# Building a SIEM - 1 - Understanding the Parts

04-21-2025

Tags: #Wazuh #Graylog #Shuffle #TheHive #Velociraptor #SIEM

Links: [[Building a SIEM - 2 - Installing Wazuh]]

---

**Table of Contents**

- [[#Getting a Feel for SIEMs|Getting a Feel for SIEMs]]
- [[#The Components|The Components]]
- [[#The Flow of Data|The Flow of Data]]
- [[#Why This Stack?|Why This Stack?]]
- [[#So, What's the Goal again?|So, What's the Goal again?]]
- [[#References|References]]

---

## Getting a Feel for SIEMs

The goal of this post is two parts:

1. To be able to demonstrate how the data is flowing for the SIEM that we will be building, and to be able to draw a diagram of the flow of data.
2. To have a functioning SIEM that we can use to practice our blue-teaming skills, like threat hunting and performing triage.

I'm following along with DFIR's [*SOC Automation Project (Home Lab)|Part 1*](https://www.youtube.com/watch?v=XR3eamn8ydQ) as my template for the home lab, as well as a guide from Taylor Walton, which you can view [here](https://www.youtube.com/watch?v=t4EJ98BNcvw&list=PLB6hQ_WpB6U0WeroZAfssgRpxW8olnkqy).

## The Components

There are going to be a lot of moving parts, but the core of the SIEM will be built on Wazuh, which will have Graylog to supplement it, and our SOAR will depend on Shuffle.

**The Stack**

1. **Wazuh Agent**: This is installed on the client machine to send and receive alerts and instructions.
2. **Wazuh Manager**: This is our agent alert collector, our manager for the alerts. It monitors the logs and triggers alerts based on rules, taking advantage of Wazuh's awesome ruleset.
3. **Graylog** (Version 6.1.10): This aggregates our logs and is used as an analyzer, receiving logs from Wazuh, and also makes it easier to search, filter, and visualize. We'll be using it to write to our Wazuh backend, the Wazuh Indexer.
4. **Shuffle**: This is our SOAR; it takes the triggers from Wazuh and Graylog and turns them into responses.
It also gets more information from the internet to enrich our alerts (VirusTotal, AbuseIPDB), giving us further insight. It can also start the remediation process and send information to TheHive.
5. **TheHive**: This creates cases based on the alerts, making it easier to escalate or follow the progress of alerts.
6. **Velociraptor**: This is an endpoint investigation and threat hunting tool. TheHive can trigger Velociraptor to run live forensics, get memory dumps, and check for persistence, and it can help confirm or refute threats during an incident.

## The Flow of Data

It's important to know how data is supposed to flow between all the moving parts; otherwise, how are you supposed to fix it when it inevitably breaks?

1. **Agent**: The Windows machine agent sends events to the Wazuh Manager.
2. **Wazuh Manager** receives logs from the agents and then forwards them to **Graylog**. Graylog will normalize and aggregate these logs.
3. **Graylog** will write the logs to the **Wazuh Indexer**, taking advantage of Wazuh's advanced rules to analyze the logs and send alerts based on those rules.
4. **Shuffle** receives Wazuh alerts and sends responsive actions.
    - **Shuffle** IOCs are also enriched by **OSINT**.
    - An email is then sent to the SOC analyst for potential responsive actions.
5. **TheHive** creates cases in case management for better collaboration.
6. **Velociraptor** is triggered by TheHive to perform forensics, checks, and retrievals.

You can visualize it like so:

![[siem_data_flow.png]]

## Why This Stack?

Now, when it comes to SIEMs, there are a lot of options! Wazuh is a great, beginner-friendly base because of how easy it is to get up and running, and it comes out of the box with tons of features and enrichment, like compliance auditing and [[MITRE ATT@CK framework]] correlation. More time for us to *practice* our blue-teaming instead of troubleshooting.
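Returning to the flow of data laid out in the previous section, here is an added example (not code from this post, nor from Wazuh, Shuffle or TheHive) that walks a constructed Wazuh-style alert through the Shuffle enrichment step and the TheHive and Velociraptor hand-offs. The alert fields, the rule-level thresholds and the internal-network list are all assumptions made for the example.

```python
"""Trace one Wazuh alert through the Shuffle -> TheHive -> Velociraptor hand-offs
described above. Added example, not code from the post, Wazuh, Shuffle or TheHive;
the alert records, thresholds and internal-network list are assumptions."""
import ipaddress
import json
import re

# Constructed samples shaped like (simplified) Wazuh alerts.json records.
HIGH_ALERT = json.dumps({
    "rule": {"id": "100200", "level": 12, "mitre": {"id": ["T1110"]},
             "description": "Multiple failed logons followed by a success"},
    "agent": {"id": "001", "name": "WIN10-LAB"}, "data": {"srcip": "203.0.113.45"},
    "full_log": "suspicious binary md5=0123456789ABCDEF0123456789abcdef",
})
# Low-severity noise from inside the lab: index it and do nothing more.
LOW_ALERT = json.dumps({
    "rule": {"id": "5402", "level": 3, "description": "Successful sudo to ROOT"},
    "agent": {"id": "002", "name": "UBUNTU-LAB"},
    "data": {"srcip": "192.168.1.20"}, "full_log": "sudo: user : TTY=pts/0",
})
# Assumption: the lab's internal ranges; OSINT lookups on these waste API quota.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def extract_iocs(alert):
    """IOCs Shuffle would hand to OSINT: IPs for AbuseIPDB, hashes for VirusTotal."""
    hashes = sorted({h.lower() for h in MD5_RE.findall(alert.get("full_log", ""))})
    iocs = {"ips": [], "hashes": hashes}
    src = alert.get("data", {}).get("srcip")
    if src and not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
        iocs["ips"].append(src)
    return iocs


def route_alert(raw, case_level=10, forensics_level=12):
    """Decide what each downstream component does with the alert. Thresholds are
    assumptions: >= case_level opens a TheHive case, >= forensics_level also triggers Velociraptor."""
    alert = json.loads(raw)
    level = alert["rule"]["level"]
    return {
        "agent": alert["agent"]["name"],
        "rule_id": alert["rule"]["id"],
        "mitre": alert["rule"].get("mitre", {}).get("id", []),
        "enrich": extract_iocs(alert),              # Shuffle OSINT step
        "hive_case": level >= case_level,           # TheHive case creation
        "velociraptor": level >= forensics_level,   # TheHive -> Velociraptor trigger
    }
```

Calling `route_alert(HIGH_ALERT)` reports the external IP and hash for enrichment and flags both a TheHive case and a Velociraptor run, while `route_alert(LOW_ALERT)` yields nothing to enrich and no case.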
Other notable SIEMs include:

- The Elasticsearch Stack: Elasticsearch, Logstash, Kibana (also known as the ELK stack)
- Splunk
- Microsoft Sentinel (if using Microsoft services)

These are going to be seen more in enterprise-level operations due to how robust they are, but the costs that they come with exclude them from a lot of home labs, like the one that we are building here. Splunk is expensive, and Elasticsearch can require a subscription.

Regarding the ELK stack, Wazuh actually uses a fork of Elasticsearch (called OpenSearch) as its indexer! Wazuh itself uses OSSEC technology, which is a little bit older. It is recommended by some security professionals to use Elasticsearch even in a homelab setting, but for our purposes, Wazuh will be sufficient.

If you're looking to improve your skills with enterprise tools, Splunk offers trainings on their site, which you can view [here](https://www.splunk.com/).

## So, What's the Goal again?

This post was just covering and visualizing how we want our system to work. Overall, the goal for the entire project is to have a functioning SIEM that we can use to practice threat hunting, develop alerts, and practice triage, as well as other traditional SOC responsibilities. Add in a little enrichment here and there and you have a pretty solid base to be able to practice as well as experiment.

Thanks for joining me on my homelab adventure. I'll see you in the next post, where we'll start building the stack up!

---

## References

> DFIR, *SOC Automation Project (Home Lab)|Part 1*: https://www.youtube.com/watch?v=XR3eamn8ydQ
> Splunk Website: https://www.splunk.com/
> Taylor Walton, *World's Best SIEM Stack - Build your own Security Stack For FREE! - INTRO*: https://www.youtube.com/watch?v=t4EJ98BNcvw&list=PLB6hQ_WpB6U0WeroZAfssgRpxW8olnkqy