🎓 Learning & Training Platform - Deploy 15+ integrated security tools for cybersecurity education and testing
CyberBlue is a comprehensive, containerized cybersecurity LEARNING PLATFORM that brings together industry-leading open-source tools for SIEM, DFIR, CTI, SOAR, and Network Analysis.
🚀 Want to deploy CyberBlueSOC step-by-step in less than 60 minutes?
Download the Free 36-Page Installation and User Guide that walks you through setup and key configurations. 👉 Access it here: cyberblue.co
- 🔴 NO SECURITY GUARANTEES - No warranties, not suitable for processing real sensitive data or monitoring production systems
- 🔴 DEFAULT CREDENTIALS - All tools use well-known default passwords (admin/cyberblue, etc.)
- 🔴 NO AUTHENTICATION - Portal has authentication removed for ease of lab access
- 🔴 DEVELOPMENT BUILD - This is beta software for learning purposes
- 🎓 Cybersecurity training courses and certifications
- 🧪 Security tool evaluation and testing
- 🏫 Academic institutions and research labs
- 💻 Home lab environments (isolated from production)
- 📚 SOC analyst skill development
- 🎯 Capture-the-flag (CTF) and training exercises
- ❌ Processing any sensitive, confidential, or production data
This software is provided "AS IS" for educational purposes. No warranty or guarantee of security. Users are solely responsible for ensuring appropriate use in isolated lab environments. Not liable for any damages or security incidents resulting from use or misuse of this platform.
CyberBlue is an open-source, all-in-one cybersecurity training platform that provides hands-on experience with industry-standard security tools. Built specifically for educational purposes, it allows students, security professionals, and enthusiasts to learn SOC operations, threat hunting, incident response, and security automation in a safe, isolated environment.
🌐 Website-NotUpYet: https://cyberblue.co
📖 Documentation: Available in this repository
🎓 Purpose: Educational and training use
📜 License: MIT (Open Source)
CyberBlue transforms Blue Team cybersecurity tool deployment into a like one-command solution. Built with Docker Compose and featuring a beautiful web portal, it provides enterprise-grade security tool access in minutes, not days - perfect for learning and practicing security operations.
- 🚀 Instant Lab Deployment: Complete SOC training environment in about 30 minutes
- 🎓 Education Focused: Pre-configured with sample data for hands-on learning
- 🎨 Modern Interface: Beautiful dark-themed portal for easy tool access
- 🔧 Realistic Setup: Experience real security tools used in production SOCs
- 🤖 Smart Configuration: Automatic network detection and setup
- 📊 Sample Data Included: Arkime with network captures, Suricata with 50K+ events
- 🔍 Threat Hunting Ready: YARA (523 rules) & Sigma (3,047 rules) pre-installed
- 📚 Learning Resources: Comprehensive documentation and guides
- 🌐 Free & Open Source: No licensing costs, perfect for students and labs
- Wazuh - Host-based intrusion detection and log analysis
- Suricata - Network intrusion detection and prevention
- EveBox - Suricata event and alert management
- Velociraptor - Endpoint visibility and digital forensics
- Arkime - Full packet capture and network analysis
- Wireshark - Network protocol analyzer
- MISP - Threat intelligence platform
- MITRE ATT&CK Navigator - Threat modeling and visualization
- Shuffle - Security orchestration and automation
- TheHive - Incident response platform
- Cortex - Observable analysis engine
- CyberChef - Cyber Swiss Army knife
- Portainer - Container management interface
- FleetDM - Device management and osquery fleet manager
- Caldera - Adversary emulation platform
-
YARA - Pattern matching for malware detection and classification
- Installation: Direct host install (no container overhead)
- Rules: 523+ curated rules from Yara-Rules
- Location:
/opt/yara-rules/ - Usage:
yara -r /opt/yara-rules/malware_index.yar /path/to/file - Integration: Works with Velociraptor, TheHive/Cortex, and CLI
-
Sigma - Universal SIEM rule format and converter
- Installation: Sigma CLI installed on host
- Rules: 3,047+ detection rules from SigmaHQ
- Location:
/opt/sigma-rules/ - Usage: Convert rules to Wazuh/OpenSearch/Elasticsearch format
- Command:
sigma convert -t opensearch_lucene --without-pipeline rule.yml - Integration: Generate rules for Wazuh, Suricata, and EveBox
Portal now includes enterprise-grade agent deployment and threat intelligence features:
- Velociraptor - DFIR agent deployment (Windows, Linux, macOS)
- Wazuh - HIDS agent deployment (Windows, Linux)
- Caldera - Red team/adversary emulation deployment
- Arkime PCAP - One-click network traffic capture
- Shuffle - SOAR integration guide for 12 tools
Zero-configuration packages with auto-extracted certificates and secrets!
