
Releases: navein-kumar/socstackv2

SOC Stack v2.0.0

14 Mar 09:00
3feda8d


SOC Stack v2.0.0 — Full SOC-in-a-Box with SSO

A production-ready, fully integrated Security Operations Center stack deployed via Docker Compose with centralized Keycloak SSO across all services.

Highlights

  • Two deployment modes — choose the one that fits your environment:
    • domain-ssl/ — Domain-based with Let's Encrypt SSL via Nginx Proxy Manager
    • ip-ssl/ — IP-based with self-signed CA + nginx:alpine (no domain required)
  • Single Sign-On everywhere — one Keycloak login for all 6 services
  • Automated setup: pre-deploy.sh + post-deploy.py handle certs, realm import, API config, and SSO wiring
  • Validation scripts: test-stack.py and test-creds.py verify the entire stack post-deployment

Stack Components

| Component | Version | Role |
| --- | --- | --- |
| Wazuh | 4.14.3 | SIEM — log collection, threat detection, compliance |
| Keycloak | 26.5.3 | Central SSO & identity provider (OIDC/SAML) |
| TheHive | 5.2 | Incident response & case management |
| Cortex | 3.1.8-1 | Observable analysis & enrichment engine |
| MISP | 2.5.32 | Threat intelligence sharing platform |
| n8n | 2.7.5 | Workflow automation & alert orchestration |

Features

SSO Integration

  • Keycloak OIDC for Wazuh Dashboard (OpenSearch Security + Wazuh API RBAC)
  • Keycloak OIDC for MISP via built-in OIDC plugin
  • OAuth2-Proxy for TheHive and n8n with custom SSO bridge
  • Cortex SSO via application.conf OIDC config
  • Role-based access: soc-admin, soc-analyst, soc-readonly groups

Wazuh Two-Layer SSO

  • OpenSearch Security layer: roles_mapping.yml + securityadmin.sh
  • Wazuh API RBAC layer: role-to-policy mappings via port 55000
  • Admin roles (1,3,5,7) and Readonly roles (2,4,6) auto-mapped from Keycloak groups
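The second layer above (Wazuh API RBAC on port 55000) is the one most people get wrong, because the OpenSearch role mapping alone does not give the dashboard's API calls any permissions. The block below is an added example, not the project's post-deploy.py, of how the group-to-role translation works. It assumes the stock Wazuh 4.x role IDs (1 administrator, 2 readonly, 3 users_admin, 4 agents_readonly, 5 agents_admin, 6 cluster_readonly, 7 cluster_admin), that soc-admin receives the admin set while soc-analyst and soc-readonly receive the readonly set (the notes only say the two sets are auto-mapped), and that the Keycloak group reaches the Wazuh API as an OpenSearch backend role, which is what the FIND rule matches on. The endpoint paths in apply_mappings follow the Wazuh 4.x API and should be checked against the deployed version; only the mapping logic runs offline.

```python
"""Map Keycloak SOC groups to Wazuh API RBAC role assignments.

Added illustrative example; not the project's own code. Role IDs, the
group-to-set assignment and the backend_roles matching are assumptions
stated in the lead-in.
"""
import json
import ssl
from urllib import request

ADMIN_ROLE_IDS = (1, 3, 5, 7)     # administrator, users_admin, agents_admin, cluster_admin
READONLY_ROLE_IDS = (2, 4, 6)     # readonly, agents_readonly, cluster_readonly

# Assumed assignment: the release notes only say the two sets are auto-mapped.
GROUP_TO_ROLE_IDS = {
    "soc-admin": ADMIN_ROLE_IDS,
    "soc-analyst": READONLY_ROLE_IDS,
    "soc-readonly": READONLY_ROLE_IDS,
}


def roles_for_groups(groups):
    """Union of Wazuh API role IDs for a user's Keycloak groups.

    Unknown groups contribute nothing, so an unexpected group coming from
    the IdP never grants API access by accident.
    """
    ids = set()
    for group in groups:
        ids.update(GROUP_TO_ROLE_IDS.get(group, ()))
    return tuple(sorted(ids))


def build_rule(group):
    """Body for POST /security/rules: match any auth context whose
    backend_roles list carries the Keycloak group name (assumed field)."""
    return {"name": f"keycloak-{group}",
            "rule": {"FIND": {"backend_roles": [group]}}}


def plan_mappings(groups=GROUP_TO_ROLE_IDS):
    """One (rule body, role IDs) pair per group, ready to be applied."""
    return [(build_rule(g), list(ids)) for g, ids in groups.items()]


def apply_mappings(base_url, token, cafile=None):
    """Push the plan to a live Wazuh API, e.g. https://SERVER_IP:55000.

    Creates each rule, then attaches it to every role in its set. The
    paths are the Wazuh 4.x security endpoints; verify against your version.
    Pass the ip-ssl CA as cafile rather than disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}

    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(base_url + path, method=method,
                              headers=headers, data=data)
        with request.urlopen(req, context=ctx, timeout=15) as resp:
            return json.load(resp)

    for rule, role_ids in plan_mappings():
        created = call("POST", "/security/rules", rule)
        # Assumed response shape: data.affected_items[0].id (Wazuh API envelope)
        rule_id = created["data"]["affected_items"][0]["id"]
        for role_id in role_ids:
            call("POST", f"/security/roles/{role_id}/rules?rule_ids={rule_id}")
```

A useful sanity check after post-deploy.py has run is to log in as a soc-readonly user and confirm that roles_for_groups-style expectations hold on the API side: `GET /security/users/me` should list only roles 2, 4 and 6. If an analyst can also manage agents, the rule was attached to the admin set.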

Alerting & Automation

  • Wazuh → n8n webhook integration for real-time alert forwarding
  • Pre-built n8n workflow template for Wazuh email alerts
  • Custom n8n SSO hook (hooks.js) for automatic user provisioning
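The Wazuh to n8n forwarding above is normally done with a Wazuh custom integration: an `<integration>` block in ossec.conf names a script under /var/ossec/integrations/custom-<name>, and the integrator daemon runs it with the alert file path, the api_key value and the hook_url as positional arguments. The following is an added example of such a script, not the repository's own integration; the webhook path, the bearer-token header and the N8N_CA_FILE environment variable are assumptions, and the sample alert is constructed for offline testing.

```python
"""Wazuh custom integration forwarding alerts to an n8n webhook.

Added illustrative example, not the project's script. Wazuh invokes
integrations/custom-n8n as: custom-n8n <alert_file> <api_key> <hook_url>.
A matching ossec.conf block (assumed values) would be:

  <integration>
    <name>custom-n8n</name>
    <hook_url>https://SERVER_IP:8448/webhook/wazuh</hook_url>
    <level>7</level>
    <alert_format>json</alert_format>
  </integration>
"""
import json
import os
import ssl
import sys
from urllib import request

# Constructed sample alert in the shape Wazuh writes to the temp alert file.
SAMPLE_ALERT = {
    "timestamp": "2025-03-14T09:00:00.000+0000",
    "rule": {"level": 10, "id": "5710",
             "description": "sshd: Attempt to login using a non-existent user",
             "mitre": {"id": ["T1110"]}},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "data": {"srcip": "203.0.113.7"},
    "full_log": "Mar 14 09:00:00 web-01 sshd[1234]: Invalid user admin from 203.0.113.7",
}


def build_payload(alert):
    """Flatten the alert into the fields an n8n workflow keys on.

    Every lookup has a default so a manager-side alert without an agent
    block, or a rule without MITRE data, does not crash the integration.
    """
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    return {
        "timestamp": alert.get("timestamp"),
        "rule_id": rule.get("id"),
        "rule_level": rule.get("level", 0),
        "description": rule.get("description"),
        "mitre": rule.get("mitre", {}).get("id", []),
        "agent_name": agent.get("name", "manager"),
        "agent_ip": agent.get("ip"),
        "src_ip": alert.get("data", {}).get("srcip"),
        "full_log": alert.get("full_log", "")[:4096],  # cap oversized logs
    }


def read_alert(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def post(hook_url, payload, api_key="", cafile=None):
    """POST the payload; verify TLS against the ip-ssl CA instead of
    turning verification off for the self-signed chain."""
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = f"Bearer {api_key}"  # assumed n8n webhook auth
    req = request.Request(hook_url, data=json.dumps(payload).encode(),
                          headers=headers, method="POST")
    with request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


def main(argv):
    if len(argv) < 4:
        sys.exit("usage: custom-n8n <alert_file> <api_key> <hook_url>")
    alert_file, api_key, hook_url = argv[1], argv[2], argv[3]
    cafile = os.environ.get("N8N_CA_FILE")  # assumed: path to the ip-ssl CA
    post(hook_url, build_payload(read_alert(alert_file)), api_key, cafile)


if __name__ == "__main__":
    main(sys.argv)
```

Wazuh refuses to run integration scripts that are not owned by root:wazuh with mode 750, and it only passes alerts at or above the configured `<level>`, so a silent webhook is usually one of those two rather than a network problem. Check /var/ossec/logs/integrations.log first.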

Deployment Automation

  • pre-deploy.sh — generates SSL certs (self-signed CA or Let's Encrypt prep), Wazuh certs, config files
  • post-deploy.py — 8-step automated setup: Keycloak realm, Wazuh security, TheHive org, Cortex config, MISP SSO, n8n API keys
  • All Docker images pinned to tested versions (see IMAGE-VERSIONS.md)

ip-ssl Mode Specifics

  • nginx:alpine reverse proxy on ports 8443–8448
  • Self-signed CA with IP SAN for environments without a domain
  • NODE_EXTRA_CA_CERTS for n8n trust chain
  • CA import instructions for browser trust

Validation & Testing

  • test-stack.py — health checks for all services, SSL verification, port connectivity
  • test-creds.py — credential validation, SSO redirect verification, API authentication tests
  • POST-DEPLOY-UI-GUIDE.md — step-by-step UI configuration guide
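For ip-ssl deployments the TLS check in a validation script has to verify the self-signed chain against the generated CA and confirm that the leaf certificate carries an IP SAN for SERVER_IP; a certificate with only a DNS name passes an insecure check and then breaks the browser and n8n. The block below is an added example of the two checks test-stack.py is described as doing (port connectivity and TLS verification), not the repository's script; the 8443 to 8448 port range comes from the release notes, the CA path is an assumption, and the local listener is constructed so the port check runs offline.

```python
"""Port and TLS checks of the kind a post-deploy validation script performs.

Added illustrative example, not the project's test-stack.py. The port range
is the ip-ssl range from the release notes; the CA file path is assumed.
"""
import socket
import ssl
import threading

IP_SSL_PORTS = range(8443, 8449)          # nginx:alpine listeners, ip-ssl mode
ASSUMED_CA_FILE = "certs/ca.crt"           # assumption: CA written by pre-deploy.sh


def check_port(host, port, timeout=2.0):
    """True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=IP_SSL_PORTS, timeout=2.0):
    return {port: check_port(host, port, timeout) for port in ports}


def unreachable(results):
    """Ports that failed, sorted, for a concise failure summary."""
    return sorted(port for port, ok in results.items() if not ok)


def check_tls(host, port, cafile=ASSUMED_CA_FILE, timeout=5.0):
    """Handshake with full chain verification against cafile.

    server_hostname is the IP in ip-ssl mode, so the leaf must carry an IP
    SAN; a hostname-only certificate fails here with a CertificateError,
    which is exactly the failure a browser or n8n would hit.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"ok": True,
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "san": [value for _, value in cert.get("subjectAltName", ())]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


# Constructed helpers so the port check can be exercised without the stack.
def start_listener():
    """Listen on an ephemeral loopback port; accepted connections are closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


def closed_port():
    """Return a loopback port number that nothing is listening on."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv = start_listener()
    results = check_ports("127.0.0.1", [srv.getsockname()[1], closed_port()])
    print(results, "unreachable:", unreachable(results))
    srv.close()
```

Against a real deployment, run check_ports("SERVER_IP") and then check_tls("SERVER_IP", 8443) for each listener; a result with ok false and "IP address mismatch" in the error means pre-deploy.sh was run before SERVER_IP was set in .env and the certificate needs regenerating.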

Supported Infrastructure

  • OS: Ubuntu 20.04+ / Debian 11+ (tested), any Docker-capable Linux
  • Docker: Docker Engine 24+ with Compose v2
  • Resources: 16 GB RAM minimum recommended
  • Network: Ports 8443–8448 (ip-ssl) or 80/443 (domain-ssl)

Quick Start

# Clone
git clone https://github.com/navein-kumar/socstackv2.git
cd socstackv2/ip-ssl   # or domain-ssl

# Configure
cp .env.example .env
# Edit .env with your SERVER_IP and passwords

# Deploy
chmod +x pre-deploy.sh && ./pre-deploy.sh
docker compose up -d
python3 post-deploy.py

# Validate
python3 test-stack.py
python3 test-creds.py

Full Changelog

https://github.com/navein-kumar/socstackv2/commits/main