├── LICENSE
├── README.md
├── code
└── readme.md
├── images
├── KULQlzAg.png
├── Logo-Transparent for Black BG.png
├── Mode-changer.gif
├── Part3.png
├── SIEM-3.png
├── hive-cortex.PNG
├── hive-misp.PNG
├── image
├── shuffle-workflow.PNG
└── simpler-soc.png
├── installation
├── Shuffle-install.md
├── beats.md
├── elastic-edr.md
├── install1.md
└── install2.md
├── integration
└── integration.md
└── modifed
└── test.md
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
### TURN ON DARK MODE
## PRESENTED BY
# 🔴SOC-OpenSource
This is a project designed for security analysts and all SOC audiences who want to play with the implementation and explore a modern SOC architecture. All of the components are based on open source projects (available at the time of the first commit).

**NOTE - This is an ongoing project and the repo will be updated as we work on new additions.**

This project serves the use cases below:
- **Collect Data** into a single place.
- **Normalize** and **Parse Data**
- **Visualize Data** and prepare meaningful security analytics
- Create **Incidents/Cases** out of security alerts identified from the collected data/logs
- **Automate** the threat-hunting process, the creation of actionable playbooks, and SOC data analytics
- **Automate** the analysis of the observables analysts have collected, **at scale, by querying a single tool** instead of several
- Actively respond to threats and interact with the constituency and other teams
- **Enrich** data feeds with an open source Threat Intelligence Platform

# 📑Index:
- [Architecture Diagram](#Architecture-Diagram)
- [Components used in this Project](#Components)
- [Installation Requirements](#Installation-Requirements)
- [Installation Guide First Phase](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/installation/install1.md)
- [Installation Guide Second Phase](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/installation/install2.md)
- [Installation Guide Beats Agent](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/installation/beats.md)
- [Shuffle Automation Install Guide](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/installation/Shuffle-install.md)
- [Integration Guide First Phase](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/integration/integration.md)
- [Shuffle Workflow Implementation](#Shuffle-Workflow-Implementation)
- [Elastic EDR Implementation](#EDR-Implementation)
- [Contributing](#Contributing)
- [Support](#Support)

# ☸Architecture-Diagram(Ongoing):


# ☸Shuffle-SOAR workflow(Ongoing):


## ☸Shuffle-Workflow-Implementation
- To use the Shuffle workflow, please first refer to the installation guideline from the Index.
- Once you have your Shuffle instance up and running, please refer to this video [HERE](https://youtu.be/Nb9_ahZMC5U) for the full walkthrough.

# ☸Adding EDR to Stack(Ongoing):


## ☸EDR-Implementation
- Please refer to the installation guideline from the Index.
- Once you have your Elastic instance up and running, please refer to this video [HERE](https://youtu.be/fXLsY_eZoeE) for the full walkthrough.

# ☸Components(First Phase of Implementation):
All of the components used in this project are open source.
- **Elastic SIEM**: Open source SIEM platform powered by Elasticsearch, Logstash and Kibana
- **TheHive**: [TheHive](https://thehive-project.org/) is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
  - Official GitRepo of TheHive is **[HERE](https://github.com/TheHive-Project/TheHive)**
- **Cortex**: Cortex, an open source and free software, has been created by TheHive Project for this very purpose. Observables, such as IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a web interface. Analysts can also automate these operations thanks to the Cortex REST API.
  - Official GitRepo of Cortex is **[HERE](https://github.com/TheHive-Project/Cortex)**
- **MISP**: MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incident analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reversers to support their day-to-day operations to share structured information efficiently.
  - Official GitRepo of MISP is **[HERE](https://github.com/MISP/MISP)**

# ☸Additional Components(Second Phase of Implementation):
- **Snort**: [Snort](https://www.snort.org/) is the foremost Open Source Intrusion Prevention System (IPS) in the world.
- **Wazuh**: [Wazuh](https://wazuh.com/) is an open source security monitoring solution which collects and analyzes host security data. It is a fork of the older, better known OSSEC project.
- **Honeypot Dionaea**: [Dionaea](https://dionaea.readthedocs.io/en/latest/index.html) is intended to trap malware exploiting vulnerabilities exposed by services offered to a network, gaining a copy of the malware.
- **Jupyter Notebook**: The Jupyter Notebook is a web-based interactive computing platform. The notebook combines live code, equations, narrative text, visualizations etc.
  - Official website of Jupyter is **[HERE](https://jupyter.org/)**
- **IntelOwl**: [IntelOwl](https://intelowlproject.github.io/) is an Open Source Intelligence (OSINT) solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale
- **Atomic Red Team™**: [Atomic Red Team™](https://github.com/redcanaryco/atomic-red-team) is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
- **Shuffle**: [Shuffle](https://shuffler.io/) is an Open Source SOAR solution for making orchestration easy between security tools.
- **Twitter Bot**: We have created a Twitter TI bot to collect meaningful intel about anything we care about, giving us the related information around it. You can find the episode [HERE](https://youtu.be/onklNNJcfDU)

## ☸Additional Components(Third Phase of Implementation):
- **Elastic EDR**: [Elastic EDR](https://www.elastic.co/endpoint-security/) prevents ransomware and malware, detects advanced threats, and arms responders with vital context. It’s free and open, ready for every endpoint.

# 🔽Installation-Requirements:
We have created the environment in AWS. You can follow along or choose any other cloud provider, or you can even use EKS to deploy the full setup.
## ☁VM Requirements:
- MISP- Ubuntu20- t3.micro
- Elastic SIEM- Ubuntu20- t2.medium (Best performance can be achieved on t2.large)
- Cortex- Ubuntu20- t3a.medium (Can work on t2.medium as well)
- TheHive- Ubuntu20- t2.medium
## 🌏Network Rules:
| Ports | IP Ranges | Comments |
| --- | --- | --- |
| 22 | Your IP | SSH to the VMs |
| 443 | Your IP | Accessing MISP UI on browser |
| 9200 | Your IP | Accessing Elasticsearch |
| 5601 | Your IP | Accessing Kibana UI |
| 9001 | Your IP | Accessing Cortex UI |
| 9000 | Your IP | Accessing TheHive UI |
| All TCP | Cortex VM IP | Accessing inbound API |
| All TCP | MISP VM IP | Accessing inbound API |
| All TCP | TheHive VM IP | Accessing inbound API |

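The table above can be turned into an automated least-privilege check. The following Python script is an added example (not part of the SOC-OpenSource repo): it encodes the ports from the table and audits a list of inbound rules, in the shape an AWS security group would have, for anything broader than the table allows: sources open to the whole internet, "All TCP" from anything other than the Cortex/MISP/TheHive VM addresses, UI ports reachable from more than your own IP, and ports the table does not mention. The operator and VM addresses in it are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Ports from the README's "Network Rules" table: each is meant to be reachable
# only from the operator's own address ("Your IP").
UI_PORTS = {
    22: "SSH to the VMs",
    443: "MISP UI",
    9200: "Elasticsearch",
    5601: "Kibana UI",
    9001: "Cortex UI",
    9000: "TheHive UI",
}


@dataclass(frozen=True)
class Rule:
    """One inbound TCP rule; from_port 0 with to_port 65535 means 'All TCP'."""
    from_port: int
    to_port: int
    cidr: str

    @property
    def all_tcp(self):
        return self.from_port == 0 and self.to_port == 65535

    def __str__(self):
        if self.all_tcp:
            ports = "All TCP"
        elif self.from_port == self.to_port:
            ports = str(self.from_port)
        else:
            ports = f"{self.from_port}-{self.to_port}"
        return f"TCP {ports} from {self.cidr}"


def audit(rules, operator_ip, vm_ips):
    """Compare a rule set with the README table; return a list of findings.

    operator_ip is the single "Your IP" address; vm_ips are the Cortex, MISP and
    TheHive VM addresses that are allowed 'All TCP' towards each other.  An empty
    list means no rule is wider than the table requires.
    """
    operator = ipaddress.ip_network(f"{operator_ip}/32")
    vms = {ipaddress.ip_network(f"{ip}/32") for ip in vm_ips}
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule.cidr, strict=False)
        if src.prefixlen == 0:
            findings.append(f"{rule}: open to the whole internet")
        elif rule.all_tcp:
            if src not in vms:
                findings.append(f"{rule}: 'All TCP' is only expected from the Cortex/MISP/TheHive VM IPs")
        elif src != operator:
            findings.append(f"{rule}: UI/API ports must be limited to your own IP")
        else:
            unknown = [p for p in range(rule.from_port, rule.to_port + 1) if p not in UI_PORTS]
            if unknown:
                findings.append(f"{rule}: port(s) {unknown} are not in the README table")
    return findings


# Constructed sample data (not real addresses from the project).
OPERATOR_IP = "203.0.113.10"                      # the analyst's public IP
VM_IPS = {"10.0.1.20", "10.0.1.21", "10.0.1.22"}  # Cortex, MISP and TheHive VMs

# A rule set that matches the table exactly ...
GOOD_RULES = [Rule(p, p, f"{OPERATOR_IP}/32") for p in UI_PORTS] + \
             [Rule(0, 65535, f"{ip}/32") for ip in sorted(VM_IPS)]

# ... and one with the typical mistakes made when the group is created by hand.
BAD_RULES = [
    Rule(22, 22, "0.0.0.0/0"),              # SSH open to the world
    Rule(5601, 5601, "198.51.100.0/24"),    # Kibana from a whole /24 instead of one address
    Rule(0, 65535, f"{OPERATOR_IP}/32"),    # 'All TCP' from the operator rather than a VM
    Rule(8080, 8080, f"{OPERATOR_IP}/32"),  # a port the table does not mention
]


def audit_good():
    return audit(GOOD_RULES, OPERATOR_IP, VM_IPS)


def audit_bad():
    return audit(BAD_RULES, OPERATOR_IP, VM_IPS)


if __name__ == "__main__":
    print("good rule set findings:", audit_good())
    for finding in audit_bad():
        print("bad rule set:", finding)
```

Run it against the rules exported from your own security group before opening the VMs to the internet; the "All TCP" rows in the table are the ones most worth narrowing further once you know which ports the VMs actually use to reach each other.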
# 🤝Contributing
We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests.

# 🔼Enhancements:
- As per the architecture document and the components mentioned, we will keep updating this repo with the staged implementation.
- All of the staged implementation guides will be added to the Index, so you can access them easily from there.

# 🙏Support
- Please [open an issue on GitHub](https://github.com/archanchoudhury/SOC-OpenSource/issues/new) if you'd like to report a bug or request a feature.
- For real DFIR training, subscribe to my [YouTube Channel](https://www.youtube.com/c/BlackPerl)
- If you would like to support my creation,

--------------------------------------------------------------------------------
/code/readme.md:
--------------------------------------------------------------------------------
This is a test

--------------------------------------------------------------------------------
/images/KULQlzAg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/KULQlzAg.png
--------------------------------------------------------------------------------
/images/Logo-Transparent for Black BG.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/Logo-Transparent for Black BG.png
--------------------------------------------------------------------------------
/images/Mode-changer.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/Mode-changer.gif
--------------------------------------------------------------------------------
/images/Part3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/Part3.png
--------------------------------------------------------------------------------
/images/SIEM-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/SIEM-3.png
--------------------------------------------------------------------------------
/images/hive-cortex.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/hive-cortex.PNG
--------------------------------------------------------------------------------
/images/hive-misp.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/hive-misp.PNG
--------------------------------------------------------------------------------
/images/image:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/images/shuffle-workflow.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/shuffle-workflow.PNG
--------------------------------------------------------------------------------
/images/simpler-soc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlackPerl-DFIR/SOC-OpenSource/de37a2315aebf48d3b4c36b76cc6bf35d8e41419/images/simpler-soc.png
--------------------------------------------------------------------------------
/installation/Shuffle-install.md:
--------------------------------------------------------------------------------
# 🤝HIRE US FOR FULL INSTALLATION🤝

Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com
# Shuffle Installation Guide:
- You can check the full installation guide [HERE](https://github.com/frikky/Shuffle/edit/master/.github/install-guide.md)
- SSH into the VM which you have spun up for installing Shuffle
- Make sure you have [Docker](https://docs.docker.com/get-docker/) and [docker-compose](https://docs.docker.com/compose/install/) installed.
```bash
sudo apt update
sudo apt upgrade
sudo apt install docker.io
sudo apt install docker-compose
```
- Download Shuffle
```bash
git clone https://github.com/frikky/Shuffle
cd Shuffle
```
- Run docker-compose.
```bash
sudo docker-compose up -d   # Wait till the process is completed; the shuffle-database folder will now be created.
```
- Fix prerequisites for the Opensearch database (Elasticsearch):
```bash
sudo chown 1000:1000 -R shuffle-database
```
- Restart docker-compose.
```bash
sudo docker-compose restart
```
- Once done, verify your service by checking the below
```bash
sudo docker ps
sudo docker logs --follow <container-name-from-docker-ps>
```
- From your browser access https://Public-IP:3443

--------------------------------------------------------------------------------
/installation/beats.md:
--------------------------------------------------------------------------------
# 🤝HIRE US FOR FULL INSTALLATION🤝

Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com
# Beat Agent Installation Guide:
- You can follow the installation guide [HERE](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html)
- Below are the detailed steps involved
```bash
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.X.X-amd64.deb
sudo dpkg -i filebeat-7.X.X-amd64.deb
```
- Change the filebeat config file at /etc/filebeat/filebeat.yml
- Start the filebeat service
```bash
sudo systemctl start filebeat
```
- Now check your Kibana Console under the filebeat* index

--------------------------------------------------------------------------------
/installation/elastic-edr.md:
--------------------------------------------------------------------------------
# 🤝HIRE US FOR FULL INSTALLATION🤝

Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com

# EDR Installation Guide:
- Now we're ready to install Elastic EDR. First, navigate to the "Fleet" dashboard by clicking on the link under the Management tab located on the side menu.



- From the Fleet management menu, click "Add agent". It's likely that you'll be asked to add an integration policy before you can install agents; just follow the wizard and keep the defaults.



- We're going to use the "Enroll in Fleet" option to install the EDR.



- First, download the Elastic Agent onto your Windows/Linux host.
- Once you have the agent downloaded, keep the default policy selected under Agent policy.
- Now we have to add the agent. Click on the button and follow the steps from the console.



- If all has gone right, you should see that the agent has been successfully enrolled via the Fleet dashboard.



- We're not done yet, however: we need to check that data is being ingested correctly into Elasticsearch from our agent. You can do this by navigating to the Data Streams tab, which should be populated with endpoint data. If there is no data here, check your Fleet settings by clicking the settings cog in the top right corner, and ensure that your Elasticsearch settings point to the correct IP and not to localhost.


--------------------------------------------------------------------------------
/installation/install1.md:
--------------------------------------------------------------------------------
# 🤝HIRE US FOR FULL INSTALLATION🤝

Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com
# Installation Guide(First Phase):
We will install and configure all of the components first, and then move on to integrating them one by one.
## Elasticsearch-Kibana:
- SSH into your VM created for Elastic SIEM
- Refer to the **[Elastic Official Repo](https://github.com/elastic/elasticsearch)** for installation of the Elastic Stack (Elasticsearch and Kibana)
- Reach out to us for usage of custom docker code.

- Run the below to confirm the services are up: the host should be listening on 9200 (Elasticsearch) and 5601 (Kibana)
```bash
sudo netstat -ltpn
```
- Now access the Kibana Console from your browser using http://Public_IP_ofEc2:5601

## TheHive:
- You can follow the detailed documentation **[HERE](https://docs.thehive-project.org/thehive/installation-and-configuration/installation/step-by-step-guide/)**

## Cortex
- SSH into the EC2 VM created for Cortex
- You can follow the detailed documentation **[HERE](https://github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md#elasticsearch-installation)**

## MISP
- You can refer to the clear installation steps [HERE](https://misp.github.io/MISP/INSTALL.ubuntu2004/)
- For setting up MISP for the first time, watch the tutorial [HERE](https://youtu.be/gSzop2pKM1I)

--------------------------------------------------------------------------------
/installation/install2.md:
--------------------------------------------------------------------------------
# 🤝HIRE US FOR FULL INSTALLATION🤝
Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com

# Installation Guide(Second Phase):
We will install and configure all of the components first, and then move on to integrating them one by one.
## Snort
- You can follow the installation guide [HERE](https://www.snort.org/)
## Cowrie Honeypot
- You can follow the installation guide [HERE](https://github.com/cowrie/cowrie)

--------------------------------------------------------------------------------
/integration/integration.md:
--------------------------------------------------------------------------------
# 🤝HIRE US FOR FULL IMPLEMENTATION🤝
Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com

# Integration Guide:
We will integrate all of the components as per the architecture diagram.

## ELK-TheHive:
- First, let's create a webhook destination in ELK with the headers below.

| Key | Value |
| --- | --- |
| Content-Type | application/json |
| Authorization | Bearer API-KEY |
- To generate an authorization key, log in to TheHive web application as an admin, create a new user and create an API key for that user. You should give the user the Org-Admin role.
- Once done, test the connector with the body below:
```json
{
  "title": "My Auto case",
  "description": "A VPN user has connected from a foreign country",
  "tlp": 3,
  "tags": ["automatic", "creation"]
}
```
- Once you run the above, you should see a new case created on the TheHive console.

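The webhook test above can also be driven from a script, which is handy for confirming the API key and the Org-Admin role work before wiring up ELK. The following Python is an added example, not code from the SOC-OpenSource repo or from TheHive; it assumes TheHive's `POST /api/case` endpoint accepting the bearer key shown in the header table, and the host and key values are placeholders.

```python
import json
import urllib.error
import urllib.request

THEHIVE_URL = "http://TheHive-VM-IP:9000"   # placeholder: TheHive VM and port from the README
API_KEY = "PASTE-YOUR-THEHIVE-API-KEY"      # placeholder: API key of the Org-Admin user

# TheHive TLP levels (0 = white ... 3 = red) as used in the webhook body above.
TLP = {"white": 0, "green": 1, "amber": 2, "red": 3}


def build_headers(api_key):
    """The same two headers configured on the ELK webhook destination."""
    return {"Content-Type": "application/json",
            "Authorization": f"Bearer {api_key}"}


def build_case(title, description, tlp=TLP["amber"], tags=()):
    """Validate the fields and return the case body as a dict.

    Rejecting bad input here, rather than letting TheHive answer with a 400,
    keeps the webhook test unambiguous: a failure afterwards is the key, the
    role or the network, not the payload.
    """
    if not title or not description:
        raise ValueError("title and description are required")
    if tlp not in TLP.values():
        raise ValueError("tlp must be between 0 (white) and 3 (red)")
    return {"title": title, "description": description, "tlp": tlp,
            "tags": list(dict.fromkeys(tags))}   # de-duplicate, keep order


def create_case(base_url, api_key, case):
    """POST the case and return TheHive's JSON response (the new case object).

    Assumes the /api/case endpoint of TheHive 3/4 (see lead-in).
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/case",
        data=json.dumps(case).encode(),
        headers=build_headers(api_key),
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # 401/403 here usually means a wrong key or a user without the Org-Admin role
        raise RuntimeError(f"TheHive rejected the case: HTTP {err.code}") from err


if __name__ == "__main__":
    case = build_case("My Auto case",
                      "A VPN user has connected from a foreign country",
                      tlp=TLP["red"], tags=["automatic", "creation"])
    print(json.dumps(create_case(THEHIVE_URL, API_KEY, case), indent=2))
```

If the script creates a case but the ELK webhook does not, the difference is on the ELK side (destination URL, header values, or the action body), not in TheHive.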
## TheHive-Cortex:
- Log in to the Cortex UI and create a user. Give it the Org-Admin role and create an API key for that user.
- SSH to the EC2 instance where TheHive is running and adjust the configuration file at /etc/thehive/application.conf
```hocon
cortex {
  servers: [
    {
      name: "Cortex1"
      url: "http://Cortex-VM-IP:9001"
      auth {
        type: "bearer"
        key: "PASTE YOUR NEWLY CREATED KEY"
      }
    }
  ]
}
```
- Restart the TheHive service and refresh the browser. Go to About > you will see Cortex with an OK status, like below:



## TheHive-MISP:
- Log in to the MISP UI and go to Administration > List Auth Keys
- You need to create a new key, so hit the **Add Authentication Key** button > you can give an IP to restrict the key to, to secure the connection > Submit
- Copy the key and store it (NOTE - once you close the window, MISP will mask the key and you won't be able to see it again)
- SSH to the EC2 instance where TheHive is running and adjust the configuration file at /etc/thehive/application.conf
```hocon
misp {
  interval: 1m
  servers: [
    {
      name: "MISP"
      url: "http://MISP-VM-IP/"
      auth {
        type: "key"
        key: "PASTE YOUR NEWLY CREATED KEY"
      }
      wsConfig {
        ssl.loose.acceptAnyCertificate: true  # Add this line to bypass the cert check
      }
    }
  ]
}
```
- Restart the TheHive service and refresh the browser. Go to About > you will see MISP with an OK status, like below:


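The "About > Cortex is OK" and "About > MISP is OK" checks from the two sections above can be scripted so they run after every restart of TheHive. The following Python is an added example (not code from the SOC-OpenSource repo or TheHive). It assumes TheHive exposes `GET /api/status`, the endpoint whose JSON the About page renders, reachable without an API key, with a `connectors` object holding a `cortex` and a `misp` entry; the sample response embedded in it is constructed in that shape from memory of TheHive 3/4 output and should be compared with what your own instance returns. The host name is the README's placeholder.

```python
import json
import urllib.request

THEHIVE_URL = "http://TheHive-VM-IP:9000"   # placeholder host from the README

# Constructed sample of a /api/status response (shape assumed, see lead-in):
# Cortex is reachable, MISP is configured but failing, as happens with a
# wrong key, a wrong URL or a self-signed certificate without
# acceptAnyCertificate.
SAMPLE_STATUS = json.loads("""
{
  "versions": {"TheHive": "4.1.x"},
  "connectors": {
    "cortex": {"enabled": true, "status": "OK",
               "servers": [{"name": "Cortex1", "version": "3.1.x", "status": "OK"}]},
    "misp":   {"enabled": true, "status": "ERROR",
               "servers": [{"name": "MISP", "version": "", "status": "ERROR"}]}
  },
  "health": "OK"
}
""")


def connector_problems(status):
    """Return {connector: reason} for every connector that is not reporting OK.

    An empty dict means the About page would show both Cortex and MISP as OK.
    """
    problems = {}
    for name, conn in status.get("connectors", {}).items():
        if not conn.get("enabled", False):
            problems[name] = "disabled: no server block in application.conf"
            continue
        failing = [s.get("name", "?") for s in conn.get("servers", [])
                   if s.get("status") != "OK"]
        if conn.get("status") != "OK" or failing:
            problems[name] = (f"status {conn.get('status')}; failing server(s): "
                              f"{', '.join(failing) or 'none listed'}")
    return problems


def missing_connectors(status, expected=("cortex", "misp")):
    """Connectors this guide configures that TheHive did not report at all."""
    return [c for c in expected if c not in status.get("connectors", {})]


def fetch_status(base_url, timeout=10):
    """GET /api/status from a live TheHive instance."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/api/status", timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_status(THEHIVE_URL) to run against a real instance.
    for connector, reason in connector_problems(SAMPLE_STATUS).items():
        print(f"{connector}: {reason}")
    for connector in missing_connectors(SAMPLE_STATUS):
        print(f"{connector}: not reported at all")
```

A connector that is missing from the response points at a syntax error in the `cortex { }` or `misp { }` block (TheHive then ignores it), whereas one that is present with an ERROR status points at the key, the URL or the certificate check.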
## Cortex-MISP
- Log in to the MISP UI
- You need to create a new key, so hit the **Add Authentication Key** button > you can give an IP to restrict the key to, to secure the connection > Submit
- Copy the key and store it (NOTE - once you close the window, MISP will mask the key and you won't be able to see it again)
- Log in to the Cortex UI and go to Organization > Analyzers > search for MISP > click Enable
- Provide the below:

| Key | Value |
| --- | --- |
| Name | As you like |
| url | MISP IP |
| key | Newly created API key |
| cert_check | False |
- Refresh the Cortex web UI and you will see MISP appearing in the New Analysis section after choosing an observable

--------------------------------------------------------------------------------
/modifed/test.md:
--------------------------------------------------------------------------------
This is a test file

--------------------------------------------------------------------------------