duplocloud · ApurvPatilDuplo · May 9, 2024 · May 9, 2024 · May 9, 2024 · May 9, 2024
diff --git a/siem-docker-native-way/siem-docker-native.md b/siem-docker-native-way/siem-docker-native.md
@@ -0,0 +1,124 @@
+# SIEM Deployment - docker native way
+
+Hi! This explains the deployment of SIEM to our customers
+
+Follow steps bellow to deploy siem:
+
+1. Create compliance tenant within duplo plan.
+Go through documentation to create tenant (https://docs.duplocloud.com/docs/aws-user-guide/quick-start/step-2-tenant)
+
+2. Create host with following configuration:<br />
+Name :             SIEM<br />
+AZ :               Automatic<br />
+Instance Type :    t3a.xlarge<br />
+Allocation Tag :   siem<br />
+Image ID :         docker-duplo-ohio-ubuntu22<br />
+Disc Size :        100<br />
+
+3. Once SIEM host is up and running, deploy services
+ - opensearch
+ - siem
+ - dashboard
+
+ as follow
+  - Opensearch Service Deployment :
+    - Navigate to `Docker` tab.
+    - Select `services`.
+    - Add new service with configuration as follows:
+       - Name : opensearch
+       - DockerImage: duplocloud/wazuh-indexer:4.7.2-ssl
+       - DockerNetwork : Host Network
+       - AllocationTag : siem
+       - EnvironementVariables : "OPENSEARCH_JAVA_OPTS":"-Xms3g -Xmx3g"
+       - Volumes : "/data/es:/var/lib/wazuh-indexer"
+
+  - Siem Service Deployment:
+  - - Navigate to `Docker` tab.
+    - Select `services`.
+    - Add new service with configuration as follows:
+    -  - Name : siem
+       - DockerImage: duplocloud/wazuh-manager:4.7.2-ssl
+       - DockerNetwork : Host Network
+       - AllocationTag : siem
+       - EnvironementVariables : <br /> "INDEXER_URL" : "https://localhost:9200",<br /> "INDEXER_USERNAME" : "admin", <br />"INDEXER_PASSWORD" : "VyTeLYbHb@t9ayg",<br /> "FILEBEAT_SSL_VERIFICATION_MODE" : "none",<br /> "API_USERNAME" : "wazuh-wui", <br />"API_PASSWORD" : "UTim*Ppu9MXyQ6hm"
+       - Volumes : "/data/ossec_api_configuration:/var/ossec/api/configuration","/data/ossec_etc:/var/ossec/etc"
+
+  - Dashboard Service Deployment:
+  - - Navigate to `Docker` tab.
+    - Select `services`.
+    - Add new service with configuration as follows:
+    -  - Name : dashboard
+       - DockerImage: duplocloud/wazuh-dashboard:4.7.2-ssl
+       - DockerNetwork : Host Network
+       - AllocationTag : siem
+       - EnvironementVariables :<br /> "OPENSEARCH_HOSTS" : "https://localhost:9200" ,<br /> "WAZUH_API_URL" : "https://localhost" , <br />"API_PORT" : 55000, "RUN_AS" : false, <br />"INDEXER_USERNAME" : "admin" , <br />"INDEXER_PASSWORD" : "VyTeLYbHb@t9ayg", <br />"API_USERNAME" : "wazuh-wui", <br />"API_PASSWORD" : "UTim*Ppu9MXyQ6hm" , <br />"DASHBOARD_USERNAME" : "kibanaserver" ,<br /> "DASHBOARD_PASSWORD" : "L8JrB47!GNW3Zvx"
+
+4. Expose dashboard service internally using load-balancer to establish communication between SIEM & OPENSEARCH services.
+5. Create application load-balancers with following configurations :
+   - LB - 1
+     - Type : Application Loadbalancer
+     - Container Port : 5601
+     - External Port : 443
+     - Visibility : Internal Only
+     - Application Mode : Native App
+     - Health Check : "/proxy/duplosiem/translations/en.json"
+     - Backend Protocol : "https"
+     - Certificates : <As per Portal>
+
+   - LB - 2
+      - Type : Application Loadbalancer
+      - Container Port : 55000
+      - External Port : 55000
+      - Visibility : Internal Only
+      - Application Mode : Native App
+      - Health Check : "/"
+      - Backend Protocol : "https"
+      - Certificates : <As per Portal>
+      - Additional config = HTTP success code : 200-499
+
+  6. Update Security Firewall to enable communications
+     - Navigate to `tenants`.
+     - Locate `compliance` tenant.
