
splunk_siem

A SIEM built for DCO revolving around Splunk. The security stack is based on the following tool sets:

  • Splunk - Data aggregation and visualization
  • Fleet/Osquery - Host artifact tracking and querying
  • Velociraptor - Host/memory interrogation tool
  • Sysmon - Robust logging solution used to power the threat hunting dashboard for Splunk
  • Zeek - Network security monitoring
  • Suricata - Network IDS, IPS, and NSM alerting

Splunk Server minimum requirements

  • An x86 64-bit chip architecture.
  • 48 physical CPU cores, or 96 vCPU at 2 GHz or greater speed per core.
  • 128 GB RAM.
  • Hardware storage solution should be NVMe/SSD.
  • 14 terabytes of storage.
  • A 1 Gb Ethernet NIC with optional second NIC.
  • A 64-bit Linux or Windows distribution. See Supported Operating Systems in the Installation Manual.

The following should be installed on Ubuntu Server 22.04.

Ports used to reach the tools' web interfaces are as follows:

  • Cockpit:9090
  • Splunk:8000
  • Fleet:8412
  • Velociraptor:9999
  • Splunk Deployment:8089

Ports for the firewall:

Install Procedure:

- sudo apt update
- sudo apt install cockpit
- sudo systemctl enable --now cockpit
- sudo apt install net-tools
- sudo apt install curl
- git clone git@github.com:TheDyingYAK/splunk_siem.git
- cd splunk_siem/scripts
- sudo cp -R vagrant/ /
- sudo ./install-splunk.sh
- sudo add-apt-repository ppa:apt-fast/stable
- sudo add-apt-repository ppa:rmescandon/yq
- sudo add-apt-repository ppa:osif/suricata-stable
- sudo apt update
- sudo apt -y install apt-fast
- sudo ./install-prereq
- sudo ./install-fleet.sh
- sudo ./install-palantir-osquery.sh
- sudo ./import-palantir-osquery.sh
- sudo ./install-velociraptor.sh
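Once the install steps above have run, the next thing to confirm is that the host exposes exactly the services listed in the ports table and nothing else. The script below is an added example and is not part of the splunk_siem repository: it parses `ss -tln` output (a constructed sample is embedded so it runs offline), reports README ports with no listener, and reports listeners the README does not account for. Using `ss` from iproute2, the `--live` flag and the service labels in `EXPECTED_PORTS` are assumptions of this example, not something the repo defines.

```shell
#!/bin/sh
# Added example, not part of the splunk_siem repository: after the install
# scripts have run, compare the TCP listeners on the host with the management
# ports the README lists, and report anything missing or unexpected.
# Assumption: live mode relies on `ss -tln` from iproute2 being installed.
# The sample output below is constructed for offline use, not captured
# from a real host.

# Expected listeners taken from the README, as service:port pairs.
EXPECTED_PORTS="cockpit:9090 splunk:8000 fleet:8412 velociraptor:9999 splunk-deploy:8089"

# Constructed `ss -tln` output: the Splunk deployment server (8089) is not
# listening, and an unexpected listener on 4444 is present.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:9090        0.0.0.0:*
LISTEN 0      128    *:8000              *:*
LISTEN 0      4096   [::]:8412           [::]:*
LISTEN 0      128    127.0.0.1:9999      0.0.0.0:*
LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*'

# listening_ports: read ss-style output on stdin, print each listening TCP
# port once, numerically sorted. The port is the last colon-separated field
# of the local address, which also handles IPv6 forms such as [::]:8412.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# missing_ports: print expected service:port pairs that have no listener.
# $1 = expected list, $2 = newline-separated listening ports.
missing_ports() {
    for pair in $1; do
        port=${pair##*:}
        printf '%s\n' "$2" | grep -qx "$port" || printf '%s\n' "$pair"
    done
}

# unexpected_ports: print listening ports that are not in the expected list.
# These matter more than the missing ones: a listener nobody planned for is
# exactly what the firewall rules for this host should be blocking.
unexpected_ports() {
    for port in $2; do
        case " $1 " in
            *":$port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# audit_ports: full check over one ss output text ($1). Prints a one-line
# summary and returns 1 when the listener set differs from the README.
audit_ports() {
    listening=$(printf '%s\n' "$1" | listening_ports)
    missing=$(missing_ports "$EXPECTED_PORTS" "$listening")
    extra=$(unexpected_ports "$EXPECTED_PORTS" "$listening")
    printf 'missing=[%s] unexpected=[%s]\n' \
        "$(printf '%s' "$missing" | tr '\n' ' ')" \
        "$(printf '%s' "$extra" | tr '\n' ' ')"
    [ -z "$missing" ] && [ -z "$extra" ]
}

# Audit the constructed sample by default; pass --live to audit the real
# host with `ss -tln` (assumed to be present).
if [ "${1:-}" = "--live" ]; then
    audit_ports "$(ss -tln)"
else
    audit_ports "$SAMPLE_SS" || echo "listener set differs from the README"
fi
```

Run it with `--live` after each install script to catch a service that failed to start (a missing port) or a leftover debug listener (an unexpected one); the non-zero exit status lets it sit in a cron job or a CI check without parsing the summary line.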

Deploying Splunk over Microsoft Endpoint Manager (ECM): read the document "Splunk_ECM_Deployment.docx" contained in this repo.

To-Do:

  • The PowerShell scripts require access to the public internet; this needs to be fixed so they pull from a local resource instead.
  • Need to install the full ELK stack, Suricata, and Arkime for network logging and alerting.
