CyberBlue

CyberSecurity BLUE TEAM containerized platform that brings together open-source tools for SIEM, DFIR, CTI, SOAR, and Network Analysis


🛡️ CyberBlueSOC Platform

License: MIT

⚠️ EDUCATIONAL & TESTING ENVIRONMENT ONLY ⚠️

🎓 Learning & Training Platform - Deploy 15+ integrated security tools for cybersecurity education and testing

CyberBlue is a comprehensive, containerized cybersecurity LEARNING PLATFORM that brings together industry-leading open-source tools for SIEM, DFIR, CTI, SOAR, and Network Analysis.

📘 Get the CyberBlueSOC Installation & User Guide v1.0

🚀 Want to deploy CyberBlueSOC step-by-step in less than 60 minutes?
Download the Free 36-Page Installation and User Guide that walks you through setup and key configurations. 👉 Access it here: cyberblue.co

🚨 IMPORTANT SECURITY NOTICE

⚠️ THIS IS A LEARNING/TESTING ENVIRONMENT ONLY ⚠️

🔴 CRITICAL WARNINGS - READ BEFORE INSTALLING:

  • 🔴 NO SECURITY GUARANTEES - No warranties, not suitable for processing real sensitive data or monitoring production systems
  • 🔴 DEFAULT CREDENTIALS - All tools use well-known default passwords (admin/cyberblue, etc.)
  • 🔴 NO AUTHENTICATION - Portal has authentication removed for ease of lab access, so anyone who can reach the portal port can use every tool it links to
  • 🔴 DEVELOPMENT BUILD - This is beta software for learning purposes

✅ APPROPRIATE USE CASES:

  • 🎓 Cybersecurity training courses and certifications
  • 🧪 Security tool evaluation and testing
  • 🏫 Academic institutions and research labs
  • 💻 Home lab environments (isolated from production)
  • 📚 SOC analyst skill development
  • 🎯 Capture-the-flag (CTF) and training exercises

❌ NEVER USE THIS PLATFORM FOR:

  • ❌ Processing any sensitive, confidential, or production data

⚖️ Legal Disclaimer:

This software is provided "AS IS" for educational purposes, with no warranty or guarantee of security. Users are solely responsible for ensuring appropriate use in isolated lab environments. The authors are not liable for any damages or security incidents resulting from use or misuse of this platform.


🎯 About CyberBlue

CyberBlue is an open-source, all-in-one cybersecurity training platform that provides hands-on experience with industry-standard security tools. Built specifically for educational purposes, it allows students, security professionals, and enthusiasts to learn SOC operations, threat hunting, incident response, and security automation in a safe, isolated environment.

🌐 Website (not up yet): https://cyberblue.co
📖 Documentation: Available in this repository
🎓 Purpose: Educational and training use
📜 License: MIT (Open Source)
⚠️ Version: 1.0-beta (Initial Release)

What It Does:

CyberBlue turns Blue Team security tool deployment into a near one-command process. Built with Docker Compose and fronted by a dark-themed web portal, it provides access to enterprise-grade security tools in minutes rather than days, which makes it well suited to learning and practicing security operations.

🌟 Why CyberBlue for Learning?

  • 🚀 Instant Lab Deployment: Complete SOC training environment in about 30 minutes
  • 🎓 Education Focused: Pre-configured with sample data for hands-on learning
  • 🎨 Modern Interface: Beautiful dark-themed portal for easy tool access
  • 🔧 Realistic Setup: Experience real security tools used in production SOCs
  • 🤖 Smart Configuration: Automatic network detection and setup
  • 📊 Sample Data Included: Arkime with network captures, Suricata with 50K+ events
  • 🔍 Threat Hunting Ready: YARA (523 rules) & Sigma (3,047 rules) pre-installed
  • 📚 Learning Resources: Comprehensive documentation and guides
  • 🌐 Free & Open Source: No licensing costs, perfect for students and labs

🛡️ Security Tools Included

📊 SIEM & Monitoring

  • Wazuh - Host-based intrusion detection and log analysis
  • Suricata - Network intrusion detection and prevention
  • EveBox - Suricata event and alert management

🕵️ DFIR & Forensics

  • Velociraptor - Endpoint visibility and digital forensics
  • Arkime - Full packet capture and network analysis
  • Wireshark - Network protocol analyzer

🧠 Threat Intelligence

  • MISP - Threat intelligence platform, auto-populated from indicator feeds during installation

SOAR & Automation

  • Shuffle - Security orchestration and automation
  • TheHive - Incident response platform
  • Cortex - Observable analysis engine

🔧 Utilities & Management

  • CyberChef - Cyber Swiss Army knife
  • Portainer - Container management interface
  • FleetDM - Device management and osquery fleet manager
  • Caldera - Adversary emulation platform

🔍 Threat Hunting & Detection

  • YARA - Pattern matching for malware detection and classification

    • Installation: Direct host install (no container overhead)
    • Rules: 523+ curated rules from Yara-Rules
    • Location: /opt/yara-rules/
    • Usage: yara -r /opt/yara-rules/malware_index.yar /path/to/file (-r recurses into directories, so the target may also be a directory tree)
    • Integration: Works with Velociraptor, TheHive/Cortex, and CLI
  • Sigma - Universal SIEM rule format and converter

    • Installation: Sigma CLI installed on host
    • Rules: 3,047+ detection rules from SigmaHQ
    • Location: /opt/sigma-rules/
    • Usage: Convert rules to OpenSearch/Elasticsearch (Lucene) queries for the Wazuh indexer
    • Command: sigma convert -t opensearch_lucene --without-pipeline rule.yml
    • Caveat: --without-pipeline leaves Sigma's generic field names (Image, CommandLine, ...) untouched, so the query only matches if the target index uses exactly those names; pass a processing pipeline with -p to map them to the field names your Wazuh or Suricata index actually uses
    • Integration: Generate queries for Wazuh, Suricata (EVE) data, and EveBox
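The conversion step above is where most Sigma deployments go wrong: a rule written against Sysmon field names produces a query that silently matches nothing once it reaches an index with different field names. The following is an added example (not code from CyberBlue, SigmaHQ or pySigma) of a minimal Sigma-to-Lucene converter in which the "pipeline" is just a field-rename table, so the effect of running with and without one is visible side by side. The rule content, the `WAZUH_SYSMON_PIPELINE` mapping and the `data.win.eventdata.*` field names are constructed for illustration and must be checked against a real index mapping; real conversion should use sigma-cli.

```python
"""
Added example (not code from CyberBlue or SigmaHQ): a minimal Sigma -> Lucene
converter that makes the role of a processing pipeline visible. Handles the
common subset only: field|contains|startswith|endswith, value lists, and
and/or/not conditions. Real conversion should use sigma-cli / pySigma.
"""
from __future__ import annotations
import re

# Constructed sample: the parsed form of a typical SigmaHQ process_creation rule.
SAMPLE_RULE = {
    "title": "Certutil download (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["urlcache", "-split"],
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}

# Hypothetical field map standing in for a pySigma processing pipeline.
# The real Wazuh index field names must be checked against the index mapping.
WAZUH_SYSMON_PIPELINE = {
    "Image": "data.win.eventdata.image",
    "CommandLine": "data.win.eventdata.commandLine",
    "ParentImage": "data.win.eventdata.parentImage",
}

LUCENE_SPECIALS = set('+-!(){}[]^"~*?:\\/ &|')


def _escape(value) -> str:
    """Backslash-escape Lucene query-syntax characters in a literal value."""
    return "".join("\\" + c if c in LUCENE_SPECIALS else c for c in str(value))


def _field_clause(field_spec: str, value, pipeline: dict) -> str:
    """'Field|modifier: value(s)' -> one Lucene clause (a list becomes an OR)."""
    field, *mods = field_spec.split("|")
    field = pipeline.get(field, field)  # the pipeline step: rename the field
    values = value if isinstance(value, list) else [value]
    clauses = []
    for v in values:
        ev = _escape(v)
        if "contains" in mods:
            clauses.append(f"{field}:*{ev}*")
        elif "startswith" in mods:
            clauses.append(f"{field}:{ev}*")
        elif "endswith" in mods:
            clauses.append(f"{field}:*{ev}")
        else:
            clauses.append(f"{field}:{ev}")
    return clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"


def _selection_query(selection, pipeline: dict) -> str:
    """A selection dict is an AND of its fields; a list of dicts is an OR."""
    if isinstance(selection, list):
        return "(" + " OR ".join(_selection_query(s, pipeline) for s in selection) + ")"
    return " AND ".join(_field_clause(k, v, pipeline) for k, v in selection.items())


def _parse_condition(tokens: list, named: dict) -> str:
    """Recursive descent over 'a and not b or (c)'; not > and > or, as in Sigma."""
    def expr():
        left = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            left = f"{left} OR {term()}"
        return left

    def term():
        left = factor()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            left = f"{left} AND {factor()}"
        return left

    def factor():
        tok = tokens.pop(0)
        if tok == "not":
            return f"NOT {factor()}"
        if tok == "(":
            inner = expr()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in condition")
            return f"({inner})"
        if tok not in named:  # e.g. '1 of selection*' is not supported here
            raise ValueError(f"unsupported condition token: {tok}")
        return f"({named[tok]})"

    result = expr()
    if tokens:
        raise ValueError(f"trailing tokens in condition: {tokens}")
    return result


def sigma_to_lucene(rule: dict, pipeline: dict | None = None) -> str:
    """Convert one Sigma rule (parsed YAML as a dict) to a Lucene query string."""
    detection = rule["detection"]
    pipeline = pipeline or {}
    named = {name: _selection_query(sel, pipeline)
             for name, sel in detection.items() if name != "condition"}
    tokens = re.findall(r"\(|\)|[^\s()]+", detection["condition"])
    return _parse_condition(tokens, named)


if __name__ == "__main__":
    print("without pipeline:", sigma_to_lucene(SAMPLE_RULE))
    print("with pipeline:   ", sigma_to_lucene(SAMPLE_RULE, WAZUH_SYSMON_PIPELINE))
```

Run it and compare the two lines: the first query asks the index for a field literally called `Image`, which a Wazuh Sysmon index does not have, so the rule would never fire; the second asks for the mapped name. That is the difference `--without-pipeline` hides.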

NEW: Agent Deployment & Threat Intelligence Hub

Portal now includes enterprise-grade agent deployment and threat intelligence features:

🔵 Agent Deployment (Agents Tab)

  • Velociraptor - DFIR agent deployment (Windows, Linux, macOS)
  • Wazuh - HIDS agent deployment (Windows, Linux)
  • Caldera - Red team/adversary emulation deployment
  • Arkime PCAP - One-click network traffic capture
  • Shuffle - SOAR integration guide for 12 tools

Zero-configuration packages with auto-extracted certificates and secrets! Because the packages embed the server certificates and enrollment secrets, treat a downloaded package like a credential rather than a throwaway installer.

🧠 Threat Intelligence (Intel Tab)

  • IOC Search - Instant search across MISP database
  • Auto-populated MISP - 280K+ indicators from 5 threat feeds
  • Daily auto-updates - Fresh threat intel every day
  • Recent Events - Latest threat intelligence
  • Feed Sync - On-demand feed updates

Fully automated - MISP populates automatically during installation!

⚡ Quick Update — Force-Refresh MISP Feeds

  1. Log in to your MISP web UI as admin and set the password (if it’s your first login).
  2. From the repository root, run:
bash misp/configure-threat-feeds.sh

🚀 Quick Start

📋 System Requirements

  • RAM: 16+ GB recommended
  • Storage: 150GB+ free disk space
  • OS: Ubuntu 22.04+ LTS on x86_64 (AMD/Intel); tested on 22.04.5 and 24.04.2
  • Network: Internet connection for downloads

Simple Installation

Complete the CyberBlueSOC installation in a few commands:

# Clone and install CyberBlue SOC
git clone https://github.com/CyberBlu3s/CyberBlue.git
cd CyberBlue
chmod +x cyberblue_install.sh
./cyberblue_install.sh

That's it! This will:

  • ✅ Install all prerequisites (Docker, Docker Compose, system optimizations)
  • ✅ Configure 8GB swap space for system stability (prevents hanging/crashes)
  • ✅ Deploy all 15+ security tools automatically
  • ✅ Install YARA (523+ malware rules) and Sigma (3,047+ detection rules)
  • ✅ Configure networking and SSL certificates
  • ✅ Set up portal access (authentication removed for ease of use)
  • ✅ Works on AWS, VMware and VirtualBox (other platforms untested; try them and report back)
  • ✅ Complete setup in about 30 minutes

🌐 Access Your SOC Lab

After installation, access your security lab at:

  • 🔒 Portal: https://YOUR_SERVER_IP:5443 (no authentication required)
  • 🛡️ Tools: Available on ports 7000-7099
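Given that the portal and the tools behind ports 7000-7099 ship without authentication and with default passwords, the one check worth running after install is whether those ports are listening on anything other than loopback. The following is an added example (not part of CyberBlue) that parses the output of the Linux `ss -lnt` command and lists lab ports bound to a wildcard or non-loopback address. The column layout assumed for `ss -lnt` (fourth column is Local Address:Port) and the sample output are constructed for illustration.

```python
"""
Added example (not CyberBlue's own code): list which lab service ports are
listening on non-loopback addresses, i.e. reachable by anything that can
route to the host. Ports follow the README: portal 5443, tools 7000-7099.
"""
from __future__ import annotations
import shutil
import subprocess

PORTAL_PORT = 5443
TOOL_PORTS = range(7000, 7100)  # 7000-7099 as documented

# Constructed sample in the `ss -lnt` format on Linux (assumption: the fourth
# whitespace-separated column is Local Address:Port; IPv6 is bracketed).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:5443        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:7005      0.0.0.0:*
LISTEN 0      4096   [::]:7010           [::]:*
LISTEN 0      4096   127.0.0.1:7011      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def is_lab_port(port: int) -> bool:
    """True for the portal port and the documented tool port range."""
    return port == PORTAL_PORT or port in TOOL_PORTS


def is_loopback(addr: str) -> bool:
    """Only loopback binds are unreachable from other hosts; '*', '0.0.0.0'
    and '::' are wildcards and therefore count as exposed."""
    return addr == "::1" or addr.startswith("127.")


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (address, port) for every LISTEN line of `ss -lnt` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or an unexpected line
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_lab_ports(ss_output: str) -> list[tuple[str, int]]:
    """Lab ports bound to a wildcard or non-loopback address, sorted by port."""
    exposed = [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if is_lab_port(port) and not is_loopback(addr)
    ]
    return sorted(exposed, key=lambda ap: ap[1])


if __name__ == "__main__":
    if shutil.which("ss"):
        output = subprocess.run(["ss", "-lnt"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_SS_OUTPUT  # fall back to the constructed sample
    for addr, port in exposed_lab_ports(output):
        print(f"EXPOSED {addr}:{port}")
```

Anything this prints is reachable by every host that can route to the machine, with no login in the way; on a cloud VM that means the security group or host firewall is the only control, so check it before leaving the lab running.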

🛡️ What Gets Installed

The installation automatically:

  • ✅ Deploys 15+ integrated security tools
  • ✅ Configures 8GB swap space (prevents system hanging and OOM crashes)
  • ✅ Installs YARA with 523+ malware detection rules
  • ✅ Installs Sigma CLI with 3,047+ universal detection rules
  • ✅ Configures the HTTPS portal (TLS on the wire only; direct access with no login)
  • ✅ Sets up network monitoring with Suricata and Arkime
  • ✅ Initializes threat intelligence with MISP
  • ✅ Configures SIEM with Wazuh and EveBox
  • ✅ Sets up incident response with TheHive and Cortex
  • ✅ Deploys automation platform with Shuffle
  • ✅ Creates SSL certificates and security credentials
  • ✅ Optimizes system for container workloads

🌐 Access Your Security Lab

After installation, access your tools at:

🔒 Main Portal:

ht
