SOC Open Source, ELK- TheHive- Cortex- MISP Complete Setup Guide, Part 1

Views: 77,780

1 day ago

Comments: 143
@BlackPerl 3 years ago
SOC Open Source is a project designed for security analysts and all SOC audiences who want to play with the implementation and explore the modern SOC architecture. All of the components are based on open source projects (available at the time of the first commit). This is Part 1: we show the base of the model with ELK, TheHive, Cortex and MISP, and we use some dummy data to ingest into ELK. In upcoming episodes we will add more data sources to ELK (Wazuh, Snort, a honeypot) and integrate Atomic Red Team with ELK for attack simulation. We will also show how you can automate your flows with Shuffle. So watch this space!

This project serves the use cases below:
👉 Collect data in a single place.
👉 Normalize and parse data.
👉 Visualize data and prepare meaningful security analytics.
👉 Create incidents/cases out of security alerts identified from the collected data/logs.
👉 Automate threat hunting, the creation of actionable playbooks, and SOC data analytics.
👉 Automate the analysis of collected observables, at scale, by querying a single tool instead of several.
👉 Actively respond to threats and interact with the constituency and other teams.
👉 Enrich data feeds with an open source threat intelligence platform.

In this episode I cover from scratch how you can install all of the components (Elastic Stack, TheHive, Cortex, MISP) and show how you can integrate them with each other. This project can be used by any small or large organization that wants to build its SOC setup using open source tools, and by any security analyst or engineer who wants to build a SOC lab with all of the components: SIEM, case management, threat intel platform, threat hunt and analytics capability and more. You will find similar projects online, but this is the FIRST TIME everything is shown bundled up and in fully working condition.

Just follow along with the tutorial to get a high-level overview of the end product, and get started from the Git repo below.

🔗 Links for your requirements
1. Project-

WATCH the playlists below as well, if you want to make your career in DFIR and Security Operations!!
INCIDENT RESPONSE TRAINING Full Course 👉
DFIR Free Tools and Techniques 👉
Windows and Memory Forensics 👉
Malware Analysis 👉
SIEM Tutorial 👉
Threat Hunt & Threat Intelligence 👉

⌚ Timelines
0:00 ⏩ Introduction
1:28 ⏩ Architecture Overview
8:40 ⏩ Overview of the full setup
22:12 ⏩ Install the components
41:30 ⏩ Integrate the components
48:01 ⏩ Summarize

📞📲 FOLLOW ME EVERYWHERE
✔ LinkedIn:
✔ You can reach out to me personally on LinkedIn as well-
✔ Twitter: @blackperl_dfir
✔ Git:
✔ Insta: (blackperl_dfir)
✔ Can be reached via

SUPPORT BLACKPERL
➡ SUBSCRIBE, Share, Like, Comment
☕ Buy me a Coffee 👉
📧 Sponsorship Inquiries:

