MozDef - MozDef: The Mozilla Defense Platform

•    Javascript

---

The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.

siem elk elk-stack elasticsearch security

OSSEC - Host-based Intrusion Detection System

•    C

---

OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM together in a simple, powerful and open source solution.

intrusion-detection siem threat-intelligence security-analytics threat-analytics monitoring

sigma - Generic Signature Format for SIEM Systems

•    Python

---

Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files.

security monitoring siem logging signatures elasticsearch splunk ids sysmon

Apache Metron - Real-time Big Data Security

•    Java

---

Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat intelligence information to security telemetry within a single platform.

security-framework cyber-crime anomoly-detection monitoring security big-data threat-intelligence security-analytics opensoc siem threat-analytics

sagan - Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc)

•    C

---

Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc)

security ids ips siem log syslog nsm log-monitoring

security-apis - A collective list of public JSON APIs for use in security.

•    

---

A collective list of public JSON APIs for use in security.

awesome-list security siem json-api

THRecon - Threat Hunting Reconnaissance Toolkit

•    PowerShell

---

Collect endpoint information for use in incident response, threat hunting, live forensics, baseline monitoring, etc. * Info pulled from current running processes or their executables on disk.

threat hunt red blue purple team incident response baseline monitor analysis scan log forensics triage recon threat-hunting security soc siem

MalwLess - Test Blue Team detections without running any attack.

•    CSharp

---

MalwLess is an open source tool that allows you to simulate system compromise or attack behaviours without running processes or PoCs. The tool is designed to test Blue Team detections and SIEM correlation rules. It provides a framework based on rules that anyone can write, so when a new technique or attack comes out you can write your own rules and share it a with the community. These rules can simulate Sysmon or PowerShell events. MalwLess can parse the rules and write them directly to the Windows EventLog, then you can foward it to your event collector.

blueteam dfir mitre-attack sysmon siem redteam powershell

LogESP - Open Source SIEM (Security Information and Event Management system).

•    Python

---

LogESP is a SIEM (Security Information and Event Management system) written in Python Django. It features a web frontend, and handles log management and forensics, risk management, and asset management. LogESP was designed and built as a security application, and minimalism can be good for security.

siem risk-management risk-assessment vulnerability-management security security-tools secops security-audit web-application asset-management log-management log-analysis log-collector log forensics security-analysis security-awareness syslog log-parser log-monitoring

siemstress - Very basic CLI SIEM (Security Information and Event Management system).

•    Python

---

Siemstress is a lightweight but powerful security information and event management (SIEM) system. It uses a database and a suite of CLI tools for managing log events, and automating event analysis. It comes with four programs: siemparse, siemquery, siemtrigger, and siemmanage. Siemstress is designed to parse data, and organize it into prioritized, manageable streams of relevant information. The goal is a streamlined open source information management system that embodies unix design principles. It should be simple, modular, and useful beyond its original scope.

log syslog log-analysis log-analytics forensics security security-tools log-management log-monitoring log-collector log-analyzer siem security-analysis security-awareness parser parsing command-line cli secops

siem-splunk-connector - Akamai SIEM Connector for Splunk

•    Java

---

Veresion 1.3.0 was a limited release and is no longer available, but 1.4.2 includes all its features. Read on for overview and installation instructions. The sample Splunk connector is a Splunk add-on that captures security events from the Akamai Security Events Collector, which exposes a RESTful API that lets the connector pull events in JSON format. The Splunk add-on converts security events data from JSON into CIM format. The Splunk instance then analyzes high volumes of data by indexing it.

siem splunk