diff --git a/siem-docker-native-way/siem-docker-native.md b/siem-docker-native-way/siem-docker-native.md
new file mode 100644
index 0000000..bfedf49
--- /dev/null
+++ b/siem-docker-native-way/siem-docker-native.md
@@ -0,0 +1,124 @@
+# SIEM Deployment - docker native way
+
+Hi! This explains the deployment of SIEM to our customers
+
+Follow steps bellow to deploy siem:
+
+1. Create compliance tenant within duplo plan.
+Go through documentation to create tenant (https://docs.duplocloud.com/docs/aws-user-guide/quick-start/step-2-tenant)
+
+2. Create host with following configuration:
+Name : SIEM
+AZ : Automatic
+Instance Type : t3a.xlarge
+Allocation Tag : siem
+Image ID : docker-duplo-ohio-ubuntu22
+Disc Size : 100
+
+3. Once SIEM host is up and running, deploy services
+ - opensearch
+ - siem
+ - dashboard
+
+ as follow
+ - Opensearch Service Deployment :
+ - Navigate to `Docker` tab.
+ - Select `services`.
+ - Add new service with configuration as follows:
+ - Name : opensearch
+ - DockerImage: duplocloud/wazuh-indexer:4.7.2-ssl
+ - DockerNetwork : Host Network
+ - AllocationTag : siem
+ - EnvironementVariables : "OPENSEARCH_JAVA_OPTS":"-Xms3g -Xmx3g"
+ - Volumes : "/data/es:/var/lib/wazuh-indexer"
+
+ - Siem Service Deployment:
+ - - Navigate to `Docker` tab.
+ - Select `services`.
+ - Add new service with configuration as follows:
+ - - Name : siem
+ - DockerImage: duplocloud/wazuh-manager:4.7.2-ssl
+ - DockerNetwork : Host Network
+ - AllocationTag : siem
+ - EnvironementVariables :
"INDEXER_URL" : "https://localhost:9200",
"INDEXER_USERNAME" : "admin",
"INDEXER_PASSWORD" : "VyTeLYbHb@t9ayg",
"FILEBEAT_SSL_VERIFICATION_MODE" : "none",
"API_USERNAME" : "wazuh-wui",
"API_PASSWORD" : "UTim*Ppu9MXyQ6hm"
+ - Volumes : "/data/ossec_api_configuration:/var/ossec/api/configuration","/data/ossec_etc:/var/ossec/etc"
+
+ - Dashboard Service Deployment:
+ - - Navigate to `Docker` tab.
+ - Select `services`.
+ - Add new service with configuration as follows:
+ - - Name : dashboard
+ - DockerImage: duplocloud/wazuh-dashboard:4.7.2-ssl
+ - DockerNetwork : Host Network
+ - AllocationTag : siem
+ - EnvironementVariables :
"OPENSEARCH_HOSTS" : "https://localhost:9200" ,
"WAZUH_API_URL" : "https://localhost" ,
"API_PORT" : 55000, "RUN_AS" : false,
"INDEXER_USERNAME" : "admin" ,
"INDEXER_PASSWORD" : "VyTeLYbHb@t9ayg",
"API_USERNAME" : "wazuh-wui",
"API_PASSWORD" : "UTim*Ppu9MXyQ6hm" ,
"DASHBOARD_USERNAME" : "kibanaserver" ,
"DASHBOARD_PASSWORD" : "L8JrB47!GNW3Zvx"
+
+4. Expose dashboard service internally using load-balancer to establish communication between SIEM & OPENSEARCH services.
+5. Create application load-balancers with following configurations :
+ - LB - 1
+ - Type : Application Loadbalancer
+ - Container Port : 5601
+ - External Port : 443
+ - Visibility : Internal Only
+ - Application Mode : Native App
+ - Health Check : "/proxy/duplosiem/translations/en.json"
+ - Backend Protocol : "https"
+ - Certificates :
+
+ - LB - 2
+ - Type : Application Loadbalancer
+ - Container Port : 55000
+ - External Port : 55000
+ - Visibility : Internal Only
+ - Application Mode : Native App
+ - Health Check : "/"
+ - Backend Protocol : "https"
+ - Certificates :
+ - Additional config = HTTP success code : 200-499
+
+ 6. Update Security Firewall to enable communications
+ - Navigate to `tenants`.
+ - Locate `compliance` tenant.
+ - Update security with following configuration:
+ - Rule : 1
+ - SourceType : IP address
+ - IP CIDR : Custom
+ - CIDR Range : 10.0.0.0/8
+ - Protocol : TCP
+ - Port-Range : 1514 - 1514
+ - Rule : 2
+ - SourceType : IP address
+ - IP CIDR : Custom
+ - CIDR Range : 10.0.0.0/8
+ - Protocol : TCP
+ - Port-Range : 55000-55000
+
+ 7. In order to setup reverse proxy we need to provide the credentials to the service. By default, kibana user credentials are configured with the service. We need to update to use `wazuh` credentials.
+ 8. With encode we can use these `d2F6dWgtd3VpOlVUaW0qUHB1OU1YeVE2aG0=` credential to update the service.
+ - Steps:
+ - - SSM to master instance
+ - Navigate to `services` & locate `Duplo.ComplianceService`.
+ - Stop the service.
+ - Navigate to FOLDER section.
+ - Search `Duplo.ComplianceCore.exe.config` file under `Duplo.ComplianceService` folder.
+ - Open with Notepad ++
+ - Under "appSettings" section locate `WAZUHCREDENTIALS` and update with above credential.
+ - Save file & navigate to services to start `Duplo.ComplianceService`.
+
+ 9. Go to Duplo portal nad navigate to `SECURITY` tab. "SIEM" will be available by now.
+ 10. Last part is to setup reverse proxy to access `DASHBOARD`.
+ 11. Use following command to setup proxy. The command can be hit from local machine as well. **NOTE** that openvpn is connected before running command.
+curl --location 'https://.duplocloud.net/admin/UpdateReverseProxyConfig' \
+--header 'Content-Type: application/json' \
+--header 'Authorization: Bearer ' \
+--data '{
+ "ProxyPath": "/duplosiem",
+ "BackendHostUrl": "https://",
+ "ForwardingPrefix": "/proxy/duplosiem",
+ "AllowedRoles": [
+ "Administrator",
+ "SecurityAdmin"
+ ],
+ "Authorization": "Basic d2F6dWhfdXNlcjpKZ0ZEUS5ZVEFaNEM3czk="
+}'
+12. Check SIEM dashboard to be up and running.
diff --git a/siem-docker-native-way/siem.svd b/siem-docker-native-way/siem.svd
new file mode 100644
index 0000000..470e1fd
--- /dev/null
+++ b/siem-docker-native-way/siem.svd
@@ -0,0 +1,265 @@
+
+{
+ "TenantId": "##REPLACE_WITH_COMPLIANCE_TENANT_ID##",
+ "Name": "siem-setup",
+ "SchemaVersion": 1,
+ "ServiceType": "system",
+ "ServiceParameters": [],
+ "DisableAutoProvision": false,
+ "Roles": [
+ {
+ "Tags": [],
+ "Name": "opensearch",
+ "DockerImage": "duplocloud/wazuh-indexer:4.7.2-ssl",
+ "Replicas": 1,
+ "NetworkId": "default",
+ "AgentPlatform": 0,
+ "Volumes": "\"/data/es:/var/lib/wazuh-indexer\"",
+ "ExtraConfig": "{\n \"OPENSEARCH_JAVA_OPTS\": \"-Xms3g -Xmx3g\"\n}",
+ "AllocationTags": "siem",
+ "ApplicationUrl": "",
+ "IsInfraDeployment": false,
+ "SecondaryTenant": "",
+ "LBConfigurations": [],
+ "OtherDockerConfig": "",
+ "OtherDockerHostConfig": "{\"NetworkMode\": \"host\", \"CapAdd\": [ \"NET_ADMIN\" ]}",
+ "DeviceIds": [],
+ "Cloud": 0,
+ "IsLBSyncedDeployment": true,
+ "ForceStatefulSet": false,
+ "IsDaemonset": false,
+ "IsReplicaCollocationAllowed": false,
+ "IsAnyHostAllowed": false,
+ "IsUniqueK8sNodeRequired": false,
+ "ShouldSpreadAcrossZones": false,
+ "IsCloudCredsFromK8sServiceAccount": false,
+ "TenantId": ""
+ },
+ {
+ "Tags": [],
+ "Name": "siem",
+ "DockerImage": "duplocloud/wazuh-manager:4.7.2-ssl",
+ "Replicas": 1,
+ "NetworkId": "default",
+ "AgentPlatform": 0,
+ "Volumes": "\"/data/ossec_api_configuration:/var/ossec/api/configuration\",\"/data/ossec_etc:/var/ossec/etc\"",
+ "ExtraConfig": "{\n \"INDEXER_URL\": \"https://localhost:9200\",\n \"INDEXER_USERNAME\": \"admin\",\n \"INDEXER_PASSWORD\": \"VyTeLYbHb@t9ayg\",\n \"FILEBEAT_SSL_VERIFICATION_MODE\": \"none\",\n \"API_USERNAME\": \"wazuh-wui\",\n \"API_PASSWORD\": \"UTim*Ppu9MXyQ6hm\"\n}",
+ "AllocationTags": "siem",
+ "ApplicationUrl": "",
+ "IsInfraDeployment": false,
+ "SecondaryTenant": "",
+ "LBConfigurations": [],
+ "OtherDockerConfig": "",
+ "OtherDockerHostConfig": "{\"NetworkMode\": \"host\", \"CapAdd\": [ \"NET_ADMIN\" ]}",
+ "DeviceIds": [],
+ "Cloud": 0,
+ "IsLBSyncedDeployment": true,
+ "ForceStatefulSet": false,
+ "IsDaemonset": false,
+ "IsReplicaCollocationAllowed": false,
+ "IsAnyHostAllowed": false,
+ "IsUniqueK8sNodeRequired": false,
+ "ShouldSpreadAcrossZones": false,
+ "IsCloudCredsFromK8sServiceAccount": false,
+ "TenantId": ""
+ },
+ {
+ "Tags": [],
+ "Name": "dashboard",
+ "DockerImage": "duplocloud/wazuh-dashboard:4.7.2-ssl",
+ "Replicas": 1,
+ "NetworkId": "default",
+ "AgentPlatform": 0,
+ "Volumes": "",
+ "ExtraConfig": "{\n \"OPENSEARCH_HOSTS\": \"https://localhost:9200\",\n \"WAZUH_API_URL\": \"https://localhost\",\n \"API_PORT\": 55000,\n \"RUN_AS\": false,\n \"INDEXER_USERNAME\": \"admin\",\n \"INDEXER_PASSWORD\": \"VyTeLYbHb@t9ayg\",\n \"API_USERNAME\": \"wazuh-wui\",\n \"API_PASSWORD\": \"UTim*Ppu9MXyQ6hm\",\n \"DASHBOARD_USERNAME\": \"kibanaserver\",\n \"DASHBOARD_PASSWORD\": \"L8JrB47!GNW3Zvx\"\n}",
+ "AllocationTags": "siem",
+ "ApplicationUrl": "",
+ "IsInfraDeployment": false,
+ "SecondaryTenant": "",
+ "LBConfigurations": [
+ {
+ "ReplicationControllerName": "dashboard",
+ "Protocol": "https",
+ "Port": "5601",
+ "DIPAddresses": [],
+ "HostPort": 0,
+ "IsInfraDeployment": false,
+ "SetIngressHealthCheck": false,
+ "ExternalPort": 443,
+ "IsInternal": true,
+ "ForHealthCheck": false,
+ "HealthCheckUrl": "/proxy/duplosiem/translations/en.json",
+ "CertificateArn": "##REPLACE_WITH_DEFAULT_PLAN_CERTIFICATE_ARN##",
+ "IsNative": true,
+ "LbType": 1,
+ "TgCount": 0,
+ "ExtraSelectorLabels": [],
+ "HealthCheckConfig": {
+ "HealthyThresholdCount": 0,
+ "UnhealthyThresholdCount": 0,
+ "HealthCheckTimeoutSeconds": 0,
+ "HealthCheckIntervalSeconds": 0
+ },
+ "LbIndex": 0,
+ "CustomCidrs": [],
+ "TenantId": ""
+ },
+ {
+ "ReplicationControllerName": "dashboard",
+ "Protocol": "https",
+ "Port": "55000",
+ "DIPAddresses": [],
+ "HostPort": 0,
+ "IsInfraDeployment": false,
+ "SetIngressHealthCheck": false,
+ "ExternalPort": 55000,
+ "IsInternal": true,
+ "ForHealthCheck": false,
+ "HealthCheckUrl": "/",
+ "CertificateArn": "##REPLACE_WITH_DEFAULT_PLAN_CERTIFICATE_ARN##",
+ "IsNative": true,
+ "LbType": 1,
+ "TgCount": 0,
+ "ExtraSelectorLabels": [],
+ "HealthCheckConfig": {
+ "HealthyThresholdCount": 0,
+ "UnhealthyThresholdCount": 0,
+ "HealthCheckTimeoutSeconds": 0,
+ "HealthCheckIntervalSeconds": 0,
+ "HttpSuccessCode": "200-499"
+ },
+ "LbIndex": 0,
+ "CustomCidrs": [],
+ "TenantId": ""
+ }
+ ],
+ "OtherDockerConfig": "",
+ "OtherDockerHostConfig": "{\"NetworkMode\": \"host\", \"CapAdd\": [ \"NET_ADMIN\" ]}",
+ "DeviceIds": [],
+ "Cloud": 0,
+ "IsLBSyncedDeployment": true,
+ "ForceStatefulSet": false,
+ "IsDaemonset": false,
+ "IsReplicaCollocationAllowed": false,
+ "IsAnyHostAllowed": false,
+ "IsUniqueK8sNodeRequired": false,
+ "ShouldSpreadAcrossZones": false,
+ "IsCloudCredsFromK8sServiceAccount": false,
+ "TenantId": ""
+ }
+ ],
+ "NativeHosts": [
+ {
+ "Zone": 1,
+ "IsEbsOptimized": false,
+ "DesiredCapacity": 0,
+ "MinSize": 0,
+ "MaxSize": 0,
+ "MetaData": [
+ {
+ "Key": "OsDiskSize",
+ "Value": "100"
+ },
+ {
+ "Key": "MetadataServiceOption",
+ "Value": "enabled"
+ }
+ ],
+ "UseLaunchTemplate": true,
+ "FriendlyName": "siem",
+ "ImageId": "##REPLACE_WITH_LATEST_AMI##",
+ "Capacity": "t3a.xlarge",
+ "IsMinion": true,
+ "Base64UserData": "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",
+ "AgentPlatform": 0,
+ "Cloud": 0,
+ "AllocatedPublicIp": false,
+ "MinionTags": [],
+ "EncryptDisk": false
+ }
+ ],
+ "AzureHosts": [],
+ "NativeHostCustomData": [
+ {
+ "ComponentId": "siem",
+ "ComponentType": 2,
+ "Key": "AllocationTags",
+ "Value": "siem"
+ },
+ {
+ "ComponentId": "siem",
+ "ComponentType": 2,
+ "Key": "siem",
+ "Value": "true"
+ }
+ ],
+ "CustomData": [],
+ "S3Buckets": [],
+ "SgRules": [
+ {
+ "SourceInfos": [
+ {
+ "Type": 1,
+ "Value": "10.0.0.0/8",
+ "Description": "Agents connection services"
+ }
+ ],
+ "ServiceType": 0,
+ "ToPort": 1514,
+ "FromPort": 1514,
+ "ServiceProtocol": "tcp"
+ },
+ {
+ "SourceInfos": [
+ {
+ "Type": 1,
+ "Value": "10.0.0.0/8",
+ "Description": "Syslog collector"
+ }
+ ],
+ "ServiceType": 0,
+ "ToPort": 514,
+ "FromPort": 514,
+ "ServiceProtocol": "tcp"
+ },
+ {
+ "SourceInfos": [
+ {
+ "Type": 1,
+ "Value": "10.0.0.0/8",
+ "Description": "SIEM cluster deamon"
+ }
+ ],
+ "ServiceType": 0,
+ "ToPort": 1516,
+ "FromPort": 1516,
+ "ServiceProtocol": "tcp"
+ },
+ {
+ "SourceInfos": [
+ {
+ "Type": 1,
+ "Value": "10.0.0.0/8",
+ "Description": "SIEM syslog collector"
+ }
+ ],
+ "ServiceType": 0,
+ "ToPort": 514,
+ "FromPort": 514,
+ "ServiceProtocol": "udp"
+ },
+ {
+ "SourceInfos": [
+ {
+ "Type": 1,
+ "Value": "10.0.0.0/8",
+ "Description": "Agents connection service"
+ }
+ ],
+ "ServiceType": 0,
+ "ToPort": 1514,
+ "FromPort": 1514,
+ "ServiceProtocol": "udp"
+ }
+ ]
+}
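Review bot: The ExtraConfig strings on the siem and dashboard roles embed live INDEXER_PASSWORD, API_PASSWORD and DASHBOARD_PASSWORD values in plaintext, although this same file already uses `##REPLACE_WITH_…##` placeholders for TenantId, ImageId and CertificateArn; the identical values recur in siem-docker-native-way/siem-docker-native.md, so the committed secrets should be treated as exposed and rotated, and the template should carry placeholders instead, e.g. `"INDEXER_PASSWORD": "##REPLACE_WITH_INDEXER_PASSWORD##"`, with real values supplied at deploy time. Secondary points in the same hunk: all three roles set `"CapAdd": [ "NET_ADMIN" ]` while only the manager looks like it needs it (unless a requirement I cannot see from here exists, least privilege suggests dropping it from opensearch and dashboard), the siem role sets `FILEBEAT_SSL_VERIFICATION_MODE` to `none`, and the NativeHosts entry sets `"EncryptDisk": false` on the 100 GB OsDiskSize volume that will hold indexed log data. The SgRules also open 514/tcp, 514/udp and 1516/tcp from 10.0.0.0/8, which step 6 of the markdown runbook (rules for 1514 and 55000 only) does not mention, so one of the two should be brought in line with the other.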