SOC-ELK-Sigma

Docker Elasticsearch Kibana Sigma

Overview

SOC-ELK-Sigma is a SOC pipeline built on the ELK Stack (Elasticsearch, Logstash, Kibana) with Sigma rules for threat detection.
It ingests Linux authentication logs, detects attacks such as SSH brute force, triggers alerts, and visualizes the events in Kibana dashboards.

This project demonstrates core SOC skills, including log ingestion, detection engineering, alerting, and dashboard creation, and is well suited to a junior SOC analyst or detection engineer portfolio.


Features

  • Collects and parses Linux logs via Logstash
  • Stores logs in Elasticsearch for fast search
  • Detects threats using Sigma rules (SSH brute-force example included)
  • Automated alerting in Kibana
  • Visual dashboards for real-time SOC monitoring
  • Fully containerized with Docker for easy deployment

Architecture

[Linux Host Logs] --> [Logstash] --> [Elasticsearch] --> [Kibana Dashboard]
                                \
                                 --> [Sigma Rules Detection]

Screenshots

Failed SSH login attempts:

[Screenshot: Failed SSH login attempts]

Top attacking IPs:

[Screenshot: Top attacking IPs]

Installation

Prerequisites

  • Docker & Docker Compose installed
  • Linux host with authentication logs (/var/log/auth.log)

Steps

Clone the repository:

git clone https://github.com/RUTHRAN-SEC/SOC-ELK-Sigma.git

Change into the repository directory:

cd SOC-ELK-Sigma

Start the ELK stack and Logstash (stopping any previous instance first):

sudo docker-compose down && sudo docker-compose up -d

Access Kibana:

http://localhost:5601

Usage

  • Logs are automatically ingested via Logstash
  • Sigma detection rules are in sigma_rules/
  • Logstash configuration is in logstash_pipeline/logstash.conf
  • Kibana dashboards visualize attacks in real time
  • Alerts are automatically generated for matching detection rules

Example Detection (Sigma Rule)

SSH Brute Force Detection

title: SSH Brute Force Detection
description: Detects multiple failed SSH login attempts
logsource:
  product: linux
  service: sshd
detection:
  selection:
    # log_message is the field name produced by this project's Logstash
    # pipeline. The Elasticsearch backend of sigmac turns this into the
    # phrase query log_message:"Failed password". Note that the strict Sigma
    # spec reads a bare value as an exact match, so the portable spelling
    # is log_message|contains: "Failed password".
    log_message: "Failed password"
  condition: selection
level: high

  • Converted to an Elasticsearch query with sigmac
  • Triggers a Kibana alert when the number of matching events exceeds the configured threshold
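The following Python script is an added example, not code from the SOC-ELK-Sigma project. It re-implements the detection path described above end to end without a running Elasticsearch or Kibana: it parses sshd lines from auth.log the way a Logstash grok filter would, evaluates the Sigma selection log_message: "Failed password" against each event, and applies a per-source-IP threshold over a sliding time window, which is the part the Sigma rule leaves to the Kibana alert. The field names src_ip, user and port, the threshold of 5 failures in 60 seconds, and the sample log lines are all constructed assumptions, not values from the project.

```python
"""
Added example (not part of the SOC-ELK-Sigma project): stand-alone
re-implementation of the README's SSH brute-force detection so the logic
can be exercised offline. Field names and the threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog header + program name, roughly what a grok SYSLOGLINE pattern yields.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[\w\-]+)(?:\[(?P<pid>\d+)\])?: (?P<log_message>.*)$"
)
# sshd-specific enrichment: pull user, source IP and port out of the message.
SSHD_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# The selection block of the Sigma rule above, as a field -> value map.
SELECTION = {"log_message": "Failed password"}


def parse_line(line, year=2024):
    """Turn one auth.log line into an event dict, or None if it is not syslog.
    auth.log carries no year, so one is supplied (assumed 2024 here)."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["@timestamp"] = datetime.strptime(f"{year} {event['ts']}", "%Y %b %d %H:%M:%S")
    if event["program"] == "sshd":
        detail = SSHD_FAIL.search(event["log_message"])
        if detail:
            event.update(detail.groupdict())
    return event


def selection_to_query_string(selection=SELECTION):
    """Approximation of what sigmac's Elasticsearch query-string backend emits."""
    return " AND ".join(f'{field}:"{value}"' for field, value in selection.items())


def matches_selection(event, selection=SELECTION):
    """Evaluate the Sigma selection against one event. A bare string value is
    treated as a case-insensitive phrase match, mirroring the query-string
    output above rather than the strict exact-match reading of the spec."""
    return all(
        str(value).lower() in str(event.get(field, "")).lower()
        for field, value in selection.items()
    )


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Return one alert per source IP the first time it reaches `threshold`
    selection matches inside a sliding window of `window_seconds`."""
    per_ip = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or not matches_selection(event):
            continue
        ip = event.get("src_ip", "unknown")
        window = per_ip[ip]
        window.append(event["@timestamp"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop matches that fell out of the window
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "rule": "SSH Brute Force Detection",
                "level": "high",
                "src_ip": ip,
                "count": len(window),
                "last_seen": event["@timestamp"].isoformat(),
            })
    return alerts


# Constructed sample auth.log excerpt (TEST-NET addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Sep 14 10:00:01 soc-host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 14 10:00:03 soc-host sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Sep 14 10:00:05 soc-host sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Sep 14 10:00:06 soc-host sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Sep 14 10:00:08 soc-host sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51128 ssh2
Sep 14 10:00:09 soc-host CRON[1210]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 14 10:00:11 soc-host sshd[1211]: Failed password for root from 203.0.113.7 port 51130 ssh2
Sep 14 10:00:30 soc-host sshd[1213]: Failed password for bob from 192.0.2.10 port 40030 ssh2
""".splitlines()


if __name__ == "__main__":
    print("ES query:", selection_to_query_string())
    for alert in detect_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample data only 203.0.113.7 reaches five failures inside the window, so a single high-severity alert is produced, while the one failure from 192.0.2.10 stays below the threshold; raising the threshold or tightening the window changes the outcome, which is the same tuning decision the Kibana alert needs.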

Contributing

  • Open an issue or pull request for improvements
  • Add more Sigma rules for additional detections
  • Extend dashboards with new visualizations

DONE BY

RUTHRAN-SEC
