### Install Git and Download Wazuh Rules

Source: https://github.com/socfortress/ossiem/blob/main/README.md

Installs the Git package within the Wazuh Manager container and then downloads and executes a script to install custom SOCFortress rules for Wazuh. Requires executing into the Wazuh Manager container first.

```bash
docker exec -it wazuh.manager /bin/bash
dnf install git -y
curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/OSSIEM/main/wazuh_socfortress_rules.sh && bash ~/wazuh_socfortress_rules.sh
```

--------------------------------

### Start Wazuh Docker Environment (docker-compose)

Source: https://github.com/socfortress/ossiem/blob/main/wazuh/README.md

Starts the Wazuh Docker environment defined in the 'docker-compose.yml' file. Can be run in the foreground (for monitoring) or in the background. The initial startup may take some time for index and pattern generation.

```bash
# Foreground: container output stays attached to the terminal
docker-compose up
```

```bash
# Background (detached)
docker-compose up -d
```

--------------------------------

### Install SOCFortress Wazuh Rules and Decoders (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This bash script automates the deployment of SOCFortress custom detection rules and decoders to the Wazuh Manager. It includes steps for backing up existing rules, cloning the Wazuh-Rules repository, installing rule and decoder files, and validating the Wazuh service health. It requires root privileges to run.

```bash
#!/bin/bash
# wazuh_socfortress_rules.sh

# Execute the script (must be run as root inside Wazuh Manager container)
bash wazuh_socfortress_rules.sh

# The script will:
# 1. Prompt for confirmation before replacing rules
# 2. Detect system type (yum or apt-get)
# 3. Verify git is installed
# 4. Check for 64-bit architecture
# 5. Back up current rules to /tmp/wazuh_rules_backup/
# 6. Clone SOCFortress rules from GitHub
# 7. Install rules to /var/ossec/etc/rules/
# 8. Move decoders to /var/ossec/etc/decoders/
# 9. Set proper ownership (wazuh:wazuh) and permissions (660)
# 10. Restart Wazuh Manager service
# 11. Perform health check on wazuh-logcollector
# 12. Rollback on failure with automatic rule restoration

# Manual backup before running
mkdir -p /tmp/manual_backup
cp -r /var/ossec/etc/rules/* /tmp/manual_backup/

# Manual installation of a specific rule file
wget https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/0580-win_malware_rules.xml
mv 0580-win_malware_rules.xml /var/ossec/etc/rules/
chown wazuh:wazuh /var/ossec/etc/rules/0580-win_malware_rules.xml
chmod 660 /var/ossec/etc/rules/0580-win_malware_rules.xml
/var/ossec/bin/wazuh-control restart

# Verify rules are loaded (interactive: paste a sample event to check rule matching)
/var/ossec/bin/wazuh-logtest
```

--------------------------------

### Deploy Docker Compose Stack

Source: https://github.com/socfortress/ossiem/blob/main/README.md

Starts all services defined in the docker-compose.yml file in detached mode. Ensure all environment variables and configurations are set before running.

```bash
docker compose up -d
```

--------------------------------

### Configure and Manage Wazuh Manager

Source: https://context7.com/socfortress/ossiem/llms.txt

Instructions for accessing the Wazuh Manager container, installing necessary tools, deploying custom rules, checking status, viewing agent connections, restarting the manager, and monitoring logs. Essential for SIEM core functionality.

```bash
# Access Wazuh Manager container
docker exec -it wazuh.manager /bin/bash

# Install git inside container for rule updates
dnf install git -y

# Deploy SOCFortress custom rules
curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/OSSIEM/main/wazuh_socfortress_rules.sh
bash ~/wazuh_socfortress_rules.sh

# Check Wazuh Manager status
/var/ossec/bin/wazuh-control status

# View agent connections
/var/ossec/bin/agent_control -l

# Restart Wazuh Manager
/var/ossec/bin/wazuh-control restart

# Check logs for errors
tail -f /var/ossec/logs/ossec.log
```

