# SIEM Stack Project

## Wazuh
---

Wazuh is an Extended Detection and Response (XDR) and SIEM platform that provides monitoring, detection, and alerting of security events and incidents across multiple layers of the IT infrastructure.

Wazuh provides endpoint security, threat intelligence, and security operations capabilities, enabling proactive threat detection, incident response, and alignment with regulatory compliance requirements. Its benefits include cost effectiveness (it is open source), strong community support, and multi-tenancy.

### Wazuh architecture

Wazuh supports both agent-based monitoring (the Wazuh agent installed on the endpoint) and agentless monitoring over SSH or syslog for devices that cannot run an agent, such as network appliances. Wazuh has three main components working together: the Wazuh indexer, the Wazuh manager, and the Wazuh dashboard. The Wazuh indexer (OpenSearch-based) stores and indexes the alerts and archived events. The Wazuh manager is the central server that receives data from the agents, decodes and analyses it against the ruleset, and generates the security alerts. The Wazuh dashboard is the web interface used to visualize the security events and the compliance information of the monitored endpoints.

![deployment-architecture1.png](attachment:deployment-architecture1.png)
<p><i>Wazuh components architecture</i></p>

### Wazuh requirements

<table>
    <thead>
        <tr>
            <th>Component</th>
            <th>Port</th>
            <th>Protocol</th>
            <th>Purpose</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td rowspan="4">Wazuh Server</td>
            <td>1514</td>
            <td>TCP (default)</td>
            <td>Agent connection service</td>
        </tr>
        <tr>
            <td>1515</td>
            <td>TCP</td>
            <td>Agent enrollment service</td>
        </tr>
        <tr>
            <td>1516</td>
            <td>TCP</td>
            <td>Wazuh cluster daemon</td>
        </tr>
        <tr>
            <td>55000</td>
            <td>TCP</td>
            <td>Wazuh server RESTful API</td>
        </tr>
        <tr>
            <td>Wazuh indexer</td>
            <td>9200</td>
            <td>TCP</td>
            <td>Wazuh indexer RESTful API</td>
        </tr>
        <tr>
            <td>Wazuh dashboard</td>
            <td>8443</td>
            <td>TCP</td>
            <td>Wazuh web user interface</td>
        </tr>
    </tbody>
</table>
<p><i>Network ports required</i></p>
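A post-deployment check for the port table above, added here as an example and not part of the project's notes or of Wazuh itself. It parses `ss -ltn` output so it can be run live with `--live` or against saved output; the component labels in `EXPECTED` are mine and mirror the Purpose column, and the dashboard is assumed on 8443 as in the table (the Wazuh default is 443).

```shell
#!/bin/sh
# Added example (not from the project's notes or from Wazuh): verify that every
# Wazuh listener from the port table is actually bound on this host.
# Assumes iproute2 `ss` is available and the dashboard listens on 8443 (as in the table).
set -eu

# Expected listeners as "port label" pairs; labels are mine, mirroring the table's Purpose column.
EXPECTED='1514 agent-connection
1515 agent-enrollment
1516 cluster
55000 api
9200 indexer-api
8443 dashboard'

# listening_ports SS_OUTPUT -> one local port per line, taken from the Local Address:Port
# column of `ss -ltn` output. Handles 0.0.0.0:1514, *:1514 and [::]:9200 alike and
# ignores the header line because only LISTEN rows are considered.
listening_ports() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, f, ":"); print f[n] }' | sort -un
}

# missing_ports SS_OUTPUT -> prints "port label" for each expected listener that is not bound.
missing_ports() {
  have=$(listening_ports "$1")
  printf '%s\n' "$EXPECTED" | while read -r port label; do
    printf '%s\n' "$have" | grep -qx "$port" || echo "$port $label"
  done
}

# check_ports SS_OUTPUT -> exit 0 when every expected listener is present, otherwise
# print the gaps and exit 1. Port 1516 only matters on a manager cluster node.
check_ports() {
  gaps=$(missing_ports "$1")
  if [ -n "$gaps" ]; then
    echo "missing listeners (port label):"
    echo "$gaps"
    return 1
  fi
  return 0
}

# Live check when run directly with --live; -H drops the header, -ltn lists TCP listeners numerically.
if [ "${1:-}" = "--live" ]; then
  check_ports "$(ss -H -ltn)"
fi
```

Run `sh check-ports.sh --live` on the manager after an install or upgrade; on a single-node deployment the only expected gap is 1516, since the cluster daemon is not started without a cluster configuration.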


|Component|RAM (GB)|CPU (cores)|OS|Storage|
|---:|:---:|:---:|:---:|---:|
|Wazuh indexer|16|8|Ubuntu 22.04|2TB (6 months)|
|Wazuh Manager|16|8|Ubuntu 22.04|20GB|
|Wazuh Dashboard|16|8|Ubuntu 22.04|20GB|
<p><i>Wazuh components requirements</i></p>


|Monitored endpoints|APS (alerts per second)|Storage in Wazuh (GB/90 days)|
|---:|:---:|:---|
|Servers|0.25|3.7|
|Workstations|0.1|1.5|
|Network devices|0.5|7.4|
<p><i>Disk space provisioning estimates</i></p>

### Wazuh 4.8 installation

### Wazuh 4.8 upgrade steps

Wazuh's documented upgrade order is indexer, then manager, then dashboard, and the steps below follow it for a single-node deployment. Before starting, back up `/var/ossec/etc` on the manager (at least `ossec.conf`, `client.keys`, and the local rules and decoders). On a multi-node indexer cluster, disable shard allocation and flush the indices through the indexer API before stopping the indexer, as described in the Wazuh upgrade guide.

1. Stop all the services
   ```bash
   sudo systemctl stop wazuh-manager
   sudo systemctl stop wazuh-dashboard
   sudo systemctl stop wazuh-indexer
   ```

2. Refresh the package index and upgrade the Wazuh indexer
   ```bash
   sudo apt-get update
   sudo apt-get install --only-upgrade wazuh-indexer
   ```
   Start the Wazuh indexer and confirm it is active before going on
   ```bash
   sudo systemctl start wazuh-indexer
   sudo systemctl status wazuh-indexer
   ```

3. Upgrade the Wazuh manager package, but do not start it yet: the configuration change in the next step must be in place first
   ```bash
   sudo apt-get install --only-upgrade wazuh-manager
   ```

4. Update the ossec configuration
   Wazuh 4.8 replaced the vulnerability detector module. Edit `/var/ossec/etc/ossec.conf` on the manager, remove the existing `<vulnerability-detector>` block, and add the two blocks below. `0.0.0.0` is the placeholder used in the Wazuh documentation: replace it with the address of the Wazuh indexer. The certificate paths are the Filebeat certificates the Wazuh installer places on the manager; adjust them if your certificates live elsewhere. The Wazuh upgrade guide also updates Filebeat's Wazuh module and alerts template at this point; apply those steps and restart Filebeat before starting the manager.

   ```xml
   <vulnerability-detection>
      <enabled>yes</enabled>
      <index-status>yes</index-status>
      <feed-update-interval>60m</feed-update-interval>
   </vulnerability-detection>

   <indexer>
      <enabled>yes</enabled>
      <hosts>
         <host>https://0.0.0.0:9200</host>
      </hosts>
      <ssl>
         <certificate_authorities>
            <ca>/etc/filebeat/certs/root-ca.pem</ca>
         </certificate_authorities>
         <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
         <key>/etc/filebeat/certs/filebeat-key.pem</key>
      </ssl>
   </indexer>
   ```
   <p><i>Blocks to insert in ossec.conf on the Wazuh manager</i></p>

   Start the Wazuh manager and confirm it is active
   ```bash
   sudo systemctl start wazuh-manager
   sudo systemctl status wazuh-manager
   ```

5. Upgrade the Wazuh dashboard
   ```bash
   sudo apt-get install --only-upgrade wazuh-dashboard
   ```
   Start the Wazuh dashboard and confirm it is active
   ```bash
   sudo systemctl start wazuh-dashboard
   sudo systemctl status wazuh-dashboard
   ```
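The upgrade procedure above as one script, added here as an example; it is not the project's own tooling or anything shipped by Wazuh. It assumes Ubuntu with the Wazuh apt repository already enabled, systemd units named `wazuh-indexer`, `wazuh-manager` and `wazuh-dashboard`, `dpkg-query` for version checks, and root privileges. The checks on `ossec.conf` (`preflight`) catch the two mistakes the procedure invites: leaving the old `<vulnerability-detector>` block in place and keeping the `0.0.0.0` placeholder as the indexer host. The target version, the config path and the `--check`/`--run` switches are my choices.

```shell
#!/bin/sh
# Added example (not part of the project's notes or of Wazuh): pre-flight checks plus a
# driver for the single-node Wazuh 4.8 upgrade. Assumes Ubuntu with the Wazuh apt
# repository enabled, systemd units wazuh-indexer/wazuh-manager/wazuh-dashboard, and root.
# Nothing is changed unless --run is given; --check only inspects ossec.conf.
set -eu

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"   # assumed default path
TARGET="${WAZUH_TARGET:-4.8.0}"                          # version the upgrade must reach

# ver_ge A B -> exit 0 when dotted version A >= B (numeric fields, up to three).
ver_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# strip_deb_rev "4.8.0-1" -> "4.8.0": drop the Debian package revision.
strip_deb_rev() { printf '%s' "$1" | cut -d- -f1; }

# installed_version PKG -> upstream version of an installed package, empty if absent.
installed_version() {
  strip_deb_rev "$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true)"
}

# has_legacy_vd FILE -> 0 if the pre-4.8 <vulnerability-detector> block is still present.
has_legacy_vd() { grep -q '<vulnerability-detector>' "$1"; }

# has_new_vd FILE -> 0 if both 4.8 blocks, <vulnerability-detection> and <indexer>, exist.
has_new_vd() { grep -q '<vulnerability-detection>' "$1" && grep -q '<indexer>' "$1"; }

# indexer_host_is_placeholder FILE -> 0 if <indexer> still carries the 0.0.0.0 value
# from the documentation snippet instead of the real indexer address.
indexer_host_is_placeholder() { grep -q '<host>https://0.0.0.0:9200</host>' "$1"; }

# preflight FILE -> reports every problem found; exit 0 only when FILE is ready for 4.8.
preflight() {
  rc=0
  if has_legacy_vd "$1"; then
    echo "FAIL: $1 still has <vulnerability-detector>; replace it with the 4.8 blocks"; rc=1
  fi
  if ! has_new_vd "$1"; then
    echo "FAIL: $1 lacks <vulnerability-detection> and/or <indexer>"; rc=1
  fi
  if indexer_host_is_placeholder "$1"; then
    echo "FAIL: $1 <indexer><host> is the 0.0.0.0 placeholder; set the indexer address"; rc=1
  fi
  return "$rc"
}

# upgrade_pkg PKG: upgrade one package and verify the installed version reached TARGET,
# so a stale apt index or a held package cannot pass silently.
upgrade_pkg() {
  apt-get install -y --only-upgrade "$1"
  ver_ge "$(installed_version "$1")" "$TARGET" || { echo "$1 is not at $TARGET"; return 1; }
}

# start_unit UNIT: start, wait briefly, then confirm it is still active (systemctl start
# returns success even if the daemon exits a moment later on a bad config).
start_unit() { systemctl start "$1"; sleep 5; systemctl is-active --quiet "$1"; }

# Documented order: indexer, then manager, then dashboard. The manager is only started
# once ossec.conf passes preflight, so a half-migrated configuration never goes live.
run_upgrade() {
  apt-get update
  systemctl stop wazuh-manager wazuh-dashboard wazuh-indexer
  upgrade_pkg wazuh-indexer;   start_unit wazuh-indexer
  upgrade_pkg wazuh-manager
  preflight "$OSSEC_CONF" || { echo "fix $OSSEC_CONF, then rerun with --run"; return 1; }
  start_unit wazuh-manager
  upgrade_pkg wazuh-dashboard; start_unit wazuh-dashboard
}

case "${1:-}" in
  --run)   run_upgrade ;;
  --check) preflight "$OSSEC_CONF" ;;
  *)       echo "usage: $0 --check | --run" ;;
esac
```

`--run` is safe to repeat: `apt-get install --only-upgrade` is a no-op once the packages are current, so after fixing `ossec.conf` a second run just passes `preflight` and starts the manager and dashboard.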

### Socfortress advanced rules integration

## Grafana
---

Grafana is the visualization layer of this stack: it lets us build custom dashboards for the SIEM. Its data source plugins connect it to the stores behind the other components (for example the Wazuh indexer through Grafana's OpenSearch data source), and its panel library covers the usual visualization types.

### Grafana installation

### Grafana upgrade

### Grafana plugin installation

## DFIR IRIS
---

## Velociraptor
---

## Uptime Kuma
---