+     - Update security with following configuration:
+       - Rule : 1
+         - SourceType : IP address
+         - IP CIDR : Custom
+         - CIDR Range : 10.0.0.0/8
+         - Protocol : TCP
+         - Port-Range : 1514 - 1514
+       - Rule : 2
+         - SourceType : IP address
+         - IP CIDR : Custom
+         - CIDR Range : 10.0.0.0/8
+         - Protocol : TCP
+         - Port-Range : 55000-55000
+
+   7. In order to setup reverse proxy we need to provide the credentials to the service. By default, kibana user credentials are configured with the service. We need to update to use `wazuh` credentials.
+   8. With encode we can use these `d2F6dWgtd3VpOlVUaW0qUHB1OU1YeVE2aG0=` credential to update the service.
+      - Steps:
+      - - SSM to master instance
+        - Navigate to `services` & locate `Duplo.ComplianceService`.
+        - Stop the service.
+        - Navigate to FOLDER section.
+        - Search `Duplo.ComplianceCore.exe.config` file under `Duplo.ComplianceService` folder.
+        - Open with Notepad ++
+        - Under "appSettings" section locate `WAZUHCREDENTIALS` and update with above credential.
+        - Save file & navigate to services to start `Duplo.ComplianceService`.
+
+   9. Go to Duplo portal nad navigate to `SECURITY` tab. "SIEM" will be available by now.
+   10. Last part is to setup reverse proxy to access `DASHBOARD`.
+   11. Use following command to setup proxy. The command can be hit from local machine as well. **NOTE** that openvpn is connected before running command.<br />
+curl --location 'https://<change>.duplocloud.net/admin/UpdateReverseProxyConfig' \
+--header 'Content-Type: application/json' \
+--header 'Authorization: Bearer <token>' \
+--data '{
+    "ProxyPath": "/duplosiem",
+    "BackendHostUrl": "https://<give-dashboard-service-url>",
+    "ForwardingPrefix": "/proxy/duplosiem",
+    "AllowedRoles": [
+        "Administrator",
+        "SecurityAdmin"
+    ],
+    "Authorization": "Basic d2F6dWhfdXNlcjpKZ0ZEUS5ZVEFaNEM3czk="
+}'
+12. Check SIEM dashboard to be up and running.
diff --git a/siem-docker-native-way/siem.svd b/siem-docker-native-way/siem.svd
@@ -0,0 +1,265 @@
+
+{
+	"TenantId": "##REPLACE_WITH_COMPLIANCE_TENANT_ID##",
+	"Name": "siem-setup",
+	"SchemaVersion": 1,
+	"ServiceType": "system",
+	"ServiceParameters": [],
+	"DisableAutoProvision": false,
+	"Roles": [
+        {
+            "Tags": [],
+            "Name": "opensearch",
+            "DockerImage": "duplocloud/wazuh-indexer:4.7.2-ssl",
+            "Replicas": 1,
+            "NetworkId": "default",
+            "AgentPlatform": 0,
+            "Volumes": "\"/data/es:/var/lib/wazuh-indexer\"",
+            "ExtraConfig": "{\n    \"OPENSEARCH_JAVA_OPTS\": \"-Xms3g -Xmx3g\"\n}",
+            "AllocationTags": "siem",
+            "ApplicationUrl": "",
+            "IsInfraDeployment": false,
+            "SecondaryTenant": "",
+            "LBConfigurations": [],
+            "OtherDockerConfig": "",
+            "OtherDockerHostConfig": "{\"NetworkMode\": \"host\", \"CapAdd\": [ \"NET_ADMIN\" ]}",
+            "DeviceIds": [],
+            "Cloud": 0,
+            "IsLBSyncedDeployment": true,
+            "ForceStatefulSet": false,
+            "IsDaemonset": false,
+            "IsReplicaCollocationAllowed": false,
+            "IsAnyHostAllowed": false,
+            "IsUniqueK8sNodeRequired": false,
+            "ShouldSpreadAcrossZones": false,
+            "IsCloudCredsFromK8sServiceAccount": false,
+            "TenantId": ""
+        },
+        {
+            "Tags": [],
+            "Name": "siem",
+            "DockerImage": "duplocloud/wazuh-manager:4.7.2-ssl",
+            "Replicas": 1,
+            "NetworkId": "default",
+            "AgentPlatform": 0,
+            "Volumes": "\"/data/ossec_api_configuration:/var/ossec/api/configuration\",\"/data/ossec_etc:/var/ossec/etc\"",
