Prerequisites

  • Fresh machine with Ubuntu 24.04 LTS (other Linux distributions may work as well, but have not been tested). We do not recommend using machines that have other services running unless you understand what you are doing.
  • Broadband internet connection
  • System Requirements:

    Requirement level                    CPU   RAM (GB)   Storage (GB)   Remarks
    Minimum Requirements                 4     8          50             Swap memory activation required
    (for trial deployments)
    Standard Requirements                8     12         100            No need for swap memory
    (for production environments and
    continuous development)

Installation Steps

First, clone the repository:
    git clone https://github.com/sguresearcher/nusantara.git
Move to the directory and execute the installation script:
    cd nusantara
    chmod +x setup.sh
    ./setup.sh
To install the main T-Guard components, follow the instructions below.

Figure 1. T-Guard Installer Main Menu

Step 1: Update System and Install Prerequisites

In the Main Menu, type ‘1’ and press Enter. This will update existing packages, install all necessary dependencies, and set up Docker. Wait for the process to complete and it will then return to the Main Menu.

Step 2: Install T-Guard SOC Package

In the Main Menu, type ‘2’ and press Enter. You’ll see a menu to choose the current network environment of your system for installing T-Guard, as shown in Figure 2.

Figure 2. Network Environment Options

If you are using a local virtual machine, such as VirtualBox or VMware, choose option ‘1’. If you are using a cloud-based virtual machine, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure, choose option ‘2’. The installation process will start sequentially, beginning with Wazuh (including deployment of the initial Wazuh agent), followed by Shuffle, IRIS, and MISP, as shown in Figures 3, 4, 5, and 6, respectively.

Figure 3. Wazuh Installation


Figure 4. Shuffle Installation


Figure 5. IRIS-DFIR Installation


Figure 6. MISP Installation

Once the process is complete, a table will appear displaying dashboard access details and credentials for each module, as shown in Figure 7.

Figure 7. Dashboard Access and Default Credentials

Open your browser and follow the link to access your dashboard.

Figure 8. Warning Page

You will see a warning from the browser that the certificate is invalid, as illustrated in Figure 8. This is normal because a signed SSL certificate, which is recommended for production, has not been installed yet. For now, just click proceed. The first page of Wazuh should be as illustrated in Figure 9.

Figure 9. Wazuh Login Page

Log in using the credentials mentioned above. After logging in, you should see Figure 10.

Figure 10. Wazuh Dashboard

Next, open the Shuffle dashboard. Create the administrator account using the credentials mentioned above, then log in with the same credentials. After logging in, you should see Figure 11.

Figure 11. Shuffle Dashboard

Next, open the IRIS dashboard. Sign in using the credentials mentioned above. After logging in, you should see Figure 12.

Figure 12. IRIS Dashboard

Next, open the MISP dashboard. Sign in using the credentials mentioned above. After logging in, you should see Figure 13.

Figure 13. MISP Dashboard

Credential Summary – T-Guard Modules

Service      Web Interface          Username           Password
Wazuh        https://<ip>           admin              SecretPassword
DFIR-IRIS    https://<ip>:8443      administrator      MySuperAdminPassword!
Shuffle      http://<ip>:3001       administrator      MySuperAdminPassword!
MISP         https://<ip>:1443      admin@admin.test   admin

Integration Steps

In the Main Menu, type ‘3’ and press Enter. The system will prompt you to enter the IRIS API key, as shown in Figure 14.

Figure 14. Input API KEY

To obtain it, navigate to the IRIS page, select the Administrator profile, then go to My Settings. The API key will be displayed there. Copy and paste it into the installation terminal, then press Enter. Wait until the process is finished. Then, you’ll be prompted to enter your VirusTotal API key. If you don’t have a VirusTotal account yet, please create one first at the following URL:
https://www.virustotal.com/
If you already have an account, log in, click your profile name, and select ‘API Key’ to view it. Copy and paste it into the installation terminal, then press Enter. Wait until the process is finished. Then, you’ll be prompted to enter your Shuffle Webhook URL. To obtain the URL, follow the instructions below.
  • Go to your Shuffle dashboard.
  • Select Experienced.
  • Select New Workflow.
  • Specify your preferred workflow name (for example, test), then select Done.
  • In the left panel, select the Trigger tab, then drag the Webhook to the middle panel.
  • Click on the Webhook module; the configuration panel will appear on the right.
    • In the “Webhook URL” parameter, manually copy the URL by highlighting it to the end of the URL, then press Ctrl+C.
  • Paste it into the installation terminal, then press Enter. Wait until the process is finished.
  • Go back to Shuffle and click the Start button.
  • Next, select the Shuffle module in the middle panel; the configuration panel will appear on the right.
    • In the “Find Actions” parameter, make sure to select ‘Repeat back to me’.
    • In the “Call” parameter, change the value to $exec, then click the Save button.
Click the Test Execution button (play icon) and select Run Anyway. You’ll then see the All Workflow Runs panel on the right side. Next, on the left panel, select the Apps tab and type “IRIS” in the Search Active Apps bar. Click the IRIS module (not IRIS V2) and wait until IRIS v2 appears. Then drag it to the middle panel. Click the IRIS module, then fill in the following parameters:
  • Find Actions: Add a new case
  • Apikey: (insert your IRIS API Key)
  • Url: (your IRIS url)
Scroll down to the Body parameter and click the Expand Window button. Change the body content to the following:
    {
      "case_customer": "1",
      "case_description": "Test from Shuffle",
      "case_name": "$change_me.title",
      "case_soc_id": "123"
    }
Then, click the Try It button on the top right and wait until the result appears at the bottom. After that, click the Submit button on the bottom right, then click the Save button.

Click the Show Executions button to open the All Workflow Runs panel. You should see alerts from Wazuh listed here. Click on one of the alerts. If nothing is available yet, run the Brute-Force Simulation explained in Use Case 1 of the Use Case section below, then come back here. Then, click the Refresh button. The IRIS process should now be present. Inside the IRIS module, the Status value should be 200, which means that the automated ticket creation succeeded. We can also check in the IRIS page (https://<your_ip>:8443): select the Manage Case tab on the left panel, and the ticket created from Shuffle should be listed.
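The Shuffle body above is sent by Shuffle's IRIS app on your behalf; to make the mapping concrete, the following added example (not code from the T-Guard repository, Shuffle, or DFIR-IRIS) builds that same four-field case body from a Wazuh alert and posts it with only the Python standard library. It assumes that IRIS accepts the body at POST /manage/cases/add with an "Authorization: Bearer <api key>" header (the IRIS API v1 layout), that the choice of which alert fields fill "case_name" and "case_description" is ours (the page leaves "case_name" as the "$change_me.title" placeholder), and that SAMPLE_ALERT is a constructed alert shaped like the JSON Wazuh posts to the webhook, not real output.

```python
"""
Added example (not part of the T-Guard installer or of DFIR-IRIS itself):
turn a Wazuh alert into the body that the Shuffle IRIS app sends to IRIS's
"Add a new case" action, and post it with only the standard library.

Assumptions (verify before reusing):
  * IRIS accepts the case body at POST /manage/cases/add with an
    "Authorization: Bearer <api key>" header (IRIS API v1 layout).
  * The mapping from Wazuh alert fields (rule.description, agent.name,
    rule.id, data.srcip) onto the case fields is our own choice.
  * SAMPLE_ALERT is constructed for this example.
"""
import json
import ssl
import urllib.request

# Constructed sample, shaped like the JSON Wazuh posts to the Shuffle webhook.
SAMPLE_ALERT = {
    "timestamp": "2024-06-01T10:15:30.000+0000",
    "rule": {"id": "5712", "level": 10,
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.45"},
}


def build_case_payload(alert: dict, customer_id: str = "1") -> dict:
    """Map a Wazuh alert onto the IRIS 'add case' body used on this page.

    The keys are exactly those of the Shuffle body; the values replace the
    "$change_me.title" placeholder with fields taken from the alert.
    """
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    title = f"[Wazuh {rule.get('id', '?')}] {rule.get('description', 'alert')}"
    description = (
        f"Agent: {agent.get('name', 'unknown')} (id {agent.get('id', '?')})\n"
        f"Level: {rule.get('level', '?')}\n"
        f"Source IP: {alert.get('data', {}).get('srcip', 'n/a')}\n"
        f"Timestamp: {alert.get('timestamp', 'n/a')}"
    )
    return {
        "case_customer": customer_id,        # IRIS customer id ("1" = default customer)
        "case_description": description,
        "case_name": title[:200],            # keep the case title a sane length
        "case_soc_id": f"wazuh-{rule.get('id', '0')}",
    }


def encode_body(payload: dict) -> bytes:
    """Serialise the body. json.dumps never emits a trailing comma, which is the
    defect a hand-edited body pasted into Shuffle can easily pick up."""
    body = json.dumps(payload).encode("utf-8")
    json.loads(body)  # round-trip check: raises if the body is not valid JSON
    return body


def create_case(iris_url: str, api_key: str, payload: dict,
                verify_tls: bool = True) -> dict:
    """POST the case to IRIS and return the decoded JSON reply.

    verify_tls=False matches the self-signed certificate the installer ships
    with; switch verification back on once a trusted certificate is installed.
    """
    req = urllib.request.Request(
        iris_url.rstrip("/") + "/manage/cases/add",   # assumed IRIS API route
        data=encode_body(payload),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    payload = build_case_payload(SAMPLE_ALERT)
    print(encode_body(payload).decode())
    # Network call left to the operator; fill in your own host and key:
    # print(create_case("https://<your_ip>:8443", "<IRIS_API_KEY>", payload, verify_tls=False))
```

Running the script prints the exact JSON that would be sent; uncomment the last line with your IRIS host and API key to create the case for real, and compare the returned status with the 200 you expect to see in the Shuffle execution panel.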

Use Case

In the Main Menu, type ‘4’ and press Enter.

Use Case 1: Brute-Force Simulation

In the PoC Menu, type ‘1’ and press Enter. If prompted to continue connecting, type yes and press Enter. Multiple login attempts are recorded in the Wazuh security events, indicating a potential security threat. These events will be closely monitored and analyzed by the security operations center (SOC) team to determine the source of the attempts and take appropriate action to mitigate any potential risk.

Use Case 2: Malware Detection and Auto-Response

In the PoC Menu, type ‘2’ and press Enter. Open your Wazuh page (https://<your_ip>). Events should appear showing that VirusTotal detected the malware, that the file was deleted, and that the active response for the malware was triggered. We can also check in IRIS to see the ticket that was created automatically.

Use Case 3: Web Defacement Detection

In the PoC Menu, type ‘3’ and press Enter. Before simulating the web defacement, open the given link (http://<your_ip>:3000) in your browser. It will direct you to the example website created by the script. Then, start the web defacement; it will change the website’s appearance. In Wazuh we can see the detection of the file content change. The rule ID is 550, with the description Integrity Checksum Changed.
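The rule 550 event comes from Wazuh's file integrity monitoring comparing a stored checksum against the file on disk. The following added example (our own code, not part of T-Guard or Wazuh) reduces that check to its core: it takes a SHA-256 baseline of a web root, rescans after the content changes, and reports modified, added and deleted files. The web root, its files and the changes made to them are all constructed inside a temporary directory so the script runs anywhere; the layout is ours, not the one the T-Guard script creates.

```python
"""
Added example, not part of T-Guard or Wazuh: the check behind the
"Integrity checksum changed" event (rule 550 on this page), reduced to a
baseline-and-compare of SHA-256 hashes. The web root and all changes to it
are constructed in a temporary directory for this example.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two scans; 'modified' is the set a checksum-changed rule fires on."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> dict:
    """Build a constructed web root, baseline it, change it, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome to the example site</h1>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: #222; }\n")
        baseline = scan(root)

        # The content change we want to catch: the landing page is rewritten,
        # a new page appears, and the stylesheet disappears.
        (root / "index.html").write_text("<h1>Site content replaced</h1>\n")
        (root / "owned.html").write_text("<p>new page</p>\n")
        (root / "css" / "site.css").unlink()

        return diff_baseline(baseline, scan(root))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind:9s} {files}")
```

Pointing scan() at a real document root and persisting the baseline (for example as JSON) gives a standalone integrity check; Wazuh's syscheck does the same job continuously, with the stored checksum database and realtime inotify triggers that this short version leaves out.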