Prerequisites

Fresh machine with Ubuntu 24.04 LTS (other Linux OS may work as well, but not tested). We do not recommend using machines that have other services running except you understand what you are doing.
System Requirements:
Broadband internet connections

	CPU	RAM (GB)	Storage (GB)	Remarks
Minimum Requirements For trial deployments	8	16	100	Swap memory activation required
Standard Requirements For production environments and continuous development	8	32	250	No need swap memory

Installation Steps

First, you need to clone the repository:

git clone https://github.com/sguresearcher/nusantara.git

Move to the directory and execute the installation script:

cd nusantara
chmod +x setup.sh
./setup.sh

To install the main T-Guard components, follow instructions below.

Step 1: Update System and Install Prerequisites

In the Main Menu, type ‘1’ and press Enter. This will update existing packages, install all necessary dependencies, and set up Docker. Wait for the process to complete and it will then return to the Main Menu.

Step 2: Install T-Guard SOC Package

In the Main Menu, type ‘2’ and press Enter. You’ll see a menu to choose the current network environment of your system for installing T-Guard, as shown in Figure 2.

If you are using a local virtual machine, such as VirtualBox or VMware, choose option ‘1’. If you are using a cloud-based virtual machine, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure, choose option ‘2’. The installation process will start sequentially, beginning with Wazuh (include deploy initial wazuh agent), followed by Shuffle, IRIS, and MISP, as shown in Figure 3, 4, 5, and 6, respectively.

Once the process is complete, a table will appear displaying dashboard access details and credentials for each module, as shown in Figure 7.

Open your browser and follow the link to access your dashboard.

You will see a warning from the browser that the certificate is invalid as illustrated in Figure 8. This is normal because we haven’t installed the signed SSL certificate, which is recommended for production. For now, just click proceed. The first page of Wazuh should be as illustrated in Figure 9.

Next, open Shuffle dashboard. Create administrator account using above mentioned credentials and then login using the same credentials. After logged in, you should see Figure 11.

Next, open IRIS dashboard. Sign in using above mentioned credentials. After logged in, you should see Figure 12.

Next, open MISP dashboard. Sign in using above mentioned credentials. After logged in, you should see Figure 13.

Credential Summary – T-Guard Modules

Service	Web Interface	Username	Password
Wazuh	https://<ip>	admin	SecretPassword
DFIR-IRIS	https://<ip>:8443	administrator	MySuperAdminPassword!
Shuffle	http://<ip>:3001	Create your own	Create your own
MISP	https://<ip>:1443	[email protected]	admin

Integration Steps

In the Main Menu, type ‘3’ and press Enter. The system will prompt you to enter the IRIS API key, as shown in Figure 14.

To obtain it, navigate to the IRIS page, select the Administrator profile, then go to My Settings.

The API key will be displayed.

Copy and paste it to the installation, then press Enter. Wait until the process is finished. During the installation process, you will be prompted to enter several integration parameters. Please follow the instructions below carefully.

Shuffle Webhook URL

Then, you’ll be prompted to enter your Shuffle Webhook URL.

To obtain the URL, follow the instructions below.

Go to your Shuffle dashboard.
Select Workflows.
Select Create Workflow.
Specify your preferred workflow name—for example, Sample workflow — then select Create from scratch.
In the left panel, under the Triggers tab, drag the Webhook icon to the middle panel as illustrated below.

Step 1: Create a New Workflow

Step 2: Select Create from Scratch

Step 3: Add Webhook Trigger

Adding webhook trigger in Shuffle workflow

Click on Webhook module, then it will show up the configuration panel on the right.
- In the “Webhook URL” parameter, manually copy the URL by highlighting it until the end of the url, then press Ctrl+C.

Paste it to the installation terminal, then press Enter. Wait until the process is finished.
Go back to the Shuffle, click the Start button as illustrated below.

Next, select the Shuffle module in the middle panel, then it will show up the configuration panel on the right.
- In the “Find Actions” parameter, make sure to select ‘Repeat back to me’.
- In the “Call” parameter, change the value to $exec, then click the Save button, as illustrated below.

Click the Test Execution button (play icon).

Select Run without Runtime Argument.

Then, you’ll see the All Workflow Runs panel on the right side.

Next, on the left panel, select Apps tab, type IRIS in the Search Active Apps bar. Just click the IRIS V2 (not IRIS V2 Fork), and wait until the IRIS v2 is show up Then drag it to the middle panel as illustrated below.

Click IRIS Module, then fill the following parameters:

Find Actions: Add a new case
Apikey: (insert your IRIS API Key)
Url: (your IRIS url)

Before proceeding to the Advanced settings on the right side, you must first configure Authentication for the IRIS module.

Configure IRIS Authentication

In the Shuffle workflow editor, click the IRIS module.
Locate the Authentication section.
Click the + (Add Authentication) button.
Select IRIS_API as the authentication type.
Fill in the required fields:
- API Key: Paste your IRIS API Key
- URL: Enter your IRIS base URL (for example: https://192.168.101:8443)
Click Submit.
Ensure the authentication status shows Valid.

IRIS authentication configuration with API key and URL

Configure IRIS Action

After authentication is successfully configured, continue with the action setup.

Under Find Actions, select Add a new case.
Verify that the Authentication field is set to IRIS_API.
Ensure the following parameters are filled:
- Find Actions: Add a new case
- Authentication: IRIS_API
- API Key: Automatically loaded from authentication
- URL: Automatically loaded from authentication

Choose the Advanced on the right side, and click the Expand Window Button.

