I. Setup & Hardware Tuning
A. Prerequisite
1. Common Prerequisites (Applies to Both VM & Bare-Metal)
- Operating System: The T-Guard installation script requires a Debian-based platform and will explicitly block non-Linux environments; however, it is highly recommended to use a clean Ubuntu Live Server 24.04 LTS installation to ensure maximum resource efficiency and full compatibility with the automated deployment stack.
- Network Addressing: A static/dedicated IP address is required.
setup.shdetects the host IP once during installation and hardcodes it into all dashboard URLs and inter-service integrations (n8n ↔ MISP ↔ IRIS ↔ Wazuh). An IP change will break these integrations.
2. Virtual Machine Version
The resource requirements below define the allocation variables needed inside the guest OS framework.- Host Overhead Buffering: The requirements listed above are for the Guest VM allocation. Your physical host machine (PC/Laptop running VirtualBox) must possess at least +2 vCPUs and +4 GB RAM above these limits so the hypervisor does not lock up the host OS.
- VirtualBox Tuning Parameters: You must set your VM Network to Paravirtualized Network (virtio-net) and check Enable Host I/O Cache under your storage controllers to prevent database timeout faults (detail on step 1B).
3. Bare-Metal / Cloud Host Version
The resource requirements below define the allocation variables needed for the OS framework.- Required SOC Firewall Port Openings — Ensure your internal firewalls (e.g., UFW) or Cloud Security Groups allow inbound traffic on these explicit application ports. Do not expose these ports directly to the public internet; restrict entry using a secure VPN, a bastion host proxy, or explicit institutional IP address whitelists.
B. Hardware Performance Tuning (Virtual Machine in VirtualBox)
Change Network to Paravirtualized Network (virtio-net)

Enable Host I/O Cache

Select Ubuntu Server (minimized)

II. Installation Steps
Clone the repository
Move to the directory and execute the installation script

Navigate the CLI dashboard

III. Step 1: Full Installation
Select Option [1] to perform a complete deployment of the SOC platform stack.
Choose your orchestration platform

Advanced Configuration

VirusTotal Integration

Enter your VirusTotal API Key

Confirm Deployment

Review the default access endpoints

sudo ufw enable) and restrict access exclusively to production ports: 443, 1443, 5678, 8443, 9200, 55000.Configure the IRIS and MISP API keys

IRIS DFIR Integration
- IRIS Dashboard URL: Input the incident response application gateway

- IRIS API Key: Paste the unique integration token generated directly from your IRIS dashboard profile (Profile -> My Settings -> API Key)

MISP Threat Intelligence Integration
- MISP Platform URL: Input the local threat intel repository path

- MISP API Key: Paste the administrative authorization key retrieved from the MISP web console (Administration -> List Auth Keys)

Access all dashboards




IV. Step 2: Integrate Manual (Configure APIs)
Select Option [2] to link or reconfigure the API connections between all external security platforms and your central orchestration engine (n8n). If the host IP changes (e.g. after a DHCP restart or VM migration), all dashboard URLs and integrations will break, since the IP was hardcoded during install, update the URL fields (Wazuh, IRIS, MISP, n8n), and re-submit each API key. Also check this menu if an integration suddenly fails: the IRIS/MISP key may have expired or been revoked from its own dashboard.Wazuh SIEM Integration
- Wazuh Manager URL: Input your deployment host address
- Wazuh API Password: Provide the secure API password (defaults to the system credentials generated during installation)

IRIS DFIR Integration
- IRIS Dashboard URL: Input the incident response application gateway

- IRIS API Key: Paste the unique integration token generated directly from your IRIS dashboard profile (Profile -> My Settings -> API Key)

MISP Threat Intelligence Integration
- MISP Platform URL: Input the local threat intel repository path

- MISP API Key: Paste the administrative authorization key retrieved from the MISP web console (Administration -> List Auth Keys)

n8n Orchestration
- n8n Target URL: Input the orchestration engine dashboard address

VirusTotal Integration (Threat Enrichment Layer)
- VirusTotal API Key (Optional): If you skipped the automated VirusTotal onboarding during the initial Full Installation phase, or if you need to update an expired key, paste your 64-character key here.

Save and apply the integration
Activation Notice
V. Step 3: PoC (Proof of Concept) Simulation
Select Option [3] to test your defensive monitoring rules against simulated real-world attack behaviors.

A. SSH Brute Force Simulation


B. EICAR Malware Detection Test
/root/eicar.com and /home/user/nusantara/usecase/webdeface/uploads/eicar-sample.txt)


C. Web Defacement Detection
/home/user/nusantara/usecase/webdeface/index.html).

VI. Step 4: Inject n8n Workflows
Select Option [4] to automatically load pre-built blueprint playbooks into your n8n orchestration instance.Inject the workflows

Review the playbooks loaded

VII. Step 5: View Default Credentials
Select Option [5] from the main menu if you need to display the default system passwords and access URLs that were generated during the initial deployment.
- This option is helpful if you lose your login details or need a quick reference to access your web dashboards.
- When selected, the terminal will print a secure text block containing the exact URLs, ports, and default usernames for Wazuh, n8n, IRIS, and MISP.

VIII. Step 6: Uninstall T-Guard Components
Select Option [6] only when you need to completely remove the T-Guard platform from your host system.
- Automated Cleanup: The installer engine stops all active security services and cleanly deletes the operational containers from your Docker environment.
- Data Removal: This process clears out internal system states, temporary deployment certificates, and network port mappings.
- Final State: Your Ubuntu host environment is returned to its original configuration, leaving your hardware resources free for other applications.
