[veganjay]

I'm a little confused as to running the Suricata, Zeek and the Elasticsearch stack on Kali. I think of these tools run on a server, rather than a desktop. And it seems like SecurityOnion scratches this niche.

I do like the idea of Kali Purple though - curious to check it out.

[milkshakes]

These tools (-elasticsearch) run on a server that's usually connected to a network tap that collects traffic from endpoints and servers alike.

Running them locally, a tap, and a server are unnecessary.

[_8j50]

Yeah, very unusual. Purpleteam is usually over some prod or prod-like environment.

I think they want you to put this in your purpleteam lab not as your actual defensive stack.

Might work for some folks but imo, the logging/detection/alerting part should alway be your actual prod stack but you can simulate attacks in a lab environment. What I have seen in the industry at large is a lot of purpleteam excercises are done in production, a red team excercise blended with a blue team investigation and response.

[lorenzo95]

From what I can tell they call it a soc in a box. They have a wiki on how you are supposed to build it (on proxmox). Here is a link to their architecture diagram for it. https://gitlab.com/kalilinux/kali-purple/documentation/-/raw... It is intended mostly for training purposes. I think it looks pretty neat for a start. We'll see where the community takes it over the next couple of years.

[mr_toad]

If you have local logs and you’re not in an enterprise environment it makes sense to analyse the logs locally.

[wronglebowski]

IMO this is lowering the barrier of entry to newbies. I work in this space and often users coming out of boot camps that want to set up their own labs for learning have a steep learning curve. Such is the difficulty with entering cybersecurity without an IT background, for better or worse.