--------------------------------

### Test CoPilot API Authentication (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command tests the authentication of the CoPilot API by sending a request to the agents endpoint with the provided credentials. It uses cURL to perform a GET request, demonstrating how to authenticate with the API.

```bash
# Credentials are single-quoted so the shell does not expand '!' or treat '#' specially
curl -k -u 'copilot-api:SecurePass123!@#' 'https://wazuh.manager:55000/agents?limit=10'
```

--------------------------------

### Retrieve OSSIM Copilot Admin Password

Source: https://github.com/socfortress/ossiem/blob/main/README.md

This command retrieves the admin password for OSSIM Copilot by inspecting the Docker logs. It is only available the first time Copilot is started. Ensure Docker is installed and running.

```bash
docker logs "$(docker ps --filter ancestor=ghcr.io/socfortress/copilot-backend:latest --format '{{.ID}}')" 2>&1 | grep "Admin user password"
```

--------------------------------

### Generate Wazuh Indexer Certificates (Docker)

Source: https://github.com/socfortress/ossiem/blob/main/wazuh/README.md

Runs a Docker container to generate SSL certificates for the Wazuh Indexer. This is a required step before starting the Wazuh environment. Uses the 'generate-indexer-certs.yml' docker-compose file.

```bash
docker-compose -f generate-indexer-certs.yml run --rm generator
```

--------------------------------

### Delete Old Velociraptor Monitoring Data (Python)

Source: https://context7.com/socfortress/ossiem/llms.txt

This Python script automates the deletion of Velociraptor monitoring data older than a specified retention period (default is 7 days). It uses the Velociraptor API and VQL queries to remove outdated artifacts, logging all operations. Ensure the `pyvelociraptor` library is installed.

```python
#!/usr/bin/env python3
# delete_monitoring_weekly.py
import datetime
import json
import logging
import grpc
import pyvelociraptor
from pyvelociraptor import api_pb2, api_pb2_grpc

# Configuration
API_CONFIG_PATH = "/opt/velociraptor_installer/api.config.yaml"
ARTIFACT = "Server.Utils.DeleteMonitoringData"
ARTIFACT_REGEX = "Windows.Hayabusa.Monitoring"
HOSTNAME_REGEX = "."
ONLY_REGISTERED = False
REALLY_DO_IT = True
LOG_FILE = "/var/log/velociraptor_delete_monitoring.log"

logging.basicConfig(filename=LOG_FILE, level=logging.INFO,
                    format="%(asctime)s %(levelname)s %(message)s")

# Example: Delete monitoring data older than 7 days
# Calculate date threshold
date_before = (datetime.datetime.utcnow() - datetime.timedelta(days=7)).strftime("%Y-%m-%d")

# VQL query to delete old monitoring data
vql = f"""
SELECT * FROM Artifact.{ARTIFACT}(
    DateBefore='{date_before}',
    ArtifactRegex='{ARTIFACT_REGEX}',
    HostnameRegex='{HOSTNAME_REGEX}',
    ReallyDoIt={str(REALLY_DO_IT).lower()}
)
"""


def run_query(query):
    """Send the VQL to the Velociraptor API over mutual-TLS gRPC and return the
    decoded result rows. The connection pattern follows the pyvelociraptor
    example client; the api.config.yaml keys are those that file always carries."""
    config = pyvelociraptor.LoadConfigFile(API_CONFIG_PATH)
    creds = grpc.ssl_channel_credentials(
        root_certificates=config["ca_certificate"].encode("utf8"),
        private_key=config["client_private_key"].encode("utf8"),
        certificate_chain=config["client_cert"].encode("utf8"))
    # The API certificate is issued for this fixed name regardless of the host
    options = (("grpc.ssl_target_name_override", "VelociraptorServer"),)
    rows = []
    with grpc.secure_channel(config["api_connection_string"], creds, options) as channel:
        stub = api_pb2_grpc.APIStub(channel)
        request = api_pb2.VQLCollectorArgs(
            max_wait=1, Query=[api_pb2.VQLRequest(Name="DeleteMonitoring", VQL=query)])
        for response in stub.Query(request):
            if response.Response:
                rows.extend(json.loads(response.Response))
            elif response.log:
                # Query execution logs arrive in their own messages
                logging.info("server: %s", response.log)
    return rows


if __name__ == "__main__":
    logging.info("Deleting %s data before %s (ReallyDoIt=%s)",
                 ARTIFACT_REGEX, date_before, REALLY_DO_IT)
    for row in run_query(vql):
        logging.info("result: %s", json.dumps(row))

# Execute with pyvelociraptor
# python3 delete_monitoring_weekly.py

# View deletion log
# cat /var/log/velociraptor_delete_monitoring.log

# Customize retention period (e.g., 14 days)
# date_before = (datetime.datetime.utcnow() - datetime.timedelta(days=14)).strftime("%Y-%m-%d")

# Test run without deleting (dry run)
# Set REALLY_DO_IT = False in script before execution
```

