This project allows for the quick deployment of a full-service log aggregation, SIEM, and SOAR stack using only free, open-source software. It utilizes Ansible to configure the hosts and Docker Compose to deploy the services.
- Create Docker Compose file for logging stack
- Create playbook for logging stack
- Create playbook for Wazuh manager deployment
- Create playbook for logging agent installation
- Create playbook for Wazuh agent installation
- Create playbook for Zeek deployment
- Create playbook for TheHive installation
- Create automatic integration script to connect all the necessary services
In order to quickly ingest logs, I'm using two log ingestion and aggregation pipelines: General and Security.
- Prometheus Node Exporter: Collects hardware and OS metrics from Linux machines, providing detailed system-level insights for monitoring.
- Promtail: Gathers and ships logs from various sources to Loki, facilitating structured log collection and forwarding.
- Loki: Provides a scalable, cost-efficient log storage and querying system, ideal for monitoring, troubleshooting, and correlating logs with metrics.
- Grafana: A powerful open-source platform for visualizing and analyzing metrics and logs, enabling the creation of rich, interactive dashboards.
- Crowdsec: A collaborative, open-source intrusion prevention system that analyzes logs for malicious activity and shares threat intelligence to improve security.
- Fail2Ban: Monitors log files for suspicious activity, such as failed login attempts, and automatically bans IP addresses to prevent brute-force attacks.
- Wazuh Agent: The Wazuh agent installs on the host and forwards security logs and health information to the Wazuh Manager.
- Zeek: A network security monitor that analyzes traffic in real time, producing detailed logs for detecting network anomalies and intrusions.
- Wazuh Manager: Focuses on security-related logs and threat detection, enhancing the system’s security posture.
- TheHive: An open-source Security Incident Response Platform (SIRP) that helps organize and manage security incidents, facilitating collaboration and case management among analysts.
The SIEM and SOAR of choice for this project are Wazuh and TheHive due to their open-source model, continued support from developers and the community, rich feature sets, and interoperability with other security-related services. Wazuh aggregates and correlates security logs from Fail2Ban, Crowdsec, and the Wazuh agent installed on the hosts. After logs are aggregated and correlated, Wazuh alerts an analyst when a threat or attack is detected. Wazuh has some built-in features for automatically remediating basic security issues, but TheHive will handle more in-depth remediation when a complex intervention is required.
Wazuh and TheHive work together to create a comprehensive security operations workflow, combining threat detection, analysis, and incident response. Here’s how they integrate and complement each other:
1. Threat Detection (Wazuh)
- Log Collection: Wazuh collects and analyzes security logs, system data, and threat intelligence from various sources (e.g., endpoints, servers, firewalls).
- Threat Analysis: Wazuh applies rules and machine learning to detect anomalies, malware, intrusion attempts, or policy violations.
- Alert Generation: When Wazuh detects suspicious activity or a security event, it generates an alert. These alerts contain detailed information, such as affected hosts, severity, and relevant log data.
2. Alert Ingestion (TheHive + Cortex Analyzers)
- Alert Transfer: Wazuh can be configured to send alerts to TheHive using its REST API. This can be automated through Wazuh’s integration or a connector.
- Alert Processing: TheHive ingests these alerts and converts them into cases or observables. Each case represents a potential security incident that needs investigation.
3. Incident Response (TheHive)
- Case Management: Security analysts use TheHive to manage and investigate the cases created from Wazuh alerts. They can:
  - Assign cases to team members.
  - Add notes, collaborate, and track progress.
- Observable Analysis: Each case may contain observables (e.g., IP addresses, hashes, domains) that can be enriched or analyzed with integrated tools like Cortex.
- Automated Workflows: TheHive supports creating playbooks and response workflows to streamline investigations and responses.
4. Integration Workflow Example:
- Wazuh Detection: Wazuh detects a brute-force attack on an SSH service and generates an alert.
- Alert Sent to TheHive: The alert is forwarded to TheHive via the Wazuh integration.
- Case Creation: TheHive creates a case based on the alert and includes relevant observables (e.g., attacker IP, timestamp).
- Investigation in TheHive: Analysts investigate the case, enrich observables using Cortex analyzers, and take actions like blocking the IP.
- Resolution: TheHive updates the case status and logs the remediation steps taken.
- Centralized Incident Management: TheHive provides a unified platform to manage, track, and document incidents detected by Wazuh.
- Improved Collaboration: Security teams can collaborate effectively on investigations with TheHive’s case management system.
- Automated Threat Response: The combination of Wazuh’s detection capabilities and TheHive’s incident response workflows helps automate and accelerate the response process.
- Enhanced Threat Intelligence: Integrating Cortex with TheHive allows enrichment of Wazuh alerts, providing deeper insights into threats.
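The alert transfer described in steps 2 and 4, as an added example (this is not the project's integration script): a Wazuh custom integration that reads the alert file Wazuh passes on its command line, maps it onto a TheHive API v1 alert with the source IP and user as observables, and POSTs it. The calling convention (alert file, API key, hook URL), the rule-level-to-severity mapping, and the sample alert are assumptions constructed for the example.

```python
# Added example (not the project's script): a Wazuh custom integration that forwards
# one alert to TheHive. Wazuh runs /var/ossec/integrations/custom-<name> as
#   custom-thehive <alert_file> <api_key> <hook_url>   (assumed calling convention)
import json
import sys
import urllib.request
# Constructed sample of the single-alert JSON Wazuh writes to <alert_file>.
SAMPLE_ALERT = {
    "id": "1700000000.12345", "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access"},
    "agent": {"name": "web01"}, "data": {"srcip": "203.0.113.5", "srcuser": "root"},
}

def severity_from_level(level):
    """Assumed mapping of Wazuh rule level (0-15) onto TheHive severity (1-4)."""
    return 4 if level >= 13 else 3 if level >= 10 else 2 if level >= 7 else 1

def extract_observables(alert):
    """Only fields actually present in the alert become TheHive observables."""
    data, obs = alert.get("data", {}), []
    if data.get("srcip"):
        obs.append({"dataType": "ip", "data": data["srcip"], "tags": ["wazuh:srcip"]})
    if data.get("srcuser"):
        obs.append({"dataType": "other", "data": data["srcuser"], "tags": ["wazuh:srcuser"]})
    return obs

def build_thehive_alert(alert):
    """Map one Wazuh alert onto a TheHive API v1 alert body (POST /api/v1/alert)."""
    rule = alert.get("rule", {})
    return {
        "type": "wazuh", "source": "wazuh",
        "sourceRef": alert["id"],  # unique per Wazuh alert, so re-sends do not create duplicates
        "title": f"[Wazuh rule {rule.get('id')}] {rule.get('description', 'alert')}",
        "description": json.dumps(alert, indent=2),  # full alert kept for the analyst
        "severity": severity_from_level(int(rule.get("level", 0))),
        "tags": ["wazuh", f"rule:{rule.get('id')}"],
        "observables": extract_observables(alert),
    }

def send_alert(hook_url, api_key, body):
    # TheHive authenticates API calls with an "Authorization: Bearer <api key>" header.
    req = urllib.request.Request(hook_url.rstrip("/") + "/api/v1/alert", method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":  # argv: <alert_file> <api_key> <hook_url>
    with open(sys.argv[1]) as fh:
        status = send_alert(sys.argv[3], sys.argv[2], build_thehive_alert(json.load(fh)))
    sys.exit(0 if status in (200, 201) else 1)
```

Because `sourceRef` carries the Wazuh alert id, TheHive can reject a second delivery of the same alert instead of opening a duplicate case.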
- Install Ansible & dependencies (text)
- Deploy a Debian or Ubuntu VM
- Ensure you can reach the VM using Ansible
ansible all -i inventory.ini -m ping
- Deploy the SIEM logging stack using the `loggin-stack-compose.yml` file:
docker compose -f loggin-stack-compose.yml up -d
ADD THE STEPS TO VERIFY THE STACK IS WORKING AS INTENDED
- Deploy another VM
- Ensure the VM has a static IPv4 address
- Deploy the Wazuh single node Ansible playbook
ansible-playbook wazuh-setup.yml -i inventory.ini --ask-become-pass
- Look at the console output for the admin login information
- Verify you can access the Wazuh manager by going to `https://<ip-address>`
- Login using admin login information
- Deploy another VM (or use one you already have running, but I recommend deploying it on a test VM first)
- Change the Wazuh server IPv4 address in `vm-setup.yml`
- Deploy the `deploy-agent-tools.yml` playbook:
ansible-playbook deploy-agent-tools.yml -i inventory.ini --ask-become-pass
ADD THE STEPS TO VERIFY THE AGENTS ARE WORKING AND FORWARDING AS INTENDED