Skip to content

T-Lamour/The-Bridge-Between

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

63 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

The Bridge Between

An open-source SOC for businesses that can't afford a £15k/month MSSP.

Quick Start | The Stack | Use Cases | Deployment | NIST CSF | ISO 27001


The Message

Enterprise SOCs run on six-figure tooling. SMBs run on antivirus and hope for the best. This project is the bridge — a fully functional, automated SOC built entirely on free, open-source tools. Logs in, enriched incidents out, IPs blocked, accounts disabled, no licensing fees.

It takes you from "something might be wrong" to "here's what's wrong, why it matters, what to do next."


Architecture

SOC Architecture

Tool Role Why
OPNsense Firewall + IPS Purpose-built firewall with inbuilt Suricata rules
Wazuh SIEM / XDR Log collection, rule-based detection and vulnerability scanning
n8n SOAR automation Workflow engine; integrates with every tool via REST
MISP Threat intelligence Internal IOC database with feed ingestion
DFIR IRIS Case management Incident tracking from triage to closure
Ansible Configuration management / IaC Agentless playbooks for provisioning and patching
Prometheus Metrics collection Scrapes CPU, memory, disk, and service health
Grafana Dashboards / visualisation Turns Prometheus metrics into infrastructure health and telemetry

Each tool runs as a Docker Compose stack on its own VM. Reasoning: Deployment/00-prerequisites.md.


SOC Dashboard

SOC Dashboard

A single-pane dashboard for quick access to every tool in the stack. If you want a simpler, ready-made alternative, Homepage is a lightweight self-hosted dashboard that integrates with most of the stack out of the box and deploys as an additional Docker Compose service.


Cost Comparison

Solution Cost What You Get
MSSP "SIEM" subscription £120k–£240k/year Repackaged tooling + support
Enterprise security stack £20k–£100k+/year Full ecosystem, if you can afford it
The Bridge Between £0 licensing Fully functional SOC stack

The stack can run a a couple second-hand mini-PCs (Lenovo M920q, HP EliteDesk, Dell Optiplex) with 32–64 GB RAM. Everything else is free.


Quick Start

  1. 00 — Prerequisites — hardware, hypervisor, network plan, VM provisioning
  2. 01 — OPNsense — firewall, VLANs, Suricata IDS, syslog forwarding
  3. 02 — Wazuh — SIEM stack, agent enrolment, syslog receiver
  4. 03 — n8n — SOAR engine, credentials, Wazuh webhook integration
  5. 04 — MISP — threat intel platform, feed configuration, API key
  6. 05 — DFIR IRIS — case management, customer setup, API key
  7. 06 — Integration — end-to-end pipeline wiring and live test
  8. 07 — Ansible — playbooks for provisioning, patching, and hardening
  9. 08 — Prometheus + Grafana — infrastructure metrics and SOC dashboards
  10. 09 — Hardening — TLS, credential rotation, ufw tuning

Estimated deployment time: a week, assuming prerequisites are in place.


What This Project Demonstrates

  • End-to-end SOC pipeline — detection to enriched incident in under 15 seconds
  • Real automation — n8n actively blocks IPs via OPNsense, disables accounts via Entra, and revokes sessions; not just "sends an email"
  • Threat intel integration — AbuseIPDB, OTX AlienVault, abuse.ch (MalwareBazaar / ThreatFox), and MISP all feed enrichment decisions before any case is opened
  • Infrastructure as code — Ansible playbooks provision, patch, and harden the full stack; Proxmox cron handles VM snapshots for rollback
  • Full-stack observability — Prometheus scrapes every VM; Grafana surfaces infrastructure health and security telemetry side-by-side
  • Compliance alignment — full mapping to NIST CSF (all five functions) and ISO 27001 controls
  • Realistic use cases — brute force, account compromise, malicious file download, and C2 beaconing; all fully documented with payloads and timelines

Use Cases

Scenario Source MITRE Technique Automated MTTR
RDP Brute Force Wazuh rule 60106 T1110 ~9 sec
Suspicious Login M365 / Entra T1078, T1110.004 ~11 sec
Malicious File Download Wazuh FIM + abuse.ch MalwareBazaar T1566.002, T1204.002 ~14 sec
C2 Beaconing Suricata ET rules T1071.001, T1571 ~8 sec

Roadmap

Area Improvement Status
IaC Ansible playbooks for provisioning, patching, and hardening Complete
IaC Proxmox cron snapshot strategy for rollback Complete
Monitoring Grafana + Prometheus for infrastructure metrics Complete
Compliance CIS Benchmark checks via Wazuh SCA Planned
Metrics MTTD / MTTR tracking dashboards Planned
Response Automated endpoint isolation via Wazuh active response Planned
Threat Intel Automated IOC ingestion from external MISP feeds Planned
Correlation Improved multi-source alert correlation rules Planned

About

Built and maintained by Tidjani Lamour, Cyber Security Professional.

LinkedIn | Website

If this project is useful to you, star the repo.

About

Fully functional, automated SOC built entirely on free, open-source tools

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages