Skip to main content

I. Setup & Hardware Tuning

A. Prerequisite

1. Common Prerequisites (Applies to Both VM & Bare-Metal)

  • Operating System: The T-Guard installation script requires a Debian-based platform and will explicitly block non-Linux environments; however, it is highly recommended to use a clean Ubuntu Live Server 24.04 LTS installation to ensure maximum resource efficiency and full compatibility with the automated deployment stack.
  • Network Addressing: A static/dedicated IP address is required. setup.sh detects the host IP once during installation and hardcodes it into all dashboard URLs and inter-service integrations (n8n ↔ MISP ↔ IRIS ↔ Wazuh). An IP change will break these integrations.

2. Virtual Machine Version

The resource requirements below define the allocation variables needed inside the guest OS framework. Note:
  1. Host Overhead Buffering: The requirements listed above are for the Guest VM allocation. Your physical host machine (PC/Laptop running VirtualBox) must possess at least +2 vCPUs and +4 GB RAM above these limits so the hypervisor does not lock up the host OS.
  2. VirtualBox Tuning Parameters: You must set your VM Network to Paravirtualized Network (virtio-net) and check Enable Host I/O Cache under your storage controllers to prevent database timeout faults (detail on step 1B).

3. Bare-Metal / Cloud Host Version

The resource requirements below define the allocation variables needed for the OS framework. Note:
  1. Required SOC Firewall Port Openings — Ensure your internal firewalls (e.g., UFW) or Cloud Security Groups allow inbound traffic on these explicit application ports. Do not expose these ports directly to the public internet; restrict entry using a secure VPN, a bastion host proxy, or explicit institutional IP address whitelists.

B. Hardware Performance Tuning (Virtual Machine in VirtualBox)

1

Change Network to Paravirtualized Network (virtio-net)

Vbox Network Virtio
Why: Paravirtualization allows the VM’s network interface to communicate directly with the physical host machine instead of using a slow hardware-emulation layer. This maximizes network throughput and prevents log delays between your security agents and the central manager.
2

Enable Host I/O Cache

Vbox Host Io Cache
Why: Enabling this setting allows virtual storage disks to directly tap into the host system’s RAM caching layer. This drastically improves Read/Write speeds during intense security database tasks, such as loading index tables in Opensearch or MariaDB.
3

Select Ubuntu Server (minimized)

Ubuntu Server Minimized
Why: This version is customized to have a small runtime footprint to save vital system memory and storage space on your machine.

II. Installation Steps

1

Clone the repository

2

Move to the directory and execute the installation script

Install Terminal Clone
3

Navigate the CLI dashboard

This is the interactive Command Line Interface (CLI) dashboard for managing the T-Guard framework. Users can navigate up and down using arrow keys, type keywords to filter specific choices, and press enter to execute operations. The core menu functionalities include:
Tguard Main Menu
[1] Full Installation: Automatically provisions and installs the complete internal security stack (Wazuh, n8n, IRIS, and MISP).[2] Integrate Manual: Allows users to link, adjust, or override custom operational API connection tokens between active platforms.[3] PoC (Proof of Concept): Launches local attack scenarios (e.g., SSH brute force, EICAR malware execution) to verify that SIEM detection and correlation rules work properly.[4] Inject n8n Workflows: Pushes structural incident triage, deduplication, and alerting blueprint playbooks straight into the automation engine.[5] View Default Credentials: Prints the initial system dashboard web addresses, ports, configurations, and default user passwords.[6] Uninstall: Safely stops all containers and purges all deployed components to return the host system to its clean original state.

