Articles tagged with: #siem
[Tool] Built CyberBlueSOC - Deploy a Full SOC Lab in less than an hour (Open Source)

cybersecurity www.reddit.com

I've been working on solving a problem I kept running into: setting up a SOC lab environment takes forever. Manual configuration of Wazuh, MISP, Velociraptor, Suricata, and other tools can take days. So I built CyberBlueSOC - a containerized platform that deploys 15+ integrated security tools with one command.

What's included:
- SIEM: Wazuh
- Threat Intel: MISP (auto-populated with 280K+ IOCs)
- DFIR: Velociraptor, Arkime
- SOAR: Shuffle, TheHive/Cortex
- Network Detection: Suricata, EveBox
- ...

Open Source SOC Lab Platform - Integrated Wazuh, MISP, Velociraptor, Shuffle & More

For [Blue|Purple] Teams in Cyber Defence www.reddit.com

Built an integrated SOC training platform for blue teamers who want to practice without spending days on setup.

The stack:
- SIEM/XDR: Wazuh + OpenSearch
- CTI: MISP with automated feed ingestion
- DFIR: Velociraptor for endpoint collection
- SOAR: Shuffle for automation workflows
- NIDS: Suricata + EveBox for event management
- PCAP: Arkime with sample captures
- Fleet: osquery fleet management
- Detection: 523 YARA rules + 3,047 Sigma rules pre-configured

Technical approach:
- Docker Compose...

How to detect per-device ingestion loss and port-flapping when multiple Cisco devices share one connector?

CrowdStrike www.reddit.com

Hey everyone, We're using CrowdStrike NG SIEM to collect syslogs from ~50 - 60 Cisco IOS switches and routers. For easier management, we're sending all device logs through a single connector (instead of creating one per device). The issue is - the connector shows as active as long as at least one device is sending logs, so we have no per-device visibility. Our customer wants to know: How can we detect if a specific device stops sending logs (due to shutdown, network loss, etc.) when using one...

Cribl? Alternatives?

cybersecurity www.reddit.com

I wanted an intermediate layer for my SIEM like Cribl. Are there any good open-source alternatives (or tools that have a free version too)? It should aggregate logs and also filter etc. My idea was Fluentd + Fluent Bit or Vector, if it is possible. I hope you have better ideas. My end targets will be CrowdStrike SIEM (maybe), Graylog, log storage. submitted by /u/Apprehensive-Pair596

How to look for opportunities in UK / Germany based startups that are looking for long-term commitment and growth?

cybersecurity www.reddit.com

A brief on myself: I have 2.5 years of experience in cybersecurity and am currently employed at a product-based MNC, where I have worked with many security teams within the current organisation, some based on requirement and some on situation. I have a good amount of experience on the security engineering side of cybersecurity: managing and deploying SIEM, SOAR, IAM, AD, security automation and threat intel platforms. How to look or research to work with startups or small / non-tech companies (money is not the...

Cyber Risk Analysts - what do you do?

cybersecurity www.reddit.com

I'm a SIEM Analyst/Engineer with a bit of BAU across PAM, DLP, Threat and Vuln. Basically, a bit of everything at a high level. I've seen a role for a risk analyst. Judging from the description, it's document heavy - the closest thing I can relate to is documenting ServiceNow tickets so everyone knows how it's done and taking care of a risk register for CVEs, based on pen test reports. Is there a lot more to it? I'm not at a skill level where I can say "yep, that's a gap - fix it". submitted by...

What I learned about logging and detection strategies from moving house

For [Blue|Purple] Teams in Cyber Defence www.reddit.com

I don't normally post a lot here, but I tried to turn a recent life experience into some useful tips for those struggling with SIEM data. It's a bit light-hearted, go easy on me :) https://www.cosive.com/blog/what-i-learned-about-logging-and-detection-strategies-from-moving-house submitted by /u/prescottpym

Which SIEM would you vote for and why?

cybersecurity www.reddit.com

Share your honest experience: the good, the bad, the ugly? This will really help me narrow down where I should be spending my time and what to learn. I'm always interested in how you are using it too. submitted by /u/Red_One_101

Help Feeling Stuck!

cybersecurity www.reddit.com

Hello All! I've been working in the field for 5 years now. I have experience in log management, SIEM governance, and cyber operations. Unfortunately, I was laid off about 3 months ago, so I've been focusing on applying and getting back into the field. However, I feel a bit stuck on what to do next besides finding a job. I want to upskill and study, but I get mixed opinions on what to do next. My main focus is getting more hands-on technical experience, and I've been mainly a cybersecurity analyst...