+            "ExtraConfig": "{\n    \"INDEXER_URL\": \"https://localhost:9200\",\n    \"INDEXER_USERNAME\": \"admin\",\n    \"INDEXER_PASSWORD\": \"VyTeLYbHb@t9ayg\",\n    \"FILEBEAT_SSL_VERIFICATION_MODE\": \"none\",\n    \"API_USERNAME\": \"wazuh-wui\",\n    \"API_PASSWORD\": \"UTim*Ppu9MXyQ6hm\"\n}",
+            "AllocationTags": "siem",
+            "ApplicationUrl": "",
+            "IsInfraDeployment": false,
+            "SecondaryTenant": "",
+            "LBConfigurations": [],
+            "OtherDockerConfig": "",
+            "OtherDockerHostConfig": "{\"NetworkMode\": \"host\", \"CapAdd\": [ \"NET_ADMIN\" ]}",
+            "DeviceIds": [],
+            "Cloud": 0,
+            "IsLBSyncedDeployment": true,
+            "ForceStatefulSet": false,
+            "IsDaemonset": false,
+            "IsReplicaCollocationAllowed": false,
+            "IsAnyHostAllowed": false,
+            "IsUniqueK8sNodeRequired": false,
+            "ShouldSpreadAcrossZones": false,
+            "IsCloudCredsFromK8sServiceAccount": false,
+            "TenantId": ""
+        },
+        {
+            "Tags": [],
+            "Name": "dashboard",
+            "DockerImage": "duplocloud/wazuh-dashboard:4.7.2-ssl",
+            "Replicas": 1,
+            "NetworkId": "default",
+            "AgentPlatform": 0,
+            "Volumes": "",
+            "ExtraConfig": "{\n    \"OPENSEARCH_HOSTS\": \"https://localhost:9200\",\n    \"WAZUH_API_URL\": \"https://localhost\",\n    \"API_PORT\": 55000,\n    \"RUN_AS\": false,\n    \"INDEXER_USERNAME\": \"admin\",\n    \"INDEXER_PASSWORD\": \"VyTeLYbHb@t9ayg\",\n    \"API_USERNAME\": \"wazuh-wui\",\n    \"API_PASSWORD\": \"UTim*Ppu9MXyQ6hm\",\n    \"DASHBOARD_USERNAME\": \"kibanaserver\",\n    \"DASHBOARD_PASSWORD\": \"L8JrB47!GNW3Zvx\"\n}",
+            "AllocationTags": "siem",
+            "ApplicationUrl": "",
+            "IsInfraDeployment": false,
+            "SecondaryTenant": "",
+            "LBConfigurations": [
+                {
+                    "ReplicationControllerName": "dashboard",
+                    "Protocol": "https",
+                    "Port": "5601",
+                    "DIPAddresses": [],
+                    "HostPort": 0,
+                    "IsInfraDeployment": false,
+                    "SetIngressHealthCheck": false,
+                    "ExternalPort": 443,
+                    "IsInternal": true,
+                    "ForHealthCheck": false,
+                    "HealthCheckUrl": "/proxy/duplosiem/translations/en.json",
+                    "CertificateArn": "##REPLACE_WITH_DEFAULT_PLAN_CERTIFICATE_ARN##",
+                    "IsNative": true,
+                    "LbType": 1,
+                    "TgCount": 0,
+                    "ExtraSelectorLabels": [],
+                    "HealthCheckConfig": {
+                        "HealthyThresholdCount": 0,
+                        "UnhealthyThresholdCount": 0,
+                        "HealthCheckTimeoutSeconds": 0,
+                        "HealthCheckIntervalSeconds": 0
+                    },
+                    "LbIndex": 0,
+                    "CustomCidrs": [],
+                    "TenantId": ""
+                },
+                {
+                    "ReplicationControllerName": "dashboard",
+                    "Protocol": "https",
+                    "Port": "55000",
+                    "DIPAddresses": [],
+                    "HostPort": 0,
+                    "IsInfraDeployment": false,
+                    "SetIngressHealthCheck": false,
+                    "ExternalPort": 55000,
+                    "IsInternal": true,
+                    "ForHealthCheck": false,
+                    "HealthCheckUrl": "/",
+                    "CertificateArn": "##REPLACE_WITH_DEFAULT_PLAN_CERTIFICATE_ARN##",
+                    "IsNative": true,
