That's what TH-cam was made for... just a guy sharing his knowledge and insights on a certain topic. I can´t tell you how grateful I am you made this video to kick-off your series. Such awesome content.
Thanks for taking the time to do this. We don't only need opensource software. We also need open source knowledge. We could probably piece all of this together with you prior videos but this series have the potential to be great.
I appreciate you taking the time and effort to create this for everyone to benefit without paying a cent. I also like when you broke down the process without feeling boring or dragged out like alot of cyber security courses tend to do.
I believe the first step is log production, then the second step is log delivery, and then the third step is log receipt or ingestion as the presenter calls that third step.
Hi Taylor, Awesome content. Would it be possible to have this playlist in sequence or listed as Part 1 2 etc so makes it easy to follow along to setup. I am looking to implement this in my home lab.
while open source stack is awesome, they are just like any software and could potentially suffered attack. Can you give us a series of video on how to harden or secure the oss siem stack against various attack? The last thing we want is to have a oss systems that sit their suffering vulnerabiliity (eg. due to lack of comprehensive patch management/maintenance) and become the party house for hackers.
Great news !! Do you think your series will be over around January 2023, it's gonna be really helpful for my school project. Many many thanks, keep up the good work ;)
I have different scenario. What would be best approach if I want to collect the data from MISP and have rule pre-set already in the central place (SIEM) that will include the list of emails as example. If one day MISP feeds me the data including emails that will match with my pre-defined list, the alert I will be alerted
Hello. The best video ever.. Is it possible to add an Open Source Threat Hunting tool to this Stack? Could you give me suggestions for Threat Hunting tools for this integration? Thank you =D
How about the Agents have to installed at end points host ? is that enough just install Wazuh agents on it or we have to install and config more config or customisation ? i can't wait new real implementation's video about it. Great Job, Thank You
Hi, I have use OpenSearch in our AWS environment, however, I am unable to do log rollover to warm and cold for cost savings. While our OpenSearch keep breaking due to out of space in hot storage. I have applied ISM to indeces but it fails. I am using lambda function to load logs. Is there anything I should do in our lambda function to make it work? Also I am considering to move away from OpenSearch to Wazuh, whats your feedback on that? Thank you.
@Federico Pacher Not really, he touches on Wazuh a little but then bounces to another product, then to another product, then to another product and is not connecting it all together. So looking at the initial map of things, if you do this complete setup you will have many different things that can all do the same thing, so the whole presentation needs to be clarified because right now it is just clutter AND we don't get any responses to questions!
@@quikmcw so using all these in cooperation would be repetitive? or is it just that its difficult to set up all these together. Ive only been learning cybersecurity for a couple months and trying to learn blue teaming any advice while setting this SIEM stack up.
@gstella2804 Check out kali purple "soc in a box" project. it uses similar components as discussed here and also lists the hardware requirements. SO much learning there.
Yes but not likely on the same machine. You would need 64GB Ram and 3-5- terra drive of space for the whole project . You would likely want to run this across 2-3 devices or one very hefty machine with the requirements to run all this.
Maybe because it sucks? :) ... I mean I'm testing it with Wazuh but Kibana is just so blantantly engieneered past the needs of usefull UI ... and if you ever had an Elastic Cluster fail ... good luck trying to recover it. It's just a pain in the ass to repair ... in the end I prefer OSSEC before it was turned in that Chutuhulu based Monster chained to the ELK stack if you ask me.
Nice, looking forward to this series. Thank you for this. Currently building my own enterprise grade soc in my homelab as well. Could we use a windows event collector to collect all logs from machines and then just deploy 1 wazuh agent instead of deploying a agent on every machine?
In theory yes. Main issue you will start to see is possibly bottlenecking on the log forwarding from the event collector. i.e. You have 100 servers/workstations sending 50 events per sec to the WEC, the WEC is then responsible for forwarding 5000 events per sec to wazuh (you can see how this scales if you extrapolate that out). Also wazuh has the ability to do detection and remediation, so it makes sense to install the agent on each host.
@@octavian15202 So when would you actually use WEC? Is it just a Wazug thing? I've seen a lot of recommendations for deploying a WEC in large environments so you don't have to deploy another agent on all machines
@@getoutmore I would say that's going to be dependent on your business case. If you want to make use of the EDR components of wazuh, you will want to put it on all systems as an agent. If you don't want to use the EDR components, then you could install in on the WEC, you will just need to be sure the agent forwarding from the WEC can figure out the original host that sent the events.
Uhhhh is this for begginers?!? I’m trying to learn but you’re rolling out other extra knowledge and information I have nonidea about!!! What the hell is a execution bypass flag, never heard of that before today and it seems pretty important…. How can we learn something when we don’t know what we don’t know???
@@DominiqueVocat Be open about it and make a video showing all the good things the other tools you know can do it. Explain, with details, why they are better then the open source alternatives. While you're at it, check other open source solutions as well, maybe there are even better options out there, not covered in this video. This is a channel that focus on open source tools, why would someone talk about proprietary software here? I respect your opinion, but you're not doing any good here. Not for you and not for the owner or the viewers of this channel. Think about it.
@@FabioVascoGomes Everyone is entitled to express their views. Perhaps a lot of individuals aren't even aware that employing the Cribl solution will allow them to lower their Splunk costs. Just a different point of view.
That's what TH-cam was made for... just a guy sharing his knowledge and insights on a certain topic. I can´t tell you how grateful I am you made this video to kick-off your series. Such awesome content.
Thanks for taking the time to do this. We don't only need opensource software. We also need open source knowledge. We could probably piece all of this together with you prior videos but this series have the potential to be great.
I appreciate you for this. I am a Senior SOC analyst who is trying to expand my detection engineering skills and this is very helpful.
I appreciate you taking the time and effort to create this for everyone to benefit without paying a cent. I also like when you broke down the process without feeling boring or dragged out like alot of cyber security courses tend to do.
I believe the first step is log production, then the second step is log delivery, and then the third step is log receipt or ingestion as the presenter calls that third step.
Hi Taylor, Awesome content. Would it be possible to have this playlist in sequence or listed as Part 1 2 etc so makes it easy to follow along to setup. I am looking to implement this in my home lab.
I would love to see some real time video of these tools stopping an attack. Anyone know any videos or search terms for that?
set it up and do an adversary simulation on it!
This is amazing information. Thanks for this beauty.
while open source stack is awesome, they are just like any software and could potentially suffered attack. Can you give us a series of video on how to harden or secure the oss siem stack against various attack? The last thing we want is to have a oss systems that sit their suffering vulnerabiliity (eg. due to lack of comprehensive patch management/maintenance) and become the party house for hackers.
Nice video! Would love to see an Ansible Playbook / Docker Compose file that can deploy this... Hint hint nudge nudge :)
Yes!!!
Taylor, you rock! Awesome content. I will be applying everything here. Thank you for sharing this!
Awesome dude!!! I appreciate the knowledge :) I'll follow the series and implement it fully!
Good thoughts. Thanks.
Great news !! Do you think your series will be over around January 2023, it's gonna be really helpful for my school project. Many many thanks, keep up the good work ;)
Really awesome and informative.
I'll be following along!
This is going to be awesome, thanks!
Nice!! can you please add a network traffic monitoring component.. perhaps one with suricata and elastic search
Just subscribed!!!
Really good stuff. Thanks.
How would you update this for 2024? Any changes? DFIR-IRIS instead of theHive perhaps?
Very good. but it doesn't seem support cloud security really well?
Sound is much better. Better.
I have different scenario. What would be best approach if I want to collect the data from MISP and have rule pre-set already in the central place (SIEM) that will include the list of emails as example. If one day MISP feeds me the data including emails that will match with my pre-defined list, the alert I will be alerted
Great job, you are amazing.
Hello. The best video ever.. Is it possible to add an Open Source Threat Hunting tool to this Stack? Could you give me suggestions for Threat Hunting tools for this integration? Thank you =D
How many VPS machines, and server specifications (vcpu, ram, ssd) are needed for a small network infrastructure? Thank you.
Thanks for this. Where would you recommend hosting all of these tools?
Please please please provide recommended system requirements for the full stack…. Please! 😊
Is there a video that teaches how to integrate all of this?
Cool. I look forward to the upcoming videos. Thoughts on SecurityOnion as a SIEM?
Amazing job!
Do you think choosing the hive for case management is a good idea? As they are going to stop their support in the end of 2022
Are you using or are there any open source endpoint for iOS and android?
Can you provide details on how to achieve true multi-tenancy we are each tenant is a separate customer?
How about the Agents have to installed at end points host ? is that enough just install Wazuh agents on it or we have to install and config more config or customisation ?
i can't wait new real implementation's video about it.
Great Job,
Thank You
Hi, I have use OpenSearch in our AWS environment, however, I am unable to do log rollover to warm and cold for cost savings. While our OpenSearch keep breaking due to out of space in hot storage. I have applied ISM to indeces but it fails. I am using lambda function to load logs. Is there anything I should do in our lambda function to make it work? Also I am considering to move away from OpenSearch to Wazuh, whats your feedback on that? Thank you.
