Vanguard v2 is a complete rewrite of the original Vanguard. It’s still the same feature rich SIEM with all the functionalities of the original version, but with much more advanced features like context aware incident response, automated threat hunting, and more.
Initially I wanted to continue developing the original version of Vanguard, but I quickly realized that it would be much easier to start from a clean slate. This allowed me to rethink the architecture and implement new features that were not possible with the original version or would have required a lot of work to implement.
Context aware incident response
One of the biggest improvements in Vanguard v2 is the context aware incident response. This means that Vanguard is able to automatically enrich alerts with additional context, such as the user’s role, geographical location, threat intelligence, and more. This allows Vanguard to make more informed decisions automatically, without the need for human intervention.
Automating incident response
One of the most important features of Vanguard is the SOAR. It allows the automation of almost anything, but most importantly handling alerts. This means that before an analyst even sees the alert, Vanguard has already enriched, investigated, and in most cases, resolved it. According to my tests, the average time to handle an incident from the moment it is created is less than 45 seconds.
Centralised log collection and analysis
Vanguard is capable of collecting logs from almost any source. It has built-in support for syslog, Windows Event Log, and many other sources. It can also collect logs from custom sources using the HTTP API. Once the logs have been collected, they are parsed and normalized into a common format. This allows Vanguard to easily analyze and correlate logs from different sources. The logs can easily be queried using RQL which was specifically designed for this project. Vanguard’s log analysis tool is also used in my public Log Analysis Tool.
After the normalizing, Vanguard runs the logs through a set of IOCs to detect possible threats. If an IOC is detected, Vanguard will automatically raise an alert and take the necessary actions.
Email Integration
Vanguard has a built-in email integration that allows sending and receiving of emails. This is useful for example when an analyst needs to communicate with the end-user. Vanguard SOAR is also able to use this integration to notify the analyst, if needed.
Incoming emails will automatically get necessary tags and TLP levels assigned based on some predefined rules. This makes it easier to see which emails are important and which are not.
Technical stuff
The majority of Vanguard’s codebase is written in TypeScript. The frontend uses Next.js and the backend runs on Node.js. In this version, I opted to use C++ for Linux & OSX endpoint agents in favor of the original Rust implementation, because I have more experience with C++. The Windows endpoint agent is still written in C#.
Vanguard uses PostgreSQL as the primary database and ElasticSearch for log storage. Some internal parts of the system also use Redis for caching and queuing. The whole project is containerized using Docker for easy deployment and scaling.