update

LICENSE

@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.

README.md

@@ -0,0 +1,85 @@
+### TURN ON DARK MODE<p align="left"> <img src="images/Mode-changer.gif" width="150" height="70"> </p>
+## PRESENTED BY <p align="center"> <img src="images/Logo-Transparent for Black BG.png" width="220" height="200"> </p>
+# 🔴SOC-OpenSource
+This is a Project Designed for Security Analysts and all SOC audiences who wants to play with implementation and explore the Modern SOC architecture. All of the componenets are used based on Open Source Projects(Availabe at the time of first commit). 
+
+<ins> **NOTE - This is an Ongoing Project and the repo will be updated as we work on the new additions.** </ins>
+
+This Projects serves below usecases:
+ - **Collect Data** to a Single Place.
+ - **Normalize** and **Parse Data**
+ - **Visualize Data** and prepare meaningful Security Analytics
+ - Create **Incidents/Cases** out of Secuirty Alerts identified based on collected data/logs
+ - **Automate** process of Threat Hunt, Creation of actionable Playbooks, SOC data Analytics
+ - **Automate** the process of analsis observables they have collected, **at scale, by querying a single tool** instead of several
+ - Actively respond to threats and interact with the constituency and other teams
+ - **Enrich** Data feeds with Open Source Threat Intelligence Platoform
+
+# 📑Index:
+ - [Architecture Diagram](#Architecture-Diagram)
+ - [Components used in this Project](#Components)
+ - [Installation Requirements](#Installation-Requirements)
+ - [Installation Guide First Phase](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/installation/install1.md)
+ - [Installation Guide Second Phase](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/installation/install2.md)
+ - [Integration Guide First Phase](https://github.com/archanchoudhury/SOC-OpenSource/blob/main/integration/integration.md)
+ - [Contributing](#Contributing)
+ - [Support](#Support)
+
+# ☸Architecture-Diagram(Ongoing):
+<p align="center"> <img src="images/simpler-soc.png"> </p>
+
+# ☸Components(First Phase of Implementation):
+All of the components used in this projects are Open Source.
+ - **Elastic SIEM**: Open source SIEM platform powered by ElasticSearch, Logstash, Kibana
+ - **TheHive**: [TheHive](https://thehive-project.org/) is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
+    - Official GitRepo of TheHive is **[HERE](https://github.com/TheHive-Project/TheHive)**
+ - **Cortex**: Cortex, an open source and free software, has been created by TheHive Project for this very purpose. Observables, such as IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a Web interface. Analysts can also automate these operations thanks to the Cortex REST API.
+    - Official GitRepo of Cortex is **[HERE](https://github.com/TheHive-Project/Cortex)**
+ - **MISP**: MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reversers to support their day-to-day operations to share structured information efficiently.
+   - Official GitRepo of MISP is **[HERE](https://github.com/MISP/MISP)**
+
+# ☸Additional Components(Second Phase of Implementation):
+ - **Snort**: [Snort](https://www.snort.org/) is the foremost Open Source Intrusion Prevention System (IPS) in the world.
+ - **Wazuh**: [Wazuh](https://wazuh.com/) is an open source security monitoring solution which collects and analyzes host security data. It is a fork of the older, better known OSSEC project.
+ - **Honeypot Dionea**: [Dionaea](https://dionaea.readthedocs.io/en/latest/index.html) intention is to trap malware exploiting vulnerabilities exposed by services offered to a network, gaining a copy of the malware.
+ - **Jupyter Notebook**: The Jupyter Notebook is a web-based interactive computing platform. The notebook combines live code, equations, narrative text, visualizations etc.
+   - Official website of Jupyter is **[HERE](https://jupyter.org/)**
+ - **IntelOwl**: [IntelOwl](https://intelowlproject.github.io/) is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale
+ - **Atomic Red Team™**: [Atomic Red Team™](https://github.com/redcanaryco/atomic-red-team) is library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
+ - **Shuffle**: [Shuffle](https://shuffler.io/) is an Open Source SOAR solution for making orchestration easy between security tools.
+ - **Twitter Bot**: We have created Twitter TI bot to collect meaningful intel about anything we care about and thus giving us the related information around them. You can find the episode [HERE](https://youtu.be/onklNNJcfDU)
+
+## Additional Components(Third Phase of Implementation):
+TBD
+
+# 🔽Installation-Requirements: 
+We have created the environment in AWS. You can follow along or choose any other alternative cloud provider. Or ever you can utilize EKS to deploy the full setup.
+## ☁VM Requirements:
+ - MISP- Ubuntu20- t3.micro
+ - Elastic SIEM- Ubuntu20- t2.medium (Best performence can be achived on t2.large)
+ - Cortex- Ubuntu20- t3a.medium (Can work on t2.medium as well)
+ - TheHive- Ubuntu20- t2.medium
+## 🌏Network Rules:
+| Ports | IP Ranges | Comments |
+| --- | --- | --- |
+| 22 | Your IP | SSH to the VMs |
+| 443 | Your IP | Accessing MISP UI on browser|
+| 9200 | Your IP | Accessing ElasticSearch|
+| 5601 | Your IP | Accessing Kibana UI
+| 9001 | Your IP | Accessing Cortex UI|
+| 9000 | Your IP | Accessing TheHive UI|
+| All TCP | Cortex VM IP | Accssing inbound API|
+| All TCP | MISP VM IP | Accssing inbound API|
+| All TCP | TheHive VM IP | Accssing inbound API|
+
+# 🤝Contributing
+We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests. 
+
+# 🔼Enhancements:
+ - As per the architecture document and Components mentioned we will keep on updating this repo with the staged implementation.
+ - All of the required staged implemtation will be added in the Index page, so you can access them easily from there.
+
+# 🙏Support
+ - Please [open an issue on GitHub](https://github.com/archanchoudhury/SOC-OpenSource/issues/new) if you'd like to report a bug or request a feature.
+ - For real DFIR Training, subscribe to my [YouTube Channel](https://www.youtube.com/c/BlackPerl)
+ - If you like to support my creation, <p align="left"><a href="https://www.buymeacoffee.com/BlackPerl"> <img src="images/KULQlzAg.png" width="210" height="60"></p>

