This project demonstrates the real-time setup of a Security Operations Center (SOC) using only free and open-source software. It simulates core SOC functions including log collection, analysis, incident response, and threat intelligence, integrating TheHive, Cortex, MISP, and the ELK Stack.
Figure 1: SOC Real-Time Lab Architecture Overview
| Tool | Purpose |
|---|---|
| TheHive | Incident response platform |
| Cortex | Automated analysis and response engine |
| MISP | Threat intelligence platform |
| ELK Stack (Elasticsearch, Logstash, Kibana) | Log aggregation and visualization |
To replicate this SOC Real-Time Lab setup on your own infrastructure:
1. Deploy TheHive v4
   - Use OpenJDK 8 and Cassandra as the backend.
2. Integrate Cortex and MISP
   - Use Cortex for automated response.
   - Feed MISP threat intel into TheHive.
3. Connect to the ELK Stack
   - Forward logs to Logstash.
   - Visualize alerts and incidents via Kibana.
4. Verify Alerts and Automation
   - Test ingestion of fake IOCs (Indicators of Compromise).
   - Trigger Cortex analyzers and observe incident handling.
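The verification step above (ingesting fake IOCs and triggering a Cortex analyzer) can be scripted. The following is an added example, not code from this project: it builds a TheHive 4 alert from a constructed set of non-routable test indicators, submits it over the `/api/alert` endpoint with a Bearer API key, and kicks off a Cortex analyzer job via `/api/analyzer/<id>/run`. The URLs, API keys and analyzer id are assumptions read from environment variables; the `sourceRef` is derived from the IOC set so that re-running the script is rejected by TheHive as a duplicate rather than flooding the queue.

```python
"""Submit a constructed test alert to TheHive 4 and run one Cortex analyzer.
Added example for the lab's verification step; not part of the project.
Assumed environment: THEHIVE_URL, THEHIVE_KEY, CORTEX_URL, CORTEX_KEY,
CORTEX_ANALYZER (analyzer id as shown in the Cortex UI)."""
import hashlib
import json
import os
import urllib.request

# Constructed test indicators: TEST-NET-3 address, reserved .invalid TLD,
# and a hash of a made-up sample. None of these point at a real host.
FAKE_IOCS = [
    {"dataType": "ip", "data": "203.0.113.42"},
    {"dataType": "domain", "data": "c2.example.invalid"},
    {"dataType": "hash", "data": hashlib.sha256(b"constructed-test-sample").hexdigest()},
]

# Observable types accepted by a default TheHive 4 install.
VALID_TYPES = {"ip", "domain", "fqdn", "url", "hash", "mail", "filename", "other"}


def build_alert(iocs, source="soc-lab-test", alert_type="ioc-ingest-test"):
    """Return a TheHive 4 (/api/alert) alert body carrying the IOCs as artifacts.

    sourceRef is a digest of the sorted IOC set: TheHive enforces uniqueness on
    (type, source, sourceRef), so the same fake IOC set is ingested only once.
    """
    for ioc in iocs:
        if ioc["dataType"] not in VALID_TYPES:
            raise ValueError(f"unsupported dataType: {ioc['dataType']}")
    canonical = json.dumps(
        sorted(iocs, key=lambda i: (i["dataType"], i["data"])), sort_keys=True
    )
    source_ref = hashlib.sha256(canonical.encode()).hexdigest()[:16]
    return {
        "title": f"[TEST] Fake IOC ingestion ({len(iocs)} observables)",
        "description": "Synthetic alert used to verify TheHive ingestion "
                       "and Cortex automation in the lab.",
        "type": alert_type,
        "source": source,
        "sourceRef": source_ref,
        "severity": 1,  # low: test traffic should not page anyone
        "tlp": 2,       # amber: keep lab artefacts inside the lab
        "tags": ["soc-lab", "test"],
        "artifacts": [
            {"dataType": i["dataType"], "data": i["data"], "tags": ["test"]}
            for i in iocs
        ],
    }


def post_json(url, body, api_key):
    """POST a JSON body with TheHive/Cortex Bearer authentication."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def submit_alert(iocs, thehive_url, api_key):
    """Create the alert in TheHive; returns the created alert document."""
    return post_json(f"{thehive_url.rstrip('/')}/api/alert",
                     build_alert(iocs), api_key)


def run_cortex_analyzer(cortex_url, api_key, analyzer_id, ioc):
    """Start a Cortex job on one observable; returns the job document.
    The report can then be fetched from /api/job/<job id>/waitreport."""
    body = {"data": ioc["data"], "dataType": ioc["dataType"], "tlp": 2}
    return post_json(f"{cortex_url.rstrip('/')}/api/analyzer/{analyzer_id}/run",
                     body, api_key)


if __name__ == "__main__":
    alert = submit_alert(FAKE_IOCS, os.environ["THEHIVE_URL"], os.environ["THEHIVE_KEY"])
    print("alert created:", alert.get("id"), alert.get("sourceRef"))
    job = run_cortex_analyzer(os.environ["CORTEX_URL"], os.environ["CORTEX_KEY"],
                              os.environ["CORTEX_ANALYZER"], FAKE_IOCS[0])
    print("cortex job:", job.get("id"), job.get("status"))
```

After the script runs, the alert should appear in TheHive's alert list with three observables and the Cortex job should show up under the analyzer's job history; a second run exits with an HTTP conflict from TheHive because the `sourceRef` already exists, which is the expected deduplication behaviour.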
See `notes/troubleshooting.md` for resolving common issues.
```text
SOC-Real-Time-Lab/
├── architecture/   # SOC design diagram
├── config/         # Config files (TheHive, Cortex, MISP)
├── screenshots/    # UI screenshots of the tools
├── notes/          # Troubleshooting notes
├── LICENSE         # MIT License
├── .gitignore      # Ignore system files
└── README.md       # Project summary and instructions
```
This project is licensed under the MIT License.
Adesh R
Cybersecurity Enthusiast | Hands-on SOC & Threat Intelligence Projects
GitHub: adeshrr
