World's Best SIEM Stack - Build your own Security Stack For FREE! - INTRO

104,786 views

Taylor Walton

1 day ago

Let's discuss the key elements that I believe are a requirement for every SIEM stack. All tools discussed are open source and completely free! Empower your SOC team to be proactive and responsive!
Contact Me: taylor.walton@socfortress.co
Our Blog: / socfortress
Buy Me A Coffee: bit.ly/3woh21M
Security Operations Center as a Service: www.socfortres...
Free For Life Tier: www.socfortres...
Professional Services: www.socfortres...
Discord Channel: / discord
Series Playlist: • World's Best SIEM Stack
----------------------------------------------------------------------------------------------
Wazuh: wazuh.com/
Graylog: www.graylog.org/
Grafana: grafana.com/
OpenCTI: github.com/Ope...
MISP: www.misp-proje...
TheHIVE/Cortex: github.com/The...
Velociraptor: github.com/Vel...
Shuffle: shuffler.io/
InfluxDB: www.influxdata...

Comments: 75
@ashleyhammond7564 2 years ago
Thanks for taking the time to do this. We don't only need open source software. We also need open source knowledge. We could probably piece all of this together with your prior videos, but this series has the potential to be great.
@dARTh_k3LLy 2 months ago
That's what KZbin was made for... just a guy sharing his knowledge and insights on a certain topic. I can't tell you how grateful I am you made this video to kick off your series. Such awesome content.
@zadekeys2194 2 years ago
Nice video! Would love to see an Ansible Playbook / Docker Compose file that can deploy this... Hint hint nudge nudge :)
@SeannMarylee 2 years ago
Yes!!!
@magmasunburst9331 1 year ago
I would love to see some real time video of these tools stopping an attack. Anyone know any videos or search terms for that?
@roterteam3r 1 month ago
Set it up and do an adversary simulation on it!
@rahoulrdhopade6367 1 year ago
Hi Taylor, awesome content. Would it be possible to have this playlist in sequence or listed as Part 1, 2, etc., so it makes it easy to follow along to set up? I am looking to implement this in my home lab.
@Hanacan75 8 months ago
Hello. The best video ever. Is it possible to add an open source threat hunting tool to this stack? Could you give me suggestions for threat hunting tools for this integration? Thank you =D
@icguarin23 9 months ago
I appreciate you for this. I am a Senior SOC analyst who is trying to expand my detection engineering skills and this is very helpful.
@stock99 10 months ago
While an open source stack is awesome, it is just like any software and could potentially suffer attack. Can you give us a series of videos on how to harden or secure the OSS SIEM stack against various attacks? The last thing we want is to have an OSS system that sits there suffering vulnerabilities (e.g. due to lack of comprehensive patch management/maintenance) and becomes the party house for hackers.
@vaibhavjain1in 3 months ago
Hi, I have used OpenSearch in our AWS environment; however, I am unable to do log rollover to warm and cold for cost savings, while our OpenSearch keeps breaking due to running out of space in hot storage. I have applied ISM to indices but it fails. I am using a Lambda function to load logs. Is there anything I should do in our Lambda function to make it work? Also, I am considering moving away from OpenSearch to Wazuh; what's your feedback on that? Thank you.
@kellyheflin5931 3 months ago
How many VPS machines, and what server specifications (vCPU, RAM, SSD), are needed for a small network infrastructure? Thank you.
@marcing4287 3 months ago
I have a different scenario. What would be the best approach if I want to collect the data from MISP and have a rule pre-set already in the central place (SIEM) that will include the list of emails, as an example? If one day MISP feeds me data including emails that match my pre-defined list, I will be alerted.
@ghangj 13 days ago
This is amazing information. Thanks for this beauty.
@pnamusha 2 years ago
Nice!! Can you please add a network traffic monitoring component... perhaps one with Suricata and Elasticsearch?
@GOTHAM21 1 year ago
Waz-uh, as in What's up... clever name really.
@matthewjohnson1511 1 month ago
Are you using, or are there any, open source endpoint agents for iOS and Android?
@VideoGigs 2 years ago
Cool. I look forward to the upcoming videos. Thoughts on Security Onion as a SIEM?
