World's Best SIEM Stack - Build your own Security Stack For FREE! - INTRO
Вставка
- Опубліковано 26 вер 2022
- Let's discuss the key elements that I believe are a requirement for every SIEM stack. All tools discussed are open source and completely free! Empower your SOC team to be proactive and responsive!
Contact Me: taylor.walton@socfortress.co
Our Blog: / socfortress
Buy Me A Coffee: bit.ly/3woh21M
Security Operations Center as a Service: www.socfortress.co/
Free For Life Tier: www.socfortress.co/trial.html
Professional Services: www.socfortress.co/ps.html
Discord Channel: / discord
Series Playlist: • World's Best SIEM Stack
----------------------------------------------------------------------------------------------
Wazuh: wazuh.com/
Graylog: www.graylog.org/
Grafana: grafana.com/
OpenCTI: github.com/OpenCTI-Platform/o...
MISP: www.misp-project.org/
TheHIVE/Cortex: github.com/TheHive-Project
Velociraptor: github.com/Velocidex/velocira...
Shuffle: shuffler.io/
InfluxDB: www.influxdata.com/ - Наука та технологія
Thanks for taking the time to do this. We don't only need opensource software. We also need open source knowledge. We could probably piece all of this together with you prior videos but this series have the potential to be great.
I appreciate you taking the time and effort to create this for everyone to benefit without paying a cent. I also like when you broke down the process without feeling boring or dragged out like alot of cyber security courses tend to do.
I appreciate you for this. I am a Senior SOC analyst who is trying to expand my detection engineering skills and this is very helpful.
Taylor, you rock! Awesome content. I will be applying everything here. Thank you for sharing this!
Really awesome and informative.
I'll be following along!
Awesome dude!!! I appreciate the knowledge :) I'll follow the series and implement it fully!
Hi Taylor, Awesome content. Would it be possible to have this playlist in sequence or listed as Part 1 2 etc so makes it easy to follow along to setup. I am looking to implement this in my home lab.
This is going to be awesome, thanks!
Great news !! Do you think your series will be over around January 2023, it's gonna be really helpful for my school project. Many many thanks, keep up the good work ;)
Really good stuff. Thanks.
Great job, you are amazing.
Amazing job!
Good thoughts. Thanks.
I believe the first step is log production, then the second step is log delivery, and then the third step is log receipt or ingestion as the presenter calls that third step.
I would love to see some real time video of these tools stopping an attack. Anyone know any videos or search terms for that?
Nice video! Would love to see an Ansible Playbook / Docker Compose file that can deploy this... Hint hint nudge nudge :)
Yes!!!
Thank you very much
Cool. I look forward to the upcoming videos. Thoughts on SecurityOnion as a SIEM?
Yes, I agree
this is so cool
Thanks for this. Where would you recommend hosting all of these tools?
Nice!! can you please add a network traffic monitoring component.. perhaps one with suricata and elastic search
How about the Agents have to installed at end points host ? is that enough just install Wazuh agents on it or we have to install and config more config or customisation ?
i can't wait new real implementation's video about it.
Great Job,
Thank You
Hi, I wanted to ask about the system specs to implement all of the elements in the last graph. Thanks for any tips.
Do you think choosing the hive for case management is a good idea? As they are going to stop their support in the end of 2022
Hello. The best video ever.. Is it possible to add an Open Source Threat Hunting tool to this Stack? Could you give me suggestions for Threat Hunting tools for this integration? Thank you =D
Sound is much better. Better.
Very good. but it doesn't seem support cloud security really well?
Sir Kindly install on AWS cloud kindly make that video
Is there a video that teaches how to integrate all of this?
while open source stack is awesome, they are just like any software and could potentially suffered attack. Can you give us a series of video on how to harden or secure the oss siem stack against various attack? The last thing we want is to have a oss systems that sit their suffering vulnerabiliity (eg. due to lack of comprehensive patch management/maintenance) and become the party house for hackers.
Nice
Can you provide details on how to achieve true multi-tenancy we are each tenant is a separate customer?
Looking forward to all the future videos on this. Have you set all this up and run it live?