Geolocation is a joke

cybersecurity www.reddit.com

I monitor a SIEM for a client and have over the last year tried to be very precise about any outside-the-US connections, as they work in the government/DoD sphere and are thus very sensitive to that. But the fact is, geolocation just doesn't really exist, as far as IPs go. I have used half a dozen different tools, including the one that comes with our SIEM, and they all tell me something different for a single IP. I just looked up an IP that my SIEM says is in the Netherlands; AbuseIPDB says it's...

CrowdStrike sensors randomly stop/start sending telemetry

CrowdStrike www.reddit.com

Hello everyone, We had a tenant with multiple devices where the sensor was installed around December 2024. However, we couldn't determine which hosts were sending full telemetry (e.g., ProcessRollUp2, DnsRequest, etc.) and which were not. We observed an alert in our SIEM and wanted to double-check the host-level logs, but we didn't find any telemetry even though the sensor had been installed for a long time. Then, suddenly, the hosts started sending full telemetry without any changes on our...

NG-SIEM customers - Feedback wanted

CrowdStrike www.reddit.com

Looking for experiences from companies that have moved off of a Managed SOC/SIEM platform over to NG-SIEM, and what your experiences have been. We're utilizing Falcon Complete already, and are unhappy with one of the larger Managed SOCs currently. TIA! submitted by /u/socaljayhawk

Microsoft Expands Sentinel Into Agentic Security Platform With Unified Data Lake

The Hacker News thehackernews.com

Microsoft on Tuesday unveiled the expansion of its Sentinel Security Information and Event Management (SIEM) solution into a unified agentic platform with the general availability of the Sentinel data lake. In addition, the tech giant said it's also releasing a public preview of Sentinel Graph and a Sentinel Model Context Protocol (MCP) server. "With graph-based context, semantic access, and agentic

Anyone else struggling with Varonis → CrowdStrike SIEM parsing & correlation rules?

CrowdStrike www.reddit.com

Running into some frustrating issues with my Varonis → CrowdStrike SIEM integration and hoping to hear if anyone has dealt with the same:
• Idle mode behavior: the connector is in idle mode all the time even though I see raw logs.
• Correlation rules: when an alert triggers in Varonis, I expect the mapped correlation rule in CrowdStrike to fire, but it doesn't. It's like the rule logic breaks because of missing or mis-mapped fields.
• Varonis parser & fields: some events don't parse cleanly into...

From SIEM to AI SOC: The Agent-Driven Future

Detection at Scale www.detectionatscale.com

How AI agents will transform security operations from alert-driven chaos to intelligent, autonomous analysis that finally scales to fit our needs.

Taking SIEMs to the next level

cybersecurity www.reddit.com

Folks, so I was talking to a CISO from an org I'm looking to join, and in several instances he kept making references to "enhanced SIEM" as something they need help to build out. I have a pretty good understanding of what SIEMs are and how to use one, but what, generally, do people mean when they say "enhanced SIEM"? Any idea? submitted by /u/cyberdot14

Company SIEM vs 3rd party SOC

cybersecurity www.reddit.com

I'm the only cybersecurity analyst at my job and we have about 500 endpoints. I want to set up a SIEM and I've been learning Splunk, ELK, and Wazuh. At first I thought about using a third-party SOC for 24/7 monitoring, but then I started thinking... if they do everything, how am I supposed to really get the experience? On the other hand, running a SIEM by myself might be too much since I'm just one person.

My questions are:
• Should I try to run the SIEM myself or just use a third-party SOC?
• ...

Implementing SIEM for my mid-sized company

cybersecurity www.reddit.com

Hello, I have a syslog server where I receive the logs of all my firewalls. I want to improve this solution into a SIEM. I already tried Wazuh when I was a student; I want to try Graylog or ELK. Which one is recommended and simple to implement? If there are any recommendations to improve my solution, I'm all ears. submitted by /u/Far_Personality_9516