
Tools SOC

Melvin PETIT edited this page Jun 17, 2026 · 1 revision

Tools, SOC / Detection & Response

14 tools covering a full SOC stack: SIEM, XDR, NDR, CTI, SOAR, endpoint and network forensics.

Deploy any of them with ./medusa.sh deploy <name> or via the interactive menu (option 1).

| Tool | Type | Role |
| --- | --- | --- |
| wazuh | docker | SIEM/XDR, detection, response, compliance |
| security-onion | vm | NDR, network monitoring (Suricata + Zeek) |
| suricata | docker | High-performance network IDS/IPS |
| zeek | docker | Passive network traffic analysis |
| opencti | docker | CTI platform, threat intelligence |
| misp | docker | Indicators of compromise sharing |
| dfir-iris | docker | Case management, forensic investigation |
| cortex | docker | Observable enrichment and active response |
| velociraptor | docker | Endpoint forensics and threat hunting |
| shuffle | docker | SOAR, orchestration and automation |
| yara | cli | Malware detection rules |
| grr | docker | Remote incident response (Google) |
| arkime | docker | Network packet capture and indexing |
| sigma | cli | Generic multi-SIEM detection rules |

wazuh

SIEM/XDR. Clones the official wazuh-docker single-node stack, generates indexer certificates, then starts the containers.

  • Dashboard: https://localhost:443 — user admin, password SecretPassword (upstream default, change it)
  • API: https://localhost:55000
  • Other ports: 1514 (agent), 1515 (enrollment), 514/udp (syslog)

security-onion

vm type. NDR built on Suricata + Zeek. Medusa prints manual deployment instructions (ISO install on VirtualBox/VMware); there is no automated container deployment. Upstream: Security-Onion-Solutions/securityonion.

suricata

High-performance IDS/IPS. Medusa writes a compose file (image jasonish/suricata:8.0.5, network_mode: host, capabilities NET_ADMIN/NET_RAW/SYS_NICE) and auto-detects the default network interface to monitor. Logs and rules are mounted from the tool directory.
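As an added illustration (not Medusa's own code), the shape of compose file described above, generated by a small POSIX shell helper that reads the default-route interface from the routing table. The function names, the in-container paths for logs and rules, and the exact interface-detection method are assumptions, not taken from medusa.sh.

```shell
# Added example, not part of the Medusa project. Renders and writes a Suricata
# compose file matching the settings this page lists; helper names are assumed.
set -eu

# Interface carrying the default route ("default via ... dev eth0 ...").
# Prints nothing if `ip` is unavailable or no default route exists.
detect_default_iface() {
  ip route show default 2>/dev/null \
    | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Render the compose file to stdout for a given interface and tool directory.
# host networking + NET_ADMIN/NET_RAW/SYS_NICE is the minimum Suricata needs to
# sniff the host interface; it also means the container sees all host traffic,
# so keep the log/rules directories and the socket owner-only (see Security).
render_suricata_compose() {
  iface="$1"
  tooldir="$2"
  cat <<EOF
services:
  suricata:
    image: jasonish/suricata:8.0.5
    container_name: suricata
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    command: -i ${iface}
    volumes:
      - ${tooldir}/logs:/var/log/suricata
      - ${tooldir}/rules:/var/lib/suricata/rules
    restart: unless-stopped
EOF
}

# Write <tooldir>/docker-compose.yml; interface is detected unless given.
write_suricata_compose() {
  tooldir="$1"
  iface="${2:-$(detect_default_iface)}"
  [ -n "$iface" ] || { echo "could not detect default interface" >&2; return 1; }
  mkdir -p "$tooldir/logs" "$tooldir/rules"
  render_suricata_compose "$iface" "$tooldir" > "$tooldir/docker-compose.yml"
  echo "$tooldir/docker-compose.yml"
}
```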

zeek

Passive network traffic analysis. Deployed as a Docker container monitoring the host interface; output logs land in the tool directory.

opencti

Cyber threat intelligence platform. Compose stack with a randomly generated admin password.

  • URL: http://localhost:8080 — user admin, password generated and saved to credentials.txt

misp

Malware Information Sharing Platform. Clones MISP/misp-docker.

  • URL: https://localhost:443 — default credentials admin@admin.test / admin (change on first login)

dfir-iris

Incident-response case management.

  • URL: https://localhost:4433 — user administrator, initial password printed in the container logs on first startup

cortex

Observable enrichment and active response (TheHive ecosystem).

  • URL: http://localhost:9001 — create the admin account on first launch

velociraptor

Endpoint forensics and threat hunting.

  • GUI: https://localhost:8889 — agent frontend on port 8000
  • ⚠️ Known issue: the bundled compose references an image that is not published under that name on Docker Hub, so the pull can fail. See Troubleshooting.

shuffle

SOAR, workflow orchestration and automation.

  • URL: http://localhost:3443

yara

cli type. Malware detection rules engine. Installed via the system package manager (apt-get install yara).

  • Command: yara
  • A guided sub-menu (run_yara) offers to scan a file or directory against a rules file.

grr

GRR Rapid Response (Google), remote live forensics.

  • URL: http://localhost:8001 — admin UI on http://localhost:8010

arkime

Full-packet capture and indexing.

  • URL: http://localhost:8005

sigma

cli type. Generic, SIEM-agnostic detection rules. Installed via pip/pipx (sigma-cli, pySigma).

  • Command: sigma
  • Guided sub-menu (run_sigma) helps convert Sigma rules to backend queries.

Credentials shown as "generated" are written to medusa_deployments/<env>/<tool>/credentials.txt (chmod 600). Upstream defaults like Wazuh's SecretPassword should be rotated immediately. See Security.

Next: Tools-GRC · Ports-Reference
