How to Build a SOC With Open Source Solutions?

by rootsun
August 30, 2020

The SOC is the information security department that continuously monitors, analyzes, and improves an organization's security posture. Its goal is to identify, assess, and respond to cybersecurity incidents using technology and well-managed processes. A SOC is typically staffed by information security analysts, engineers, and managers who oversee all of the activity that takes place. To resolve security issues quickly, SOC staff work closely with incident response teams.

Rising cyber threats, constant alert fatigue, and industry-wide staffing challenges leave many SOCs unable to keep up, and SOC analysts are constantly weary. Automating routine as well as complex tasks frees up analyst time and speeds up operations. With attackers getting faster every day, cybersecurity industry leaders agree that automation is a must in today's threat environment.

Human resources

Many organizations build their own SOCs from their own resources, offering structured training programs to staff who already perform internal security functions and to other interested employees. Others combine internal and external staff. Retaining current employees is essential in order to start building a strong security operations team.

Extensive skills and experience are required in monitoring, incident management, threat hunting, intrusion detection, reverse engineering, malware anatomy, and so on.

Process

Before a SOC is created, security tasks are often scattered and handled ad hoc. Who does which job, and how problems are solved and documented, does not follow a regular process.

With a SOC, incident management workflows should be built from the very start so that each phase fits into a broader approach. Workflows clarify each team member's role and responsibilities so that nothing falls through the cracks.

Technology

Many organizations want technology tools that support their visibility and incident response strategy across their networks and fit their budget.

To ensure maximum security coverage of your information systems, a comprehensive combination of tools is needed. Every effective SOC includes these main components: a SIEM (security information and event management) system, an incident tracking and management system, intrusion detection and prevention (IDS/IPS/IDPS) systems, a cyber threat intelligence (CTI) platform, packet capture and analysis tools, and automation tools. A SOC team needs to be able to perform the following functions with its technology:

  • Network monitoring
  • Endpoint management
  • Asset discovery
  • Threat intelligence
  • Behavioral monitoring
  • Data loss prevention
  • Ticketing systems
  • Policy compliance
  • Incident response

Open source solutions for a SOC

A. Security information and event management (SIEM) tools

Security information and event management (SIEM) is a security management approach that combines the functions of SIM (security information management) and SEM (security event management) into a single security framework. SIEM tools analyze security alerts generated by applications and network devices in real time.

Apache Metron: Apache Metron evolved from Cisco's OpenSOC framework. Like SIEMonster, it connects several open source components in a centralized platform. Apache Metron parses and normalizes security events into standard JSON for easier analysis, and it can also issue security alerts and enrich and label event data.

AlienVault OSSIM: AT&T Cybersecurity provides AlienVault OSSIM, an open source SIEM tool derived from AlienVault's USM solution. Like the entries above, it bundles many open source projects into a single package. AlienVault OSSIM also supports application monitoring and logging.

MozDef: Built by Mozilla to simplify security incident handling, MozDef offers scalability and resilience. It provides event correlation and security alerting on a microservice-based architecture, and it can be integrated with third-party tools.

OSSEC: Technically, OSSEC is an open source intrusion detection system rather than a SIEM solution. However, it still offers a host agent for log collection and a central application for processing those logs. Overall, this tool monitors log files and file integrity for signs of cyber attacks. It can analyze logs from multiple network services and provides your IT team with numerous alerting options.

Wazuh: Wazuh forked from another open source SIEM solution, OSSEC, but is now a distinct option in its own right. It supports agent-based data collection and syslog retrieval, and it can easily monitor on-premises devices. It has a dedicated web interface and detailed documentation so that IT administrators can take control quickly.

Prelude OSS: Prelude OSS is the open source version of the Prelude SIEM solution. It works with a wide variety of log formats and other sources, and it normalizes event data into a common language that other cybersecurity tools and solutions can consume. Prelude OSS also benefits from continuous development while keeping its threat intelligence current.

Snort: Snort, another open source intrusion detection system, also offers log monitoring, and it performs real-time network traffic analysis to identify possible threats. Snort can also inspect live traffic or read packet dumps from a log file, and output plugins determine how and where the data is stored.

Sagan: Sagan operates almost entirely as a log-analysis companion to Snort; it complements Snort and follows Snort's rule principles. Sagan is lightweight and can write to Snort-compatible databases. It can be another useful resource for those who want to work with Snort.

ELK Stack: The ELK Stack includes free components that can serve as a SIEM. For instance, ELK can collect logs from almost any data source through its Logstash component, and that log data can then be combined with a wide range of plugins, although security rules must be written manually. ELK Stack can also visualize the data in dashboards.

SIEMonster: SIEMonster offers both a free SIEM and a paid solution. As with many of the solutions listed here, the SIEMonster framework provides a centralized management interface for data analysis, threat intelligence and various open source components. Unlike some other open source SIEM solutions, your organization can host it in the cloud.
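The two core steps the SIEM tools above share, normalizing raw log lines into a common event schema and correlating those events into alerts, as an added example that is not code from any of the listed projects. The log lines, the sshd message format, the 5-failures-in-60-seconds rule and the field names are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd messages in syslog form, as a SIEM collector would receive them.
RAW_LOGS = """\
2020-08-30T10:00:01 srv1 sshd[201]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
2020-08-30T10:00:09 srv1 sshd[202]: Failed password for root from 203.0.113.5 port 4002 ssh2
2020-08-30T10:00:15 srv2 sshd[310]: Accepted password for alice from 192.0.2.10 port 5000 ssh2
2020-08-30T10:00:20 srv1 sshd[203]: Failed password for root from 203.0.113.5 port 4003 ssh2
2020-08-30T10:00:31 srv1 sshd[204]: Failed password for invalid user test from 203.0.113.5 port 4004 ssh2
2020-08-30T10:00:44 srv1 sshd[205]: Failed password for root from 203.0.113.5 port 4005 ssh2
2020-08-30T10:05:00 srv2 sshd[311]: Failed password for bob from 192.0.2.10 port 5001 ssh2
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port \d+")

def normalize(raw):
    """Parse raw lines into one common event schema (the parsing step of a SIEM)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # a real SIEM would keep unparsed lines in a raw index rather than drop them
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "src_ip": m["src_ip"], "user": m["user"],
                       "outcome": "failure" if m["outcome"] == "Failed" else "success"})
    return events

def brute_force_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` failures from one source inside a sliding window."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if len(q) >= threshold:
            alerts.append({"rule": "ssh_brute_force", "src_ip": ev["src_ip"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()  # reset so the same burst is not reported again on every later failure
    return alerts
```

Running `brute_force_alerts(normalize(RAW_LOGS))` on the sample yields one alert for 203.0.113.5 and none for 192.0.2.10, whose single failure never reaches the threshold.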

B. Intrusion detection and intrusion prevention (IDS/IPS/IDPS) tools

An IDS is an automated system that detects unauthorized access to a device on an information network. Unauthorized access threatens the confidentiality, integrity or availability of information.

An IPS is a security tool capable of detecting inappropriate network and/or application activity. An intrusion prevention system can respond to this in real time by blocking or preventing such activity.

Snort: Snort is the best-known open source IDPS solution for Windows and Unix; it provides intrusion detection, packet logging and full-fledged intrusion prevention capabilities in real time.

Suricata: Suricata is a high-performance IDPS and network security monitoring engine. Because it is multi-threaded, the processing load on a sensor is balanced within a single instance.

OSSEC: This system combines log analysis, file integrity monitoring, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response.

Security Onion: Security Onion is an open source Linux distribution for intrusion detection, network security monitoring, and log management in enterprise security.

Bro Network Security Monitor: Bro is an open source network security platform that records network activity in detail and can be deployed at scale. It provides a robust platform for general traffic analysis, including incident identification and threat detection, alongside its security monitoring features.

Vistumbler: Vistumbler is a wireless network scanner for Windows. Its main purpose is to map and display the access points around you using collected wireless and GPS data.

Smoothwall Express: Smoothwall Express is an open source firewall that features an easy-to-use web interface and its own hardened Linux operating system. Features include LAN, DMZ and wireless network support, real-time content filtering and HTTPS filtering.

Untangle NG Firewall: NG Firewall is a next-generation platform of network applications that monitor network traffic simultaneously. These applications are tied together by a common GUI, database and reporting.

ClamAV: ClamAV is an open source antivirus engine for mail gateway scanning, available on Windows, OS X, Linux and BSD.

C. Incident response tools

An incident may interrupt or disrupt an organization's activities, facilities or functions. Incident response is the term for an organization's activities in detecting, analyzing and remediating threats in order to prevent future incidents.

GRR Rapid Response: Google's GRR Rapid Response consists of two parts: a GRR client deployed to the systems under investigation and a GRR server that helps analysts run actions and process the collected data.

Cyphon: Cyphon gives analysts the means to capture, process and triage incidents. It collects data from sources such as message logs, APIs and email, making it easy to gather and analyze as much or as little detail as you want.

Volatility: Volatility is a memory forensics framework that helps analysts extract and analyze information from memory dumps.

SIFT (SANS Investigative Forensic Toolkit) Workstation: SIFT Workstation is an Ubuntu-based toolkit with all of the analysis tools required to conduct comprehensive digital forensic work.

TheHive Project: TheHive is a free, open source incident response platform that allows many investigators to work on incident investigations at the same time. It helps analysts assign tasks, post updates, and display events and alerts from various sources, including SIEM alerts.

D. Malware analysis tools

Malware analysis is the study or process of determining how a specific malware sample, such as a virus, worm, trojan horse, rootkit or backdoor, works and what effect it may have.

Cuckoo Sandbox: Cuckoo Sandbox is a free malware analysis tool that automates the analysis of any malicious file on Windows, macOS, Linux, and Android.

YARA: YARA is the main tool used for identifying and classifying malware. It offers a rule-based approach for creating malware family definitions based on textual or binary patterns.

GRR: Google Rapid Response aims to provide rapid, scalable support for forensics and investigations so that analysis can be conducted remotely and completed promptly.

REMnux: The REMnux project provides a lightweight Linux distribution for malware analysts.

Bro: Bro is a free and open-source software network analysis framework.

E. Threat intelligence tools

Cyber threat analysts scrutinize vast volumes of data to identify patterns and trends that provide actionable information about possible threats. The resulting knowledge of existing and emerging threats is cyber threat intelligence. By using cyber threat intelligence, businesses gain a more detailed understanding of suspected bad actors so that they can proactively detect, plan for and, hopefully, prevent cyber attacks and hacking attempts.

Tools can use cyber threat intelligence to track and react to problems by quickly comparing observed behavior with known threats and flagging risks that manual monitoring would not catch. Using a threat intelligence tool strengthens your network security and is important for keeping your security operations secure and vigilant.
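The comparison just described, observed events checked against a shared indicator set, as an added example that is not code from MISP or any other listed project. The indicator list (in the shape of a type/value/tag export), the events and the field mapping are constructed; note the domain match covers subdomains of an indicator but never a bare substring, so updates.example does not hit bad-updates.example.

```python
# Constructed indicator set in the shape of a MISP-style attribute export (type, value, tag).
INDICATORS = [
    {"type": "ip-dst", "value": "198.51.100.23", "tag": "c2-server"},
    {"type": "domain", "value": "bad-updates.example", "tag": "phishing"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "tag": "dropper"},
]

# Constructed observations in the normalized form a SIEM would hand to an enrichment step.
EVENTS = [
    {"id": 1, "kind": "dns", "host": "ws-12", "query": "cdn.bad-updates.example"},
    {"id": 2, "kind": "conn", "host": "ws-12", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"id": 3, "kind": "conn", "host": "ws-07", "dst_ip": "192.0.2.44", "dst_port": 443},
    {"id": 4, "kind": "file", "host": "ws-07", "sha256": "0123456789abcdef" * 4},
    {"id": 5, "kind": "dns", "host": "ws-07", "query": "updates.example"},
]

# Which event field is compared against which indicator type.
FIELD_MAP = {"dns": ("query", "domain"), "conn": ("dst_ip", "ip-dst"), "file": ("sha256", "sha256")}

def build_index(indicators):
    """Index indicators by type, lower-casing values once so hashes and names compare cleanly."""
    index = {}
    for ioc in indicators:
        index.setdefault(ioc["type"], {})[ioc["value"].lower()] = ioc["tag"]
    return index

def domain_hit(name, domains):
    """Return the indicator matching the name or one of its parent domains, else None."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def enrich(events, indicators):
    """Label every event whose observable matches an indicator; unmatched events pass through."""
    index = build_index(indicators)
    hits = []
    for ev in events:
        field, ioc_type = FIELD_MAP.get(ev["kind"], (None, None))
        if field is None or field not in ev:
            continue
        table = index.get(ioc_type, {})
        value = ev[field].lower()
        matched = domain_hit(value, table) if ioc_type == "domain" else (value if value in table else None)
        if matched is not None:
            hits.append({**ev, "ioc": matched, "tag": table[matched]})
    return hits
```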

MISP: MISP (Malware information sharing platform) is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

TIH: TIH (Threat-Intelligence-Hunter) is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well-known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs for creating your own set of indicators.

QTek/QRadio: QRadio is a tool/framework designed to consolidate cyber threat intelligence sources. The goal of the project is to establish a robust, modular framework for extracting intelligence data from vetted sources.

Machinae Security Intelligence Collector: Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints.

SOCRadar Community Edition: SOCRadar is a unified threat intelligence platform that tracks changes and risks to your digital assets, provides proactive protection to companies and delivers information about attacks in the cyber world.

F. Web application firewalls

A web application firewall filters, monitors and blocks HTTP traffic to and from a web server. A WAF differs from a traditional firewall in that it can filter the content of specific web applications, while a traditional firewall acts as a security gateway between servers.

ModSecurity: ModSecurity is an open source, cross-platform web application firewall (WAF) module. It gives web application defenders visibility into HTTP(S) traffic and provides a powerful rules language and API for implementing advanced protections.

NAXSI: NAXSI is an acronym for Nginx Anti XSS & SQL Injection. Its goal is to prevent attackers from exploiting web vulnerabilities.

WebKnight: WebKnight is an open source web application firewall (WAF) for IIS.

Shadow Daemon: Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters.
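An added illustration of how a scoring WAF such as NAXSI decides between a single suspicious character and a request worth blocking: each rule adds points to a category and only a category that reaches its threshold blocks. This is not NAXSI's code or rule syntax; the rules, thresholds and request strings are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed rule set modelled on NAXSI's scoring idea: a match adds points to a category and the
# request is blocked only when a category reaches its threshold. (Assumption: illustrative only;
# the real NAXSI rule syntax and rule set differ.)
RULES = [
    {"id": 1001, "pattern": re.compile(r"'|\"|--|/\*"), "score": {"$SQL": 4}},
    {"id": 1002, "pattern": re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I), "score": {"$SQL": 4}},
    {"id": 1003, "pattern": re.compile(r"<|>"), "score": {"$XSS": 4}},
    {"id": 1004, "pattern": re.compile(r"script|\bon\w+\s*=", re.I), "score": {"$XSS": 4}},
    {"id": 1005, "pattern": re.compile(r"\.\./"), "score": {"$TRAVERSAL": 8}},
]
# Category thresholds, the equivalent of NAXSI's CheckRule lines.
CHECKS = {"$SQL": 8, "$XSS": 8, "$TRAVERSAL": 8}

def score_request(query_string):
    """Score every query parameter against RULES; return the decision and the evidence behind it."""
    totals, matched = {}, []
    for name, value in parse_qsl(query_string, keep_blank_values=True):  # parse_qsl also URL-decodes
        for rule in RULES:
            if rule["pattern"].search(value):
                matched.append((rule["id"], name))
                for category, points in rule["score"].items():
                    totals[category] = totals.get(category, 0) + points
    blocked = any(totals.get(cat, 0) >= limit for cat, limit in CHECKS.items())
    return {"blocked": blocked, "scores": totals, "matched": matched}

if __name__ == "__main__":
    # Constructed requests: a plain search, an apostrophe in normal text, and a traversal attempt.
    for qs in ("q=security+onion&page=2", "q=don't+stop", "file=..%2F..%2Fconfig"):
        print(qs, "->", score_request(qs))
```

A lone apostrophe in "don't stop" scores 4 in $SQL and passes, which is the point of scoring over single-pattern blocking: the request is only blocked when several independent signals accumulate.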