🙏 Thanks for watching!! Be CyberAware!! 🤞
@CosmicSoundMDB 1 year ago
When is the continuation coming?
@AliRaza-s3x4f 1 year ago
Can you please tell me how I can integrate MISP and ELK Security so I can get MISP feeds in Elastic Security?
@rajkumarkumawat3236 3 years ago
Great, guru dev... Nobody gives content like this, but you share it so well... 💥💥🙌🙌 thanks 😊
@BlackPerl 3 years ago
Thank you
@palevelmode 2 years ago
Finally someone takes the initiative!!!
@TrusteestDesiChhora 1 year ago
Thank you so much, brother, very helpful video, all-in-one solution. Thank you so much, brother.
@yalghaar9936 2 years ago
Can we install the same setup on a local machine in VirtualBox or VMware?
@BlackPerl 2 years ago
Yes, absolutely.
@ses8105 2 years ago
What VM requirements do I need?
@BlackPerl 2 years ago
You can check out the git repo. The link is in the description. It has the system requirements.
@PaulMisner 1 year ago
Can I get thoughts on doing this versus something like Security Onion? Hive and Cortex used to be part of SO, until Hive changed their licensing.
@numanmaavia8575 3 years ago
Thanks, excellent, informative lecture
@BlackPerl 3 years ago
Thank you. Keep watching this space, more enhancements are planned.
@haitran3765 2 years ago
I have set it up as documented, but when I start the service TheHive is still running but no port 9000 appears.
@BlackPerl 2 years ago
Not sure what issue you are facing. Have you checked the app logs in Hive?
@haitran3765 2 years ago
@BlackPerl I have checked but can't see why it's not running on port 9000, or maybe it's because I installed the ELK 8.x and TheHive 4.x versions, so it's not compatible.
@BlackPerl 2 years ago
@haitran3765 You can try out a stable version of ELK. Also, did you verify if Hive is running? Maybe it took a different port. But is the service up?
@md4six 2 years ago
Your video is fantastic, but with the end of the TheHive open source project, and with the new StrangeBee licensing for version 5 of TheHive where you have limitations on the community license, what alternative and recommendation do you have for a SOC project? Tell me about this.
@BlackPerl 2 years ago
I haven't tested it out to understand how the limitations will affect our use case and functionality. Will check on it.
@handyplazt 1 year ago
Great video tutorial and it works perfectly. Unfortunately, for the webhook connector in ELK you need a subscription to activate it. Do you have another tutorial to activate it without a subscription?
@kaushalpatel748 2 years ago
At the connector stage of the Elasticsearch-TheHive webhook, it gives the error [404] Not Found: /api/cases. Please help me.
@BlackPerl 2 years ago
Make sure both your instances are reachable from each other and also that you have filled in the other details properly on the connector page.
@kaushalpatel748 2 years ago
@BlackPerl I installed both in a Linux VM locally and filled in all the information correctly, and both are reachable in the browser, but I still get the same error.
@kaushalpatel748 2 years ago
Now it shows: The following error was found: error calling webhook, invalid response Details: [400] Bad Request: [Attribute title is missing][Attribute description is missing]
@BlackPerl 2 years ago
@kaushalpatel748 There must be an indentation error or syntax error.
@ShantaNaha-yq4tb 6 months ago
Can you please make a video on how I can install Cortex on Ubuntu? I tried so many times and I installed it on my machine, but when I open it in the browser on port 9001 it shows connection closed. Can you please help?
@BlackPerl 6 months ago
We do it almost every day in our live certification course. If you are installing it on AWS EC2 on Ubuntu, please make sure you have port 9001 open in the security group to your IP. And for a local installation, make sure nothing is blocking port 9001 on the local firewall.
@cyriljohns 1 year ago
Thank you very much for sharing this!
@nirikshatk3150 3 years ago
Thanks for the great content. I have a question: we can create alerts and rules only with the paid version of Elastic Stack. Is there any way to use it for free even after the free trial ends?
@BlackPerl 3 years ago
Thanks for reaching out. Yes, you just need to redeploy the Elastic pod after the licence expires.
@1UniverseGames 2 years ago
Hi, is there any video on how to install a SIEM tool on Windows or Ubuntu from scratch? I can't find a good video to install it; would anyone like to help? Thank you