III. Step 1: Full Installation

Select Option [1] to perform a complete deployment of the SOC platform stack.
Install Terminal Clone
Select SOAR Engine:
1

Choose your orchestration platform

Choose your preferred orchestration platform. Select n8n (Lightweight, Highly Recommended).
Soar Engine Select
2

Advanced Configuration

Select NO to automatically deploy the entire system using standard, optimized default settings.
Advanced Config Prompt
3

VirusTotal Integration

Select YES if you want to perform automated threat scanning inside the SIEM.
Virustotal Integration Prompt
4

Enter your VirusTotal API Key

You will be prompted to paste your 64-character VirusTotal API Key.
Virustotal Api Key Input
Note: If using a VirusTotal free-tier key, note it has rate limits (usually per-minute/per-day caps), so high alert volume may delay or fail enrichment requests.
5

Confirm Deployment

Select “Yes, start deployment!” to begin the stack installation.
Confirm Deployment Prompt
6

Review the default access endpoints

Upon successful deployment, the system displays the default access endpoints:
Deployment Complete Credentials
Security Reminder: Change all default passwords immediately! Enable your firewall (sudo ufw enable) and restrict access exclusively to production ports: 443, 1443, 5678, 8443, 9200, 55000.
7

Configure the IRIS and MISP API keys

Right after Step 1 (Full Installation) completes, the installer will show an ACTION REQUIRED alert:
Action Required Api Config
Action Alert: The terminal warns you that the SOC is running but cannot automate data flow yet because the IRIS and MISP API keys must be generated manually from their respective dashboards.Next Steps Menu: You are given direct options to proceed forward immediately, choose 2: [2] Proceed to Integrate Manual (Configure APIs): Choose this option to jump directly into the setup screens for your API tokens.The installer guides you through these prompt fields:
1

IRIS DFIR Integration

  • IRIS Dashboard URL: Input the incident response application gateway
Iris Dashboard Url Prompt
  • IRIS API Key: Paste the unique integration token generated directly from your IRIS dashboard profile (Profile -> My Settings -> API Key)
Iris Api Key Profile
2

MISP Threat Intelligence Integration

  • MISP Platform URL: Input the local threat intel repository path
Misp Platform Url Prompt
  • MISP API Key: Paste the administrative authorization key retrieved from the MISP web console (Administration -> List Auth Keys)
Misp Auth Key Created
8

Access all dashboards

Try to access all the dashboard:
Wazuh Dashboard Overview
N8n Setup Owner Account
Iris Dashboard Overview
Misp Dashboard Events

IV. Step 2: Integrate Manual (Configure APIs)

Select Option [2] to link or reconfigure the API connections between all external security platforms and your central orchestration engine (n8n). If the host IP changes (e.g. after a DHCP restart or VM migration), all dashboard URLs and integrations will break, since the IP was hardcoded during install, update the URL fields (Wazuh, IRIS, MISP, n8n), and re-submit each API key. Also check this menu if an integration suddenly fails: the IRIS/MISP key may have expired or been revoked from its own dashboard.
1

Wazuh SIEM Integration

  • Wazuh Manager URL: Input your deployment host address
  • Wazuh API Password: Provide the secure API password (defaults to the system credentials generated during installation)
Wazuh Integration Prompt
2

IRIS DFIR Integration

  • IRIS Dashboard URL: Input the incident response application gateway
Iris Dashboard Url Prompt
  • IRIS API Key: Paste the unique integration token generated directly from your IRIS dashboard profile (Profile -> My Settings -> API Key)
Iris Api Key Profile
3

MISP Threat Intelligence Integration

  • MISP Platform URL: Input the local threat intel repository path
Misp Platform Url Prompt
  • MISP API Key: Paste the administrative authorization key retrieved from the MISP web console (Administration -> List Auth Keys)
Misp Auth Key Created
4

n8n Orchestration

  • n8n Target URL: Input the orchestration engine dashboard address
N8n Url Prompt
5

VirusTotal Integration (Threat Enrichment Layer)

  • VirusTotal API Key (Optional): If you skipped the automated VirusTotal onboarding during the initial Full Installation phase, or if you need to update an expired key, paste your 64-character key here.
Virustotal Optional Prompt
Note: This token allows the Wazuh manager to forward extracted file hashes (such as malware diagnostic strings for POC) to the VirusTotal cloud engine for structural threat scoring.
6

Save and apply the integration

Select “Yes, SAVE and apply” at the bottom prompt. The installer engine will bundle your configurations and output a secure state schema to:
7

Activation Notice

These integrations will lock in and apply across your SOC ecosystem upon the next scheduled T-Guard service container restart.