Scroll down to the Body parameter, and click the Expand Window button.

Change the body content with the following:

{  
{
  "case_customer": 1,
  "case_soc_id": 1,
  "cid": 1,
  "case_name":
"$exec.rule.description",
  "case_description": "Log Level:
$exec.rule.level \n\n Full Log:
$exec.full_log",
  "case_severity_id": 2,
  "case_status_id": 1,
  "ioc": "$exec.data.srcip"
}
}

Then, click Try It button on the top right. Wait until the result is show up in the bottom. After that, click Submit button on the bottom right. Then, click Save button.

Click the Show Executions button to open the All Workflow Runs panel. You should see alerts from Wazuh listed here.

Then, click on the alerts with the following icon.

If there’s nothing available yet, run the Brute-Force Simulation which is explained in Use Case section below in Use Case 1, then come back here. Then, click Refresh button as illustrated below.

It should be exist the IRIS process. Inside the IRIS module, the Status value should be 200, means that the automation of ticket creation is success, as illustrated below.

We can also check in the IRIS page (https://<your_ip>:8443), select Manage Case tab on the left panel. We can see the ticket created from Shuffle exists.

Virus Total API Key

Then, you’ll be prompted to enter your VirusTotal API key. If you don’t have a VirusTotal account yet, please create one first in following URL: https://www.virustotal.com/ If you already have an account, log in, click your profile name, and select ‘API Key’ to view it. Copy and paste it to the installation, then press Enter. Wait until the process is finished.

MISP Configuration

You will then be prompted to configure the MISP integration. MISP Base URL Example prompt:

MISP Base URL (default: https://<SERVER_IP>:1443):

If the default value is correct, you can simply press Enter. Otherwise, type your MISP Base URL and press Enter. Example:

https://192.168.0.108:1443

MISP API Key Next step, enter your MISP API Key. Example prompt:

MISP API Key:

Copy and paste your MISP API key, then press Enter. To obtain the MISP API key:

Log in to the MISP Dashboard
Go to Administration → List Auth Keys
Copy an existing key or create a new one
Paste the key into the terminal

MISP Default Feed Data (JSON)

After configuring the MISP API key, the next step is to add the default MISP feed sources to enable threat intelligence ingestion.

Import Default Feeds from JSON

Open the following GitHub URL in your browser:
https://github.com/MISP/MISP/blob/2.4/app/files/feed-metadata/defaults.json
Copy the entire JSON content from the page.
In the MISP Dashboard, navigate to:
- Sync Actions
- Feeds
- Import Feeds from JSON
Paste the copied JSON content into the input field.
Click Add to import the feed configuration.

Enable and Fetch Feed Data

Go to List Feeds.
Select Check All to select all available feeds.
Click Enable Selected to activate the data sources.
Click Fetch and Store All Feed Data to download threat intelligence data from each feed source.

This process may take several minutes depending on the number of feeds and network conditions.

Viewing Imported Feed Data

Retrieved threat intelligence events can be viewed under Event Actions.
Attributes generated from each event can be reviewed in List Attributes.

These attributes are used as IOC lookup values by Wazuh, enabling correlation between detected events and known threat indicators.

Once this step is completed, MISP will actively provide threat intelligence data that can be consumed by Wazuh for IOC matching and alert enrichment.

Wazuh Dashboard URL

Finally, you will be prompted to enter the Wazuh Dashboard URL. Example prompt:

Wazuh Dashboard URL (default: https://<SERVER_IP>):

If the default value matches your setup, press Enter. Otherwise, enter the correct URL and press Enter. Example:

https://192.168.0.108

Use Case

In the Main Menu, type ‘4’ and press Enter.

Use Case 1: Brute-Force Simulation

In the PoC Menu, type ‘1’ and press Enter.

If prompted to continue connecting, type yes and press Enter. Multiple login attempts have been recorded in the Wazuh security events, indicating a potential security threat.

These events will be closely monitored and analyzed by the security operations center (SOC) team to determine the source of the attempts and take appropriate action to mitigate any potential risk.

Use Case 2: Malware Detection and Auto-Response

In the PoC Menu, type ‘2’ and press Enter. Open your Wazuh page (https://<your_ip>). It would be appear an event about VirusTotal detect the malware, the deletion of the file, and the activated response regarding to the malware, illustrated below.

We can also check in the IRIS to see the ticket that automatic created

Use Case 3: Web Defacement Detection

In the PoC Menu, type ‘3’ and press Enter. Before simulate the web defacement, open the given link (http://<your_ip>:3000) in your browser. It will direct you to the example website that created by the script.

Then, start the web defacement. It will change the website appearance.

We can see in the Wazuh for the detection of file content changes. The rule id is 550 with the description is Integrity Checksum Changed.

Get Started

​Prerequisites

​Installation Steps

​Step 1: Update System and Install Prerequisites

​Step 2: Install T-Guard SOC Package

​Credential Summary – T-Guard Modules

​Integration Steps

​Shuffle Webhook URL

​Step 1: Create a New Workflow

​Step 2: Select Create from Scratch

​Step 3: Add Webhook Trigger

​Configure IRIS Authentication

​Configure IRIS Action

​Virus Total API Key

​MISP Configuration

​MISP Default Feed Data (JSON)

​Import Default Feeds from JSON

​Enable and Fetch Feed Data

​Viewing Imported Feed Data

​Wazuh Dashboard URL

​Use Case

​Use Case 1: Brute-Force Simulation

​Use Case 2: Malware Detection and Auto-Response

​Use Case 3: Web Defacement Detection