tum 1 month ago
Parent commit 9ffefbf37c
1 file changed with 139 additions and 0 deletions
README.md
+ 139 - 0
@@ -0,0 +1,139 @@
+# FoodProject SOC Lab
+
+This repository runs a combined SOC lab with:
+
+- `wazuh-docker` (single-node)
+- `iris-web`
+- `Shuffle`
+- `pagerduty-stub`
+- `soc-integrator` (FastAPI)
+
+All services are connected through a shared Docker network (`soc_shared`).
+
+## Prerequisites
+
+- Docker + Docker Compose plugin
+- Bash
+- `nc` (for test event script)
+
+## Quick Start
+
+Start all services (detached):
+
+```bash
+./run-combined-stack.sh up --all -d
+```
+
+Start all and stream logs:
+
+```bash
+./run-combined-stack.sh up --all
+```
+
+Stop all:
+
+```bash
+./run-combined-stack.sh down --all
+```
+
+Status overview:
+
+```bash
+./run-combined-stack.sh status
+```
+
+## Service URLs
+
+- Wazuh Dashboard: `https://localhost`
+- Wazuh API: `https://localhost:55000`
+- IRIS-web: `https://localhost:8443`
+- Shuffle UI: `http://localhost:3001`
+- PagerDuty Stub: `http://localhost:18080`
+- SOC Integrator API: `http://localhost:8088`
+- SOC Integrator Swagger: `http://localhost:8088/docs`
+
+## SOC Integrator
+
+Key env file:
+
+- `soc-integrator/.env`
+
+Main sections:
+
+- Legacy integration APIs (`/wazuh/*`, `/shuffle/*`, `/action/*`)
+- MVP orchestration APIs (`/mvp/*`)
+
+### MVP endpoints
+
+- `POST /mvp/incidents/ingest`
+- `POST /mvp/ioc/evaluate`
+- `POST /mvp/vpn/evaluate`
+- `GET /mvp/config/policies`
+- `PUT /mvp/config/policies`
+- `GET /mvp/health/dependencies`
+
+Protected endpoints require:
+
+- Header: `X-Internal-API-Key`
+- Key from: `SOC_INTEGRATOR_INTERNAL_KEY` in `soc-integrator/.env`
+
+### Example: MVP ingest
+
+```bash
+curl -X POST http://localhost:8088/mvp/incidents/ingest \
+  -H 'Content-Type: application/json' \
+  -H 'X-Internal-API-Key: dev-internal-key' \
+  -d '{
+    "source":"manual",
+    "event_type":"ioc_ips",
+    "event_id":"evt-1",
+    "timestamp":"2026-02-12T16:00:00Z",
+    "severity":"high",
+    "title":"Test IOC",
+    "description":"MVP test",
+    "asset":{"hostname":"labhost","user":"analyst"},
+    "network":{"src_ip":"203.0.113.10","country":"US"},
+    "tags":["mvp","test"],
+    "risk_context":{"admin_account":true},
+    "raw":{},
+    "payload":{}
+  }'
+```
+
+## Test Events to Wazuh
+
+Send synthetic events via syslog UDP 514:
+
+```bash
+scripts/send-wazuh-test-events.sh all
+```
+
+Scenarios:
+
+- `ioc_dns`
+- `ioc_ips`
+- `vpn_outside_th`
+- `windows_auth_fail`
+- `all`
+
+See `scripts/README.md` for details.
+
+## Logs
+
+All logs (non-follow):
+
+```bash
+./run-combined-stack.sh logs --all --tail 200
+```
+
+Follow one stack:
+
+```bash
+./run-combined-stack.sh logs integrator -f
+./run-combined-stack.sh logs wazuh -f
+```
+
+## Notes
+
+- MVP escalation is wired to `pagerduty-stub` (not real PagerDuty).
+- IRIS-web is used as case management backend (replacing DFIRTrack).
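Review bot: the curl example under `### Example: MVP ingest` hardcodes `X-Internal-API-Key: dev-internal-key`, while the section just above says the key comes from `SOC_INTEGRATOR_INTERNAL_KEY` in `soc-integrator/.env`; read it from the environment instead (e.g. `-H "X-Internal-API-Key: ${SOC_INTEGRATOR_INTERNAL_KEY}"`) so a copied default does not end up in a real deployment. The `## SOC Integrator` section should also say which of the listed `/mvp/*` endpoints are the protected ones, and that `soc-integrator/.env` must stay out of version control since it holds that key.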