codes/elk/docker-compose.yml

@@ -0,0 +1,66 @@
+version: "2"
+
+networks:
+  elastic:
+    driver: bridge
+
+volumes:
+  elasticsearch:
+    driver: local
+
+services:
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
+    restart: unless-stopped
+    environment:
+      - "discovery.type=single-node"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "xpack.security.enabled=true"
+      - "xpack.security.authc.api_key.enabled=true"
+      - "ELASTIC_PASSWORD=givepasswd"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - elasticsearch:/usr/share/elasticsearch/data
+    ports:
+      - 0.0.0.0:9200:9200
+    networks:
+      - elastic
+
+  ent-search:
+    image: docker.elastic.co/enterprise-search/enterprise-search:7.15.0
+    restart: unless-stopped
+    depends_on:
+      - "elasticsearch"
+    environment:
+      - "JAVA_OPTS=-Xms512m -Xmx512m"
+      - "ENT_SEARCH_DEFAULT_PASSWORD=givepasswd"
+      - "elasticsearch.username=elastic"
+      - "elasticsearch.password=<GIVE-YOUR_PWD>"
+      - "elasticsearch.host=http://elasticsearch:9200"
+      - "allow_es_settings_modification=true"
+      - "secret_management.encryption_keys=[4a2cd3f81d39bf28738c10db0ca782095ffac07279561809eecc722e0c20eb09]"
+      - "elasticsearch.startup_retry.interval=15"
+    ports:
+      - 0.0.0.0:3002:3002
+    networks:
+      - elastic
+
+  kibana:
+    image: docker.elastic.co/kibana/kibana:7.15.0
+    restart: unless-stopped
+    depends_on:
+      - "elasticsearch"
+      - "ent-search"
+    ports:
+      - 0.0.0.0:5601:5601
+    environment:
+      ELASTICSEARCH_HOSTS: http://elasticsearch:9200
+      ENTERPRISESEARCH_HOST: http://ent-search:3002
+      ELASTICSEARCH_USERNAME: elastic
+      ELASTICSEARCH_PASSWORD: <GIVE-YOUR_PWD>
+      XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: "X5rtEXBA3Js1sNMu7VpY4QKIEBpjwzkb231"
+    networks:
+      - elastic

images/image

@@ -0,0 +1 @@
+

installation/install1.md

@@ -0,0 +1,33 @@
+# 🤝HIRE US FOR FULL INSTALLATION🤝
+
+Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com
+# Installation Guide(First Phase):
+We will install and configure all of the components First and will move to Integrating them one by one.
+## Elasticsearch-Kibana:
+ - SSH into your VM created for Elastic SIEM
+ - Run below commands to spin up elasticseach and kibana using docker. (Note- If any of the below utilities doesn't exists, use "sudo apt install <package>" )
+ ```bash
+ sudo apt update
+ sudo apt upgrade
+ sudo apt install docker-compose
+ sudo apt install docker.io
+ cd /
+ wget https://raw.githubusercontent.com/archanchoudhury/SOC-OpenSource/main/codes/elk/docker-compose.yml?token=AMFWN76WO6EJP3LVF5DVHNLBWN7KQ
+ sudo docker-compose up -d
+ ```
+  - Run below to check if the host is listening on 9200, 5601 to confirm the service
+ ```bash
+ netstat -ltpnd
+ ```
+  - Now access the Kibana Console from your browser using this- http://Public_IP_ofEc2:5601
+ 
+## TheHive:
+  - You can follow the detailed documentation **[HERE](https://docs.thehive-project.org/thehive/installation-and-configuration/installation/step-by-step-guide/)**
+
+## Cortex
+ - SSH into the EC2 VM created for Cortex
+ - You can follow the detailed documentation **[HERE](https://github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md#elasticsearch-installation)**
+  
+## MISP
+ - You can refer the clear installation Steps [HERE](https://misp.github.io/MISP/INSTALL.ubuntu2004/)
+ - For setting up the MISP for first time, watch the tutorial [HERE](https://youtu.be/gSzop2pKM1I)