--------------------------------

### Create Admin User with JSON Configuration (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This snippet demonstrates how to create an admin user for the CoPilot API by first defining the user credentials in a JSON file and then executing a Python script. It includes commands to create the configuration file, run the user creation script, and verify the user creation using cURL.

```bash
cat > /var/ossec/api/configuration/admin.json << EOF
{
  "username": "copilot-api",
  "password": "SecurePass123!@#"
}
EOF

python3 /var/ossec/framework/scripts/create_user.py

# Verify the new user can authenticate (credentials single-quoted for the shell)
curl -k -u 'copilot-api:SecurePass123!@#' https://localhost:55000/security/users/me
```

--------------------------------

### Backup Wazuh Configuration and Logs (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

These commands create compressed archives of the Wazuh configuration and log directories. They use Docker to mount the respective volumes (`wazuh_etc` and `wazuh_logs`) into a temporary container and then use `tar` to create the backups in the current directory.

```bash
docker run --rm -v wazuh_etc:/source -v "$(pwd)":/backup alpine tar czf /backup/wazuh_etc_backup.tar.gz -C /source .
docker run --rm -v wazuh_logs:/source -v "$(pwd)":/backup alpine tar czf /backup/wazuh_logs_backup.tar.gz -C /source .
```

--------------------------------

### User Creation and Management

Source: https://context7.com/socfortress/ossiem/llms.txt

This section details the process of creating and managing users for the Copilot API, including script execution and verification steps.

````APIDOC
## User Creation and Management

### Description
This endpoint group covers the creation and management of users within the Copilot system. It involves creating configuration files, executing scripts, and verifying user creation.

### Method
POST (implicitly through script execution)

### Endpoint
N/A (script-based)

### Parameters
None directly for an endpoint, but configuration file fields are used:

#### Request Body (for admin.json)
- **username** (string) - Required - The desired username.
- **password** (string) - Required - The password for the user.

### Request Example (admin.json creation)
```json
{
  "username": "copilot-api",
  "password": "SecurePass123!@#"
}
```

### Response
#### Success Response (User Creation)
- **Output from `create_user.py` script** - The script provides output indicating success or failure.

#### Response Example (Verification `curl` command)
```json
{
  "data": {
    "affected_items": [
      {
        "id": 100,
        "username": "copilot-api",
        "roles": [1]
      }
    ]
  }
}
```
Role id 1 is the administrator role.

### Error Handling
- Script execution failures will be reported by the `python3` command.
- `curl` command failures may indicate network issues or incorrect authentication credentials.
````

--------------------------------

### API Authentication and Agent Query

Source: https://context7.com/socfortress/ossiem/llms.txt

Demonstrates how to authenticate with the Copilot API using credentials and query agent information.

````APIDOC
## API Authentication and Agent Query

### Description
This endpoint demonstrates how to authenticate with the Copilot API using basic authentication and then query for agent information.

### Method
GET

### Endpoint
`https://wazuh.manager:55000/agents?limit=10`

### Parameters
#### Query Parameters
- **limit** (integer) - Optional - The maximum number of agents to return.

#### Request Headers (for authentication)
- `Authorization`: `Basic ` (handled by `curl -u`)

### Request Example
```bash
curl -k -u 'copilot-api:SecurePass123!@#' 'https://wazuh.manager:55000/agents?limit=10'
```

### Response
#### Success Response (200 OK)
- **Agent Data**: A JSON object containing a list of agents matching the query criteria.

#### Response Example
(Example response structure would be provided here based on actual API behavior)
````

