Joseph Ofonagoro Chisom

    November 3, 2025
    11 min read

    Project Report: How I Built a Cloud-Hosted SOC Lab Using Wazuh


    This project is potentially a continuous project, and I may keep updating it as I work on new stuff related to it.



    Building a project like this requires resources I didn’t have, and stretching the single machine I did have would have put the whole thing at risk. So I worked smart and chose virtual machines. Beyond that, I made one more choice, which I’ll explain below:


    Prerequisites:


    • A cloud provider, in my case Google Cloud Platform (GCP).

    • Three Linux virtual machines running in the cloud.

    Why Cloud?


    I chose a cloud-based environment for three reasons:


    1. As a security analyst, I need to familiarize myself with how security works in cloud computing. Organizations are rapidly moving to the cloud, and this will undoubtedly lead to new forms of cyberattacks targeting their cloud assets. Already, a significant portion of the cyberattacks that occur in cloud-based environments is due to misconfigurations that are left unchecked and unaudited.

    2. Resources: Running such a project successfully would require me to set up at least three different computers, each with different specifications. That is simply not possible in my situation. With cloud instances, however, I can create as many virtual machines as I need and size each one with exactly the specifications it requires. That is a dynamic way of working, and one that organizations already employ.

    3. Consistent uptime: This project teaches me, in practical terms, how a SOC works, and real SOCs typically run 24/7 monitoring. So I had to make sure my event logs arrive around the clock and that I can access and analyze them from anywhere at any time, just as an actual organization’s cybersecurity team would.


    To begin, I set up my instances. Each had a minimum of 50 GB of balanced persistent disk storage and 2 vCPUs (1 core each).


    Note: I gave them different names so that I could easily tell them apart from the shell.


    Networking:


    Networking is a really big deal in cybersecurity, and in a project like this I had to make sure I got my networking right.


    First, I made sure the following ports were open:

    TCP: port 22 for SSH, and ports 1515, 1415, and 55000 for my Wazuh manager, agent, and API. All of these were opened as ingress (inbound) rules on the server side.

    For egress (outbound), I made sure my agents could also communicate on those ports, including 22 for SSH.


    IP addressing: I made sure my server used a static (elastic) IP address, so that the address would not change and cause connectivity issues if, for any reason, I stopped the instance while troubleshooting.


    Ideally, the IP address of a server should not change. 


    For my agents, I allowed their IP addresses to change. Because I also wanted to reach my server from anywhere, I configured the server’s firewall to accept connections from 0.0.0.0/0 and left the agents’ IP addresses dynamic (ephemeral).



    Side note: Google Cloud uses SSH keys by default, which protects its instances from password brute-force attacks, since Google’s public IP address ranges are well known.

    If you aren’t using Google Cloud Platform or another cloud platform with this protection, I’d advise you to use a strong password and to shield your public IP from attacks (not always feasible, given how public IP addresses are structured, so at minimum use a robust password).
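    The networking section above opens the manager’s ports, including SSH and the Wazuh API, to 0.0.0.0/0. The script below is an added example (not from the original post) that audits a set of GCP firewall rules for exactly that exposure: it flags the admin ports (22 and 55000) reachable from any address as HIGH and merely notes the agent ports, which legitimately need to accept roaming agents. The input mirrors the JSON that `gcloud compute firewall-rules list --format=json` emits, but the rules, names and address ranges below are constructed samples. One caveat on ports: the post lists 1415, while Wazuh 4.x documents 1514/tcp for agent events, 1515/tcp for enrollment and 55000/tcp for the API; the example uses the documented defaults.

```python
"""Audit GCP VPC firewall rules for a Wazuh lab: which manager ports are reachable from anywhere?

Added example, not part of the original post. Input mirrors `gcloud compute firewall-rules
list --format=json` (only the fields used here); the rules below are constructed samples with
hypothetical names and placeholder address ranges.
"""
import ipaddress
import json

# Wazuh 4.x default TCP ports: 1514 agent events, 1515 agent enrollment, 55000 manager API.
AGENT_PORTS = {1514: "Wazuh agent events", 1515: "Wazuh agent enrollment"}
ADMIN_PORTS = {22: "SSH", 55000: "Wazuh API"}

# Constructed sample: the post's setup (everything open from 0.0.0.0/0) plus a few
# extra rules so the audit can show what it ignores.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "wazuh-manager-ingress", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["1514-1515", "55000"]}]},
    {"name": "wazuh-dashboard-admin", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"],  # placeholder admin range
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-vpc-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/20"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "legacy-open-all", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])


def load_sample():
    """Parse the constructed sample the way one would parse real gcloud JSON output."""
    return json.loads(SAMPLE_RULES_JSON)


def expand_ports(port_specs):
    """gcloud port strings ("22", "1514-1515") -> set of ints."""
    ports = set()
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def open_to_world(source_ranges):
    """True if any source range is 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in source_ranges)


def audit_rules(rules):
    """Findings for enabled INGRESS rules that expose Wazuh-related TCP ports to the whole Internet."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not open_to_world(rule.get("sourceRanges", [])):
            continue
        for allowed in rule.get("allowed", []):
            if allowed.get("IPProtocol") not in ("tcp", "all"):
                continue
            # No "ports" key means every port of that protocol is allowed.
            ports = expand_ports(allowed["ports"]) if allowed.get("ports") else None
            for port, label in ADMIN_PORTS.items():
                if ports is None or port in ports:
                    findings.append({"severity": "HIGH", "rule": rule["name"], "port": port,
                                     "advice": f"{label} reachable from any address; "
                                               "restrict sourceRanges to your admin IP(s)"})
            for port, label in AGENT_PORTS.items():
                if ports is None or port in ports:
                    findings.append({"severity": "INFO", "rule": rule["name"], "port": port,
                                     "advice": f"{label} open to the world; acceptable for roaming "
                                               "agents, but if agents share the VPC use the subnet range"})
    return sorted(findings, key=lambda f: (f["rule"], f["port"]))


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 2, 'INFO': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_rules(load_sample())
    for f in results:
        print(f"[{f['severity']}] {f['rule']} tcp/{f['port']}: {f['advice']}")
    print(summarize(results))
```

    Against the sample, the audit reports two HIGH findings (SSH and the API open to the world) and two informational ones for the agent ports; the disabled legacy rule and the internal-only rule are skipped. Since all three VMs in this lab live in GCP, the cleanest fix for the HIGH findings is to keep the agent ports world-reachable only if the agents really roam, and to narrow 22 and 55000 to the admin address you actually connect from.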


    Moving on, I installed the Wazuh installation assistant on my server using this command:



    Then I installed the Wazuh server, manager, dashboard, and Filebeat in one command using this:


    Once the installation completed, I copied the generated password and kept it somewhere safe for later use.



    Dashboard:


    I accessed my dashboard via my server’s IP address over HTTPS, i.e., https://server-ip


    Using the credentials I copied after the installation, I logged in to my Wazuh dashboard.


    Agent Configuration:


    On my dashboard, I clicked Menu > Agents management > Summary > Deploy new agent.




    This opens a new page where you can choose one of the three supported OS types: Linux, Windows, and macOS.


    I entered my server’s IP address and the name I wanted to identify my agent with. I also chose the group I wanted the agent to belong to.


    These inputs are used to auto-generate a one-line command; copy this command and paste it into your terminal shell.


    After running the command on your 
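    Once the generated one-liner has run on an agent, the useful check is whether the manager actually sees that agent as active rather than "never connected" (a common symptom of the agent ports not being open). The script below is an added example, not code from the original post or from Wazuh: it authenticates to the Wazuh 4.x manager API on port 55000 (`POST /security/user/authenticate` with HTTP basic auth returns a JWT; `GET /agents` returns `data.affected_items` with `id`, `name`, `ip`, `status`), then summarizes agent status. The manager address, credentials and agent names are placeholders, and the embedded API response is a constructed sample so the parsing part runs offline.

```python
"""Confirm that enrolled agents show up as active via the Wazuh manager API.

Added example, not from the original post. Assumes Wazuh 4.x API defaults (TCP 55000,
POST /security/user/authenticate returning a JWT, GET /agents). Certificate verification is
disabled because the installer issues self-signed certificates; pin the certificate outside a lab.
"""
import base64
import json
import ssl
import urllib.request

MANAGER_URL = "https://MANAGER_IP_PLACEHOLDER:55000"  # placeholder: the server's static IP
API_USER = "wazuh"                                     # default API user in Wazuh 4.x
API_PASSWORD = "PASSWORD_FROM_INSTALLER"              # placeholder: the password copied after install


def _lab_tls_context():
    """Accept the installer's self-signed API certificate (lab only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(base_url, user, password):
    """POST /security/user/authenticate with basic auth; returns the JWT string."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=_lab_tls_context(), timeout=10) as resp:
        return json.load(resp)["data"]["token"]


def fetch_agents(base_url, token):
    """GET /agents with the bearer token; returns the parsed JSON body."""
    req = urllib.request.Request(f"{base_url}/agents",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=_lab_tls_context(), timeout=10) as resp:
        return json.load(resp)


def agent_status(payload, agent_name):
    """Status of one agent from a /agents response, or None if no agent by that name exists."""
    for item in payload["data"]["affected_items"]:
        if item.get("name") == agent_name:
            return item.get("status")
    return None


def summarize_agents(payload):
    """Count agents by status, excluding the manager itself (always id 000)."""
    counts = {}
    for item in payload["data"]["affected_items"]:
        if item.get("id") == "000":
            continue
        status = item.get("status", "unknown")
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample in the shape the API returns, so the parsing logic can run offline.
SAMPLE_AGENTS_RESPONSE = {
    "data": {
        "affected_items": [
            {"id": "000", "name": "wazuh-manager", "ip": "127.0.0.1", "status": "active"},
            {"id": "001", "name": "agent-web-01", "ip": "any", "status": "active"},
            {"id": "002", "name": "agent-db-01", "ip": "any", "status": "disconnected"},
            {"id": "003", "name": "agent-test-03", "ip": "any", "status": "never_connected"},
        ],
        "total_affected_items": 4,
    },
    "error": 0,
}


if __name__ == "__main__":
    # Offline run against the constructed sample.
    print(summarize_agents(SAMPLE_AGENTS_RESPONSE))
    print("agent-test-03:", agent_status(SAMPLE_AGENTS_RESPONSE, "agent-test-03"))
    # Live run once the placeholders are filled in:
    # token = get_token(MANAGER_URL, API_USER, API_PASSWORD)
    # print(summarize_agents(fetch_agents(MANAGER_URL, token)))
```

    An agent stuck in `never_connected` right after enrollment usually means it registered over 1515 but cannot deliver events over 1514, so the firewall rules from the networking section are the first place to look.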




    Extras: Check this link for a comprehensive guide I wrote on setting up a Wazuh SIEM SOC.

    Also, check their documentation here.


    Tags: documentation