Blue Team Tools

Blue team tools focus on detection, monitoring, and response. These platforms and utilities help defenders gain visibility, analyze telemetry, and build detections that identify malicious behavior across endpoints and networks.

Wazuh

Wazuh is an open-source SIEM and endpoint security platform that provides log analysis, intrusion detection, file integrity monitoring, and compliance checks. It integrates with Elastic Stack for visualization.

Why it’s useful: Great for learning SIEM fundamentals and understanding how alerts, rules, and log pipelines work.

Difficulty: Intermediate

Tags: SIEM, Endpoint, Monitoring

OSQuery

OSQuery exposes system information through SQL queries, enabling real-time visibility into processes, users, network connections, and more. It is widely used for detection and incident response.

Why it’s useful: Teaches how structured queries can reveal suspicious activity and support threat hunting.

Difficulty: Intermediate

Tags: SQL, Endpoint, Visibility

Sysmon

Sysmon is a Windows system monitoring tool that logs detailed process, network, and registry activity. It is commonly used with SIEMs for detection engineering.

Why it’s useful: Shows how granular telemetry enables high-fidelity detections and behavioral analytics.

Difficulty: Intermediate

Tags: Windows, Telemetry, Detection

Elastic Security

Elastic Security provides SIEM, endpoint protection, and threat hunting capabilities built on the Elastic Stack. It supports rule-based detections, dashboards, and timeline investigations.

Why it’s useful: Helps learners understand modern SIEM workflows and how detection engineering is performed.

Difficulty: Advanced

Tags: SIEM, Hunting, Elastic

CrowdSec

CrowdSec is a collaborative intrusion detection and prevention system that uses community-driven threat intelligence to block malicious IPs. It supports logs from many services.

Why it’s useful: Demonstrates how community defense and shared intel can improve detection and response.

Difficulty: Beginner

Tags: IDS, Community, Threat Intel