@Federico Pacher Not really, he touches on Wazuh a little but then bounces to another product, then to another product, then to another product and is not connecting it all together. So looking at the initial map of things, if you do this complete setup you will have many different things that can all do the same thing, so the whole presentation needs to be clarified because right now it is just clutter AND we don't get any responses to questions!
@@quikmcw so using all these in cooperation would be repetitive? or is it just that its difficult to set up all these together. Ive only been learning cybersecurity for a couple months and trying to learn blue teaming any advice while setting this SIEM stack up.
@@gstella2804you need to watch the series of these videos and figure it all out to understand what they are doing.
@gstella2804 Check out kali purple "soc in a box" project. it uses similar components as discussed here and also lists the hardware requirements. SO much learning there.
Hi , can you please tell me which is the siem in this architecture , is it wazuh or graylog and wazuh is just an EDR or XDR here ??
The best
how many vm is required to build this?
Nice, looking forward to this series. Thank you for this. Currently building my own enterprise grade soc in my homelab as well. Could we use a windows event collector to collect all logs from machines and then just deploy 1 wazuh agent instead of deploying a agent on every machine?
In theory yes. Main issue you will start to see is possibly bottlenecking on the log forwarding from the event collector.
i.e. You have 100 servers/workstations sending 50 events per sec to the WEC, the WEC is then responsible for forwarding 5000 events per sec to wazuh (you can see how this scales if you extrapolate that out).
Also wazuh has the ability to do detection and remediation, so it makes sense to install the agent on each host.
@@octavian15202 So when would you actually use WEC? Is it just a Wazug thing? I've seen a lot of recommendations for deploying a WEC in large environments so you don't have to deploy another agent on all machines
@@getoutmore I would say that's going to be dependent on your business case. If you want to make use of the EDR components of wazuh, you will want to put it on all systems as an agent.
If you don't want to use the EDR components, then you could install in on the WEC, you will just need to be sure the agent forwarding from the WEC can figure out the original host that sent the events.
Interesting
Hello, all this stack can be done through Virtual Box?
Yes but not likely on the same machine. You would need 64GB Ram and 3-5- terra drive of space for the whole project . You would likely want to run this across 2-3 devices or one very hefty machine with the requirements to run all this.
Waz-uh, as in What's up... clever name really.
Why not using ELK Stack? Could any one give a comment for ELK open source on SIEM module?
He doesn't like Kibana for visualizations he prefers Grafana.
Likewise he prefers Wazuh agents for EDR instead of Beats.
Maybe because it sucks? :) ... I mean I'm testing it with Wazuh but Kibana is just so blantantly engieneered past the needs of usefull UI ... and if you ever had an Elastic Cluster fail ... good luck trying to recover it. It's just a pain in the ass to repair ... in the end I prefer OSSEC before it was turned in that Chutuhulu based Monster chained to the ELK stack if you ask me.
He switched tee shirts in the middle of the show. 😂😅.
Uhhhh is this for begginers?!? I’m trying to learn but you’re rolling out other extra knowledge and information I have nonidea about!!!
What the hell is a execution bypass flag, never heard of that before today and it seems pretty important….
How can we learn something when we don’t know what we don’t know???
Google.
@@Gunz_andweed ChatGPT > Google
For once, the software is actually really useful
nice. and if you want to spend money on licenses instead of salaries then you could replace 6-7 items in this stack with splunk and maybe cribl :-D
Why would you watch and comment this video for if you prefer to pay licensing for some proprietary/closed source solution? Nonsense to say the least.
@@FabioVascoGomes i like your open mindedness
@@DominiqueVocat Be open about it and make a video showing all the good things the other tools you know can do it. Explain, with details, why they are better then the open source alternatives. While you're at it, check other open source solutions as well, maybe there are even better options out there, not covered in this video. This is a channel that focus on open source tools, why would someone talk about proprietary software here? I respect your opinion, but you're not doing any good here. Not for you and not for the owner or the viewers of this channel. Think about it.
@@FabioVascoGomes Everyone is entitled to express their views. Perhaps a lot of individuals aren't even aware that employing the Cribl solution will allow them to lower their Splunk costs. Just a different point of view.
SIEM is not pronounced like "seem". It's pronounced like "SIM", like the game.
No its not. Sim sounds stoopid. Say Seem.