🔴SOC-OpenSource

This is a project designed for security analysts and all SOC audiences who want to play with the implementation and explore a modern SOC architecture. All of the components are based on open source projects (available at the time of the first commit).

NOTE - This is an ongoing project and the repo will be updated as we work on new additions.

This project serves the following use cases:

  • Collect data into a single place.
  • Normalize and parse data.
  • Visualize data and prepare meaningful security analytics.
  • Create incidents/cases out of security alerts identified from the collected data/logs.
  • Automate the threat hunting process, the creation of actionable playbooks, and SOC data analytics.
  • Automate the analysis of collected observables, at scale, by querying a single tool instead of several.
  • Actively respond to threats and interact with the constituency and other teams.
  • Enrich data feeds with an open source Threat Intelligence Platform.

📑Index:

☸Architecture-Diagram(Ongoing):

Shuffle-SOAR workflow(Ongoing):

Shuffle-Workflow-Implementation

  • For utilizing the Shuffle workflow, please first refer to the installation guideline in the Index.
  • Once your Shuffle instance is up and running, please refer to this video HERE for a full walkthrough.

Adding EDR to Stack(Ongoing):

☸EDR-Implementation

  • Please refer to the installation guideline in the Index.
  • Once your Elastic instance is up and running, please refer to this video HERE for a full walkthrough.

☸Components(First Phase of Implementation):

All of the components used in this project are open source.

  • Elastic SIEM: Open source SIEM platform powered by Elasticsearch, Logstash and Kibana.
  • TheHive: TheHive is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
    • Official GitRepo of TheHive is HERE
  • Cortex: Cortex, an open source and free software, has been created by TheHive Project for this very purpose. Observables, such as IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a Web interface. Analysts can also automate these operations thanks to the Cortex REST API.
    • Official GitRepo of Cortex is HERE
  • MISP: MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reversers to support their day-to-day operations to share structured information efficiently.
    • Official GitRepo of MISP is HERE

Additional Components(Second Phase of Implementation):

  • Snort: Snort is the foremost open source Intrusion Prevention System (IPS) in the world.
  • Wazuh: Wazuh is an open source security monitoring solution which collects and analyzes host security data. It is a fork of the older, better known OSSEC project.
  • Honeypot Dionaea: Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network, gaining a copy of the malware.
  • Jupyter Notebook: The Jupyter Notebook is a web-based interactive computing platform. The notebook combines live code, equations, narrative text, visualizations etc.
    • Official website of Jupyter is HERE
  • IntelOwl: IntelOwl is an Open Source Intelligence (OSINT) solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale.
  • Atomic Red Team™: Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
  • Shuffle: Shuffle is an open source SOAR solution for making orchestration easy between security tools.
  • Twitter Bot: We have created a Twitter TI bot to collect meaningful intel about anything we care about, giving us the related information around it. You can find the episode HERE

☸Additional Components(Third Phase of Implementation):

  • Elastic EDR: Elastic EDR prevents ransomware and malware, detects advanced threats, and arms responders with vital context. It’s free and open, ready for every endpoint.

🔽Installation-Requirements:

We have created the environment in AWS. You can follow along or choose any other cloud provider, or you can even use EKS to deploy the full setup.

☁VM Requirements:

  • MISP- Ubuntu20- t3.micro
  • Elastic SIEM- Ubuntu20- t2.medium (Best performance can be achieved on t2.large)
  • Cortex- Ubuntu20- t3a.medium (Can work on t2.medium as well)
  • TheHive- Ubuntu20- t2.medium

🌏Network Rules:

| Ports   | IP Ranges      | Comments                       |
|---------|----------------|--------------------------------|
| 22      | Your IP        | SSH to the VMs                 |
| 443     | Your IP        | Accessing MISP UI on browser   |
| 9200    | Your IP        | Accessing Elasticsearch        |
| 5601    | Your IP        | Accessing Kibana UI            |
| 9001    | Your IP        | Accessing Cortex UI            |
| 9000    | Your IP        | Accessing TheHive UI           |
| All TCP | Cortex VM IP   | Accessing inbound API          |
| All TCP | MISP VM IP     | Accessing inbound API          |
| All TCP | TheHive VM IP  | Accessing inbound API          |
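The table above is easy to get wrong when it is typed into a security group by hand, most commonly by leaving Elasticsearch (9200) or Kibana (5601) reachable from 0.0.0.0/0. The following script is an added example, not part of the SOC-OpenSource project: it checks a list of inbound rules (a simplified form of AWS IpPermission entries) against the intent of the table. The admin IP and the three stack VM IPs are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed stand-ins for the README's "Your IP" and the three stack VM IPs
# (Cortex, MISP, TheHive); replace with the real /32s of your deployment.
ADMIN_CIDR = ip_network("203.0.113.5/32")
STACK_VM_CIDRS = {ip_network(f"10.0.1.{h}/32") for h in (10, 11, 12)}
# Ports the table exposes to "Your IP" only: SSH, MISP, Elasticsearch, Kibana, Cortex, TheHive.
ADMIN_PORTS = {22, 443, 9200, 5601, 9001, 9000}

def check_rule(rule):
    """Evaluate one inbound rule (simplified AWS IpPermission dict such as
    {"proto": "tcp", "from_port": 9200, "to_port": 9200, "cidr": "0.0.0.0/0"})
    against the table's intent. Returns findings; an empty list means it matches."""
    findings = []
    src = ip_network(rule["cidr"], strict=False)
    lo, hi = rule["from_port"], rule["to_port"]
    all_ports = (lo, hi) == (0, 65535)          # the table's "All TCP" rows
    if src.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
        findings.append(f"{lo}-{hi}/{rule['proto']} is open to the whole internet")
    if all_ports and src not in STACK_VM_CIDRS:
        findings.append(f"all ports allowed from {src}, which is not a stack VM")
    if not all_ports and not (lo == hi and lo in ADMIN_PORTS):
        findings.append(f"port range {lo}-{hi} does not appear in the table")
    elif not all_ports and src != ADMIN_CIDR and src not in STACK_VM_CIDRS:
        findings.append(f"port {lo} allowed from {src} instead of the admin IP")
    return findings

def audit(rules):
    """Return {rule_index: findings} for every rule that deviates from the table."""
    report = {}
    for i, rule in enumerate(rules):
        findings = check_rule(rule)
        if findings:
            report[i] = findings
    return report

# Constructed sample: the first two rules follow the table, the last two do not.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.5/32"},
    {"proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "10.0.1.11/32"},
    {"proto": "tcp", "from_port": 9200, "to_port": 9200, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 5601, "to_port": 5601, "cidr": "198.51.100.0/24"},
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_RULES).items():
        print(f"rule {idx}: " + "; ".join(findings))
```

Running it flags the Elasticsearch rule as internet-exposed and the Kibana rule as allowed from a /24 that is not the admin IP, while the SSH and inter-VM rules pass.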

🤝Contributing

We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests.

🔼Enhancements:

  • As per the architecture document and the components mentioned, we will keep updating this repo with the staged implementation.
  • All of the staged implementation steps will be added to the Index page, so you can access them easily from there.

🙏Support