- IOC Search - Instant search across MISP database
- Auto-populated MISP - 280K+ indicators from 5 threat feeds
- Daily auto-updates - Fresh threat intel every day
- Recent Events - Latest threat intelligence
- Feed Sync - On-demand feed updates
Fully automated - MISP populates automatically during installation!
- Log in to your MISP web UI as admin and set the password (if it’s your first login).
- From the repository root, run:
bash misp/configure-threat-feeds.sh- RAM: 16+ GB recommended
- Storage: 150GB+ free disk space
- OS: Ubuntu 22.04+ LTS (tested on 22.04.5 & 24.04.2) Ubuntu x86_64 (AMD/Intel)
- Network: Internet connection for downloads
Complete CyberBlueSOC installation in few commands:
# Clone and install CyberBlue SOC
git clone https://github.com/CyberBlu3s/CyberBlue.git
cd CyberBlue
chmod +x cyberblue_install.sh
./cyberblue_install.shThat's it! This will:
- ✅ Install all prerequisites (Docker, Docker Compose, system optimizations)
- ✅ Configure 8GB swap space for system stability (prevents hanging/crashes)
- ✅ Deploy all 15+ security tools automatically
- ✅ Install YARA (523+ malware rules) and Sigma (3,047+ detection rules)
- ✅ Configure networking and SSL certificates
- ✅ Set up portal access (authentication removed for ease of use)
- ✅ Works on AWS, VMware, VirtualBox, you can test others :)
- ✅ Complete setup in about 30 minutes
After installation, access your security lab at:
- 🔒 Portal:
https://YOUR_SERVER_IP:5443(no authentication required) - 🛡️ Tools: Available on ports 7000-7099
The installation automatically:
- ✅ Deploys 15+ integrated security tools
- ✅ Configures 8GB swap space (prevents system hanging and OOM crashes)
- ✅ Installs YARA with 523+ malware detection rules
- ✅ Installs Sigma CLI with 3,047+ universal detection rules
- ✅ Configures secure HTTPS portal (direct access, no login required)
- ✅ Sets up network monitoring with Suricata and Arkime
- ✅ Initializes threat intelligence with MISP
- ✅ Configures SIEM with Wazuh and EveBox
- ✅ Sets up incident response with TheHive and Cortex
- ✅ Deploys automation platform with Shuffle
- ✅ Creates SSL certificates and security credentials
- ✅ Optimizes system for container workloads
After installation, access your tools at:
🔒 Main Portal:
https://YOUR_SERVER_IP:5443
No authentication required - direct access
🛡️ Individual Tools (ports 7000-7099):
- Velociraptor: https://YOUR_SERVER_IP:7000 (admin/cyberblue)
- Wazuh: https://YOUR_SERVER_IP:7001 (admin/SecretPassword)
- Shuffle: https://YOUR_SERVER_IP:7002 (admin/password)
- MISP: https://YOUR_SERVER_IP:7003 ([email protected]/admin)
- CyberChef: http://YOUR_SERVER_IP:7004 (no auth)
- TheHive: http://YOUR_SERVER_IP:7005 ([email protected]/secret)
- Cortex: http://YOUR_SERVER_IP:7006 (admin/cyberblue123)
- FleetDM: http://YOUR_SERVER_IP:7007 (setup required)
- Arkime: http://YOUR_SERVER_IP:7008 (admin/admin)
- Caldera: http://YOUR_SERVER_IP:7009 (red:cyberblue, blue:cyberblue)
- EveBox: http://YOUR_SERVER_IP:7015 (no auth)
- Wireshark: http://YOUR_SERVER_IP:7011 (admin/cyberblue)
- MITRE Navigator: http://YOUR_SERVER_IP:7013 (no auth)
