A SIEM built for DCO, revolving around Splunk. The security stack is based around the following tool sets:
- Splunk - Data aggregation and visualization
- Fleet/Osquery - Host artifact tracking and querying
- Velociraptor - Host/memory interrogation tool
- Sysmon - Robust logging solution used to power the threat hunting dashboard for Splunk
- Zeek - Network security monitoring
- Suricata - Network IDS, IPS, and NSM alerting
Splunk Server Minimum Requirements:
- An x86 64-bit chip architecture.
- 48 physical CPU cores, or 96 vCPU at 2 GHz or greater speed per core.
- 128 GB RAM.
- Hardware storage solution should be NVMe/SSD.
- 14 terabytes of storage.
- A 1 Gb Ethernet NIC with optional second NIC.
- A 64-bit Linux or Windows distribution. See Supported Operating Systems in Splunk's Installation Manual.
The following should be installed on Ubuntu Server 22.04.
Ports used to reach the tools are as follows:
- Cockpit:9090
- Splunk:8000
- Fleet:8412
- Velociraptor:9999
- Splunk Deployment:8089
Ports for the firewall:
Install Procedure:
- sudo apt update
- sudo apt install cockpit
- sudo systemctl enable --now cockpit
- sudo apt install net-tools
- sudo apt install curl
- git clone [email protected]:TheDyingYAK/splunk_siem.git
- cd splunk_siem/scripts
- sudo cp -R vagrant/ /
- sudo ./install-splunk.sh
- sudo add-apt-repository ppa:apt-fast/stable
- sudo add-apt-repository ppa:rmescandon/yq
- sudo add-apt-repository ppa:osif/suricata-stable
- sudo apt update
- sudo apt -y install apt-fast
- sudo ./install-prereq
- sudo ./install-fleet.sh
- sudo ./install-palantir-osquery.sh
- sudo ./import-palantir-osquery.sh
- sudo ./install-velociraptor.sh
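As an added example (not one of this repo's scripts), a POSIX shell check that compares a host against the minimum requirements above and, after the install procedure, confirms the listed tool ports are actually listening. It assumes Splunk's data lives under /opt and uses systemd-detect-virt to pick the 48-core or 96-vCPU threshold; the embedded `ss -ltn` output is a constructed sample.

```shell
#!/bin/sh
# Preflight / post-install check for the SIEM host described in this README.
# Constructed example, not part of the repo. Assumption: Splunk data is under /opt.
EXPECTED_PORTS="9090 8000 8412 9999 8089"   # Cockpit, Splunk web, Fleet, Velociraptor, Splunk mgmt

# min_reqs_ok ARCH CPUS VIRTUAL RAM_GB DISK_TB
# Checks the README minimums: x86_64, 48 physical cores or 96 vCPU (VIRTUAL=1),
# 128 GB RAM, 14 TB storage. Prints each shortfall; returns 1 if any.
min_reqs_ok() {
  arch=$1 cpus=$2 virtual=$3 ram_gb=$4 disk_tb=$5 rc=0
  if [ "$virtual" = 1 ]; then want_cpu=96; else want_cpu=48; fi
  [ "$arch" = x86_64 ] || { echo "arch: want x86_64, have $arch"; rc=1; }
  [ "$cpus" -ge "$want_cpu" ] || { echo "cpu: want >=$want_cpu, have $cpus"; rc=1; }
  [ "$ram_gb" -ge 128 ] || { echo "ram: want >=128 GB, have $ram_gb GB"; rc=1; }
  [ "$disk_tb" -ge 14 ] || { echo "disk: want >=14 TB, have $disk_tb TB"; rc=1; }
  return $rc
}

# missing_ports: reads `ss -ltn` output on stdin and prints the expected ports
# that are not in LISTEN state (space-separated, empty if none); returns 1 if any.
missing_ports() {
  # column 4 is Local Address:Port; take the text after the last ':' so
  # 0.0.0.0:8000, *:8000 and [::]:8000 all yield 8000
  listening=$(awk 'NR>1 { n = split($4, a, ":"); print a[n] }' | sort -u)
  missing=""
  for p in $EXPECTED_PORTS; do
    echo "$listening" | grep -qx "$p" || missing="$missing $p"
  done
  echo "${missing# }"
  [ -z "$missing" ]
}

# Constructed `ss -ltn` sample: Fleet (8412) and Velociraptor (9999) are not up yet.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9090      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000      0.0.0.0:*
LISTEN 0      128    [::]:8089         [::]:*'

case "${1:-}" in
  --live)  # check this host: hardware facts from uname/nproc/free/df, ports from ss
    systemd-detect-virt -q && virt=1 || virt=0
    min_reqs_ok "$(uname -m)" "$(nproc)" "$virt" \
      "$(free -g | awk '/^Mem:/ {print $2}')" \
      "$(df -BT --output=size /opt | awk 'NR==2 {sub("T",""); print}')" || echo "host below minimums"
    ss -ltn | missing_ports || echo "^ expected ports not listening" ;;
  *)       # demo on the constructed sample
    min_reqs_ok x86_64 96 1 128 14 && echo "sample hardware: ok"
    printf '%s\n' "$SAMPLE_SS" | missing_ports || echo "^ expected ports not listening" ;;
esac
```

Run with `--live` on the server after the install steps; without arguments it reports against the constructed sample.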
Deploying Splunk over Microsoft Endpoint Manager (ECM): read the document "Splunk_ECM_Deployment.docx" contained in this repo.
To-Do:
- The PowerShell scripts require access to the clear net; this needs to be fixed so they pull from a local resource
- Need to install full ELK, Suricata, and Arkime for network logging and alerting