Blue P.E.A.R is a network security monitoring (NSM) tool suite built for blue teams that deploy to a network to hunt. It grew out of the need for a more efficient and lightweight NSM for network-based (passive) threat hunting. Blue P.E.A.R allows an analyst to:
- seamlessly transition between log review and netflow or full packet capture analysis
- single-handedly deploy a kit and conduct hunts
- operate on a hardware-constrained network
- make use of various open-source analytic frameworks, Bro scripts, and Logstash configs for data enrichment
- employ up-to-date versions of Elastic applications
- utilize training aids (workflows and hunt matrix templates)
Blue P.E.A.R consists of three virtual machines, which can be downloaded from the following links:
Elastic VM - https://mega.nz/#F!TOBnkSpY!VCkwPDRAUQIEtcBcsLBVVg
sensor VM - https://mega.nz/#F!TLZBDaRJ!LVctFasi8QHyRWGTtEC1IA
analyst workstation VM - https://mega.nz/#F!zGIhTaZB!qpNOCt9UrZKmW4-E_peBkQ