- Portainer: https://YOUR_SERVER_IP:9443 (admin/cyberblue123)
- ⚡ Quick Reference - Essential commands and access information
- 🔍 Arkime Setup - Network analysis with sample data
- ⚙️ Tool Configurations - Advanced tool setup and customization
- 🔌 API Reference - Portal API documentation
- 🔧 Troubleshooting - Common issues and solutions
The CyberBlue Portal provides a secure, unified interface for managing your security lab:
- Real-time container status monitoring (30+ containers)
- System resource utilization tracking
- Security metrics and trends visualization
- Activity logging and comprehensive changelog
- Container health indicators with status alerts
- One-click start/stop/restart controls for all services
- Health status indicators with real-time updates
- Resource usage monitoring and alerts
- Log viewing capabilities for troubleshooting
- Automated container monitoring and recovery
- Tool categorization (SIEM, DFIR, CTI, SOAR, Utilities)
- Quick access to all 15+ security tools
- Integration status monitoring across platforms
- Security posture dashboard with threat metrics
- Automated service health checking
- Global tool search functionality
- Category-based filtering (SIEM, DFIR, CTI, etc.)
- Status-based filtering (Running, Stopped, Critical)
- Organized tool layout with descriptions and credentials
CyberBlue uses a microservices architecture with Docker Compose:
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ CyberBlue │ │ SIEM Stack │ │ DFIR Stack │
│ Portal │ │ │ │ │
│ (Flask App) │ │ • Wazuh │ │ • Velociraptor │
│ │ │ • Suricata │ │ • Arkime │
│ │ │ • EveBox │ │ • Wireshark │
└─────────────────┘ └─────────────────┘ └─────────────────┘
│ │ │
└───────────────────────┼───────────────────────┘
│
┌─────────────────┐ ┌┴─────────────────┐ ┌─────────────────┐
│ CTI Stack │ │ Docker Network │ │ SOAR Stack │
│ │ │ (172.18.0.0/16) │ │ │
│ • MISP │ │ │ │ • Shuffle │
│ • MITRE ATT&CK │ │ │ │ • TheHive │
│ │ │ │ │ • Cortex │
└─────────────────┘ └──────────────────┘ └─────────────────┘
- CPU: 8+ cores
- RAM: 16GB+
- Storage: 100GB+ SSD
- Network: Gigabit Ethernet
If installation fails or containers won't start:
# Complete system restart (recommended)
./force-start.sh
# Check all containers (should show 30+ running)
sudo docker ps
# View portal logs
sudo docker logs cyber-blue-portalPortal not accessible:
# Test HTTPS access
curl -k https://localhost:5443/health
# Restart portal
sudo docker-compose restart portalFleet database issues:
# Fix Fleet database
./fix-fleet.sh
# Check Fleet status
sudo docker logs fleet-serverIndividual tool issues:
# Restart specific service
sudo docker-compose restart [service-name]
# Check service logs
sudo docker logs [container-name]
# Check system resources
sudo docker stats./setup-prerequisites.sh- Install all system prerequisites./cyberblue_install.sh- Main CyberBlue installation script./force-start.sh- Emergency restart for all services./fix-fleet.sh- Fix Fleet database issues
What is YARA?
YARA is the industry-standard tool for identifying and classifying malware based on textual or binary patterns.
