Open-source SIEM and SOAR stack built around Elastic Security and integrated with several other SOC components, all running in Docker.
This project is not meant for production environments. Use it only for testing or personal practice, as a proof-of-concept (POC) environment.
Each component is deployed in its own Docker container; the diagram below shows how the workflow fits together.
| Component Name | Description |
|---|---|
| Elasticsearch | NoSQL database for storing and searching logs |
| Kibana | Querying data from Elasticsearch and visualizing it |
| Elastic Security | Elastic integration that acts as the IDS/IPS layer |
| Shuffle | SOAR system for connecting the components and automating workflows |
| TheHive | Case management system for incident response |
| Cortex | Runs analyzers against observables |
| MISP | Threat intelligence feed |
| Nginx | Web server used as a reverse proxy in front of each component |
You don't need to install any packages before starting the installation; a freshly installed Ubuntu server is enough. The minimum requirements to run the full stack:
| RAM | CPU | Disk |
|---|---|---|
| 10 GB | 4 cores | 100 GB |
- Modify the `.env` file with your own credentials and the URLs at which each component will be reached. Do not leave default or placeholder values in place: these credentials protect every component exposed through the Nginx reverse proxy.
- Run the `deploy.sh` script to build and start the containers. It may take some time, depending on the available resources and the network connection.

```
chmod 750 deploy.sh
./deploy.sh
```

- After the script finishes, run `docker-compose ps` and make sure that every container is in the `Up` state.
- Once the deployment is done, generate API tokens for MISP and Cortex so they can be integrated with TheHive, then use Shuffle to connect and automate between Elastic Security and the rest of the components.
- The generated tokens should be added to `cortex/application.conf` and `thehive/application.conf` for the two components.
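Two checks worth running around `deploy.sh`, written here as an added example (not the project's own code): one verifies that no secret in `.env` is empty or still a placeholder before the containers come up, the other reads `docker-compose ps` output and fails if any container is not in the `Up` state. The placeholder list, the secret-variable name patterns, and the sample `docker-compose ps` table are assumptions; the sample table is constructed, not captured from a real deployment.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: post-deployment sanity checks for this
# stack. Assumptions: .env uses KEY=VALUE lines and names its secrets with
# PASSWORD/SECRET/KEY/TOKEN; `docker-compose ps` prints the classic v1 table with a
# State column that reads "Up" or "Up (healthy)" for running containers.
set -u

# check_env_secrets FILE
# Returns 1 if any secret-looking variable in FILE is empty or still holds a common
# placeholder such as "changeme" (the placeholder list is an assumption).
check_env_secrets() {
    local file="$1" key value bad=0
    while IFS='=' read -r key value; do
        case "$key" in
            ''|\#*) continue ;;                              # blank lines and comments
            *PASSWORD*|*PASSWD*|*SECRET*|*KEY*|*TOKEN*) ;;   # secret-looking names only
            *) continue ;;
        esac
        value="${value%\"}"; value="${value#\"}"             # strip optional quotes
        case "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" in
            ''|changeme|password|admin|secret|123456)
                printf 'weak or missing value for %s\n' "$key" >&2
                bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# check_containers_up
# Reads `docker-compose ps` output on stdin; returns 1 if any data row lacks a
# whole-word "Up" token, i.e. the container is exited, restarting or only created.
check_containers_up() {
    local line n=0 bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        [ "$n" -le 2 ] && continue        # header row and dashed separator
        [ -z "$line" ] && continue
        case " $line " in
            *" Up "*) ;;                  # matches "Up" and "Up (healthy)"
            *) printf 'not running: %s\n' "$line" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed samples of `docker-compose ps` output (not captured from a real run).
SAMPLE_PS_OK=$(cat <<'EOF'
     Name                   Command                  State                Ports
--------------------------------------------------------------------------------------
elasticsearch   /bin/tini -- /usr/local/bi ...   Up (healthy)   0.0.0.0:9200->9200/tcp
kibana          /bin/tini -- /usr/local/bi ...   Up             0.0.0.0:5601->5601/tcp
EOF
)
SAMPLE_PS_BAD=$(cat <<'EOF'
     Name                   Command                  State                Ports
--------------------------------------------------------------------------------------
elasticsearch   /bin/tini -- /usr/local/bi ...   Up (healthy)   0.0.0.0:9200->9200/tcp
thehive         /opt/thehive/entrypoint          Exit 1
EOF
)

# Usage from the repository root, before and after ./deploy.sh:
#   check_env_secrets .env && docker-compose ps | check_containers_up
# Self-test on the constructed samples:
#   printf '%s\n' "$SAMPLE_PS_OK"  | check_containers_up   # exit status 0
#   printf '%s\n' "$SAMPLE_PS_BAD" | check_containers_up   # exit status 1
```

The container check matches the `State` column by a whole-word `Up` token so that `Up (healthy)` passes while `Exit 1` and `Restarting` fail; a command column that itself contains the word `Up` would be a false pass, so treat it as a quick gate, not a replacement for reading the table.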
If you need to deploy this in a production environment or need any other help, contact me on Telegram: @dh4ze.