--------------------------------

### Configure Graylog with Wazuh Root CA

Source: https://github.com/socfortress/ossiem/blob/main/README.md

Copies the Graylog Java keystore and imports the Wazuh root CA certificate into it, allowing Graylog to connect to the Wazuh Indexer. This involves executing commands inside the Graylog container.

```bash
docker exec -it graylog bash
cp /opt/java/openjdk/lib/security/cacerts /usr/share/graylog/data/config/
cd /usr/share/graylog/data/config/
keytool -importcert -keystore cacerts -storepass changeit -alias wazuh_root_ca -file root-ca.pem
```

--------------------------------

### Configure Graylog SSL Certificate for Indexer Communication

Source: https://context7.com/socfortress/ossiem/llms.txt

Steps to import the Wazuh root CA certificate into Graylog's Java keystore. This is a critical manual step required for secure communication between Graylog and the Wazuh Indexer after initial deployment.

```bash
# Access Graylog container
docker exec -it graylog bash

# Copy Java keystore to persistent volume
cp /opt/java/openjdk/lib/security/cacerts /usr/share/graylog/data/config/

# Navigate to config directory
cd /usr/share/graylog/data/config/

# Import Wazuh root CA into keystore
keytool -importcert -keystore cacerts -storepass changeit -alias wazuh_root_ca -file root-ca.pem
# Type "yes" when prompted to accept certificate

# Restart Graylog to apply changes
docker restart graylog

# Verify Graylog is running
docker logs graylog | grep -i "started"
```

--------------------------------

### List Docker Containers and Ports (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command lists all running Docker containers along with the ports they are exposing. The output is formatted as a table, making it easy to see which container is listening on which port.

```bash
docker ps --format "table {{.Names}}\t{{.Ports}}"
```

--------------------------------

### Backup CoPilot Database (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command performs a database dump of the CoPilot MySQL database. It executes `mysqldump` within the `copilot-mysql` container to create a SQL backup file.

```bash
docker exec copilot-mysql mysqldump -u copilot -p copilot > copilot_db_backup.sql
```

--------------------------------

### CoPilot Backend Administration

Source: https://context7.com/socfortress/ossiem/llms.txt

Covers accessing and managing the CoPilot backend service, including retrieving initial passwords and health checks.

````APIDOC
## CoPilot Backend Administration

### Description
This section outlines how to administer the CoPilot backend service, including retrieving the initial admin password, accessing the web interface and API, and monitoring service health.

### Method
Various (GET, POST, etc. depending on the command)

### Endpoint
- `http://localhost:5000/api/v1/auth/login` (API Login)
- `http://localhost:5000/health` (Health Check)

### Parameters
#### Request Body (for API Login)
- **username** (string) - Required - The admin username.
- **password** (string) - Required - The admin password.

### Request Example (API Login)
```bash
curl -X POST http://localhost:5000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"Ab3Cd5Ef7Gh9Ij1Kl2Mn4Op6Qr8St0"}'
```

### Response
#### Success Response (API Login)
- **Authentication Token**: A token used for subsequent authenticated API requests.

#### Success Response (Health Check)
- **Health Status**: Typically a JSON object indicating the service is running.

#### Response Example (Health Check)
```json
{
  "status": "operational"
}
```

### Notes
- The initial admin password is only available in the Docker logs on the first startup.
- The backend service runs on port 5000.
````

--------------------------------

### Deploy and Manage SIEM Stack with Docker Compose

Source: https://context7.com/socfortress/ossiem/llms.txt

Commands to deploy, check status, view logs, and tear down the entire SIEM stack using Docker Compose. This is the primary method for managing the integrated services.

```bash
# Deploy the entire SIEM stack
docker compose up -d

# Check container status
docker ps

# View logs for specific containers
docker logs wazuh.manager
docker logs graylog
docker logs copilot-backend

# Stop all services
docker compose down

# Stop and remove volumes (complete cleanup)
docker compose down -v
```

--------------------------------

### Backup Graylog Data (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command creates a compressed archive of the Graylog data volume. It uses a temporary Docker container to access the `graylog_data` volume and package its contents into a tar.gz file in the current directory.

```bash
docker run --rm -v graylog_data:/source -v "$(pwd)":/backup alpine tar czf /backup/graylog_data_backup.tar.gz -C /source .
```

--------------------------------

### Configure Velociraptor API for CoPilot Integration

Source: https://context7.com/socfortress/ossiem/llms.txt

Commands to access the Velociraptor container, generate an API client configuration required for CoPilot integration, and then copy this configuration to the CoPilot directory on the host machine. This enables automated artifact collection and forensic investigations.

```bash
# Access Velociraptor container
docker exec -it velociraptor /bin/bash

# Generate API client configuration
./velociraptor --config server.config.yaml config api_client --name admin --role administrator,api api.config.yaml

# Exit container
exit

# Copy API config to CoPilot directory (run on host)
docker cp velociraptor:/velociraptor/api.config.yaml ./data/copilot-mcp/api.config.yaml

# Restart CoPilot MCP to load new config
docker restart copilot-mcp
```

--------------------------------

### List Docker Volumes (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command lists all Docker volumes currently present on the system. Volumes are used to persist data generated by and used by Docker containers.

```bash
docker volume ls
```

--------------------------------

### Create Wazuh API User (Python)

Source: https://context7.com/socfortress/ossiem/llms.txt

This Python script manages Wazuh API user accounts. It reads user credentials from a specified JSON file, creates new users with administrator roles, and can disable default accounts. The script leverages Wazuh's RBAC framework for secure API access management. Ensure the necessary Wazuh framework components are accessible.

```python
#!/usr/bin/env python3
# create_user.py
import json
import sys
import os

sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
from wazuh.rbac.orm import check_database_integrity
from wazuh.security import create_user, get_users, get_roles, set_user_role, update_user

USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
ADMIN_ROLE_ID = 1  # built-in administrator role

# Example: Create custom API user
# (call signatures below follow the wazuh.security module of the Wazuh framework; assumed, not taken from this page)
with open(USER_FILE_PATH) as user_file:
    user = json.load(user_file)  # {"username": ..., "password": ...}
check_database_integrity()
existing = {u["username"]: u["id"] for u in get_users().affected_items}
if user["username"] in existing:
    # User already exists: only rotate the password
    update_user(user_id=[str(existing[user["username"]])], password=user["password"])
else:
    create_user(username=user["username"], password=user["password"])
    uid = {u["username"]: u["id"] for u in get_users().affected_items}[user["username"]]
    set_user_role(user_id=[str(uid)], role_ids=[str(ADMIN_ROLE_ID)])
```

--------------------------------

### View CoPilot Service Logs (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command streams the logs for the `copilot-backend` Docker container in real time. It is useful for monitoring the backend service's activity and troubleshooting issues.

```bash
docker logs -f copilot-backend
```

--------------------------------

### Restore Wazuh Configuration (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command restores the Wazuh configuration from a previously created tar.gz archive. It uses a temporary Docker container to mount the target volume (`wazuh_etc`) and extracts the archive contents into it.

```bash
docker run --rm -v wazuh_etc:/target -v "$(pwd)":/backup alpine tar xzf /backup/wazuh_etc_backup.tar.gz -C /target
```

--------------------------------

### Access CoPilot API Login Endpoint (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This cURL command demonstrates how to log in to the CoPilot API by sending a POST request with a JSON payload containing username and password. It targets the authentication endpoint of the CoPilot backend service.

```bash
curl -X POST http://localhost:5000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"Ab3Cd5Ef7Gh9Ij1Kl2Mn4Op6Qr8St0"}'
```

--------------------------------

### Inspect Docker Volume Details (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command inspects a specific Docker volume, providing detailed information about its configuration, mount points, and other metadata. This is useful for understanding where volume data is stored on the host system.

```bash
docker volume inspect wazuh_logs
docker volume inspect graylog_data
docker volume inspect copilot-mysql_data
```

--------------------------------

### Test Service Connectivity (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

A collection of cURL commands to test connectivity to the various SIEM stack services by accessing their web interfaces or APIs. This helps verify that the services are running and accessible on their respective ports.

```bash
curl -k https://localhost:5601  # Wazuh Dashboard
curl http://localhost:9000      # Graylog
curl http://localhost:3000      # Grafana
curl -k https://localhost:8000  # Velociraptor
curl http://localhost:80        # CoPilot Frontend
```