@BlackPerl 2 years ago
You can check this video- I have explained some SIEM installations. Also, if you are looking for any specific SIEM tool, let me know.
@1UniverseGames 2 years ago
@BlackPerl Sorry for getting back late. Yes, this video seems to cover the Elastic SIEM and IBM one. By any chance can you share a video link which shows the Splunk one recently? That would help. Thanks again
@BlackPerl 2 years ago
@1UniverseGames OK. Will try to make one
@1UniverseGames 2 years ago
@BlackPerl thank you 😊
@vimukthiperera4993 2 years ago
Sir, I want to connect Filebeat to MISP. Sir, is there a possible way or tutorial to achieve that target?
@BlackPerl 2 years ago
You need to use Elasticsearch to get logs from Filebeat, and Elasticsearch can be integrated with MISP.
@rofiko7056 2 years ago
What about the hardware if I want to build it for an enterprise with 500+ users?
@BlackPerl 2 years ago
It's preferred to use autoscaling to load balance with Elastic running on 5 to 6 nodes. For the remaining components you can still try to get by with 3 to 4 nodes. The highest limit should be as per your need.
@raony6175 2 years ago
Do you think this project is a good open-source alternative to Splunk?
@BlackPerl 2 years ago
Elastic SIEM is the alternative to Splunk. This project has further capabilities which a SOC needs, and SIEM is only part of it.
@bhabyzhark4603 2 years ago
Can you achieve this setup on a local machine using Oracle VirtualBox instead of AWS?
@BlackPerl 2 years ago
Sure, we can do that. The VMs will be on the local machine, and you should have a higher-end machine to configure all of them.
@bhabyzhark4603 2 years ago
@BlackPerl Can an 8-core / 16-thread CPU & 32 GB RAM run this setup?
@BlackPerl 2 years ago
@bhabyzhark4603 Yes, it should run, but it will work slowly, since Elastic needs 4 GB RAM, TheHive is the same, and Cortex and MISP can manage with 2 GB each.
@bhabyzhark4603 2 years ago
@BlackPerl What Ubuntu OS should I use? Is it the desktop image or the server image?
@BlackPerl 2 years ago
@bhabyzhark4603 Anything should work. Ubuntu 18 is preferred.
@bataviaproductions6537 2 years ago
Can I replace Elastic SIEM with Wazuh?
@BlackPerl 2 years ago
Yes, you can
@bataviaproductions6537 2 years ago
@BlackPerl Thanks for the reply, sir
@1231super 2 years ago
The docker compose file is not available anymore! Could you upload it again?
@BlackPerl 2 years ago
Yes, the file has been removed since it contained our custom code. You can still get it from the Elastic git repo.
@1231super 2 years ago
@BlackPerl Will it still work when I follow the tutorial if I use the one from the Elastic repo?
@BlackPerl 2 years ago
@1231super Yes, it will work, because it's just to create the Elastic stack. It's the same config, nothing extra. You can alternatively install Kibana and Elasticsearch separately. That is also easy. Steps are given in the Elastic repo.
@1231super 2 years ago
@BlackPerl Thanks! I used the ELK-stack compose from another user on git. I will follow the tutorial now. Thanks for your work on this project :)
@bdcirt6125 2 years ago
Hi, Archan! To create connectors for TheHive, a license is required for Elasticsearch, right?
@BlackPerl 2 years ago
Yes, correct
@GoGoStitch 2 years ago
Hello, I have a problem bringing TheHive instance up. There is a weird error that I can't solve. Can you help me with this problem?
@BlackPerl 2 years ago
What is the problem or error you see?
@GoGoStitch 2 years ago
@BlackPerl I cannot download TheHive because it says the certificate is expired and a secure handshake couldn't be done.
@BlackPerl 2 years ago
@GoGoStitch Try a different version of Hive. Either the latest version or the stable version of Hive 4 should work. You can get this from the TheHive official website.
@GoGoStitch 2 years ago
@BlackPerl Yes, thanks! But now I have a different error with TheHive service. I can't get the service up, because it says that there is a bad setting in the service, which is why it won't start. Have you encountered this error before?
@BlackPerl 2 years ago
@GoGoStitch This seems odd. I didn't face this error.
@hibaoueslati1481 2 years ago
Have you changed the link of the ELK compose? It is 404 not found.
@hibaoueslati1481 2 years ago
Here is the link that you put
@BlackPerl 2 years ago
Yes, it has been deprecated.
