Skip to content

HishamMG/Sentinel

BranchesTags

Repository files navigation

Project Sentinel

Automated Cloud-Native Active Defense Sandbox

A containerized threat simulation lab that demonstrates a complete automated incident response lifecycle. An attacker compromises a victim, the SIEM detects the intrusion, and a custom SOAR microservice autonomously quarantines the compromised container — all without human intervention.

One command. Full kill chain. Automated containment.

docker compose up --build

Architecture

┌──────────────────────────────────────────────────────────────────┐
│                     sentinel-main (bridge)                       │
│                                                                  │
│  ┌──────────────┐         ┌──────────────┐                      │
│  │    Kali       │ ──────→│    Flask      │                      │
│  │  Attacker     │  HTTP  │   Victim      │                      │
│  │  (Red Team)   │  SQLi  │  (Target)     │                      │
│  │              │  SSH   │              │                      │
│  └──────────────┘         └──────┬───────┘                      │
│                                  │ JSON logs (TCP:5170)          │
│                            ┌─────▼────────┐                      │
│                            │  Fluent Bit   │                      │
│                            │ (Log Shipper) │                      │
│                            └─────┬────────┘                      │
│                                  │ syslog / file                 │
│  ┌──────────────┐         ┌─────▼────────┐     ┌──────────────┐│
│  │   Wazuh       │◄────────│   Wazuh      │     │   Wazuh      ││
│  │  Dashboard    │         │  Manager     │     │  Indexer     ││
│  │  (Web UI)     │         │  (SIEM)      │     │ (OpenSearch) ││
│  └──────────────┘         └─────┬────────┘     └──────────────┘│
│                                  │ webhook (HTTP POST)           │
│                            ┌─────▼────────┐                      │
│                            │  SOAR Engine  │                      │
│                            │  (FastAPI +   │                      │
│                            │  Docker SDK)  │                      │
│                            └─────┬────────┘                      │
│                                  │                               │
└──────────────────────────────────┼───────────────────────────────┘
                                   │ Docker SDK:
                                   │  1. Pause victim
                                   │  2. Forensic snapshot
                                   │  3. Extract artifacts
                                   │  4. Unpause
                                   │  5. Quarantine ──────────┐
                                                              │
┌─────────────────────────────────────────────────────────────┼──┐
│               sentinel-quarantine (internal)                │  │
│                                                             ▼  │
│  ┌──────────────┐                                              │
│  │ Flask Victim  │  ← isolated, no external route              │
│  │ (quarantined) │                                              │
│  └──────────────┘                                              │
└────────────────────────────────────────────────────────────────┘

Data Flow

Kali Attack → Flask Victim → Structured JSON Logs → Fluent Bit
  → Wazuh Manager → Rule Match → Integrator Webhook
  → SOAR Engine → Pause → Snapshot → Extract → Unpause → Quarantine

Quick Start

Prerequisites

  • Docker Desktop with WSL2 backend
  • 8+ GB RAM available for containers (recommended: 32 GB system)

Run the Demo

# Clone the repository
git clone https://github.com/<your-username>/project-sentinel.git
cd project-sentinel

# Configure environment
cp .env.example .env

# Launch (zero-touch from here)
docker compose up --build

# Wait ~5 minutes for the full attack-detect-contain cycle

Verify Results

# Check forensic snapshot was created
docker images | grep sentinel-forensics

# View forensic artifacts
ls forensics/

# Check SOAR engine incidents
curl http://localhost:8000/api/v1/incidents

# View Wazuh dashboard
# Open https://localhost in browser (accept self-signed cert)
# Login: admin / SecretPassword

Clean Teardown

docker compose down -v

Technology Stack

Component Technology Role
Orchestration Docker Compose v2 Multi-container deployment
Target App Python Flask + PostgreSQL Deliberately vulnerable web app with Faker PII
Adversary Kali Linux Automated attack scripts (Nmap, Hydra, SQLi)
Log Transport Fluent Bit TCP sidecar with Source_Address_Key for IP preservation
SIEM Wazuh 5.0 Detection rules mapped to MITRE ATT&CK
SOAR Python FastAPI + Docker SDK Automated containment + forensic preservation
Forensics Docker commit + get_archive Image snapshot + filesystem artifact extraction

Attack Chain — MITRE ATT&CK Mapping

Phase Technique ATT&CK ID Tool Detection
1. Reconnaissance Active Scanning T1595 Nmap Port scan pattern rule
2. Credential Access Password Guessing T1110.001 Hydra / HTTP 50+ failed logins in 60s
3. Initial Access Exploit Public-Facing App T1190 SQL Injection SQL error pattern rule
4. Exfiltration Exfiltration Over C2 T1041 HTTP requests Large data access pattern