Installation Location:
- Binary:
/usr/bin/yara - Rules:
/opt/yara-rules/(523+ rules) - Version: 4.1.3
Available Rule Categories:
/opt/yara-rules/
├── malware/ # Malware family detection (APTs, trojans, ransomware)
├── webshells/ # Web shell detection
├── cve_rules/ # CVE exploit detection
├── packers/ # Packer and crypter detection
├── crypto/ # Cryptographic algorithm detection
├── capabilities/ # Malware capability detection
├── email/ # Email-based threat detection
├── exploit_kits/ # Exploit kit detection
└── mobile_malware/ # Android/iOS malwareQuick Start Examples:
# Scan a single file with all malware rules
yara /opt/yara-rules/malware_index.yar /path/to/suspicious_file
# Recursive scan of directory
yara -r /opt/yara-rules/index.yar /path/to/directory
# Scan with specific category (webshells)
yara /opt/yara-rules/webshells_index.yar /var/www/html/
# Fast scan with timeout
yara -f -w -d timeout=60 /opt/yara-rules/malware_index.yar /path/to/files
# Scan memory dumps
sudo yara /opt/yara-rules/malware_index.yar /proc/*/memIntegration Examples:
# Integration with Velociraptor
# Create a hunt artifact that runs YARA against collected files
# Integration with TheHive/Cortex
# Use YARA as a Cortex analyzer for file observables
# Automated scanning script
#!/bin/bash
for file in /path/to/suspicious/*; do
yara -r /opt/yara-rules/malware_index.yar "$file" >> yara_scan_results.log
doneCommon YARA Rule Indexes:
index.yar- All rules combinedmalware_index.yar- All malware ruleswebshells_index.yar- All webshell rulescve_rules_index.yar- All CVE exploit rulescrypto_index.yar- Crypto-related rules
What is Sigma?
Sigma is a generic signature format for SIEM systems, allowing you to write detection rules once and convert them to any SIEM platform.
Installation Location:
- CLI:
/usr/local/bin/sigma - Rules:
/opt/sigma-rules/(3,047+ rules) - Backends: OpenSearch, Elasticsearch, Lucene
Available Rule Categories:
/opt/sigma-rules/
├── rules/ # Main detection rules
│ ├── windows/ # Windows event log rules
│ ├── linux/ # Linux system rules
│ ├── cloud/ # Cloud platform rules (AWS, Azure, GCP)
│ ├── network/ # Network traffic rules
│ ├── application/ # Application-specific rules
│ └── proxy/ # Proxy and web traffic rules
├── rules-threat-hunting/ # Threat hunting focused rules
├── rules-emerging-threats/ # Latest threat intel rules
└── rules-compliance/ # Compliance and audit rulesQuick Start Examples:
# List available conversion targets
sigma list targets
# Convert single rule to OpenSearch (for Wazuh)
sigma convert -t opensearch_lucene --without-pipeline \
/opt/sigma-rules/rules/linux/process_creation/proc_creation_lnx_susp_nohup.yml
# Convert Windows process creation rules to OpenSearch
sigma convert -t opensearch_lucene --without-pipeline \
/opt/sigma-rules/rules/windows/process_creation/*.yml \
-o /tmp/wazuh-rules.json
# Convert all rules in a directory
sigma convert -t lucene --without-pipeline \
/opt/sigma-rules/rules/linux/ \
-o /tmp/linux-detection-rules.txt
# Validate rules before conversion
sigma check /opt/sigma-rules/rules/windows/process_creation/
# Analyze rule coverage
sigma analyze /opt/sigma-rules/rules/Integration with Wazuh:
# Convert Sigma rules to OpenSearch format for Wazuh
sigma convert -t opensearch_lucene --without-pipeline \
/opt/sigma-rules/rules/windows/ \
-o /tmp/wazuh-windows-rules.json
# Apply rules to Wazuh (manual import via Dashboard > Management > Rules)
# Or programmatically via Wazuh APIIntegration with Suricata:
# While Sigma doesn't directly convert to Suricata format,
# you can use the network rules as reference for creating Suricata rules
sigma list /opt/sigma-rules/rules/network/Common Use Cases:
# 1. Detect PowerShell abuse
sigma convert -t opensearch_lucene --without-pipeline \
/opt/sigma-rules/rules/windows/powershell/ -o powershell-detections.json
# 2. Detect lateral movement
sigma convert -t opensearch_lucene --without-pipeline \
/opt/sigma-rules/rules/windows/builtin/security/win_security_susp_failed_logons.yml
# 3. Detect ransomware indicators
find /opt/sigma-rules/rules -name "*ransom*" -o -name "*crypt*" | \
xargs sigma convert -t opensearch_lucene --without-pipeline
# 4. Cloud security monitoring (AWS/Azure/GCP)
sigma convert -t opensearch_lucene --without-pipeline \
/opt/sigma-rules/rules/cloud/ -o cloud-detections.jsonRule Statistics:
- Total Sigma Rules: 3,047+
- Windows Rules: 2,500+
- Linux Rules: 200+
- Cloud Rules: 150+
- Network Rules: 100+
- Application Rules: 97+
Best Practices:
- Test rules before deployment: Use
sigma checkto validate - Start with high-confidence rules: Focus on emerging-threats category
- Tune for your environment: Adjust thresholds and conditions
- Regular updates: Pull latest rules weekly
- Document custom rules: Keep your own rule repository
Auto-Update Configuration:
CyberBlue automatically updates YARA and Sigma rules every Sunday at 2:00 AM via cron.
