ELK, SIEM from OpenSource, Open Distro: An Introduction. Infrastructure and Technology Deployment for SOC as a Service (SOCasS)




Over the past couple of years, the number of cyberattacks has gone through the roof. These attacks target not only individuals, but also businesses, governments, critical infrastructure, and more. Traditional solutions such as antivirus, firewall, NIDS and NIPS are no longer sufficient due to the complexity and overwhelming number of attacks.



This series of articles describes building a fully open-source counterpart to a commercial SIEM. The details are presented in the articles that follow.











SIEM (Security Information and Event Management) , , . , .



, SOC, . SOC- , , , . , , . - SOC.



. SOCaaS . , .



100% .











, . Logstash (VPN-). ELK beats wazuh-agent ELK SIEM.



Logstash. Elasticsearch . , .



WAZUH HIDS Wazuh Elasticsearch.



ElastAlert .



MISP, , . , Cortex MISP.






Hardware:














Disclaimer:



  • , , - POC . POC.



  • , , . . 8 vCPU , 32 8 .








  • ELK stack: ELK stack- , , : Elasticsearch, Logstash Kibana. Elasticsearch, ELK , , , .



  • Beats: , (, , ). Beats Elasticsearch , Logstash, Kibana.



  • Elastalert: , Elasticsearch. Elasticsearch , . Elasticsearch , , , . , , .



  • Suricata: , (OISF). Suricata (IDS) (IPS), .



  • Open Distro Elasticsearch:



    • (Alerting): , , . Kibana API .
    • (Security): ( Active Directory OpenID), , , , .


  • Praeco: Elasticsearch- ElastAlert, API ElastAlert. Praeco Elasticsearch , Slack, , Telegram HTTP POST, , .



  • Wazuh: , , . , , . Wazuh , . , , .



  • Nessus Essentials: , . , .



  • TheHive: TheHive " , , , , ”.



  • Cortex: Cortex- , TheHive, . Cortex "" , . , IP, URL , . VirusTotal, .



  • MISP: Malware Information Sharing Platform (MISP) is a threat intelligence platform for sharing, storing and correlating indicators of compromise from targeted attacks, threat analysis, financial fraud information, and more. MISP is used today in many organizations to store and share knowledge, collaborate on cybersecurity indicators, and analyze malware in order to provide better protection.