Automated Response — NIST SP 800-61 Mapping

NIST Phase Sentinel Implementation Automated?
Preparation Docker Compose stack with pre-configured rules, quarantine network Yes (IaC)
Detection & Analysis Wazuh rules match attack patterns, classify severity Yes
Containment SOAR engine quarantines victim via Docker network isolation Yes
Eradication Attacker loses all TCP connectivity to victim Yes
Recovery Victim restorable from pre-attack image Manual
Post-Incident Forensic artifacts + incident timeline preserved Yes

CompTIA Security+ SY0-701 Objective Mapping

Objective Description Demonstration
4.4 Security alerting and monitoring Wazuh SIEM + Fluent Bit log pipeline
4.7 Automation and orchestration FastAPI SOAR microservice
4.8 Incident response activities Full IR lifecycle
4.9 Data sources for investigations App logs, forensic snapshots
2.4 Attack techniques Brute force, SQLi, reconnaissance
2.5 Threat mitigation Network segmentation, automated containment

Project Structure

project-sentinel/
├── docker-compose.yml          # Master orchestration
├── .env.example                # Environment template
├── red-team/
│   └── kali-attacker/          # Automated attack scripts
│       ├── attack_runner.py    # Kill chain orchestrator
│       └── phases/             # T1595, T1110, T1190, T1041
├── target/
│   ├── flask-victim/           # Vulnerable Flask app
│   └── postgres/               # PII database schema
├── blue-team/
│   ├── soar-engine/            # FastAPI + Docker SDK
│   │   ├── app/engine/         # ContainerRuntime ABC + containment
│   │   └── tests/              # Unit tests
│   └── wazuh-config/           # SIEM rules, decoders, integrations
├── infra/
│   └── fluent-bit/             # Log shipping configuration
├── tests/integration/          # End-to-end cycle tests
├── forensics/                  # Runtime artifact output
└── docs/                       # Research, PRD, Tech Design

Key Design Decisions

Runtime Abstraction Layer

The SOAR engine uses an abstract ContainerRuntime interface, making the Docker SDK implementation swappable for Kubernetes or AWS in Phase 2:

class ContainerRuntime(ABC):
    @abstractmethod
    def quarantine_container(self, container_id, main_net, quarantine_net) -> bool: ...
    @abstractmethod
    def snapshot_container(self, container_id, tag) -> str: ...

class DockerRuntime(ContainerRuntime):  # MVP
    ...
class KubernetesRuntime(ContainerRuntime):  # Phase 2
    ...

Forensic Protocol

The containment engine executes a strict 5-step protocol before quarantine:

  1. Pause — Freeze attacker's processes (cgroups SIGSTOP)
  2. Commit — Create forensic image snapshot of container diff layer
  3. Extract — Pull critical filesystem paths (/var/log/, /tmp/, /app/)
  4. Unpause — Restore container to running state
  5. Quarantine — Move to internal: true bridge network (no external route)

Success Metrics

Metric Target Measurement
Detection Latency < 30s Attack → Wazuh alert
Containment Latency < 10s Webhook → quarantine verified
End-to-End Cycle < 5 min docker compose up → containment
Forensic Artifact Pass Image + tar files exist
Zero Manual Steps Yes No input after initial command

Verification Results & Fixes

Issue Addressed: Fluent Bit was crashing, and Wazuh custom rules were not triggering to initiate the SOAR containment playbook. Fixes Applied:

  • Fluent Bit: Changed Format json_lines to Format plain in file output so that it logs raw valid JSON objects without tags.
  • Wazuh Log Parsing: Changed log_format in wazuh_manager.conf from json to syslog to prioritize custom decoders properly.
  • Wazuh Rule Matching: Modified local_rules.xml to use <decoded_as>json</decoded_as> and <field> matching on the parsed JSON fields, elevating custom Sentinel rules (e.g., failed logins) level to beat generic logging.

Verified Behavior:

  • Fluent Bit correctly processes and passes raw JSON to Wazuh.
  • Wazuh custom rules successfully fire (e.g., Data exfiltration attempt at level 12).
  • The SOAR engine successfully receives the webhook, captures forensic snapshots of the victim, and fully moves it to sentinel-quarantine.

License

This project is for educational and portfolio purposes only. Do not use against systems you do not own.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages