Milestone 8 - Putting the SEC in DevSecOps
💡 This is a two-week milestone: see if you can get the server portion done the first week and the agent installation done the second week. Leave time to go back to the server installation should you need to, based upon what you learn during the agent installation. In the demonstrations shown below, the instructor is using Splunk Enterprise as the server and Splunk Forwarder + TA for Linux and Unix as the agent.
Use your 480-Utils script to deploy the Linux server of your choice. The example uses a Rocky and an Ubuntu virtual machine from Milestone 7.
Add an Edit-Vm function to your 480-Utils that allows you to modify the memory and CPU count for a given VM. SIEMs typically require more than the default allocation.
Use Ansible to install the SIEM of your choice on the BLUE1-LAN; examples might include Splunk, Graylog, Wazuh, an ELK stack, Velociraptor, or FleetDM.
- Note: if you are running low on resources, delete some of the Rocky or Linux systems created during the previous provisioning milestone.
- Your Ansible script should install the software and add an account with which to administer the service.
Use Ansible to install a SIEM agent of your choice on a BLUE-LAN-based system (not the SIEM). Your goal is to install the server and the agent and get events flowing without manual intervention.
Demonstrate that events are flowing from the agent system to the SIEM.
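The following playbook is an added example of the whole procedure above (server install with a seeded admin account, agent install, and a check that events arrive); it is not the instructor's playbook or part of 480-Utils. It assumes an inventory with a `siem` group (the BLUE1-LAN server) and an `agents` group (another BLUE-LAN host), Splunk Enterprise and Universal Forwarder tarballs reachable at the placeholder URLs, and an admin password stored in Ansible Vault as `vault_splunk_admin_pass`. It monitors `/var/log` directly rather than installing the Linux/Unix TA, which is enough to show events flowing. Run it with `ansible-playbook -i inventory siem.yml --ask-vault-pass`.

```yaml
# Added example, not the course's own code. Group names, URLs and the vault
# variable are assumptions; the Splunk paths, commands and .conf stanzas are
# the product's documented defaults.
- name: Install Splunk Enterprise on the BLUE1-LAN SIEM and seed an admin account
  hosts: siem
  become: true
  vars:
    splunk_home: /opt/splunk
    splunk_tgz_url: "https://PLACEHOLDER/splunk-<version>-Linux-x86_64.tgz"  # placeholder
    splunk_admin_user: admin
    splunk_admin_pass: "{{ vault_splunk_admin_pass }}"  # from an encrypted group_vars file
  tasks:
    - name: Create an unprivileged service account so splunkd never runs as root
      ansible.builtin.user:
        name: splunk
        system: true
        shell: /usr/sbin/nologin
        create_home: false

    - name: Unpack Splunk Enterprise (skipped on reruns once the binary exists)
      ansible.builtin.unarchive:
        src: "{{ splunk_tgz_url }}"
        dest: /opt
        remote_src: true
        owner: splunk
        group: splunk
        creates: "{{ splunk_home }}/bin/splunk"

    - name: Check whether Splunk has already been started once
      ansible.builtin.stat:
        path: "{{ splunk_home }}/etc/auth/splunk.secret"  # generated on first start
      register: first_start

    - name: Seed the admin account (user-seed.conf is consumed on first start)
      ansible.builtin.copy:
        dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
        owner: splunk
        group: splunk
        mode: "0600"
        content: |
          [user_info]
          USERNAME = {{ splunk_admin_user }}
          PASSWORD = {{ splunk_admin_pass }}
      when: not first_start.stat.exists
      no_log: true  # keep the password out of the play output

    - name: Listen for forwarders on the default receiving port
      ansible.builtin.copy:
        dest: "{{ splunk_home }}/etc/system/local/inputs.conf"
        owner: splunk
        group: splunk
        mode: "0644"
        content: |
          [splunktcp://9997]
          disabled = 0

    - name: Allow 9997 (forwarders) and 8000 (web UI) through firewalld on Rocky
      ansible.posix.firewalld:
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: ["9997/tcp", "8000/tcp"]
      when: ansible_os_family == "RedHat"

    - name: Accept the license, register the systemd unit and start as the splunk user
      ansible.builtin.command: >
        {{ splunk_home }}/bin/splunk enable boot-start -user splunk -systemd-managed 1
        --accept-license --answer-yes --no-prompt
      args:
        creates: /etc/systemd/system/Splunkd.service

    - name: Ensure splunkd is running
      ansible.builtin.systemd:
        name: Splunkd
        state: started
        enabled: true

- name: Install the Universal Forwarder on a BLUE-LAN host and point it at the SIEM
  hosts: agents
  become: true
  vars:
    uf_home: /opt/splunkforwarder
    uf_tgz_url: "https://PLACEHOLDER/splunkforwarder-<version>-Linux-x86_64.tgz"  # placeholder
    siem_addr: "{{ hostvars[groups['siem'][0]].ansible_host | default(groups['siem'][0]) }}"
  tasks:
    - name: Unpack the forwarder (skipped on reruns)
      ansible.builtin.unarchive:
        src: "{{ uf_tgz_url }}"
        dest: /opt
        remote_src: true
        creates: "{{ uf_home }}/bin/splunk"

    - name: Send everything to the SIEM's receiving port
      ansible.builtin.copy:
        dest: "{{ uf_home }}/etc/system/local/outputs.conf"
        mode: "0644"
        content: |
          [tcpout]
          defaultGroup = blue_siem
          [tcpout:blue_siem]
          server = {{ siem_addr }}:9997

    - name: Monitor the system logs (auth, syslog, journald exports, etc.)
      ansible.builtin.copy:
        dest: "{{ uf_home }}/etc/system/local/inputs.conf"
        mode: "0644"
        content: |
          [monitor:///var/log]
          disabled = 0
          index = main

    - name: Accept the license, register the unit and start the forwarder
      ansible.builtin.command: >
        {{ uf_home }}/bin/splunk enable boot-start -systemd-managed 1
        --accept-license --answer-yes --no-prompt
      args:
        creates: /etc/systemd/system/SplunkForwarder.service

    - name: Ensure the forwarder is running
      ansible.builtin.systemd:
        name: SplunkForwarder
        state: started
        enabled: true

- name: Verify events from the agent have reached the SIEM
  hosts: siem
  become: true
  tasks:
    - name: Count recent events per host in the main index
      ansible.builtin.command: >
        /opt/splunk/bin/splunk search "index=main earliest=-15m | stats count by host"
        -auth admin:{{ vault_splunk_admin_pass }}
      register: recent_hosts
      changed_when: false
      no_log: true  # the auth string is on the command line

    - name: Fail the run if no agent host appears in the results
      ansible.builtin.assert:
        that: "groups['agents'] | map('regex_search', recent_hosts.stdout) | select | list | length > 0"
        fail_msg: "No events from any agent host in the last 15 minutes; check outputs.conf, port 9997 and the firewall."
```

The `creates:` arguments and the `splunk.secret` check are what make the playbook safe to rerun: without them, the second run would re-seed `user-seed.conf` (leaving a plaintext password on disk) and re-run `enable boot-start`. The final `assert` is the automated form of "demonstrate that events are flowing"; if it fails, the usual culprits are a forwarder that could not reach 9997 (firewalld on Rocky) or an `outputs.conf` that points at the wrong address.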