Validation Pipeline

Deterministic validation pipeline for endpoint and network telemetry with integrity-bound case artifacts.

System Overview

Scope: Windows endpoint telemetry and Suricata IDS network telemetry
Control Model: Deterministic multi-stage validation pipeline executed prior to analyst investigation
Integrity Model: SHA256 hashing binds evidence artifacts to each validation run

Automation Flow

The pipeline validates telemetry availability, retrieves evidence artifacts, and binds them to an immutable case directory before analyst investigation begins.

[Figure: SOC Automation Pipeline Diagram. Validation and artifact control workflow prior to analysis.]

Control Groups

Validation Controls

  • Endpoint validated before ingestion
  • JSON schema verification
  • Standardised validation queries
  • Execution halts on validation failure

Execution Controls

  • Exit codes enforced across SSH
  • Command allowlist restricts remote execution
  • Orchestration logs capture execution sequence

Integrity Controls

  • SHA256 hashing binds artifacts
  • Timestamped, no-overwrite directories
  • Per-run metadata recorded

Quantified Impact

Stage                  Manual workflow   Automated workflow
Endpoint validation    ~8 minutes        ~15 seconds
Log collection         ~4-5 minutes      ~1 minute
Ingestion validation   ~3-4 minutes      ~30 seconds
Total workflow         ~15 minutes       ~1 minute 45 seconds

Repository Components

Two scripts implement the validation and orchestration layers of the pipeline.

Validate-Process.ps1

  • Sysmon + Security queries
  • JSON export and normalisation
  • Controlled exit codes

run-validation.sh

  • SSH orchestration
  • Artifact retrieval and hash generation
  • Supports endpoint and Suricata validation artifacts

Case Structure & Integrity Model

Each validation run generates an immutable case directory containing telemetry artifacts and execution metadata.

cases/<case_id>/
  metadata.txt
  orchestration.log
  evidence.hash
  windows/
    process-validation.json
  splunk/
    splunk-validation.csv
    suricata-validation.csv
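As an added example (not the project's run-validation.sh), the following bash functions implement the integrity model above: a timestamped case directory that refuses to overwrite an existing run, per-run metadata, and an evidence.hash manifest that binds every artifact under windows/ and splunk/ and can later be re-verified. It assumes GNU sha256sum is available; the metadata.txt fields and orchestration.log line format are assumptions.

```shell
#!/usr/bin/env bash
# Added example modelled on the case structure above; not the project's own code.
set -eu

# Append one line to the run's orchestration log (assumed format: UTC time, step, detail).
log_step() {
  local dir="$1" step="$2" detail="$3"
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$step" "$detail" >> "$dir/orchestration.log"
}

# Create cases/<case_id>/ with the windows/ and splunk/ subdirectories.
# mkdir without -p fails if the directory exists, so a rerun with the same
# case id cannot clobber a prior run's evidence (the no-overwrite control).
new_case_dir() {
  local root="$1" case_id="$2"
  local dir="$root/$case_id"
  mkdir "$dir" 2>/dev/null || return 1
  mkdir "$dir/windows" "$dir/splunk"
  # Per-run metadata (assumed fields).
  printf 'case_id=%s\ncreated_utc=%s\nhost=%s\n' \
    "$case_id" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" > "$dir/metadata.txt"
  log_step "$dir" "case_created" "$dir"
  printf '%s\n' "$dir"
}

# Hash every retrieved artifact into evidence.hash. Paths are recorded relative
# to the case directory and sorted so the manifest is deterministic.
bind_evidence() {
  local dir="$1"
  ( cd "$dir" && find windows splunk -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
    > "$dir/evidence.hash"
  log_step "$dir" "evidence_bound" "$(wc -l < "$dir/evidence.hash") artifacts"
}

# Re-check the manifest; returns non-zero if any artifact was altered or removed.
verify_evidence() {
  local dir="$1"
  ( cd "$dir" && sha256sum --check --quiet evidence.hash )
}
```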

Scope Discipline

Automated

  • Endpoint validation
  • Suricata alert validation
  • Artifact retrieval
  • Schema validation
  • Integrity hashing
  • Standardised queries

Not Automated

  • Detection engineering
  • Alert logic
  • Scheduled searches
  • SOAR integrations
  • Report writing

Automation enforces consistency; analytical judgment remains manual.

Example Validation Runs

The pipeline validates multiple Sysmon event categories including process creation, DNS queries, WMI persistence events, registry modification events, and file creation events, alongside Suricata alert events. It does not attempt full MITRE technique coverage or automated detection logic.

ART T1059.001 - Command & Scripting Interpreter

Sysmon Event ID 1 recorded PowerShell execution with command-line parameters. Telemetry confirms PowerShell process creation and command invocation.

Workflow time: ~2 minutes

ART T1055 - Process Injection

PowerShell execution invoking the unmanaged OpenProcess API was captured via Sysmon Event ID 1 and validated in Splunk; the execution artifact was confirmed, but memory modification was not validated.

Workflow time: ~2 minutes