@FrenchSparda 2 years ago
Great news!! Do you think your series will be over around January 2023? It's gonna be really helpful for my school project. Many many thanks, keep up the good work ;)
@garryholmberg6502 8 days ago
Just subscribed!!!
@mit0w 4 months ago
Thanks for this. Where would you recommend hosting all of these tools?
@hspcd 1 year ago
Can you provide details on how to achieve true multi-tenancy, where each tenant is a separate customer?
@produktionzn22 3 months ago
Please please please provide recommended system requirements for the full stack…. Please! 😊
@ProySecRedes 4 months ago
Awesome dude!!! I appreciate the knowledge :) I'll follow the series and implement it fully!
@fontanamarcos 1 year ago
Taylor, you rock! Awesome content. I will be applying everything here. Thank you for sharing this!
@alansoc 5 months ago
Hi, can you please tell me which is the SIEM in this architecture? Is it Wazuh or Graylog, and is Wazuh just an EDR or XDR here??
@andyshao4254 5 months ago
Very good. But it doesn't seem to support cloud security really well?
@richardbennett4365 11 months ago
I believe the first step is log production, then the second step is log delivery, and then the third step is log receipt or ingestion, as the presenter calls that third step.
@vpnkusatu3025 1 year ago
How about the agents that have to be installed on endpoint hosts? Is it enough to just install Wazuh agents on them, or do we have to install and configure more config or customisation? I can't wait for the new real implementation video about it. Great job, thank you.
@mansoorali3516 1 year ago
Sir, kindly install on AWS cloud; kindly make that video.
@eliasantoniadis8556 2 years ago
Do you think choosing TheHive for case management is a good idea? As they are going to stop their support at the end of 2022.
@Furchtfliege 2 years ago
Really awesome and informative. I'll be following along!
@user-no3ez1cw8p 1 year ago
Hi, I wanted to ask about the system specs to implement all of the elements in the last graph. Thanks for any tips.
@adiyavmani1742 1 year ago
How many VMs are required to build this?
@richardbennett4365 11 months ago
He switched tee shirts in the middle of the show. 😂😅
@BlackbeardKNAC 10 months ago
Is there a video that teaches how to integrate all of this?
@georgerobbins5560 10 months ago
Really good stuff. Thanks.
@OmegaKatanaXIII 7 months ago
I appreciate you taking the time and effort to create this for everyone to benefit from without paying a cent. I also like how you broke down the process without it feeling boring or dragged out like a lot of cyber security courses tend to do.
@Malzzoaa 8 months ago
Hello, can all this stack be done through VirtualBox?
@joemorgan2253 7 months ago
Yes, but not likely on the same machine. You would need 64GB RAM and a 3-5 terabyte drive of space for the whole project. You would likely want to run this across 2-3 devices or one very hefty machine with the requirements to run all this.
@tracerv0 2 years ago
Sound is much better. Better.
@TheBlackmanIsGod 1 year ago
Uhhhh is this for beginners?!? I'm trying to learn but you're rolling out other extra knowledge and information I have no idea about!!! What the hell is an execution bypass flag? Never heard of that before today and it seems pretty important…. How can we learn something when we don't know what we don't know???
@Gunz_andweed 1 year ago
Google.
@TheBlackmanIsGod 1 year ago
@Gunz_andweed ChatGPT > Google
@khaedirsul 1 year ago
Great job, you are amazing.
@quikmcw 2 years ago
Looking forward to all the future videos on this. Have you set all this up and run it live?
@quikmcw 1 year ago
@Federico Pacher Not really, he touches on Wazuh a little but then bounces to another product, then to another product, then to another product, and is not connecting it all together. So looking at the initial map of things, if you do this complete setup you will have many different things that can all do the same thing, so the whole presentation needs to be clarified because right now it is just clutter AND we don't get any responses to questions!
@gstella2804 10 months ago
@quikmcw So using all these in cooperation would be repetitive? Or is it just that it's difficult to set up all these together? I've only been learning cybersecurity for a couple of months and trying to learn blue teaming; any advice while setting this SIEM stack up?
