Security Information and Event Management (SIEM) in DuploCloud
DuploCloud uses Wazuh for SIEM. The primary functions of the SIEM are:
Data Repository
Event Processing Rules
Dashboard
Events and Alerting
OSSEC-based Wazuh agents are deployed on the endpoints (VMs in the cloud), where they collect event data from multiple sources such as syslog, virus scan results, NIDS alerts, file integrity monitoring (FIM) events, etc. The data is sent to the centralized Wazuh server deployed in the Compliance Tenant, where it passes through a set of decoders and rules that produce events and alerts; these are stored in OpenSearch and visualized through a Kibana dashboard. Data is also ingested from cloud provider sources such as CloudTrail, AWS Trusted Advisor, GuardDuty, container registry scans, Azure Security Center, etc.
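To make the "rules produce events and alerts" step concrete, the following is an added example (not DuploCloud or Wazuh code) of the manager-side pipeline in miniature: raw agent data is decoded into fields, single-event rules assign a level, and a correlation rule of the kind Wazuh expresses with `if_matched_sid`, `frequency`, `timeframe` and `same_source_ip` escalates repeated SSH failures from one IP into a brute-force alert. Only alerts at or above a threshold level are emitted, mirroring the manager's alert-level cutoff. The rule ids, levels, host names, IP addresses, the CloudTrail-style record and the syslog lines are all constructed for the example and do not come from any real environment.

```python
"""Toy SIEM pipeline: decode -> rules -> alerts.

Illustrative only; modelled on how a Wazuh manager processes agent data,
but it is not Wazuh code. Rule ids, levels and sample events are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample input: syslog lines as an agent would forward them, plus one
# CloudTrail-style record. Hosts, users and IPs are placeholders (RFC 5737 ranges).
SYSLOG_LINES = [
    "Mar  4 10:00:01 web-1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2",
    "Mar  4 10:00:03 web-1 sshd[1202]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "Mar  4 10:00:05 web-1 sshd[1203]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Mar  4 10:00:06 web-1 sshd[1204]: Failed password for root from 203.0.113.9 port 51003 ssh2",
    "Mar  4 10:00:07 web-1 sshd[1205]: Failed password for root from 203.0.113.9 port 51004 ssh2",
    "Mar  4 10:00:09 web-1 sshd[1206]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
]
CLOUDTRAIL_RECORD = {  # constructed, minimal subset of real CloudTrail fields
    "eventTime": "2024-03-04T10:05:00Z",
    "eventName": "ConsoleLogin",
    "recipientAccountId": "123456789012",
    "sourceIPAddress": "203.0.113.9",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "additionalEventData": {"MFAUsed": "No"},
}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)")
SSHD_OK_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<srcip>\S+)")


def decode_syslog(line, year=2024):
    """Decoder: turn one syslog line into a dict of fields (None if unparseable).
    Syslog carries no year, so it is supplied as a parameter (assumption)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ev = {"source": "syslog", "ts": ts, "host": m["host"], "program": m["prog"], "msg": m["msg"]}
    if m["prog"] == "sshd":
        fail, ok = SSHD_FAIL_RE.search(m["msg"]), SSHD_OK_RE.search(m["msg"])
        if fail:
            ev.update(action="auth_fail", user=fail["user"], srcip=fail["srcip"])
        elif ok:
            ev.update(action="auth_ok", user=ok["user"], srcip=ok["srcip"])
    return ev


def decode_cloudtrail(record):
    """Decoder for a CloudTrail record: normalise to the same field names as syslog events."""
    return {
        "source": "cloudtrail",
        "ts": datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00")),
        "host": record.get("recipientAccountId"),
        "action": record["eventName"],
        "user": record["userIdentity"].get("userName"),
        "srcip": record.get("sourceIPAddress"),
        "mfa": record.get("additionalEventData", {}).get("MFAUsed"),
    }


# Rule set. "when" rules match one event; the last rule is a correlation rule that
# fires only after rule 100001 matched `frequency` times within `timeframe` seconds
# for the same value of the `same` field (here the source IP).
RULES = [
    {"id": 100001, "level": 5, "description": "sshd: authentication failed",
     "when": lambda e: e.get("action") == "auth_fail"},
    {"id": 100002, "level": 3, "description": "sshd: authentication success",
     "when": lambda e: e.get("action") == "auth_ok"},
    {"id": 100010, "level": 9, "description": "CloudTrail: console login without MFA",
     "when": lambda e: e["source"] == "cloudtrail" and e["action"] == "ConsoleLogin" and e.get("mfa") == "No"},
    {"id": 100003, "level": 10, "description": "sshd: brute force (4+ failures from one IP within 120s)",
     "if_matched_sid": 100001, "frequency": 4, "timeframe": 120, "same": "srcip"},
]


class RuleEngine:
    def __init__(self, rules, alert_level=3):
        self.rules = rules
        self.alert_level = alert_level          # emit only alerts at this level or higher
        self.history = defaultdict(deque)       # (rule_id, key) -> timestamps of base matches

    def process(self, ev):
        """Evaluate one decoded event; return the highest-level alert or None."""
        fired, candidates = set(), []
        for r in self.rules:
            if "when" in r and r["when"](ev):
                fired.add(r["id"])
                candidates.append(r)
        for r in self.rules:
            if r.get("if_matched_sid") in fired:
                window = self.history[(r["id"], ev.get(r["same"]))]
                window.append(ev["ts"])
                while (ev["ts"] - window[0]).total_seconds() > r["timeframe"]:
                    window.popleft()            # drop matches outside the time window
                if len(window) >= r["frequency"]:
                    candidates.append(r)
                    window.clear()              # reset so one burst yields one alert
        if not candidates:
            return None
        best = max(candidates, key=lambda r: r["level"])
        if best["level"] < self.alert_level:
            return None
        return {"rule_id": best["id"], "level": best["level"], "description": best["description"],
                "timestamp": ev["ts"].isoformat(), "host": ev.get("host"),
                "srcip": ev.get("srcip"), "user": ev.get("user")}


def run(lines=SYSLOG_LINES, records=(CLOUDTRAIL_RECORD,)):
    """Decode all sample input, feed it to the engine in time order, return the alerts."""
    engine = RuleEngine(RULES)
    events = [e for e in (decode_syslog(l) for l in lines) if e] + [decode_cloudtrail(r) for r in records]
    events.sort(key=lambda e: e["ts"])
    return [a for a in (engine.process(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert["level"], alert["rule_id"], alert["description"], alert["srcip"])
```

On the sample input the fourth failed login from 203.0.113.9 is escalated to the level-10 brute-force alert while the individual failures stay at level 5, and the MFA-less console login from the CloudTrail record surfaces at level 9. The same shape (decoder, single-event rules, correlation rule, level threshold) is what a custom Wazuh `local_rules.xml` expresses in XML; the point of the example is to show why the manager, not the agent, is where the correlation state and the alert-level cutoff live.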
For customers who require SIEM, the setup is fully orchestrated by the platform: it installs the OSSEC agents on the DuploCloud hosts and keeps them updated automatically, so no manual agent management is needed.
Typically, one centralized SIEM serves multiple accounts: a single DuploCloud deployment hosts the SIEM, and additional DuploCloud environments forward their data to it. This requires that hosts in each forwarding environment can reach the central Wazuh server in the Compliance Tenant over the network.