SIEM stands for Security Information and Event Management. It is typically a category of software and tools designed to perform security operations such as collecting security information from devices across the network, monitoring network traffic in real time, and responding to network anomalies and threats. These operations are crucial for protecting an organization from cyber attacks.

We will focus on monitoring and responding to real malicious network traffic, illicit network activity and cyber attacks.

In this lab, I will initialize, configure and deploy a SIEM lab from scratch by installing industry-standard tools and virtual machines. The tools we will install include YARA, OpenCTI, Snort, NetworkMiner, Zeek, Brim, Wireshark, Sysinternals, Wazuh, Splunk, the ELK Stack and others as needed.

Together, these tools let us monitor network traffic, respond to malicious traffic, monitor host activity within the network, and collect logs from multiple endpoints for event monitoring. With this feature stack we can build a complete SOC lab and understand how Blue Team security operations are performed.

Hardware Requirements and Deployment Setup for the Lab

In the network diagram above, two physical machines (a Windows Server and a Linux Server) are connected to the network. Windows 10 and Ubuntu are additionally installed as virtual machines. Both Windows and Linux are used because of the platform requirements of the tools in this lab: some tools install only on Windows, while others require a Unix-based platform.

Wazuh, the ELK Stack and Splunk are the main and most memory-hungry components of the lab, so we will install Wazuh and Splunk directly on the Linux Server. For the ELK Stack, we will create a Linux virtual machine with 8GB RAM on the Windows Server.

Configuration of Windows Server (Physical, 1st): i3 3rd Gen Dual Core Processor & 12GB RAM
Configuration of Linux Server (Physical, 2nd): i3 4th Gen Dual Core Processor & 8GB RAM

What will be covered in this Part?

  1. Installation of Wazuh in Linux Server using Docker
  2. Installation of ELK stack in Windows Server as a Virtual Machine
  3. Installation of Splunk Enterprise in Linux Server

Installation of Wazuh in Linux Server using Docker Container

1. Install Docker in the System

sudo apt update  # Refresh the package index

curl -sSL https://get.docker.com/ | sh  # Install Docker with the convenience script (review the script before piping it to sh)

sudo systemctl enable --now docker  # Start the Docker service now and at boot (requires root)

2. Deploy Wazuh as a Single Node using Docker

git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.1

cd wazuh-docker/single-node/

sudo docker-compose -f generate-indexer-certs.yml run --rm generator  # Generate the TLS certificates for the indexer, manager and dashboard

sudo docker-compose up -d  # Start the single-node stack in the background

The Wazuh instance is now running behind HTTPS. You can access the web UI at https://your_ip_address. If the indexer container keeps restarting, the usual cause is the host's vm.max_map_count being below 262144, which the Wazuh indexer requires.
The default username and password for the Wazuh dashboard are admin and SecretPassword. Change the default password of the Wazuh indexer admin user before exposing the lab to anything beyond your own network.

Once you log in to Wazuh successfully, you will see a dashboard like the one below. Wazuh is now installed on your system and ready to use.
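Before declaring the deployment done, it is worth scripting the checks that usually bite on a first single-node install: the kernel mmap limit the indexer needs, the available memory, the dashboard actually answering over TLS, and the stock password still sitting in docker-compose.yml. The script below is an added example written for this lab, not code from the article or from the wazuh-docker project; the function names, the 4 GiB memory threshold and the dashboard URL are my assumptions, while the default password "SecretPassword" is the one the article mentions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article or the wazuh-docker project):
# pre-flight and post-deploy checks for the single-node Wazuh Docker deployment.
# Function names, the 4 GiB threshold and the dashboard URL are assumptions.

# The Wazuh indexer is OpenSearch-based and will not start unless the host
# kernel allows at least 262144 memory-map areas per process.
check_max_map_count() {
  local value="${1:-$(cat /proc/sys/vm/max_map_count)}"
  [ "$value" -ge 262144 ]
}

# Indexer, manager and dashboard together need several GB; warn below 4 GiB
# (value in kB, as reported by /proc/meminfo).
check_memory_kb() {
  local mem_kb="${1:-$(awk '/MemTotal/ {print $2}' /proc/meminfo)}"
  [ "$mem_kb" -ge $((4 * 1024 * 1024)) ]
}

# Fail if the compose file still carries the stock credential from the article.
check_default_password() {
  local compose_file="$1"
  ! grep -q 'SecretPassword' "$compose_file"
}

# Poll the dashboard over TLS until it answers or the timeout (seconds) expires.
# The generated certificate is self-signed, hence -k (insecure) for this check only.
wait_for_dashboard() {
  local host="${1:-localhost}" timeout="${2:-180}" waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if curl -ks -o /dev/null --max-time 5 "https://${host}/"; then
      return 0
    fi
    sleep 5
    waited=$((waited + 5))
  done
  return 1
}

# Run before "docker-compose up -d".
preflight() {
  check_max_map_count || {
    echo "vm.max_map_count too low: run 'sudo sysctl -w vm.max_map_count=262144'" >&2
    return 1
  }
  check_memory_kb || echo "warning: less than 4 GiB RAM, the indexer may be OOM-killed" >&2
  return 0
}

# Run after "docker-compose up -d": host to poll, path to the compose file.
postflight() {
  local host="$1" compose_file="$2" rc=0
  wait_for_dashboard "$host" || { echo "dashboard not reachable at https://${host}/" >&2; rc=1; }
  check_default_password "$compose_file" || { echo "default password still present in ${compose_file}" >&2; rc=1; }
  return "$rc"
}

# Usage: ./wazuh-checks.sh preflight
#        ./wazuh-checks.sh postflight <host> <path/to/docker-compose.yml>
case "${1:-}" in
  preflight)  preflight ;;
  postflight) postflight "${2:-localhost}" "${3:-docker-compose.yml}" ;;
esac
```

Run the preflight check on the Linux Server before starting the stack and the postflight check once the containers are up; a non-zero exit from either means the deployment is not ready for agents yet.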

Installation of ELK Stack in Windows Server using Linux Virtual Machine

Below are the Specifications of Virtual Machine.

– CPU CORE: 2
– RAM: 8GB
– OS TYPE: Ubuntu 64bit

The ELK Stack installation starts with installing and setting up an Ubuntu Server virtual machine in VirtualBox; you can use any other hypervisor of your choice. The ELK Stack components are then installed in a specific order.

1. Installing Elasticsearch

We will install Elasticsearch manually from the .deb package, which can be downloaded from https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.14.3-amd64.deb

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.14.3-amd64.deb

Install the .deb package. On a fresh 8.x install, the post-install step prints the generated password for the built-in elastic superuser; record it, as you will need it to log in and to enroll Kibana later.

sudo dpkg -i elasticsearch-8.14.3-amd64.deb

Please visit https://medium.com/@rajharshbedi/build-a-perfect-security-operations-center-soc-home-lab-part-1-989ab132e317 for the rest of the content.