@usmanshah260 2 years ago
Hey, how much RAM and HDD are required for each of the components?
@BlackPerl 2 years ago
Please check the git repo. Everything is mentioned.
@adiyavmani1742 1 year ago
In my elasticsearch.yml file security is enabled; after that I am not able to open the Cortex web interface. It is showing Elasticsearch connection refused.
@TheSplash1983 2 years ago
Hi BlackPerl. Thanks for the great content. I have a question for you. Can I run this project on only one instance in AWS? Let's say on t3a.xlarge?
@BlackPerl 2 years ago
Thank you. There might be a little problem since some of the components use Elasticsearch at their backend. So it might clash with our Elastic SIEM. But if you can compile the full environment in Docker/Kubernetes, it will be awesome and can be deployed on a single host.
@abhishekchaurasia1060 3 years ago
Thanks for this amazing video, just a quick help required: I am not able to find the ELK yml code in your git repository.
@BlackPerl 3 years ago
Thanks for the feedback. Yes, I have removed our custom code from git, and enabled a freelance service. So if you are interested, let me know. Basic Elastic code can be found in the Elastic git repo, I believe.
@ameer526690 1 year ago
Hello, do you have a latest version of the GitHub for the open source SOC solution?
@rohanpanchal4232 2 years ago
Hi Sir, I am stuck between the Cortex and TheHive setup. Can you please send us a document for implementing this server?
@BlackPerl 2 years ago
Hey, have you checked the git documents? What exact error are you facing?
@kader8815 1 year ago
How many resources do I need to run this project (is 16 GB RAM good?)
@raonyjose532 2 years ago
The link to download the Elasticsearch and Kibana Docker is not working, error 404.
@BlackPerl 2 years ago
The custom code has been removed from the repo. You can find the same code in the Elastic official repo.
@horijanrai1640 4 months ago
Sir, is it offline or online????
@devashishsingh1 2 years ago
How do you manage the upgrades and the least storage consumption without impacting performance? Another thing: since Elasticsearch has to be a subscribed one, it's no longer open source anymore.
@k-beauty06 4 months ago
Is there any part where we need credit card details or to pay for something?
@VictorOliveira-gf8fr 2 years ago
Hi Archan, I'm trying to assemble the Elastic SIEM solution in my local environment, but I'm having difficulties making the integrations because the open-source version doesn't support connectors. Is there any way I can generate these alerts and integrations for free?
@BlackPerl 2 years ago
Hi Victor, thanks for reaching out. Unfortunately, Elastic SIEM doesn't offer connectors and integration on the free tier. You can still try ElastAlert, which might be helpful.
@BlackPerl 2 years ago
Also, you can try Wazuh in place of Elastic SIEM.
@lautaronahuel6413 2 years ago
Excellent, thanks! Could you activate the automatic subtitles option on this video?
@BlackPerl 2 years ago
Thank you. Sure, will do it.
@magueritemichima6818 9 months ago
Interesting topic, but it would be interesting to include an open source NGFW (next generation firewall).
@BlackPerl 9 months ago
It's just a prototype. Feel free to contribute and raise a PR.
@rohanpanchal4232 2 years ago
Sir, can you let us know how to configure Cortex?
@BlackPerl 2 years ago
I believe I have explained the steps in this video. You can refer to the git repo too for written steps. Are you looking for anything else in specific?
@madhankumar7847 2 years ago
Hi BlackPerl, this video is amazing. I installed and configured ELK, TheHive, Cortex, and MISP; now I can create an automatic ticket in TheHive, but the Cortex and MISP part is not working. I am not getting alerts. I have been struggling for more than 20 days. Kindly help me ASAP.
@BlackPerl 2 years ago
What issue are you facing on Cortex and MISP?
@madhankumar7847 2 years ago
@BlackPerl "worker cannot be run" - this error is showing in Cortex. Is it possible to contact you with a screen share?
@BlackPerl 2 years ago
@madhankumar7847 Sorry, I don't have bandwidth for a screenshare session. But I will see if this error can be generated from my end to troubleshoot the issue.
@madhankumar7847 2 years ago
@BlackPerl Any update??
@nafeeskhan007 2 years ago
Nice tutorial, deeply described. Why don't you include Wazuh in it??
@BlackPerl 2 years ago
