A fully open-source Security Operations Center (SOC) lab designed for security analysts and SOC practitioners who want to explore, implement, and experiment with a modern SOC architecture — from log collection and normalization all the way through automated threat response.
⚠️ This is an ongoing project. The repository will be updated as new components and phases are added.
With this lab you can:

- Collect logs and security data into a single centralized platform
- Normalize and parse data for consistent analysis
- Visualize data and build meaningful security analytics dashboards
- Create incidents and cases from security alerts automatically
- Automate threat hunting, playbook execution, and SOC data analytics
- Analyze observables (IPs, hashes, domains) at scale from a single interface
- Actively respond to threats and coordinate with other teams
- Enrich alerts with open-source threat intelligence
Index:

- Architecture Diagram
- Components
- Installation Requirements
- Installation Guide — Phase 1
- Installation Guide — Phase 2
- Installation Guide — Beats Agent
- Shuffle Automation Install Guide
- Integration Guide — Phase 1
- Shuffle Workflow Implementation
- Elastic EDR Implementation
All components used in this project are open source.
| Component | Description |
|---|---|
| Elastic SIEM | Core SIEM platform powered by Elasticsearch, Logstash, and Kibana |
| TheHive | Scalable, open-source Security Incident Response Platform for SOCs, CSIRTs, and CERTs — GitHub |
| Cortex | Observable analysis engine — analyze IPs, URLs, hashes, domains one-by-one or in bulk via API — GitHub |
| MISP | Open-source threat intelligence platform for collecting, storing, and sharing cybersecurity indicators — GitHub |
| Component | Description |
|---|---|
| Snort | Leading open-source Intrusion Prevention System (IPS) — snort.org |
| Wazuh | Open-source host security monitoring and log analysis — wazuh.com |
| Dionaea | Honeypot designed to trap malware exploiting exposed services — docs |
| Jupyter Notebook | Interactive computing platform for security analytics and data exploration — jupyter.org |
| IntelOwl | OSINT platform to retrieve threat intelligence data on files, IPs, and domains from a single API — intelowlproject.github.io |
| Atomic Red Team | Library of adversary simulation tests mapped to MITRE ATT&CK — GitHub |
| Shuffle | Open-source SOAR platform for orchestrating security tool workflows — shuffler.io |
| Twitter TI Bot | Custom bot to collect threat intelligence from Twitter/X — Watch Episode |
| Component | Description |
|---|---|
| Elastic EDR | Free and open endpoint security — prevents ransomware, detects advanced threats, and arms responders with context — elastic.co |
To use the Shuffle workflow:
- Follow the Shuffle installation guide
- Once your Shuffle instance is running, watch the full walkthrough video HERE
To deploy Elastic EDR:
- Follow the installation guide from the Index
- Once your Elastic instance is running, watch the full walkthrough video HERE
The lab environment was built on Vultr Cloud. You can follow along on Vultr or use any alternative cloud provider. EKS can also be used to deploy the full setup.
| VM | OS | Instance Type | Notes |
|---|---|---|---|
| Elastic SIEM | Ubuntu 20.04 | t2.medium | t2.large recommended for best performance |
| TheHive | Ubuntu 20.04 | t2.medium | |
| Cortex | Ubuntu 20.04 | t3a.medium | t2.medium also works |
| MISP | Ubuntu 20.04 | t3.micro | |
| Port | Source | Purpose |
|---|---|---|
| 22 | Your IP | SSH access to VMs |
| 443 | Your IP | MISP web UI |
| 9200 | Your IP | Elasticsearch API |
| 5601 | Your IP | Kibana web UI |
| 9001 | Your IP | Cortex web UI |
| 9000 | Your IP | TheHive web UI |
| All TCP | Cortex VM IP | Inbound API access |
| All TCP | MISP VM IP | Inbound API access |
| All TCP | TheHive VM IP | Inbound API access |
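The port table above rendered as host-firewall rules for the Elastic SIEM VM. This is an added example, not a script from the SOC-lab repository: the analyst IP and the peer VM addresses are constructed placeholders (override them through the environment), and the script only prints the `ufw` commands so they can be reviewed before being applied as root. The `rule_line` check refuses any rule whose source is a catch-all, which is exactly the mistake the table's "Your IP" column exists to prevent (an Elasticsearch API or Kibana UI reachable from the whole internet).

```shell
#!/bin/sh
# Added example (not part of the SOC-lab repository). Prints ufw rules for
# the Elastic SIEM VM from the ports table and refuses to emit a rule that
# opens a management port to everyone.
#
# Assumptions: ANALYST_IP is the operator's public address; CORTEX_IP,
# MISP_IP and THEHIVE_IP are the private addresses of the other lab VMs.
ANALYST_IP="${ANALYST_IP:-203.0.113.10}"   # constructed placeholder (TEST-NET-3)
CORTEX_IP="${CORTEX_IP:-10.0.0.11}"         # constructed placeholder
MISP_IP="${MISP_IP:-10.0.0.12}"             # constructed placeholder
THEHIVE_IP="${THEHIVE_IP:-10.0.0.13}"       # constructed placeholder

# rule_line SOURCE PORT COMMENT
# Prints one "ufw allow" command. PORT may be a number or the word "all"
# (the table's "All TCP" rows). Returns 1, printing nothing on stdout, when
# SOURCE is a catch-all: every row in the table names a specific source.
rule_line() {
  src="$1"; port="$2"; comment="$3"
  case "$src" in
    0.0.0.0/0|::/0|any|"")
      echo "REFUSED: '$comment' (port $port) must not be open to everyone" >&2
      return 1 ;;
  esac
  if [ "$port" = "all" ]; then
    printf 'ufw allow proto tcp from %s comment "%s"\n' "$src" "$comment"
  else
    printf 'ufw allow proto tcp from %s to any port %s comment "%s"\n' \
      "$src" "$port" "$comment"
  fi
}

# The rows of the table that apply to the Elastic SIEM VM. The chain stops
# at the first refused rule so a partial rule set is never emitted.
siem_rules() {
  rule_line "$ANALYST_IP" 22   "SSH access" &&
  rule_line "$ANALYST_IP" 9200 "Elasticsearch API" &&
  rule_line "$ANALYST_IP" 5601 "Kibana web UI" &&
  rule_line "$CORTEX_IP"  all  "Cortex inbound API access" &&
  rule_line "$MISP_IP"    all  "MISP inbound API access" &&
  rule_line "$THEHIVE_IP" all  "TheHive inbound API access"
}

# Usage: ANALYST_IP=<your ip> sh siem-rules.sh > apply.sh
# Review apply.sh, then run it as root; finish with "ufw default deny incoming"
# and "ufw enable" so anything not listed above stays closed.
siem_rules
```

The same `rule_line` helper serves the TheHive, Cortex and MISP VMs; only the list inside `siem_rules` changes (port 9000, 9001 or 443 for the web UI, plus the peer-VM rows).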
- Open-source SIEM deployment and configuration
- Security incident case management with TheHive
- Observable enrichment and analysis with Cortex
- Threat intelligence management with MISP
- SOAR workflow automation with Shuffle
- Intrusion detection with Snort and Wazuh
- Endpoint detection and response with Elastic EDR
- Adversary simulation using Atomic Red Team (MITRE ATT&CK)