--------------------------------

### Build Wazuh Manager Docker Image with Fluent Bit

Source: https://github.com/socfortress/ossiem/blob/main/wazuh/custom-wazuh-manager/README.md

Command to build the Wazuh Manager Docker image, specifying the Wazuh version and tag revision. This image is configured to use Fluent Bit for log shipping.

```dockercli
docker build -t socfortress/wazuh-manager:[WAZUH_VERSION] --build-arg WAZUH_VERSION=[WAZUH_VERSION] --build-arg WAZUH_TAG_REVISION=[WAZUH_TAG_REVISION] .
```

```dockercli
docker build -t socfortress/wazuh-manager:4.9.0 --build-arg WAZUH_VERSION=4.9.0 --build-arg WAZUH_TAG_REVISION=1 .
```

--------------------------------

### Test Graylog API Cluster Nodes (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command tests connectivity to the Graylog API by retrieving information about the cluster nodes. It uses cURL with basic authentication to access the API endpoint.

```bash
curl -u admin:yourpassword http://localhost:9000/api/system/cluster/nodes
```

--------------------------------

### Restart CoPilot Services (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command restarts the CoPilot backend, frontend, and MCP (Message Queue Protocol) services. It is a common administrative task for applying updates or recovering from service disruptions.

```bash
docker restart copilot-backend copilot-frontend copilot-mcp
```

--------------------------------

### Forward Ports via SSH Tunnel (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command sets up SSH tunnels to forward local ports to specific ports on a remote SIEM server. This allows secure remote access to services like Wazuh Dashboard, Graylog, Grafana, and CoPilot Frontend.

```bash
ssh -L 5601:localhost:5601 -L 9000:localhost:9000 -L 3000:localhost:3000 user@siem-server
```

--------------------------------

### Generate Velociraptor API Config

Source: https://github.com/socfortress/ossiem/blob/main/README.md

Generates the `api.config.yaml` file required for Copilot to access the Velociraptor API. This command is executed within the Velociraptor container.

```bash
docker exec -it velociraptor /bin/bash
./velociraptor --config server.config.yaml config api_client --name admin --role administrator,api api.config.yaml
```

--------------------------------

### Test Wazuh API Cluster Health (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command tests authentication and connectivity to the Wazuh Indexer's cluster health endpoint. It uses cURL to send a request with basic authentication credentials to the specified endpoint.

```bash
curl -k -u admin:SecretPassword 'https://localhost:9200/_cluster/health?pretty'
```

--------------------------------

### Update CoPilot Admin Password (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This snippet shows how to update the password for an existing CoPilot API admin user. It involves overwriting the admin.json configuration file with new credentials and then re-executing the user creation script, which handles password updates for existing users.

```bash
cat > /var/ossec/api/configuration/admin.json << EOF
{
  "username": "copilot-api",
  "password": "NewSecurePass456!@#"
}
EOF

python3 /var/ossec/framework/scripts/create_user.py
```

--------------------------------

### Check CoPilot Service Health (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This cURL command queries the `/health` endpoint of the CoPilot backend service to check its operational status. It is a simple way to verify that the service is running and responsive.

```bash
curl http://localhost:5000/health
```

--------------------------------

### Remove Unused Docker Volumes (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command prunes (removes) all Docker volumes that are not currently used by any containers. This is a good practice for freeing up disk space.

```bash
docker volume prune
```

--------------------------------

### Increase vm.max_map_count (Linux)

Source: https://github.com/socfortress/ossiem/blob/main/wazuh/README.md

Sets the maximum memory map count for the Linux kernel. This is a prerequisite for running Wazuh Indexer in a Docker environment. Requires root permissions.

```bash
sysctl -w vm.max_map_count=262144
```

--------------------------------

### Remove Specific Docker Volume (Bash)

Source: https://context7.com/socfortress/ossiem/llms.txt

This command removes a specific Docker volume. **Warning:** This action will result in data loss for the specified volume. Use with extreme caution.

```bash
docker volume rm wazuh_logs
```