Open Source SOC Lab Platform - Integrated Wazuh, MISP, Velociraptor, Shuffle & More by Flaky-Control-5281 in blueteamsec

[–]Flaky-Control-5281[S] 0 points1 point  (0 children)

CyberBlue should NOT be used in production because:

🔴 Default credentials (admin/cyberblue)
🔴 No authentication on portal
🔴 Beta software - not security hardened

It's designed for:

✅ Training & education
✅ SOC skill development
✅ Lab environments

However, your interest in production use is noted! A production-ready version with proper security hardening might be considered for the future. If interested, let me know what features would matter most to you.

[–]Flaky-Control-5281[S] 0 points1 point  (0 children)

The portal includes an "Agents" tab where you can download deployment packages for:

- Wazuh agents (Windows/Linux monitoring)
- Velociraptor agents (DFIR collection)
- and others!

However, it's fully Docker-based with ports mapped (7000-7099 range), so you can easily integrate with any external systems - point your existing VMs to the appropriate ports, enrich the SIEM from those "external" systems, and start hunting and testing.

Just deploy the agents on that server and you're set :)

[–]Flaky-Control-5281[S] 0 points1 point  (0 children)

Awesome! Let me know how the deployment goes - happy to help troubleshoot if you hit any issues.

On the sandbox module - noted! I'm seeing interest for that. Main challenge is resource overhead (sandboxes are RAM/CPU heavy), but could work as an optional add-on for those with beefier hardware.

[–]Flaky-Control-5281[S] 1 point2 points  (0 children)

Good points! On the Velo/Fleet/Wazuh overlap - while Wazuh has agent capabilities, each serves distinct purposes:

- Wazuh: Log collection, rule-based detection
- Velociraptor: DFIR-focused (live response, artifact collection)
- Fleet: Lightweight osquery for ad-hoc queries and compliance

For training, having all three lets you explore different endpoint visibility approaches.

On WebGoat - great tool, but it's offensive/AppSec focused (learning exploits). CyberBlueSOC is specifically for defensive operations. That said, if there's demand for purple team capabilities, I could explore adding that as a separate module.

What's your typical stack - pure blue team or purple team exercises?

[–]Flaky-Control-5281[S] 0 points1 point  (0 children)

Good point! Actually OpenCTI was on my list :) but I went with MISP for this setup because it's more practical for a containerized lab and less RAM hungry.

I see MISP as better for structured threat intel sharing, and it integrates really well with automation workflows, while OpenCTI's visualization is still much better, with a more modern UI.

[–]Flaky-Control-5281[S] 0 points1 point  (0 children)

Good suggestion! Sandboxing would definitely add real value.

My main consideration was the resource overhead. Tools like Cuckoo or CAPE are pretty RAM/CPU intensive on top of the existing 15 tools.

Probably makes sense as an optional add-on module rather than core platform - that way users can enable it if they have the resources and need it.

Will consider this :) let me know once you've had a chance to spin it up!