S1EM solution is based on the principle of bringing together the best products in their field, free of charge, and making them quickly interoperable.

S1EM is a SIEM with SIRP and Threat Intel, a full packet capture, all in one.

Inside the solution:

• Cluster Elasticsearch
• Kibana
• Filebeat
• Logstash
• Metricbeat
• Heartbeat
• Auditbeat
• N8n
• Spiderfoot
• Syslog-ng
• Elastalert
• TheHive
• Cortex
• MISP
• OpenCTI
• Arkime
• Suricata
• Zeek
• StoQ
• Mwdb
• Traefik
• Clamav
• Codimd
• Watchtower
• Homer

Note: Cortex v3.1 use ELK connector and the OpenCTI v4 connector

Installation Guide

Prerequisites

Solution works with Linux, docker, and docker-compose.
For auditbeat, you must have Kernel in the version 5.

On Linux, you must have in the “/etc/sysctl.conf” the line:

vm.max_map_count=262144

Physical

You must have:

• 64 Go Ram
• More than 100 Go of HDD in SSD ( Very Important for SSD )
• 8 cpu
• 1 network for management
• 1 network for monitoring

Installation

log in to your system as « root »

git clone https://github.com/V1D1AN/S1EM.git
cd S1EM

After, run the command:

bash 01_deploy.sh

On Linux, add this entry in your /etc/hosts file to access to this solution ( change s1em.cyber.local with the hostname entered during installation ).

vi /etc/hosts
XXX.XXX.XXX.XXX s1em.cyber.local

On Windows, add this entry in your hosts file to access to this solution ( change s1em.cyber.local with the hostname entered during installation ).

notepad C:\Windows\System32\drivers\etc\hosts
XXX.XXX.XXX.XXX s1em.cyber.local