

Building an Open Source SOC: Wazuh + TheHive + n8n + Cortex + MISP for Indian SMBs

A production-grade Security Operations Centre runs on five integrated open source components: Wazuh for SIEM, TheHive for case management, n8n for SOAR automation, Cortex for IOC enrichment and MISP for threat intelligence. This is a practical architecture and integration guide.

Published 22 May 2026 | 13 min read | Codesecure SOC Engineering Team | SIEM & SOC

Key Takeaways

  • Five open source components form a complete SOC: Wazuh (SIEM/XDR), TheHive (case management), n8n (SOAR automation), Cortex (IOC analyzers), MISP (threat intelligence).
  • Zero licensing: all components are open source. Cost is infrastructure plus operational time. Massively cheaper than commercial SIEM + SOAR + TIP stack (typically INR 50 lakh - 2 crore per year combined).
  • Production-grade: this stack runs at thousands of organisations globally including financial services, healthcare, governments, defense. Not a hobbyist solution.
  • Integration patterns: Wazuh -> TheHive (alerts to cases), TheHive -> n8n (triggers playbooks), n8n -> Cortex (analyzer invocation), Cortex -> MISP (correlation), MISP -> Wazuh (threat feed integration).
  • Deployment time for Indian SMB: 4-6 weeks for full integrated stack including detection rules, playbooks, dashboards and operational handover.

Why Build a SOC on Open Source for Indian SMBs

Commercial SOC tooling stacks are expensive. Splunk Enterprise Security plus Splunk SOAR plus Recorded Future threat intelligence plus enterprise EDR easily reaches INR 1-3 crore per year for an Indian SMB scale. The licensing math kills the business case before SOC operations even begin.

Open source SOC changes the math. Wazuh + TheHive + n8n + Cortex + MISP delivers equivalent SIEM, case management, SOAR automation, IOC enrichment and threat intelligence capability with zero licensing cost. The trade-off is operational responsibility: you (or your service provider) deploy, integrate, tune, operate. For Indian SMBs the operational cost is dramatically less than the licensing saving.

This is the stack Codesecure operates for managed SOC clients. It is also the stack we deploy for SOC Implementation clients (where the client team operates it themselves). This article explains the architecture and integration so you can evaluate whether to build, hire managed, or do both.

The Five Components and What Each Does

Wazuh: SIEM and XDR Foundation

The detection and log management layer. Ingests logs from endpoints (agents), network devices (syslog), cloud (API/log streams), applications (custom integrations). Correlates events using 5000+ detection rules. Generates alerts. Provides search, dashboards, FIM, vulnerability detection, configuration assessment. Wazuh is the source of truth for what happened in your environment.

TheHive: Incident Case Management

When a Wazuh alert is significant enough to investigate, TheHive turns it into a case. Cases contain: alert evidence, affected assets, observables (IPs, hashes, domains), assigned analyst, timeline of investigation, response actions taken, resolution notes. TheHive maintains the formal incident record and audit trail. Wazuh is good at detection; TheHive is good at managing the human response to detections.

n8n: SOAR Automation Workflows

When the same response action is needed for similar alerts, automate it. n8n is a visual workflow automation tool with 300+ pre-built integrations. SOC use cases: TheHive case created -> n8n triggers, pulls observables, enriches via Cortex, queries MISP for prior intelligence, queries internal asset database, posts enriched context back to TheHive. Or: high-severity alert -> n8n auto-isolates host via EDR API, opens ServiceNow ticket, notifies on-call analyst via PagerDuty, posts in Slack.

Cortex: IOC Analyzers and Responders

When an investigation involves checking observables against threat intelligence, Cortex provides 200+ analyzers covering: VirusTotal (file hash, URL, IP, domain reputation), AbuseIPDB (IP reputation), Shodan (asset fingerprinting), MISP (correlation with internal TI), MalwareBazaar (file analysis), URLhaus, ThreatCrowd, and many vendor-specific analyzers (CrowdStrike, Microsoft Defender, etc.). TheHive invokes Cortex analyzers automatically when observables are added to a case.
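Every Cortex analyzer summarises its findings as taxonomies (a level of info, safe, suspicious or malicious plus namespace, predicate and value), and a case may have several analyzers run on one observable. The code below is an added example for this article, not Cortex or TheHive project code: it collapses several analyzer reports into one verdict and response tier, and treats a failed analyzer as a gap rather than as a clean result. The report shape (a `success` flag and `summary.taxonomies`) is what a finished Cortex job returns; the sample reports, the analyzer names and the tier policy are this example's own constructions.

```python
"""Collapse several Cortex analyzer reports into one verdict per observable.

Added illustration for this article; not code from the Cortex or TheHive
projects. It assumes the report shape a finished Cortex job returns: a
"success" flag and, on success, summary.taxonomies entries carrying
level (info | safe | suspicious | malicious), namespace, predicate, value.
Every report below is constructed sample data, not real analyzer output.
"""

LEVEL_RANK = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}

# Constructed: three analyzer jobs run against one source IP observable.
SAMPLE_REPORTS = {
    "VirusTotal_GetReport_3_1": {
        "success": True,
        "summary": {"taxonomies": [
            {"level": "malicious", "namespace": "VT",
             "predicate": "GetReport", "value": "9 detections"},
        ]},
    },
    "AbuseIPDB_1_0": {
        "success": True,
        "summary": {"taxonomies": [
            {"level": "suspicious", "namespace": "AbuseIPDB",
             "predicate": "Records", "value": "17 reports"},
        ]},
    },
    "MISP_2_1": {
        # Analyzer job failed (MISP unreachable). It must surface as a gap,
        # never be counted silently as "safe".
        "success": False,
        "errorMessage": "connection refused",
    },
}


def aggregate(reports):
    """Return (worst level, analyzers that flagged the observable,
    analyzers whose job failed, number of analyzers that succeeded)."""
    worst = "info"
    flagged, failed, succeeded = [], [], 0
    for analyzer, report in reports.items():
        if not report.get("success"):
            failed.append(analyzer)
            continue
        succeeded += 1
        for tax in report.get("summary", {}).get("taxonomies", []):
            level = str(tax.get("level", "info")).lower()
            if level not in LEVEL_RANK:
                continue  # unknown level from a custom analyzer: skip, do not crash
            if LEVEL_RANK[level] > LEVEL_RANK[worst]:
                worst = level
            if LEVEL_RANK[level] >= LEVEL_RANK["suspicious"]:
                flagged.append((analyzer, tax.get("predicate"), tax.get("value")))
    return worst, flagged, failed, succeeded


def verdict(reports):
    """Map the aggregate onto the response tiers the article's playbooks use.

    Policy (this example's, not Cortex's): only a 'malicious' taxonomy earns
    automated containment; 'suspicious', any failed analyzer, or no successful
    analyzer at all goes to an analyst; 'safe'/'info' from a full set of
    successful analyzers is a close candidate.
    """
    worst, flagged, failed, succeeded = aggregate(reports)
    if worst == "malicious":
        tier = "auto-contain"
    elif worst == "suspicious" or failed or succeeded == 0:
        tier = "analyst-review"
    else:
        tier = "close-candidate"
    return {"level": worst, "tier": tier, "flagged_by": flagged, "gaps": failed}


if __name__ == "__main__":
    import json
    print(json.dumps(verdict(SAMPLE_REPORTS), indent=2))
```

The same logic applies in Step 3 of the workflow further down, where TheHive posts analyzer reports back to the case: the value of reading the taxonomies rather than only the colour of the report tag is that a connection failure to MISP or VirusTotal shows up as "gaps" in the case instead of an observable that looks clean.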

MISP: Threat Intelligence Platform

Curated threat intelligence sharing. MISP stores indicators of compromise (IOCs), threat actor profiles, TTPs, malware family information. Pulled from: public feeds (MISP communities, Abuse.ch, CIRCL), commercial feeds (Recorded Future, Mandiant where licensed), sector-specific feeds (FS-ISAC for finance, H-ISAC for healthcare). MISP integrates with Wazuh (so detection rules can match against fresh IOCs), with Cortex (so observables get checked against your MISP corpus), with TheHive (for case context).
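The MISP-to-Wazuh direction is the one that most often goes wrong in practice, because Wazuh consumes indicators through CDB lists (`key:value` text files compiled on the manager) and not directly from MISP. The code below is an added example for this article, not MISP or Wazuh project code: it filters a MISP attribute search result down to IPv4 indicators flagged `to_ids`, writes them in CDB list format, and renders the local rule that matches `srcip` against the list. It assumes the JSON body MISP's `/attributes/restSearch` returns with `returnFormat` json (attributes under `response.Attribute`, each with `type`, `value`, `to_ids` and an `Event` id); the feed entries, list path and rule id are constructed for the example.

```python
"""Export MISP IPv4 indicators as a Wazuh CDB list plus the rule that uses it.

Added illustration for this article, not MISP or Wazuh project code. It
assumes the JSON body MISP's /attributes/restSearch returns (returnFormat
json: a list under response.Attribute, each item with type, value, to_ids
and an Event carrying an id). All feed data below is constructed.
"""
import ipaddress
import json

SAMPLE_MISP_BODY = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True, "Event": {"id": "41"}},
    {"type": "ip-src", "value": "198.51.100.23", "to_ids": True, "Event": {"id": "42"}},
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True, "Event": {"id": "57"}},  # seen twice
    {"type": "ip-dst", "value": "192.0.2.9", "to_ids": False, "Event": {"id": "58"}},   # not for IDS use
    {"type": "ip-dst", "value": "2001:db8::1", "to_ids": True, "Event": {"id": "59"}},  # IPv6
    {"type": "domain", "value": "bad.example", "to_ids": True, "Event": {"id": "60"}},  # other list
    {"type": "ip-dst", "value": "10.0.0.0/8", "to_ids": True, "Event": {"id": "61"}},   # a range, not an IP
    {"type": "ip-dst", "value": "192.168.1.5", "to_ids": True, "Event": {"id": "62"}},  # RFC 1918 noise
    {"type": "ip-dst", "value": "not an ip", "to_ids": True, "Event": {"id": "63"}},    # garbage entry
]}})

IP_TYPES = {"ip-src", "ip-dst"}
# Ranges that would only generate noise if a feed ever carried them.
NOISE_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def misp_ipv4_indicators(body):
    """Return ({ipv4: first event id}, [(rejected value, reason), ...]).

    Only to_ids attributes are exported (MISP's own 'use for detection' flag).
    IPv6 is rejected because ':' is the key/value separator of a CDB list.
    """
    if isinstance(body, str):
        body = json.loads(body)
    keep, rejected = {}, []
    for attr in body.get("response", {}).get("Attribute", []):
        if attr.get("type") not in IP_TYPES:
            continue  # domains, hashes and so on belong in their own lists
        value = str(attr.get("value", "")).strip()
        if not attr.get("to_ids"):
            rejected.append((value, "to_ids false"))
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            rejected.append((value, "not a single IP address"))
            continue
        if ip.version != 4:
            rejected.append((value, "IPv6 cannot be a CDB key"))
            continue
        if any(ip in net for net in NOISE_NETS):
            rejected.append((value, "private/loopback range"))
            continue
        keep.setdefault(str(ip), str(attr.get("Event", {}).get("id", "unknown")))
    return keep, rejected


def render_cdb(indicators):
    """One 'key:value' line per IP, sorted so successive feed pulls diff cleanly."""
    ordered = sorted(indicators.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return "".join(f"{ip}:misp-event-{event}\n" for ip, event in ordered)


def render_rule(list_path="etc/lists/misp-ipv4", rule_id=100100):
    """Local rule (ids 100000 and up are reserved for custom rules) that fires
    when an event's srcip is a key in the list."""
    return f"""<group name="threat_intel,misp,">
  <rule id="{rule_id}" level="10">
    <if_group>firewall|sshd|web</if_group>
    <list field="srcip" lookup="address_match_key">{list_path}</list>
    <description>Source IP matches MISP threat intelligence list</description>
  </rule>
</group>
"""


if __name__ == "__main__":
    keep, rejected = misp_ipv4_indicators(SAMPLE_MISP_BODY)
    print(render_cdb(keep))
    print(render_rule())
    for value, reason in rejected:
        print(f"skipped {value}: {reason}")
```

To use the output on a manager: write the CDB text to `/var/ossec/etc/lists/misp-ipv4`, declare it with `<list>etc/lists/misp-ipv4</list>` inside the `<ruleset>` block of `ossec.conf`, add the rule to `local_rules.xml`, and restart the manager so the list is compiled. Run the export on a schedule, because an indicator list that is not refreshed is stale within days.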

Need a Managed SOC for Your SMB?

Codesecure runs Managed SOC for Indian SMBs using Wazuh + TheHive + n8n + Cortex + MISP open source stack. 24x7 named India-based analysts, fixed-fee monthly retainer, no expensive licensing. ISO/IEC 27001:2022 certified delivery.

See SOC for SMBs →

How They Integrate: The Operational Workflow

The five components form a coherent SOC workflow that mirrors what analysts actually do during an incident:

Step 1: Wazuh Detects

A log event arrives (Windows logon failure, firewall block, AWS GuardDuty finding, custom application alert). A Wazuh correlation rule matches and generates an alert with severity, MITRE ATT&CK technique and affected asset populated. The alert is pushed to TheHive via the Wazuh-TheHive integration.

Step 2: TheHive Creates Case

TheHive receives alert as a 'case'. Observables auto-extracted (IPs, file hashes, usernames, URLs). Severity tagged. Case assigned to on-call analyst (or auto-assigned based on rules). Initial enrichment triggered.

Step 3: Cortex Enriches Observables

TheHive invokes Cortex analyzers on each observable. VirusTotal check on file hash returns reputation. AbuseIPDB check on source IP returns reputation. MISP correlation returns prior intelligence. Internal asset database lookup returns asset criticality. Results posted back to TheHive case as observable reports.

Step 4: n8n Automates Routine Response

Pre-approved playbooks fire for known patterns: known-bad IP -> auto-block at firewall via API. Known-malware hash -> auto-isolate affected host via EDR API. Known phishing campaign -> auto-quarantine email. New observable -> post to internal Slack channel for SOC visibility. Update ServiceNow ticket with enrichment. Notify on-call analyst via PagerDuty.

Step 5: Analyst Investigates and Resolves

Analyst reviews enriched case in TheHive. Decides: false positive (close with reason), genuine but contained (close with response notes), genuine and ongoing (escalate, run additional response actions, coordinate with affected system owners). Case is closed with documented resolution and learnings. New IOCs from the investigation pushed back to MISP for future correlation.
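The glue between Steps 1, 2 and 4 is a small amount of mapping code: the Wazuh alert JSON has to become a TheHive alert with observables already extracted, and n8n has to decide which pre-approved actions apply. The code below is an added example for this article, not Wazuh's custom-integration script, TheHive's API client or an n8n workflow export. It assumes the input is one object from Wazuh's `alerts.json` (fields such as `rule.level`, `rule.mitre.id`, `agent.name`, `data.srcip`, `syscheck.sha256_after`) and that the output follows the TheHive 4/5 v1 alert shape (`type`, `source`, `sourceRef`, `severity` 1-4, `tags`, `observables` with `dataType` and `data`). The sample alert, the rule-level-to-severity thresholds and the playbook rules are this example's constructions, not defaults shipped by any of the tools.

```python
"""Map one Wazuh alert to a TheHive alert and choose the pre-approved playbook.

Added illustration for this article; not Wazuh's integration script,
TheHive's API client or an n8n workflow. Assumptions: input is one object
from Wazuh's alerts.json; output follows the TheHive 4/5 v1 alert shape;
the severity thresholds and playbook rules are this example's own policy.
The alert below is constructed (rule id in the local 100000+ range; the
hash is the SHA-256 of the empty string, used only as a placeholder).
"""
import json

SAMPLE_WAZUH_ALERT = json.loads("""{
  "timestamp": "2026-05-22T08:15:02.123+0530",
  "id": "1716358502.12345",
  "rule": {"id": "100205", "level": 12,
           "description": "Multiple Windows logon failures from same source",
           "mitre": {"id": ["T1110"], "technique": ["Brute Force"]},
           "groups": ["windows", "authentication_failures"]},
  "agent": {"id": "007", "name": "FIN-WS-12", "ip": "10.0.5.12"},
  "data": {"srcip": "203.0.113.7",
           "win": {"eventdata": {"targetUserName": "priya.s"}}},
  "syscheck": {"sha256_after": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
}""")

# Assumed policy: Wazuh rule level 0-15 -> TheHive severity 1 (low) .. 4 (critical).
SEVERITY_THRESHOLDS = ((12, 4), (9, 3), (5, 2))


def severity_from_level(level):
    for floor, severity in SEVERITY_THRESHOLDS:
        if level >= floor:
            return severity
    return 1


def extract_observables(alert):
    """Pull the observable kinds the article lists (IPs, hashes, usernames)."""
    data = alert.get("data", {})
    observables = []
    for key in ("srcip", "dstip"):
        if data.get(key):
            observables.append({"dataType": "ip", "data": data[key], "tags": [f"wazuh:{key}"]})
    for key in ("sha256_after", "md5_after"):
        digest = alert.get("syscheck", {}).get(key)
        if digest:
            observables.append({"dataType": "hash", "data": digest, "tags": ["wazuh:syscheck"]})
    user = data.get("win", {}).get("eventdata", {}).get("targetUserName")
    if user:
        # TheHive ships no username dataType; 'other' plus a tag keeps it searchable.
        observables.append({"dataType": "other", "data": user, "tags": ["username"]})
    return observables


def to_thehive_alert(alert):
    rule, agent = alert["rule"], alert["agent"]
    return {
        "type": "wazuh",
        "source": "wazuh",
        # source + sourceRef must be unique: reusing Wazuh's alert id makes a
        # re-delivered alert a detectable duplicate instead of a second alert.
        "sourceRef": alert["id"],
        "title": f"[{rule['id']}] {rule['description']} on {agent['name']}",
        "description": f"Wazuh alert {alert['id']} at {alert['timestamp']}, "
                       f"agent {agent['name']} ({agent.get('ip', '?')}), level {rule['level']}",
        "severity": severity_from_level(rule["level"]),
        "tags": [f"wazuh-rule:{rule['id']}", f"agent:{agent['name']}"]
                + [f"attack:{t}" for t in rule.get("mitre", {}).get("id", [])],
        "observables": extract_observables(alert),
    }


def select_playbook(thehive_alert, verdict, asset_critical=False):
    """Ordered actions for n8n to run. Containment needs a 'malicious' enrichment
    verdict; anything weaker is handed to an analyst, the safe default for automation."""
    kinds = {o["dataType"] for o in thehive_alert["observables"]}
    actions = []
    if verdict == "malicious":
        if "ip" in kinds:
            actions.append("firewall-block-ip")
        if "hash" in kinds:
            actions.append("edr-isolate-host")
    else:
        actions.append("assign-analyst-review")
    if thehive_alert["severity"] >= 3 and (verdict == "malicious" or asset_critical):
        actions.append("pagerduty-page-oncall")
    actions += ["servicenow-update-ticket", "slack-post-soc-channel"]
    return actions


if __name__ == "__main__":
    payload = to_thehive_alert(SAMPLE_WAZUH_ALERT)
    print(json.dumps(payload, indent=2))
    print(select_playbook(payload, verdict="malicious"))
```

Two design points carry over to a real deployment. First, the `sourceRef` is the Wazuh alert id, so a retry of the integration script cannot create a second TheHive alert for the same event. Second, `select_playbook` only ever adds containment actions on a `malicious` verdict; a suspicious hit or a missing enrichment result routes to an analyst, which is what keeps an auto-block playbook from acting on a false positive.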

Codesecure Deployment Timeline for Indian SMB

Typical 4-6 week deployment for full integrated stack:

Week 1: infrastructure provisioning (5 servers or VMs: Wazuh manager + indexer, TheHive + Cassandra, n8n, Cortex, MISP). Network architecture, TLS certificates, base hardening.

Week 2: Wazuh deployment plus initial agent rollout. Detection rules baseline. Log source onboarding.

Week 3: TheHive deployment. Wazuh-TheHive integration. Case workflow definition. Analyst roles and access control.

Week 4: Cortex deployment. Analyzer configuration (VirusTotal, AbuseIPDB, MISP, internal lookups). TheHive-Cortex integration.

Week 5: MISP deployment. Threat intelligence feed subscriptions. Wazuh-MISP integration. MISP-Cortex integration. n8n deployment plus initial SOAR playbooks.

Week 6: end-to-end testing. Playbook tuning. Analyst training. Operational handover (for Implementation engagements) or transition to Codesecure managed SOC operations.


Frequently Asked Questions

Why these five components specifically and not other open source options?

Wazuh + TheHive + n8n + Cortex + MISP have all been individually battle-tested at scale, have strong open source communities, are documented to integrate with each other (active integration code maintained by the maintainers), and together cover the full SOC workflow. Alternative open source projects exist for each layer (Elastic Security, Velociraptor, StackStorm, OSSEC, OpenCTI) but the five we use are the most mature integrated combination. Codesecure has operated this stack across many client environments and is confident in its production maturity.

Can we deploy just Wazuh without the rest of the stack?

Yes. Many Indian SMBs start with just Wazuh for SIEM and add TheHive, Cortex, MISP, n8n later as their programme matures. Wazuh alone gives you log management, threat detection, FIM, vulnerability detection, compliance reporting. The other components add case management, automation, enrichment, threat intelligence which become valuable once your alert volume crosses about 10-50 per day.

What infrastructure cost should we budget for the full stack?

Typical Indian SMB scale (200-500 endpoints, 5-20 log sources, 30-90 day retention): INR 40K-1.2L per month on AWS/Azure/GCP infrastructure. Multiple VMs or containers across the five components. Self-hosting on existing infrastructure (VMware, Hyper-V, Proxmox) further reduces cost. Codesecure managed SOC includes infrastructure in monthly retainer; SOC Implementation deploys on your infrastructure.

Do all five components have official Indian-language support or are they English only?

Documentation is primarily English. Wazuh has community translations for some languages. UI dashboards are English. Operational language in Codesecure-managed deployments: English for documentation, English, Tamil and Hindi for analyst communication with clients. Local language is rarely a blocker because the operational personas (security engineers, IT admins) are comfortable with English.

Can we run the full stack on-premise without cloud?

Yes. The full stack runs comfortably on commodity hardware in your data centre. Many Indian enterprises (especially banking, manufacturing, defence-adjacent) prefer fully on-premise deployment. Hardware sizing: 5-8 servers or VMs covering the five components. Codesecure supports both cloud and on-premise deployment models. Hybrid is also possible (Wazuh on-premise plus MISP and threat intel feeds via cloud).

How does this compare to a commercial SOAR like Splunk SOAR or Cortex XSOAR?

Commercial SOARs (Splunk SOAR, Palo Alto Cortex XSOAR, IBM Resilient) have more pre-built integrations, more polished UX, vendor support. n8n + Cortex covers the core SOAR use cases at zero licensing cost. For Indian SMBs, the n8n + Cortex approach is operationally adequate; for very large enterprises with hundreds of integrations and complex playbooks, commercial SOAR may be worth the cost. Codesecure recommends n8n + Cortex for SMBs and lets enterprise clients pick based on their specific operational needs.

What does Codesecure deliver under SOC Implementation vs Managed SOC?

SOC Implementation: we deploy the full stack on your infrastructure, train your team, configure rules and playbooks, and hand it over for your team to operate, with an optional support retainer. Best for: organisations with in-house SOC capability or willing to hire. Managed SOC: we operate the stack on your behalf with 24x7 named India-based analysts, monthly metrics and quarterly tuning. Best for: SMBs without dedicated security headcount that prefer a fixed monthly retainer.


Codesecure SOC Engineering Team

ISO/IEC 27001:2022 Certified SOC Engineers

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs Managed SOC for Indian SMBs using the Wazuh + TheHive + n8n + Cortex + MISP open source stack. 24x7 named India-based analysts, automated reporting, no expensive vendor licensing. Built for growing businesses across fintech, healthcare, SaaS, manufacturing and maritime sectors.


Build a Production Open Source SOC for Your Indian SMB

Codesecure deploys Wazuh + TheHive + n8n + Cortex + MISP for Indian SMBs. SOC Implementation (we build, you operate) or Managed SOC (we operate). ISO/IEC 27001:2022 certified delivery, fixed-fee engagements.