+                    "LbType": 1,
+                    "TgCount": 0,
+                    "ExtraSelectorLabels": [],
+                    "HealthCheckConfig": {
+                        "HealthyThresholdCount": 0,
+                        "UnhealthyThresholdCount": 0,
+                        "HealthCheckTimeoutSeconds": 0,
+                        "HealthCheckIntervalSeconds": 0,
+                        "HttpSuccessCode": "200-499"
+                    },
+                    "LbIndex": 0,
+                    "CustomCidrs": [],
+                    "TenantId": ""
+                }
+            ],
+            "OtherDockerConfig": "",
+            "OtherDockerHostConfig": "{\"NetworkMode\": \"host\", \"CapAdd\": [ \"NET_ADMIN\" ]}",
+            "DeviceIds": [],
+            "Cloud": 0,
+            "IsLBSyncedDeployment": true,
+            "ForceStatefulSet": false,
+            "IsDaemonset": false,
+            "IsReplicaCollocationAllowed": false,
+            "IsAnyHostAllowed": false,
+            "IsUniqueK8sNodeRequired": false,
+            "ShouldSpreadAcrossZones": false,
+            "IsCloudCredsFromK8sServiceAccount": false,
+            "TenantId": ""
+        }
+    ],
+	"NativeHosts": [
+		{
+			"Zone": 1,
+			"IsEbsOptimized": false,
+			"DesiredCapacity": 0,
+			"MinSize": 0,
+			"MaxSize": 0,
+			"MetaData": [
+				{
+					"Key": "OsDiskSize",
+					"Value": "100"
+				},
+				{
+					"Key": "MetadataServiceOption",
+					"Value": "enabled"
+				}
+			],
+			"UseLaunchTemplate": true,
+			"FriendlyName": "siem",
+			"ImageId": "##REPLACE_WITH_LATEST_AMI##",
+			"Capacity": "t3a.xlarge",
+			"IsMinion": true,
+			"Base64UserData": "IyEvYmluL2Jhc2gKZWNobyAiTWFraW5nIGRhdGEgZGlyZWN0b3J5Igpta2RpciAtcCAvZGF0YS9lcwpta2RpciAtcCAvZGF0YS9vc3NlY19hcGlfY29uZmlndXJhdGlvbgpta2RpciAtcCAvZGF0YS9vc3NlY19ldGMKCmVjaG8gIkdpdmluZyBwZXJtaXNzaW9ucyAiCmNobW9kIDc3NyAvZGF0YS9lcyAKY2htb2QgNzc3IC9kYXRhL29zc2VjX2FwaV9jb25maWd1cmF0aW9uCmNobW9kIDc3NyAvZGF0YS9vc3NlY19ldGMKZWNobyAiMTI3LjAuMC4xIiAkKGhvc3RuYW1lKSA+PiAvZXRjL2hvc3RzCmVjaG8gIlNldHRpbmcgbWF4X21hcF9jb3VudCBmb3Igb3BlbnNlYXJjaCIKc3lzY3RsIC13IHZtLm1heF9tYXBfY291bnQ9MjYyMTQ0CmVjaG8gInZtLm1heF9tYXBfY291bnQ9MjYyMTQ0IiA+PiAvZXRjL3N5c2N0bC5jb25mCgo=",
+			"AgentPlatform": 0,
+			"Cloud": 0,
+			"AllocatedPublicIp": false,
+			"MinionTags": [],
+			"EncryptDisk": false
+		}
+	],
+	"AzureHosts": [],
+	"NativeHostCustomData": [
+		{
+			"ComponentId": "siem",
+			"ComponentType": 2,
+			"Key": "AllocationTags",
+			"Value": "siem"
+		},
+		{
+			"ComponentId": "siem",
+			"ComponentType": 2,
+			"Key": "siem",
+			"Value": "true"
+		}
+	],
+	"CustomData": [],
+	"S3Buckets": [],
+	"SgRules": [
+		{
+			"SourceInfos": [
+				{
+					"Type": 1,
+					"Value": "10.0.0.0/8",
+					"Description": "Agents connection services"
+				}
+			],
+			"ServiceType": 0,
+			"ToPort": 1514,
+			"FromPort": 1514,
+			"ServiceProtocol": "tcp"
+		},
+		{
+			"SourceInfos": [
+				{
+					"Type": 1,
+					"Value": "10.0.0.0/8",
+					"Description": "Syslog collector"
+				}
+			],
+			"ServiceType": 0,
+			"ToPort": 514,
+			"FromPort": 514,
+			"ServiceProtocol": "tcp"
+		},
+		{
+			"SourceInfos": [
+				{
+					"Type": 1,
+					"Value": "10.0.0.0/8",
+					"Description": "SIEM cluster deamon"
+				}
+			],
+			"ServiceType": 0,
+			"ToPort": 1516,
+			"FromPort": 1516,
+			"ServiceProtocol": "tcp"
+		},
+		{
+			"SourceInfos": [
+				{
+					"Type": 1,
+					"Value": "10.0.0.0/8",
+					"Description": "SIEM syslog collector"
+				}
+			],
+			"ServiceType": 0,
+			"ToPort": 514,
+			"FromPort": 514,
+			"ServiceProtocol": "udp"
+		},
+		{
+			"SourceInfos": [
+				{
+					"Type": 1,
+					"Value": "10.0.0.0/8",
+					"Description": "Agents connection service"
+				}
+			],
+			"ServiceType": 0,
+			"ToPort": 1514,
+			"FromPort": 1514,
+			"ServiceProtocol": "udp"
+		}
+	]
+}