Home - Pratiksha-Marane/duplo-docs GitHub Wiki

Deploying SIEM in Azure DuploCloud

1. Create a Tenant in the Default Plan

  1. Click Create New Tenant and name the tenant Compliance.
  2. Select the Default Plan for the tenant.

2. Download the SIEM Template File

  1. Go to the following URL to download the SIEM template JSON file: SIEM Template for Azure.
  2. Click on the Download button or Save As option in your browser.
  3. Store the JSON file locally on your computer, ensuring it is named siem-template-azure.json for easy reference.

3. Upload the SIEM Template to Automation

  1. In the DuploCloud dashboard, navigate to the Automation section.
  2. Select the Templates tab from the side menu.
  3. Click Upload Template and choose the siem-template-azure.json file you downloaded.
  4. Once uploaded, the template should appear in the list of available templates.

4. Create Deployment Using the Uploaded Template

  1. Go to the Deployments section within the automation where you intend to deploy the SIEM.
  2. Click Create New Deployment and select the recently uploaded SIEM template from the list.
  3. Under Template Variables, provide the following:
    • SIEM_HOST_IP: (0.0.0.0)
    • SIEM_PUSH_URL: (0.0.0.0)
  4. Click Deploy to initiate the deployment process.

5. Configure duple.compliance.exe.conf File

  1. Locate the duple.compliance.exe.conf file in the directory where DuploCloud stores its compliance configurations.

  2. Open the duple.compliance.exe.conf file using a text editor of your choice.

  3. Add the necessary key-value pairs required for SIEM integration. Below is an example configuration:

    <appSettings>
        <!-- 0.0.0.0 is a placeholder in both values -->
        <add key="ENGINEENDPOINT" value="0.0.0.0" />
        <add key="OAUTH" value="http://0.0.0.0" />
    </appSettings>
    

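6. Troubleshooting Issues with the Wazuh Dashboard

If you encounter issues, refer to the following error logs. In this capture the service queries http://:9200/_plugins/_ism/policies/siem-index-state-policy, a URL with nothing between "//" and ":9200", so the host value used to build the URL was empty and each call fails with System.UriFormatException: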

10/16/2024 9:37:38 AM - 11 System.UriFormatException: Invalid URI: The hostname could not be parsed.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at System.Uri..ctor(String uriString)
   at ContainerManagement.NodeStateDriver.RestClient.Utils.GetData(String aInUrl, List`1 aInHeaders, String aInUserAgent, String aInAcceptHeader, Boolean ignoreSslErrors, Int32 aInTimeout) in D:\a\duplo\duplo\ContainerManagement\Containers\ApiClient\Utils.cs:line 154
   at Duplo.Compliance.EsClient.GetWazuhTemplate() in D:\a\duplo\duplo\services\compliance\ComplianceCore\CloudClients\ESClient.cs:line 139
   at Duplo.Compliance.Workers.ComplianceLifeCycleWorker.DoWazuhHc(String pushUrl) in D:\a\duplo\duplo\services\compliance\ComplianceCore\Workers\ComplianceLifeCycleWorker.cs:line 190
   at Duplo.Compliance.Workers.ComplianceLifeCycleWorker.<ProcessGoalStateUnsafe>b__7_1() in D:\a\duplo\duplo\services\compliance\ComplianceCore\Workers\ComplianceLifeCycleWorker.cs:line 55
   at ContainerManagement.Common.Workers.AbstractWorker.RunPart(List`1 faults, String runnerName, String subsystem, String partName, String resourceId, Boolean logStackTrace, Action part) in D:\a\duplo\duplo\ContainerManagement\Containers\ApiClient\Common\Workers\AbstractWorker.cs:line 567
10/16/2024 9:37:38 AM - 11 Query http://:9200/_plugins/_ism/policies/siem-index-state-policy
10/16/2024 9:37:38 AM - 11 ComplianceLifeCycleWorker SetOpensearchPolicies threw an exception: Invalid URI: The hostname could not be parsed.
10/16/2024 9:37:38 AM - 11 System.UriFormatException: Invalid URI: The hostname could not be parsed.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at System.Uri..ctor(String uriString)
   at ContainerManagement.NodeStateDriver.RestClient.Utils.GetData(String aInUrl, List`1 aInHeaders, String aInUserAgent, String aInAcceptHeader, Boolean ignoreSslErrors, Int32 aInTimeout) in D:\a\duplo\duplo\ContainerManagement\Containers\ApiClient\Utils.cs:line 154
   at Duplo.Compliance.EsClient.GetIlmPolicy(String policy_name) in D:\a\duplo\duplo\services\compliance\ComplianceCore\CloudClients\ESClient.cs:line 112
   at Duplo.Compliance.Workers.ComplianceLifeCycleWorker.CheckAndCreateOpensearchIlmPolicy() in D:\a\duplo\duplo\services\compliance\ComplianceCore\Workers\ComplianceLifeCycleWorker.cs:line 126
   at Duplo.Compliance.Workers.ComplianceLifeCycleWorker.<ProcessGoalStateUnsafe>b__7_2() in D:\a\duplo\duplo\services\compliance\ComplianceCore\Workers\ComplianceLifeCycleWorker.cs:line 63
   at ContainerManagement.Common.Workers.AbstractWorker.RunPart(List`1 faults, String runnerName, String subsystem, String partName, String resourceId, Boolean logStackTrace, Action part) in D:\a\duplo\duplo\ContainerManagement\Containers\ApiClient\Common\Workers\AbstractWorker.cs:line 567
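
The log above fails on a URL with no hostname. As an added example (not DuploCloud code and not part of the original page), this Python check flags the config keys named on this page when a value is missing, has no hostname, or still holds 0.0.0.0. Treating 0.0.0.0 as an unfilled placeholder, the configuration wrapper element in the sample, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input: the page's two keys, one left empty on purpose.
SAMPLE_CONF = """<configuration><appSettings>
  <add key="ENGINEENDPOINT" value="" />
  <add key="OAUTH" value="http://0.0.0.0" />
</appSettings></configuration>"""

REQUIRED_KEYS = ("ENGINEENDPOINT", "OAUTH")   # key names from the page
PLACEHOLDERS = {"0.0.0.0"}                    # assumption: means "not filled in"


def host_of(value):
    """Return the hostname of a URL or bare host[:port], or None if absent."""
    value = (value or "").strip()
    if "://" not in value:
        value = "//" + value          # let urlsplit treat it as a netloc
    try:
        return urlsplit(value).hostname
    except ValueError:                # e.g. malformed IPv6 literal
        return None


def check_value(name, value):
    """Return a finding string for one setting, or None if it looks usable."""
    host = host_of(value)
    if host is None:
        return f"{name}: no hostname in {value!r}"
    if host in PLACEHOLDERS:
        return f"{name}: placeholder host {host!r}"
    return None


def check_conf(conf_xml, required=REQUIRED_KEYS):
    """Check every required <add key=... value=...> entry in the config XML."""
    found = {el.get("key"): el.get("value")
             for el in ET.fromstring(conf_xml).iter("add")}
    findings = []
    for key in required:
        if key not in found:
            findings.append(f"{key}: missing from config")
        else:
            finding = check_value(key, found[key])
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in check_conf(SAMPLE_CONF):
        print(line)
```

The same check_value function can be called on the SIEM_HOST_IP and SIEM_PUSH_URL template variables before clicking Deploy.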
