cortex, Analysis Layer: automated enrichment
  • (IoC lookup) MISP, Intelligence Layer: threat intel correlation
  • MCP Integration Layer: an AI assistant can query any stage via natural language

Here is what happens when a compromised endpoint attempts a Command and Control callback:

1. Network Capture

The NIDS VM receives mirrored traffic via the SPAN port. Suricata matches the outbound connection against its ET Open ruleset and flags it as a known C2 signature. Simultaneously, Zeek logs the full connection metadata: source IP, destination IP, port, duration, bytes transferred, and TLS certificate details.

2. SIEM Ingestion and Correlation

A Wazuh Agent on the NIDS box reads the Suricata eve.json and Zeek conn.log files and ships them to the Wazuh Manager over TCP/1514. The Manager decodes the logs, matches them against MITRE ATT&CK rules (T1071: Application Layer Protocol), and generates a high-severity alert. The alert is indexed in the Wazuh Indexer for long-term storage and dashboard visibility.

3. Automated Escalation

The custom-w2thive.py script on the Wazuh Manager detects that the alert exceeds the severity threshold. It transforms the alert into TheHive's expected JSON schema and POSTs it to TheHive's API on port 9000. TheHive creates a new alert entry, ready for analyst review.

4. Investigation and Enrichment

An analyst (or the AI assistant via MCP) promotes the alert to a full case. TheHive extracts observables: the destination IP, domain, and any file hashes. These observables are sent to Cortex, which runs containerized analyzers against VirusTotal, AbuseIPDB, and the local MISP instance. Enrichment reports flow back into the case automatically.

5. Threat Intelligence Correlation

MISP checks the observables against its threat feed database. The destination IP appears in three separate threat reports linked to a known APT group. This context is attached to the TheHive case, giving the analyst (or AI) the full picture: what happened, how bad it is, and who else has seen it.

6. Resolution

With full context in hand, the analyst documents findings, assigns response tasks (isolate host, block IP at firewall, scan for lateral movement), and closes the case. The IoCs are exported back to MISP to strengthen future detection. Total elapsed time from packet to enriched case: under 60 seconds.

Nine MCP servers transform the entire SOC stack into a conversational interface. Each server wraps a platform's REST API into structured tools that any LLM can invoke.

wazuh-mcp Wazuh SIEM

Query alerts, search events, check agent status

thehive-mcp TheHive

Create cases, manage tasks, search history

cortex-mcp Cortex

Run analyzers, retrieve enrichment reports

misp-mcp MISP

Search IoCs, correlate threat intel, query feeds

zeek-mcp Zeek Logs

Search connection logs, DNS queries, HTTP metadata

suricata-mcp Suricata

Query signature alerts, rule management

elastic-mcp Elasticsearch

Raw index queries, historical data search

sigma-mcp Sigma Rules

Search and convert detection rules across formats

pcap-mcp Packet Capture

Retrieve and analyze stored network captures

// What This Looks Like in Practice

💬 "Show me critical alerts from the last 4 hours with MITRE mapping"
AI → wazuh-mcp → Wazuh API → filtered, enriched alert list
💬 "Create a case for this IP and run VirusTotal + AbuseIPDB analysis"
AI → thehive-mcp (create case) → cortex-mcp (run analyzers) → enriched case
💬 "Have we seen this file hash in any threat feeds?"
AI → misp-mcp → MISP search → matching events with APT attribution
Integration Design: Wazuh-to-TheHive Bridge
Problem: Wazuh generates hundreds of alerts daily, but only high-severity events warrant full incident investigation in TheHive.
Solution: Built a custom Python script (custom-w2thive.py) on the Wazuh Manager that filters alerts by severity threshold, transforms them to TheHive's JSON format, and POSTs them via API. Analysts see pre-triaged alerts ready for case promotion.
Result: Eliminated manual alert copy-paste between platforms. High-priority events arrive in TheHive within seconds of detection.
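The escalation step described in step 3 and in the Wazuh-to-TheHive bridge above, written out as an added example. This is not the project's custom-w2thive.py; it assumes Wazuh invokes the script as an integration with the alert's JSON file path in argv[1], that TheHive accepts alerts at POST /api/v1/alert with a Bearer API key, and an illustrative level-to-severity mapping. The sample alert, host name and rule id are constructed.

```python
"""Wazuh -> TheHive escalation bridge (added example, not the project's script).

Assumptions (not from the page):
  * Wazuh runs this as an integration script with the alert JSON file path in argv[1].
  * TheHive exposes POST /api/v1/alert and authenticates with a Bearer API key.
  * The level-to-severity mapping and the threshold value are illustrative.
"""
import json
import os
import sys
import urllib.request

SEVERITY_THRESHOLD = 10                                                     # escalate rule.level >= 10
THEHIVE_URL = os.environ.get("THEHIVE_URL", "http://thehive.example:9000")  # placeholder host
THEHIVE_API_KEY = os.environ.get("THEHIVE_API_KEY", "REPLACE_ME")           # placeholder key


def wazuh_level_to_thehive_severity(level: int) -> int:
    """Wazuh rule levels run 0-15; TheHive severities run 1 (low) to 4 (critical)."""
    if level >= 13:
        return 4
    if level >= 10:
        return 3
    if level >= 7:
        return 2
    return 1


def should_escalate(alert: dict, threshold: int = SEVERITY_THRESHOLD) -> bool:
    """Only alerts at or above the threshold become TheHive alerts."""
    return int(alert.get("rule", {}).get("level", 0)) >= threshold


def wazuh_to_thehive(alert: dict) -> dict:
    """Transform one Wazuh alert into TheHive's alert JSON shape."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    data = alert.get("data", {})
    tags = [f"wazuh:rule:{rule.get('id', '?')}"]
    # Wazuh puts MITRE ATT&CK technique ids under rule.mitre.id when a rule is mapped
    tags += [f"mitre:{tid}" for tid in rule.get("mitre", {}).get("id", [])]
    observables = []
    # Generic decoders use srcip/dstip; JSON-decoded Suricata events keep src_ip/dest_ip
    for key in ("srcip", "src_ip", "dstip", "dest_ip"):
        if data.get(key):
            observables.append({"dataType": "ip", "data": data[key]})
    return {
        "type": "wazuh",
        "source": "wazuh",
        "sourceRef": alert.get("id", ""),   # stable reference so re-runs do not duplicate alerts
        "title": rule.get("description", "Wazuh alert"),
        "description": (f"Agent {agent.get('name')} (id {agent.get('id')}) raised rule "
                        f"{rule.get('id')} level {rule.get('level')} at {alert.get('timestamp')}"),
        "severity": wazuh_level_to_thehive_severity(int(rule.get("level", 0))),
        "tags": tags,
        "observables": observables,
    }


def post_alert(payload: dict, url: str = THEHIVE_URL, api_key: str = THEHIVE_API_KEY) -> int:
    """POST the alert to TheHive and return the HTTP status (urlopen raises on 4xx/5xx)."""
    req = urllib.request.Request(
        f"{url}/api/v1/alert",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample in Wazuh's alert JSON shape (all values made up for this example)
SAMPLE_ALERT = {
    "id": "1770732191.12345",
    "timestamp": "2026-02-10T14:03:11.123+0000",
    "rule": {"id": "100200", "level": 12,
             "description": "Suricata: outbound connection matched C2 signature",
             "mitre": {"id": ["T1071"]}},
    "agent": {"id": "001", "name": "nids-01"},
    "data": {"src_ip": "10.0.20.15", "dest_ip": "203.0.113.7"},
}


def main(argv: list) -> int:
    if len(argv) > 1:                       # invoked by Wazuh with an alert file
        with open(argv[1]) as fh:
            alert = json.load(fh)
        if not should_escalate(alert):
            return 0
        return 0 if post_alert(wazuh_to_thehive(alert)) < 300 else 1
    # No file given: dry run on the constructed sample, print the payload, send nothing
    print(json.dumps(wazuh_to_thehive(SAMPLE_ALERT), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The sourceRef is the Wazuh alert id rather than a fresh value so that a retried integration run updates the same TheHive alert instead of creating a second one; the threshold and key come from the environment so the script itself carries no secrets.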
Architecture Choice: Dual NIDS Strategy: Zeek + Suricata
Problem: Signature-based detection catches known threats but misses novel attacks. Protocol analysis catches anomalies but generates noise without context.
Solution: Deployed both tools on the same SPAN port. Suricata handles signature matching while Zeek provides deep protocol metadata. Both output JSON logs consumed by a local Wazuh Agent, giving the SIEM two complementary views of every packet.
Result: Coverage spans both known signatures and behavioral anomalies. Correlation in Wazuh combines both data streams for richer alert context.
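To make the "two complementary views of every packet" concrete, here is an added example (not the project's code, and not how Wazuh's rule engine is implemented) that joins Suricata eve.json alerts to Zeek conn.log records on the connection five-tuple, as steps 1 and 2 describe. The signature hit names the threat; the Zeek record adds duration, byte counts and connection state, and the Zeek records with no signature hit are the behavioural view signatures cannot give. Both sample logs are constructed; the Zeek lines assume JSON output is enabled.

```python
"""Join Suricata alerts to Zeek connection records on the five-tuple.

Added example, not the project's code. Sample lines below are constructed in the
real field layouts of Suricata eve.json and Zeek conn.log (JSON output).
"""
import json

EVE_LINES = """
{"timestamp":"2026-02-10T14:03:11.123456+0000","flow_id":111,"event_type":"alert","src_ip":"10.0.20.15","src_port":51234,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED C2 beacon signature","severity":1,"category":"Malware Command and Control Activity Detected"}}
{"timestamp":"2026-02-10T14:03:14.500000+0000","flow_id":111,"event_type":"flow","src_ip":"10.0.20.15","src_port":51234,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP"}
""".strip().splitlines()

CONN_LINES = """
{"ts":1770732191.12,"uid":"CAbcd1234","id.orig_h":"10.0.20.15","id.orig_p":51234,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","duration":3.2,"orig_bytes":1024,"resp_bytes":512,"conn_state":"SF"}
{"ts":1770732201.40,"uid":"CEfgh5678","id.orig_h":"10.0.20.15","id.orig_p":51240,"id.resp_h":"198.51.100.22","id.resp_p":8443,"proto":"tcp","duration":600.0,"orig_bytes":50,"resp_bytes":40,"conn_state":"S1"}
""".strip().splitlines()


def parse_jsonl(lines):
    """Yield one dict per non-blank JSON line."""
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def suricata_key(ev):
    """Five-tuple from an eve.json record (Suricata writes proto in upper case)."""
    return (ev["src_ip"], int(ev["src_port"]), ev["dest_ip"], int(ev["dest_port"]),
            ev["proto"].lower())


def zeek_key(rec):
    """Five-tuple from a conn.log record; Zeek flattens id.orig_h etc. into dotted keys."""
    return (rec["id.orig_h"], int(rec["id.orig_p"]), rec["id.resp_h"], int(rec["id.resp_p"]),
            rec["proto"].lower())


def index_connections(conn_lines):
    """Group Zeek connection records by five-tuple."""
    conns = {}
    for rec in parse_jsonl(conn_lines):
        conns.setdefault(zeek_key(rec), []).append(rec)
    return conns


def correlate(eve_lines, conn_lines):
    """Return Suricata alerts enriched with the matching Zeek conn record, if any."""
    conns = index_connections(conn_lines)
    out = []
    for ev in parse_jsonl(eve_lines):
        if ev.get("event_type") != "alert":      # skip flow/stats/etc. event types
            continue
        key = suricata_key(ev)
        conn = (conns.get(key) or [None])[0]
        out.append({
            "signature": ev["alert"]["signature"],
            "severity": ev["alert"]["severity"],
            "five_tuple": key,
            "zeek_uid": conn["uid"] if conn else None,
            "duration": conn["duration"] if conn else None,
            "orig_bytes": conn["orig_bytes"] if conn else None,
            "resp_bytes": conn["resp_bytes"] if conn else None,
            "conn_state": conn["conn_state"] if conn else None,
        })
    return out


def unalerted_connections(eve_lines, conn_lines):
    """Zeek records that no signature fired on: the behavioural view left for analysis."""
    alerted = {suricata_key(ev) for ev in parse_jsonl(eve_lines)
               if ev.get("event_type") == "alert"}
    return [rec for rec in parse_jsonl(conn_lines) if zeek_key(rec) not in alerted]


if __name__ == "__main__":
    for row in correlate(EVE_LINES, CONN_LINES):
        print(json.dumps(row))
    for rec in unalerted_connections(EVE_LINES, CONN_LINES):
        # long-lived, low-volume sessions without a signature hit are what this view surfaces
        print("no signature hit:", rec["uid"], rec["id.resp_h"], rec["id.resp_p"],
              rec["conn_state"], rec["duration"])
```

In production the join would also use the timestamp (a five-tuple is reused once ephemeral ports cycle) or Community ID, which both tools can emit; the five-tuple alone is enough to show the shape of the correlation.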
AI Integration: 9 MCP Servers for Full-Stack AI Access
Problem: SOC analysts juggle 5+ web dashboards during investigations. Context switching between tools slows triage and increases cognitive load.
Solution: Built MCP servers for each platform (Wazuh, TheHive, Cortex, MISP, plus supporting tools). Each server exposes the platform's API as structured tools that any LLM can invoke through the Model Context Protocol.
Result: An AI assistant can query alerts, create cases, run enrichment, and check threat intel in a single conversation. Analysts stay in one interface.
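The "expose the platform's API as structured tools" idea, shown as an added example rather than the project's wazuh-mcp. It hand-implements the three MCP methods a client needs (initialize, tools/list, tools/call) as newline-delimited JSON-RPC on stdio so it runs without the MCP SDK; a real server would build on the official mcp Python package and call the Wazuh REST API inside fetch_alerts(). The alert store, timestamps, agent names and rule ids are constructed, and the fixed clock NOW exists only to keep the sample deterministic.

```python
"""Minimal MCP-style server exposing one read-only Wazuh tool (added example).

Not the project's wazuh-mcp. fetch_alerts() is a stand-in for a call to the Wazuh API
with a read-only credential; everything it returns here is constructed.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 2, 10, 14, 0, tzinfo=timezone.utc)   # fixed clock for the sample data

# Constructed alerts in Wazuh's JSON shape
ALERT_STORE = [
    {"id": "a1", "timestamp": (NOW - timedelta(hours=1)).isoformat(),
     "rule": {"id": "100200", "level": 12, "description": "Outbound C2 signature match",
              "mitre": {"id": ["T1071"]}}, "agent": {"name": "nids-01"}},
    {"id": "a2", "timestamp": (NOW - timedelta(hours=2)).isoformat(),
     "rule": {"id": "100100", "level": 5, "description": "Login session opened",
              "mitre": {"id": []}}, "agent": {"name": "web-01"}},
    {"id": "a3", "timestamp": (NOW - timedelta(hours=30)).isoformat(),
     "rule": {"id": "100201", "level": 13, "description": "Malware download blocked",
              "mitre": {"id": ["T1105"]}}, "agent": {"name": "ws-07"}},
]


def fetch_alerts():
    """Stand-in for GET /alerts against the Wazuh API."""
    return ALERT_STORE


def query_alerts(min_level: int = 10, hours: int = 4, now: datetime = NOW) -> list:
    """Alerts at or above min_level raised within the last `hours`, with MITRE ids."""
    hours = max(1, min(int(hours), 24 * 30))   # bound the window; a prompt cannot pull everything
    since = now - timedelta(hours=hours)
    hits = []
    for a in fetch_alerts():
        ts = datetime.fromisoformat(a["timestamp"])
        if a["rule"]["level"] >= int(min_level) and ts >= since:
            hits.append({"id": a["id"], "timestamp": a["timestamp"], "agent": a["agent"]["name"],
                         "rule": {"id": a["rule"]["id"], "level": a["rule"]["level"],
                                  "description": a["rule"]["description"]},
                         "mitre": a["rule"]["mitre"]["id"]})
    return hits


# Tool registry: the JSON schema is what the LLM sees when it lists tools
TOOLS = {
    "query_alerts": {
        "fn": query_alerts,
        "description": "List Wazuh alerts at or above a rule level in the last N hours, with MITRE ATT&CK ids.",
        "inputSchema": {"type": "object",
                        "properties": {"min_level": {"type": "integer", "minimum": 0, "maximum": 15},
                                       "hours": {"type": "integer", "minimum": 1}},
                        "required": []},
    },
}


def _result(req_id, result):
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_request(req: dict):
    """Dispatch one JSON-RPC request; notifications (no id) get no response."""
    method, req_id, params = req.get("method"), req.get("id"), req.get("params") or {}
    if method and method.startswith("notifications/"):
        return None
    if method == "initialize":
        return _result(req_id, {"protocolVersion": "2024-11-05",   # a published MCP version string
                                "capabilities": {"tools": {}},
                                "serverInfo": {"name": "wazuh-mcp-example", "version": "0.1"}})
    if method == "tools/list":
        return _result(req_id, {"tools": [{"name": n, "description": t["description"],
                                           "inputSchema": t["inputSchema"]}
                                          for n, t in TOOLS.items()]})
    if method == "tools/call":
        tool = TOOLS.get(params.get("name"))
        if tool is None:
            return _error(req_id, -32602, f"unknown tool {params.get('name')!r}")
        args = params.get("arguments") or {}
        unknown = set(args) - set(tool["inputSchema"]["properties"])
        if unknown:                          # only schema-declared arguments reach the function
            return _error(req_id, -32602, f"unexpected arguments {sorted(unknown)}")
        try:
            data = tool["fn"](**args)
        except (TypeError, ValueError) as exc:
            return _error(req_id, -32602, str(exc))
        return _result(req_id, {"content": [{"type": "text", "text": json.dumps(data)}],
                                "isError": False})
    return _error(req_id, -32601, f"method not found: {method}")


def serve_stdio():
    """One JSON-RPC message per line on stdin, one response per line on stdout."""
    for line in sys.stdin:
        if line.strip():
            resp = handle_request(json.loads(line))
            if resp is not None:
                print(json.dumps(resp), flush=True)


if __name__ == "__main__":
    serve_stdio()
```

Two design points carry over to any of the nine servers: the tool schema is the contract the model works from, so it should admit only the arguments the server validates (here the clock is not client-controlled and the window is capped), and a query tool should run with a read-only platform credential so the assistant's reach matches the tool's description.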
Data Flow: Zero-Gap Alert Pipeline
Problem: Security data sitting in isolated tools creates blind spots. An alert in Wazuh means nothing if the analyst cannot quickly check threat intel or run enrichment.
Solution: Designed the stack so data flows in one direction without manual intervention: Network Traffic to NIDS to SIEM to IR to Analysis to Threat Intel. Each transition is API-driven and automated.
Result: A suspicious packet on the wire can become an enriched, contextualized incident case in under 60 seconds with no human intervention required.
Security Architecture
  • Multi-tier SOC design
  • Defense-in-depth strategy
  • API-driven integration
  • Data flow optimization
Network Security
  • SPAN/mirror port config
  • Dual NIDS deployment
  • Protocol analysis
  • Signature management
SIEM Engineering
  • Log correlation rules
  • MITRE ATT&CK mapping
  • Alert threshold tuning
  • Custom decoder writing
Incident Response
  • Case management workflows
  • Observable enrichment
  • Threat intel correlation
  • Automated triage
AI/MCP Integration
  • MCP server development
  • API abstraction layers
  • Tool-use patterns
  • Natural language interfaces
Infrastructure
  • Proxmox virtualization
  • VLAN segmentation
  • JVM tuning
  • Docker orchestration
Complete
  • Full SOC stack deployed and integrated
  • Dual NIDS (Zeek + Suricata) monitoring network
  • Wazuh SIEM with MITRE ATT&CK correlation
  • Automated Wazuh-to-TheHive alert escalation
  • Cortex enrichment with external analyzers
  • MISP threat intel feeds active
  • 9 MCP servers providing AI access to all tools
  • End-to-end data flow validated