installation/install2.md

@@ -0,0 +1,9 @@
+# 🤝HIRE US FOR FULL INSTALLATION🤝
+Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com
+
+# Installation Guide(Second Phase):
+We will install and configure all of the components First and will move to Integrating them one by one.
+## Snort
+ - You can follow the installation guide [HERE](https://www.snort.org/)       
+## Cowrie Honeypot
+ - You can follow the installation guide [HERE](https://github.com/cowrie/cowrie)       

integration/integration.md

@@ -0,0 +1,82 @@
+# 🤝HIRE US FOR FULL IMPLEMENTATION🤝
+Contact Info: archan.fiem.it@gmail.com, hk.sainaga@gmail.com
+
+# Integration Guide:
+We will Integrate all of the components as per the architecture diagram
+
+## ELK-TheHive:
+  - First, let’s create a webhook destination in ELK. 
+
+| Key | Value |
+| --- | --- |
+| Content-Type | application/json |
+| Authorization | Bearer API-KEY |
+  - To generate an authorization key we need to access to TheHive web application and login as an admin and create a new user and create API key for that user. You should provide Org-Admin Role for the user
+  - Once Done, please test the connector with below-
+```bash
+{
+"title" : "My Auto case",
+"description" : "A VPN user has connected from a foreign country"
+"tlp" : 3,
+"tags" : [“automatic”, “creation”]
+}
+```
+  - Once you run above, you should see a successful case created on TheHive Console.
+
+## TheHive-Cortex:
+  - Login to Cortex UI and Create a user. Give it Org-Admin Role and create a API key for that user.
+  - SSH to the EC2 where TheHive is running and adjust the configuration file here- /etc/thehive/application.conf
+  ```bash
+  cortex {
+    servers: [
+      name: "Cortex1"
+      url: "http://Cortex-VM-IP:9001"
+      auth {
+        type: "bearer"
+        key: "PASTE YOUR NEWLY CREATED KEY"
+      }
+    ]
+  }
+  ```
+  - Restart Hive Service and refresh the browser. Go to About> You will see Cortex is OK Status. Like below:
+
+<p align="center"> <img src="../images/hive-cortex.PNG"> </p>
+
+## TheHive-MISP:
+  - Login to the MISP UI and go to Administration > List Auth Key
+  - You need to create a new key, so hit **Add Authentication Key** Button > You can give some IP to secure the connection > Submit
+  - Copy the key and store it (NOTE- Once you close the Window, MISP will musk the key and you won't be able to see it again)
+  - SSH to the EC2 where TheHive is running and adjust the configuration file here- /etc/thehive/application.conf
+ ```bash
+ misp {
+    interval: 1m
+    servers: [
+      name: "MISP"
+      url: "http://MISP-VM-IP/"
+      auth {
+        type: "key"
+        key: "PASTE YOUR NEWLY CREATED KEY"
+      }
+      wsConfig
+      wsConfig.ssl.loose.acceptAnyCertificate: true #Add This line to bypass the cert check 
+    ]
+  }
+ ```
+ - Restart Hive Service and refresh the browser. Go to About> You will see MISP is OK Status. Like below:
+
+<p align="center"> <img src="../images/hive-misp.PNG"> </p>
+
+## Cortex-MISP
+  - Login to MISP UI
+  - You need to create a new key, so hit **Add Authentication Key** Button > You can give some IP to secure the connection > Submit
+  - Copy the key and store it (NOTE- Once you close the Window, MISP will musk the key and you won't be able to see it again)
+  - Login to Cortex UI and go to Organization > Analyzers > Search for MISP > Click Enable
+  - Provide below-
+
+| Key | Value |
+| --- | --- |
+| Name | As you like |
+| url | MISP IP |
+| key | newly Created API Key |
+| cert_check | False |
+  - Refresh the Cortex web UI and you will see MISP is appreaing in the New Analysis section after choosing a Observable