ResilMesh is an Innovation Action project funded by the European Union, dedicated to revolutionizing cybersecurity practices.
At its core, ResilMesh endeavors to develop a cutting-edge security orchestration and analytics toolset grounded in cyber situational awareness (CSA). This initiative aims to equip organizations with the capabilities needed for real-time defense of essential business functions in an era marked by dispersed, heterogeneous cyber systems.
Here's a sequence diagram (Mermaid) to help you understand the architecture:

```mermaid
---
title: Resilmesh Architecture
config:
  theme: dark
  noteAlign: left
---
sequenceDiagram
    participant Vector
    participant NATS
    participant SLP-Enrichment
    note over SLP-Enrichment: Micro service enriches events
    participant AD
    note over AD: Anomaly Detector
    participant Wazuh
    participant MISP-Client
    note over MISP-Client: Micro service leverages MISP API
    participant MISP
    Vector->>+Vector: watch datasets files
    Vector->>+Vector: dedupe events
    Vector->>+Vector: normalize (ECS) events
    Vector->>NATS: publish to<br/>'ecs_events' queue
    NATS->>SLP-Enrichment: subscribe to 'ecs_events'<br/>and enrich events
    SLP-Enrichment->>+SLP-Enrichment: enriches events
    SLP-Enrichment-->>NATS: publish to<br/>'enriched_events' queue
    NATS->>MISP-Client: MISP API Client subscribed to 'enriched_events' queue
    NATS-->>Vector: source from 'enriched_events' queue
    Vector->>Wazuh: Vector sinks the enriched events into RSyslog using tcp connection
    AD-->>NATS: publish to<br/>'ad_events' queue
    NATS-->>Vector: source from 'ad_events' queue
    Vector->>Wazuh: Vector sinks the Anomaly Detector events into RSyslog using tcp connection
    Wazuh->>+Wazuh: RSyslog logs<br/>events from Resilmesh
    Wazuh->>Wazuh: Wazuh Agent<br/>collects logs
    MISP-Client->>MISP: push events
```
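To make the flow in the diagram concrete, here is an added example (not ResilMesh project code) that models the Vector dedupe and ECS normalization stages, the SLP-Enrichment stage and the NATS subjects in memory. The raw records, the ECS field mapping and the `INDICATORS` lookup table are constructed assumptions; a dict of subjects stands in for NATS.

```python
"""In-memory model of the ResilMesh event flow: datasets -> Vector -> NATS
'ecs_events' -> SLP-Enrichment -> NATS 'enriched_events' -> Vector -> Wazuh."""
import hashlib
import json
from collections import defaultdict

# Constructed raw dataset records; the first two are deliberate duplicates.
RAW_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.0.5", "dst": "203.0.113.7", "msg": "dns query bad.example"},
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.0.5", "dst": "203.0.113.7", "msg": "dns query bad.example"},
    {"ts": "2024-01-01T10:00:01Z", "src": "10.0.0.9", "dst": "198.51.100.2", "msg": "http GET /login"},
]
# Constructed stand-in for a threat-intel lookup (the real service uses the MISP API).
INDICATORS = {"203.0.113.7": "known-bad-ip"}

class Broker:
    """Minimal stand-in for NATS: each subject keeps the messages published to it."""
    def __init__(self):
        self.subjects = defaultdict(list)
    def publish(self, subject, event):
        self.subjects[subject].append(event)

def dedupe(events):
    """Vector stage: drop exact duplicates by hashing the canonical JSON form."""
    seen, out = set(), []
    for e in events:
        digest = hashlib.sha256(json.dumps(e, sort_keys=True).encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            out.append(e)
    return out

def to_ecs(raw):
    """Vector stage: map the raw record onto ECS-style field names (assumed mapping)."""
    return {"@timestamp": raw["ts"], "source": {"ip": raw["src"]},
            "destination": {"ip": raw["dst"]}, "message": raw["msg"]}

def enrich(event):
    """SLP-Enrichment stage: attach a threat label when the destination IP is known."""
    label = INDICATORS.get(event["destination"]["ip"])
    return {**event, "threat": {"indicator": {"description": label}}} if label else event

def run_pipeline(raw_events, broker):
    """Run all stages and return the JSON lines Vector would forward to Wazuh's rsyslog input."""
    for e in map(to_ecs, dedupe(raw_events)):
        broker.publish("ecs_events", e)
    for e in broker.subjects["ecs_events"]:
        broker.publish("enriched_events", enrich(e))
    return [json.dumps(e) for e in broker.subjects["enriched_events"]]

if __name__ == "__main__":
    for line in run_pipeline(RAW_EVENTS, Broker()):
        print(line)
```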
You will need Docker with the Compose plugin; see the Docker documentation on installing Docker Compose.
To avoid dependencies and issues between components during the deployment, it is recommended to clone the main repository and deploy the Resilmesh Platform following the installation guide https://awscloud-deployment.readthedocs.io/en/latest/#application-stack-deployment
- To clone this repo:

  ```shell
  git clone https://github.com/resilmesh2/Aggregation.git --recurse-submodules
  ```

- Create a `.env` file and add the following, replacing the values enclosed by `< >` (the file holds credentials, so keep it out of version control):

  ```ini
  # Add this only if you're behind a proxy!
  # e.g.: http_proxy=http://jao:secret@192.168.0.254:8080
  http_proxy=http://<USER>:<PASSWORD>@<PROXY_IP>:<PROXY_PORT>
  https_proxy=http://<USER>:<PASSWORD>@<PROXY_IP>:<PROXY_PORT>
  ```

- There are some config files we need; follow the instructions in README.md.
- Follow the READMEs in the other containers to set them up.

The datasets included in this repository are for demonstration purposes only; the real ones used in production need to be copied into the `Vector/datasets` folder, replacing the sample ones. If you need to add more datasets, check the Vector directory for instructions.

Name your containers following the pattern `resilmesh_<YOUR_COMPONENT>[<INTERNAL_SERVICE>]`, for example `resilmesh-ap-silentpush-redis`.

There's a global external network called `resilmesh_network`; this network should be used by all Docker containers that represent the components.

Don't expose ports unless really necessary (e.g. for dashboards). Instead, use `resilmesh_network`.
```shell
# -f is a global option of `docker compose`, so it must come before the `up` subcommand
docker compose -f production.yml up -d
```

This is a quick demo showing the framework in action: on the left side you see the microservices, on the right side you can see the MISP and Wazuh instances:

Ping if you need any further help: <Jorgeley jorgeley@silentpush.com>