Home
Welcome to the S1EM wiki!
This project is a SIEM with SIRP and Threat Intel,all in one.
Solution work with CentOS 7 and kernel 5 ( For Auditbeat ), and docker.
Inside the solution:
- Elasticsearch
- Kibana
- Filebeat
- Logstash
- Metricbeat
- Auditbeat
- Elastalert
- TheHive
- Cortex
- MISP
- OpenCTI
- Suricata 5
- Zeek 3
- FleetDm
- StoQ
- Heimdall
- Traefik
Note: Cortex v3.1 use ELK connector and the OpenCTI v4 connector
You must have:
- 12 Go Ram
- 75 Go DD
- 8 cpu
- 1 network for monitoring
You must have:
- 32 Go Ram
- More than 75 Go DD
- 8 cpu
- 1 network for monitoring
- Installation Guide
- Configuration Guide
- Access Guide
- Detection Guide
- Architecture Guide
- Troubleshooting Guide
git clone https://github.com/V1D1AN/S1EM.git
cd S1EM
Edit the file "env.sample" and change the password for "elastic".
Change the account and the password of "OpenCTI".
After, run the command:
bash deploy.sh
Use the upgrade script for upgrading your S1EM infrastructure
bash upgrade.sh
if you see Merge conflict messages, resolve the conflicts with your favorite text editor
The Url of S1EM:
https://s1em.cyber.local
Note: You must add in your host file the name and the @IP of the solution.
Accounts:
| Application | user | password |
|---|---|---|
| Traefik | admin | admin |
| Kibana | elastic | your password |
| TheHive | admin@thehive.local | secret |
| Cortex | your username | your password |
| FleetDm | your username | your password |
| Misp | admin@admin.test | admin |
| OpenCTI | User in env.sample | your password |
Go to the interface MISP
Enter the login: "admin@admin.test"
Enter the password: "admin"
Enter a new password for MISP
After go to "Automation" and get the API Key.
Follow the official documentation for create an organization and a API key for TheHive:
https://github.com/TheHive-Project/TheHiveDocs/blob/master/TheHive4/User/Quick-start.md
get the API Key.
Follow the official documentation for create an organization and a API key for Cortex:
https://github.com/TheHive-Project/CortexDocs/blob/master/admin/quick-start.md
get the API Key.
once you have the API Key, to simplify the deployment. Use the script and enter the different API Keys.
cd S1EM
bash deploy_api_key.sh
For the detection, you can use the detection rules of Elasticsearch from the project "https://github.com/elastic/detection-rules" or, you can use SigmaHQ. In this example, we will use SigmaHQ:
Before, we must install SigmaHQ
git clone https://github.com/SigmaHQ/sigma.git
cd sigma/tools
python3 setup.py install
Then, you have to convert rules to integrate them in the Kibana interface
One rule:
./sigmac -t es-rule -c config/generic/sysmon.yml -c config/winlogbeat-modules-enabled.yml PATH_TO_THE_RULES.yml > rule.ndjson
curl -X POST "https://localhost/kibana/api/detection_engine/rules/_import?overwrite=true" -u 'elastic:changeme' -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@/tmp/rule.ndjson"
Several rules (Windows example):
./sigmac -t es-rule -c config/generic/sysmon.yml -c config/winlogbeat-modules-enabled.yml -I --backend-config backend.yml -r ../rules/windows -o /tmp/rules-windows.ndjson
curl -X POST "https://localhost/kibana/api/detection_engine/rules/_import?overwrite=true" -u 'elastic:changeme' -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@/root/rules-windows.ndjson"
In my backend file, i have one option:
keyword_base_fields: '*'
Or you transfert the file rule with Winscp ( for example ) and import the rule from the Kibana interface.
If you want to use the rule of elasticsearch, go to Kibana Interface.
Security >> Detections >> Manage Detection Rules >> Load Elastic prebuilt rules
The architecture of the project S1EM:
Docker-compose must be installed on the system
The user must be on the group "docker" or you do that:
sudo groupadd docker
sudo usermod -aG docker $USER
Run the following command or Logout and login again and run (that doesn't work you may need to reboot your machine first)
newgrp docker
Check if docker can be run without root
docker ps
vi /etc/rsyslog.conf
Add the following line:
$FileCreateMode 0644
Filebeat can read the logs in the "/var/log" with the user rights