# View configured auto-update schedule
crontab -l | grep -E "yara|sigma"
# Manual update anytime
cd /opt/yara-rules && git pull
cd /opt/sigma-rules && git pull
# Check update logs
tail -f /var/log/yara-update.log
tail -f /var/log/sigma-update.log
# Disable auto-update (if needed)
crontab -l | grep -v "yara-rules\|sigma-rules" | crontab -Update Schedule:
- YARA Rules: Every Sunday at 2:00 AM →
/var/log/yara-update.log - Sigma Rules: Every Sunday at 2:05 AM →
/var/log/sigma-update.log - Automatic: Configured during installation, no manual setup required
CyberBlue includes built-in monitoring:
- Container Health: Real-time status monitoring
- Resource Usage: CPU, memory, disk utilization
- Network Isolation: Deploy only in isolated lab networks, never on production
- Access Control: Default credentials are intentionally simple for lab use
- SSL/TLS: Self-signed certificates included (accept warnings in lab)
- Firewall: Keep isolated from production systems
- Data: Never process real sensitive data with this platform
- 🌍 Official Website (Not Up Yet): https://cyberblue.co
- 📚 Documentation: Available in this repository
- ⭐ Star the Project: Help others discover CyberBlue!
This project is licensed under the MIT License - see the LICENSE file for details.
Educational Use Only - Not for production security operations.
This project stands on the shoulders of giants. We are deeply grateful to the entire open-source security community:
- Wazuh - For the exceptional open-source SIEM platform
- The Hive Project - For TheHive and Cortex incident response tools
- Yara-Rules Community - For 523+ curated malware detection signatures
- SigmaHQ & Florian Roth - For 3,047+ universal SIEM detection rules
- Velociraptor - For the powerful DFIR platform
- Arkime Project - For full packet capture and analysis
- MISP Project - For threat intelligence sharing
- Shuffle - For security automation and orchestration
- Suricata - For network intrusion detection
- EveBox - For Suricata event management
- FleetDM - For osquery fleet management
- Caldera - For adversary emulation
- CyberChef - For the Swiss Army knife of cyber operations
- Portainer - For container management
- GCHQ - For CyberChef and inspiring security innovation
- MITRE Corporation - For the ATT&CK framework that revolutionized threat intelligence
- Elastic - For Elasticsearch and the ELK stack foundation
- Florian Roth (Neo23x0) - Sigma rules, YARA expertise, and tireless security research
- All YARA rule authors who share their detection knowledge
- All Sigma rule contributors improving detection capabilities daily
- Docker community for containerization best practices
- Every security researcher who open-sources their work
This platform is designed for LEARNING and TRAINING purposes only.
- ✅ Perfect for: Cybersecurity education, hands-on training, skill development
- ❌ Never use for: real security operations, sensitive data
⭐ Star this repository if you find it useful for learning!
🌐 Visit cyberblue.co for tutorials and guides (Not Up Yet)
CyberBlue v1.0-beta - Educational Cybersecurity Training Platform