Yes, I agree
Hi , can you please tell me which is the siem in this architecture , is it wazuh or graylog and wazuh is just an EDR or XDR here ??
Looking forward to all the future videos on this. Have you set all this up and run it live?
@Federico Pacher Not really, he touches on Wazuh a little but then bounces to another product, then to another product, then to another product and is not connecting it all together. So looking at the initial map of things, if you do this complete setup you will have many different things that can all do the same thing, so the whole presentation needs to be clarified because right now it is just clutter AND we don't get any responses to questions!
@@quikmcw so using all these in cooperation would be repetitive? or is it just that its difficult to set up all these together. Ive only been learning cybersecurity for a couple months and trying to learn blue teaming any advice while setting this SIEM stack up.
@@gstella2804you need to watch the series of these videos and figure it all out to understand what they are doing.
@gstella2804 Check out kali purple "soc in a box" project. it uses similar components as discussed here and also lists the hardware requirements. SO much learning there.
Hi, I wanted to ask about the system specs to implement all of the elements in the last graph. Thanks for any tips.
Waz-uh, as in What's up... clever name really.
Sir Kindly install on AWS cloud kindly make that video
how many vm is required to build this?
this is so cool
Hello, all this stack can be done through Virtual Box?
Yes but not likely on the same machine. You would need 64GB Ram and 3-5- terra drive of space for the whole project . You would likely want to run this across 2-3 devices or one very hefty machine with the requirements to run all this.
He switched tee shirts in the middle of the show. 😂😅.
The best
Why not using ELK Stack? Could any one give a comment for ELK open source on SIEM module?
He doesn't like Kibana for visualizations he prefers Grafana.
Likewise he prefers Wazuh agents for EDR instead of Beats.
Maybe because it sucks? :) ... I mean I'm testing it with Wazuh but Kibana is just so blantantly engieneered past the needs of usefull UI ... and if you ever had an Elastic Cluster fail ... good luck trying to recover it. It's just a pain in the ass to repair ... in the end I prefer OSSEC before it was turned in that Chutuhulu based Monster chained to the ELK stack if you ask me.
Nice, looking forward to this series. Thank you for this. Currently building my own enterprise grade soc in my homelab as well. Could we use a windows event collector to collect all logs from machines and then just deploy 1 wazuh agent instead of deploying a agent on every machine?
In theory yes. Main issue you will start to see is possibly bottlenecking on the log forwarding from the event collector.
i.e. You have 100 servers/workstations sending 50 events per sec to the WEC, the WEC is then responsible for forwarding 5000 events per sec to wazuh (you can see how this scales if you extrapolate that out).
Also wazuh has the ability to do detection and remediation, so it makes sense to install the agent on each host.
@@octavian15202 So when would you actually use WEC? Is it just a Wazug thing? I've seen a lot of recommendations for deploying a WEC in large environments so you don't have to deploy another agent on all machines
@@getoutmore I would say that's going to be dependent on your business case. If you want to make use of the EDR components of wazuh, you will want to put it on all systems as an agent.
If you don't want to use the EDR components, then you could install in on the WEC, you will just need to be sure the agent forwarding from the WEC can figure out the original host that sent the events.
Nice
Interesting
Uhhhh is this for begginers?!? I’m trying to learn but you’re rolling out other extra knowledge and information I have nonidea about!!!
What the hell is a execution bypass flag, never heard of that before today and it seems pretty important….
How can we learn something when we don’t know what we don’t know???
Google.
@@Gunz_andweed ChatGPT > Google
nice. and if you want to spend money on licenses instead of salaries then you could replace 6-7 items in this stack with splunk and maybe cribl :-D
Why would you watch and comment this video for if you prefer to pay licensing for some proprietary/closed source solution? Nonsense to say the least.
@@FabioVascoGomes i like your open mindedness
@@DominiqueVocat Be open about it and make a video showing all the good things the other tools you know can do it. Explain, with details, why they are better then the open source alternatives. While you're at it, check other open source solutions as well, maybe there are even better options out there, not covered in this video. This is a channel that focus on open source tools, why would someone talk about proprietary software here? I respect your opinion, but you're not doing any good here. Not for you and not for the owner or the viewers of this channel. Think about it.
@@FabioVascoGomes Everyone is entitled to express their views. Perhaps a lot of individuals aren't even aware that employing the Cribl solution will allow them to lower their Splunk costs. Just a different point of view.
For once, the software is actually really useful
SIEM is not pronounced like "seem". It's pronounced like "SIM", like the game.
No its not. Sim sounds stoopid. Say Seem.