Malcolm

Overview 

Malcolm is a powerful open source network traffic analysis tool designed to enhance enterprise security operations. Developed by CISA in collaboration with Idaho National Laboratory (INL), Malcolm enables security teams to process, enrich, and visualize network telemetry for threat detection, compliance, and forensics.

Why Use Malcolm?

• Network Visibility: Ingests full packet capture (PCAP) and flow data to provide deep insights into network activity.
• Threat Detection & Hunting: Integrates with Suricata, Zeek, and other tools to detect anomalous behavior and cyber threats.
• User-Friendly Visualization: Utilizes open source dashboards to present security-relevant network data in an intuitive format.
• Scalability & Flexibility: Supports deployment on local systems, private clouds, and enterprise-scale environments.
• Compliance & Forensics: Aids in regulatory compliance by retaining historical network activity for forensic analysis.

Features

• Metadata Extraction & Enrichment: Leverages Zeek and Suricata to extract security-relevant metadata from raw network traffic.
• Integrated Data Pipeline: Uses Logstash, OpenSearch, and Kibana for data ingestion, indexing, and visualization.
• Customizable Alerting & Detection: Enables users to define rules and alerts for suspicious network activity.
• Secure & Open Source: Freely available and continuously improved by the cybersecurity community.

Getting Started 

Malcolm is available as a Docker-based deployment, making installation and setup straightforward. Follow the official Malcolm documentation to get started.

Resources & Support

• YouTube Channel: Explore video tutorials and demonstrations on the CISA's Malcolm YouTube playlist.
• GitHub Repository: https://github.com/cisagov/Malcolm.
• Documentation: Installation and configuration guides: https://cisagov.github.io/Malcolm/.
• Community Support: Engage with other users and contributors via GitHub discussions and issue tracking.