@quikmcw 10 months ago
@gstella2804 You need to watch the series of these videos and figure it all out to understand what they are doing.
@joemorgan2253 7 months ago
@gstella2804 Check out the Kali Purple "SOC in a box" project. It uses similar components as discussed here and also lists the hardware requirements. SO much learning there.
@michaelkuo671 2 years ago
Why not use the ELK Stack? Could anyone give a comment on open source ELK as a SIEM module?
@arthurlongshanks 1 year ago
He doesn't like Kibana for visualizations; he prefers Grafana. Likewise, he prefers Wazuh agents for EDR instead of Beats.
@simons.5442 1 year ago
Maybe because it sucks? :) ... I mean I'm testing it with Wazuh, but Kibana is just so blatantly engineered past the needs of a useful UI ... and if you ever had an Elastic cluster fail ... good luck trying to recover it. It's just a pain in the ass to repair ... in the end I preferred OSSEC before it was turned into that Cthulhu-based monster chained to the ELK stack, if you ask me.
@boolve 11 months ago
Good thoughts. Thanks.
@enderst81 2 years ago
This is going to be awesome, thanks!
@Erishadlar 1 year ago
Interesting
@DJ29Joesph 2 years ago
Nice
@edgardavidgiradovalencia9065 1 year ago
The best
@mmahrusqusaeri1326 2 years ago
This is so cool
@prudencewheeler100 1 year ago
Yes, I agree
@eliasantoniadis8556 2 years ago
Amazing job!
@getoutmore 2 years ago
Nice, looking forward to this series. Thank you for this. Currently building my own enterprise grade SOC in my homelab as well. Could we use a Windows Event Collector to collect all logs from machines and then just deploy 1 Wazuh agent instead of deploying an agent on every machine?
@octavian15202 2 years ago
In theory, yes. The main issue you will start to see is possibly bottlenecking on the log forwarding from the event collector. I.e. you have 100 servers/workstations sending 50 events per sec to the WEC; the WEC is then responsible for forwarding 5000 events per sec to Wazuh (you can see how this scales if you extrapolate that out). Also, Wazuh has the ability to do detection and remediation, so it makes sense to install the agent on each host.
@getoutmore 2 years ago
@octavian15202 So when would you actually use WEC? Is it just a Wazuh thing? I've seen a lot of recommendations for deploying a WEC in large environments so you don't have to deploy another agent on all machines.
@octavian15202 2 years ago
@getoutmore I would say that's going to be dependent on your business case. If you want to make use of the EDR components of Wazuh, you will want to put it on all systems as an agent. If you don't want to use the EDR components, then you could install it on the WEC; you will just need to be sure the agent forwarding from the WEC can figure out the original host that sent the events.
@bhargavpatel1980 2 years ago
For once, the software is actually really useful
@DominiqueVocat 2 years ago
Nice. And if you want to spend money on licenses instead of salaries, then you could replace 6-7 items in this stack with Splunk and maybe Cribl :-D
@FabioVascoGomes 2 years ago
Why would you watch and comment on this video if you prefer to pay licensing for some proprietary/closed source solution? Nonsense, to say the least.
@DominiqueVocat 2 years ago
@FabioVascoGomes I like your open-mindedness
@FabioVascoGomes 2 years ago
@DominiqueVocat Be open about it and make a video showing all the good things the other tools you know can do. Explain, with details, why they are better than the open source alternatives. While you're at it, check other open source solutions as well; maybe there are even better options out there, not covered in this video. This is a channel that focuses on open source tools; why would someone talk about proprietary software here? I respect your opinion, but you're not doing any good here. Not for you and not for the owner or the viewers of this channel. Think about it.
@blueteaming 2 years ago
@FabioVascoGomes Everyone is entitled to express their views. Perhaps a lot of individuals aren't even aware that employing the Cribl solution will allow them to lower their Splunk costs. Just a different point of view.
@bassplayaman1 2 years ago
SIEM is not pronounced like "seem". It's pronounced like "SIM", like the game.
@arthurlongshanks 1 year ago
No it's not. Sim sounds stoopid. Say Seem.