V. Step 3: PoC (Proof of Concept) Simulation

Select Option [3] to test your defensive monitoring rules against simulated real-world attack behaviors.
Tguard Main Menu Poc
Select your target host IP (defaults to loopback 127.0.0.1) and toggle the security scenarios you want to run:
Poc Scenario Select Target Ip
1

A. SSH Brute Force Simulation

Execution: Simulates an attacker trying to guess passwords by attempting 10 invalid login rounds on the host machine using non-existent usernames.
Poc Bruteforce Output
SIEM Verification: You will see alert hits flagged as “Password Guessing, SSH” and “sshd brute force trying to get access to the system”.
Wazuh Bruteforce Alerts
2

B. EICAR Malware Detection Test

Execution: Drops an industry-standard EICAR malware test string file into monitored server folders (/root/eicar.com and /home/user/nusantara/usecase/webdeface/uploads/eicar-sample.txt)
Poc Eicar Output
SIEM Verification: The agent instantly catches the file writing event.
Wazuh Eicar Detection
It triggers a VirusTotal Alert within the log engine, showing that up to 61 engines flagged the signature.
Virustotal Eicar Detections
3

C. Web Defacement Detection

Execution: Simulates a website defacement compromise by modifying the application file index (/home/user/nusantara/usecase/webdeface/index.html).
Poc Webdeface Output
SIEM Verification: T-Guard triggers a “Stored Data Manipulation” alert event. Wazuh catches the File Integrity Monitoring (FIM) change in real-time, logging the modified attributes, timestamp modifications, and cryptographic checksum differences (Old md5sum vs New md5sum).
Wazuh Fim Webdeface Alert

VI. Step 4: Inject n8n Workflows

Select Option [4] to automatically load pre-built blueprint playbooks into your n8n orchestration instance.
1

Inject the workflows

Select “Yes, inject workflows” at the prompt. The installer will verify that the n8n container is up and running before importing the playbooks.
Tguard Main Menu Inject N8n
2

Review the playbooks loaded

The system injects 4 essential SOC automation workflows directly into n8n:
N8n Workflows Overview
a. Master Triage: Receives raw alerts from the Wazuh Webhook, extracts the Indicators of Compromise (Extract IOC), and splits the data into three paths: Trigger Enrichment, Trigger IRIS, and Trigger Notification.b. IP Enrichment & Anti-Dupe: Takes the parsed data, filters out repetitive IP addresses (Check Duplicate IP), and queries AbuseIPDB and VirusTotal only if the IP is new (IF Not Scanned).c. IRIS Incident Response Anti-Dupe: Checks if a ticket already exists for the alert (Search IRIS Case). If the Case Exists, it updates the ticket (Add Note); if not, it opens a new one (Create Case).d. Notification Dispatcher: Takes the final alert details and sends a direct security message to your team’s chat group using the Telegram node (sendMessage).Activation: Once injected, log into your n8n web dashboard to view, review, and turn on the playbooks. The workflow templates are ready to use, but you may need to manually update or adjust the URL fields inside the nodes to match your network path (please refer to the official n8n documentation: https://docs.n8n.io/integrations).

VII. Step 5: View Default Credentials

Select Option [5] from the main menu if you need to display the default system passwords and access URLs that were generated during the initial deployment.
Tguard Main Menu View Credentials
  • This option is helpful if you lose your login details or need a quick reference to access your web dashboards.
  • When selected, the terminal will print a secure text block containing the exact URLs, ports, and default usernames for Wazuh, n8n, IRIS, and MISP.
Tguard Deployment Complete Credentials
Security Check: The screen will display a warning reminder to change these default passwords immediately to prevent unauthorized access to your SOC stack if you going to use this for production.

VIII. Step 6: Uninstall T-Guard Components

Select Option [6] only when you need to completely remove the T-Guard platform from your host system.
Tguard Main Menu Uninstall
  • Automated Cleanup: The installer engine stops all active security services and cleanly deletes the operational containers from your Docker environment.
  • Data Removal: This process clears out internal system states, temporary deployment certificates, and network port mappings.
  • Final State: Your Ubuntu host environment is returned to its original configuration, leaving your hardware resources free for other applications.