Thanks, will do for the next tutorial.
@emrea1570 2 years ago
@BlackPerl I'm a noob at this. One question: what is AlienVault in this architecture? Are Wazuh and AlienVault doing the same thing?
@BlackPerl 2 years ago
@emrea1570 AlienVault is basically a kind of SIEM, but we are not using that here. We are using Elastic SIEM. Alternatively, Wazuh can also be used as an open IDPS solution in place of Elastic SIEM.
@emrea1570 2 years ago
@BlackPerl Okay, thanks for the answer 🙏! Is it possible to do your solution as a virtual SOC and as an in-house SOC?
@BlackPerl 2 years ago
@emrea1570 It can be done for both.
@mohomedarfath4780 3 years ago
How to enable SSL in Cortex?
@BlackPerl 3 years ago
You can use OpenSSL for a self-signed cert or buy one from a CA.
@nabiladouani7781 2 years ago
I recommend using a reverse proxy in front of it to handle SSL
@BlackPerl 2 years ago
@nabiladouani7781 good idea
@brunoduquenoy3362 2 years ago
Great content! Many thanks!
@JaeVoris 2 years ago
Nice video, how do we install it all? Step by step instructions?
@BlackPerl 2 years ago
Thanks. You will find them on GitHub. The link is there in the description area.
@577Pradeep 3 years ago
Buddy, watched the whole video now. Can you make another video where you ingest malicious test data into Elastic and show the flow among the other products? Please.
@BlackPerl 3 years ago
Yes, we will do. It's just part 1. More episodes are planned. We will utilise Elastic and TheHive from now on. I hope you got the idea of MISP and Cortex. Let me know otherwise.
@577Pradeep 3 years ago
@BlackPerl thanks buddy
@vimukthiperera4993 2 years ago
Sir, can I send TheHive alerts to OpenCTI?
@julionasmon 1 year ago
Bro, why are the Installation Guide pages different from this video? 😄
@anthonymukwaya 2 years ago
Great content. Thank you. I keep getting an "ERROR 404: Not Found." error every time I try to download the "docker-compose.yml" file.
@BlackPerl 2 years ago
Yes, the custom code has been removed from git. It's just to keep our proprietary information intact, and we take it as a freelance project. You can still check the Elastic official repo for base Docker code. Otherwise, you can install Elasticsearch and Kibana separately. If you need installation help, do reach out.
@anthonymukwaya 2 years ago
@BlackPerl Understood. Thank you
@vasudevanayak4439 1 year ago
I believe this is outdated. Any chance to update this?
@577Pradeep 3 years ago
Good one mate
@BlackPerl 3 years ago
Thank you
@vinyldown8490 2 years ago
I was waiting for a full tutorial on Elastic and installing all of this. Too bad you are skipping this part.
@BlackPerl 2 years ago
Thanks for your feedback. A detailed tutorial would have been a very long episode. You can check out the step-by-step process for the same in my GitHub anyway.
@vinyldown8490 2 years ago
@BlackPerl I can understand it, but that would be helpful. I am trying to build my lab and I find it hard...
@BlackPerl 2 years ago
@vinyldown8490 Understood. Let me know what issue you are facing. We can connect over LinkedIn. Please reach out to Archan Choudhury.
@vinyldown8490 2 years ago
@BlackPerl Thank you, but I am not really interested in hiring someone for it. I prefer doing it by myself :)
@BlackPerl 2 years ago
@vinyldown8490 Not an issue. It's not about hiring, but since he has done many of these kinds of projects, if you face difficulties, he might help solve them. Has done the same for many.
@meryemb1324 3 months ago
Creating rules in ELK is not free.
@sumit2308 3 years ago
Archan, you are a champ!!!!
@BlackPerl 3 years ago
Thank you!!
@jimneshjimnesh2106 11 months ago
Please share the GitHub link.
@ctnguyenvn2178 2 years ago
Please enable subtitles @@
@BlackPerl 2 years ago
Sure, will do
@ctnguyenvn2178 2 years ago
@BlackPerl thank bro.
@aseemk1605 3 years ago
@BlackPerl 3 years ago
Thank you
@wizcactus2223 3 years ago
Make a video on obj/streams in PDF in Hindi.
@BlackPerl 3 years ago
Thanks for the suggestion. But doing a video in Hindi appears difficult for now.
@CCap-ir4ik 6 months ago
Honestly, whatever you have shown in the video is not there in the repository. It's dubious and misleading. Sorry to say this.
@BlackPerl 6 months ago
Sorry to hear this from you. The repository's private code and steps have been removed to maintain proprietary information.
@meryemb1324 3 months ago
ELK isn't 💯 open source