
Management & Access

Service URLs

Each SOC service has its own web UI. Access in two modes:

  1. Via FQDN (recommended) — nginx reverse proxy on CT502 (192.168.200.5) with wildcard SSL *.nasbu.edu.ua + ACL restrictions (see below).
  2. Direct to CT — IP + port inside VLAN250. For debugging, when nginx is unavailable, or for internal automation.
| Service | FQDN (via rproxy) | Direct in VLAN250 | CT | Status |
|---|---|---|---|---|
| Wazuh Dashboard | https://wazuh.nasbu.edu.ua | https://10.250.0.12:443 | CT703 | 🟢 |
| TheHive | https://thehive.nasbu.edu.ua | http://10.250.0.30:9000 | CT710 | 🟢 (4.1.24) |
| Cortex | https://cortex.nasbu.edu.ua | http://10.250.0.31:9001 | CT711 | 🟢 |
| MISP | https://misp.nasbu.edu.ua | https://10.250.0.15 | CT706 | 🟢 |
| Shuffle | https://shuffle.nasbu.edu.ua | http://10.250.0.32:3443 | CT712 | 🟢 |
| Velociraptor | https://velociraptor.nasbu.edu.ua | https://10.250.0.33:8889 | CT713 | 🟢 |
| Wazuh Manager API | — (REST only) | https://10.250.0.11:55000 | CT702 | 🟢 |
| Wazuh Indexer REST API | — (REST only) | https://10.250.0.10:9200, .13, .14 | CT701/704/705 | 🟢 |
| CrowdSec LAPI | — (API only, no UI) | http://10.250.0.16:8080 | CT707 | 🟢 — managed via cscli on CT707 |
| CrowdSec blocklist feed | (none) | http://10.250.0.16/security/blocklist | CT707 | 🟢 — FortiGate pulls every minute |

!!! warning "Not deployed (Tier 3 planned)"
    - Grafana — executive dashboards, BACKLOG TASK-092e
    - CrowdSec Cloud Console — not used; only local LAPI

If older documentation mentions URLs like `grafana:3000` or `crowdsec:3000` — those are planning placeholders, not reality.

ACL — who can reach the FQDNs

Why SOC UIs are inaccessible from the internet: these subdomains (wazuh, thehive, cortex, misp, shuffle, velociraptor) exist only in the internal FortiGate DNS — they are not in Cloudflare at all. From the public internet, DNS simply does not resolve.

The nginx ACL is a second layer for internal networks (limits who from inside can access the UI):

```nginx
allow 10.99.0.0/24;     # VPN clients (WireGuard)
allow 10.30.0.9;        # admin-node (for curl tests from bastion)
allow 10.168.150.0/24;  # Academy office network
allow 10.250.0.0/24;    # SIEM VLAN250 (CT-to-CT internal)
deny all;               # everything else → 403 Forbidden
```
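nginx checks these rules top to bottom and the first match decides, so the order matters: `deny all;` must stay last. The following POSIX sh script is an added example (not from this page or the CT502 config) that reproduces that first-match evaluation over the ACL above, with constructed client IPs, and shows what happens when `deny all;` is moved to the top.

```shell
#!/bin/sh
# Added example: evaluate an nginx allow/deny list the way ngx_http_access_module does.
# Rules are tested top to bottom, the FIRST match decides; if nothing matches, nginx allows.

ip_to_int() {            # dotted quad -> 32-bit integer
  local IFS
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {              # in_cidr IP NET[/BITS]; a bare host such as 10.30.0.9 means /32
  local ip net bits mask
  ip=$1; net=${2%/*}; bits=${2#*/}
  case $2 in */*) ;; *) bits=32 ;; esac
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The ACL from this page (CT502 nginx), copied verbatim
SOC_ACL='allow 10.99.0.0/24;     # VPN clients (WireGuard)
allow 10.30.0.9;        # admin-node (for curl tests from bastion)
allow 10.168.150.0/24;  # Academy office network
allow 10.250.0.0/24;    # SIEM VLAN250 (CT-to-CT internal)
deny all;               # everything else -> 403 Forbidden'

acl_verdict() {          # acl_verdict CLIENT_IP [ACL_TEXT] -> prints allow|deny
  local ip rules action target
  ip=$1; rules=${2:-$SOC_ACL}
  while read -r action target; do
    case $action in ''|'#'*) continue ;; esac   # blank line or comment-only line
    target=${target%%;*}                        # drop ';' and the trailing comment
    if [ "$target" = all ] || in_cidr "$ip" "$target"; then
      echo "$action"; return 0
    fi
  done <<EOF
$rules
EOF
  echo allow                                    # nginx default when no rule matched
}

# Same rules with "deny all" first: every client is refused, the allow lines never get a chance
MISORDERED='deny all;
allow 10.99.0.0/24;'

# constructed sample clients: VPN, admin-node, a neighbour of admin-node, a VLAN250 CT, the rproxy itself, internet
for src in 10.99.0.7 10.30.0.9 10.30.0.10 10.250.0.12 192.168.200.5 8.8.8.8; do
  printf '%-15s %s\n' "$src" "$(acl_verdict "$src")"
done
printf 'misordered ACL, 10.99.0.7: %s\n' "$(acl_verdict 10.99.0.7 "$MISORDERED")"
```

Note that 10.30.0.10 is denied even though it sits next to admin-node: the rule is a single host, not a /24.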

SSH access to Proxmox nodes and containers

The SOC infrastructure lives on 5 separate Proxmox nodes (not a cluster). SSH access: PC → admin-node (94.45.140.197:2223) → reverse SSH tunnel → localhost:227X (one port per siem-pxN node, see the table). There are no intermediate hops (workspace, share) in this chain.

| SSH alias | Proxmox node | Host IP (VLAN250) | SSH port | Containers on it |
|---|---|---|---|---|
| siem-px1 | siem-px1 | 10.250.0.2 | 2270 | CT701 — Wazuh Indexer primary |
| siem-px2 | siem-px2 | 10.250.0.3 | 2271 | CT702 (Wazuh Manager) · CT710 (TheHive) · CT711 (Cortex) |
| siem-px3 | siem-px3 | 10.250.0.4 | 2272 | CT703 (Wazuh Dashboard) · CT704 (Wazuh Indexer replica 1) |
| siem-px4 | siem-px4 | 10.250.0.5 | 2273 | CT706 (MISP) · CT707 (CrowdSec) · CT712 (Shuffle) |
| siem-px5 | siem-px5 | 10.250.0.6 | 2274 | CT705 (Wazuh Indexer replica 2) · CT713 (Velociraptor) |

Proxmox web UI on each node: https://10.250.0.X:8006 (only from VLAN250 / VPN). No public FQDN.
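The `siem-pxN` aliases above only work if the local ssh_config encodes the whole chain. The script below is an added example (not part of this page or the SOC repo) that emits such a fragment: `ProxyJump admin-node` makes ssh open `localhost:227X` from admin-node, which is where each reverse tunnel listens. Login names (`admin`, `root`) and the key path are assumptions; the addresses and ports come from the page.

```shell
#!/bin/sh
# Added example: emit an ssh_config fragment for the bastion chain
#   PC -> admin-node (94.45.140.197:2223) -> reverse tunnel -> localhost:227X -> siem-pxN
# Assumptions (not on the page): login names and key path; override them via the environment.
ADMIN_USER="${ADMIN_USER:-admin}"        # assumed user on admin-node
NODE_USER="${NODE_USER:-root}"           # assumed user on the Proxmox nodes
KEY="${KEY:-~/.ssh/id_ed25519}"          # assumed key; ssh expands the ~ itself

siem_port() {    # siem_port N -> reverse-tunnel port for siem-pxN (2270 .. 2274, as in the table)
  case $1 in
    [1-5]) echo $(( 2269 + $1 )) ;;
    *) echo "no such node: siem-px$1" >&2; return 1 ;;
  esac
}

siem_ssh_config() {
  cat <<EOF
Host admin-node
    HostName 94.45.140.197
    Port 2223
    User $ADMIN_USER
    IdentityFile $KEY

EOF
  n=1
  while [ "$n" -le 5 ]; do
    # HostKeyAlias: every node is reached as localhost:227X, so store its host key
    # under its own name instead of five different [localhost]:port entries
    cat <<EOF
Host siem-px$n
    HostName localhost
    Port $(siem_port "$n")
    User $NODE_USER
    ProxyJump admin-node
    HostKeyAlias siem-px$n
    IdentityFile $KEY

EOF
    n=$((n + 1))
  done
}

# e.g.  siem_ssh_config >> ~/.ssh/config
# afterwards the page's patterns work as written: ssh siem-px2 'pct exec 710 -- systemctl status docker'
siem_ssh_config
```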

Typical command patterns inside a CT

```bash
# Service status
ssh siem-px2 'pct exec 710 -- systemctl status docker'

# Docker container logs
ssh siem-px2 'pct exec 710 -- docker logs thehive --tail 50'

# curl from inside a CT to a local service
ssh siem-px4 'pct exec 706 -- curl -sk https://localhost/users/login'

# "CT host level" pattern (on the Proxmox node itself, not in the CT)
ssh siem-px2 'dmesg -T | tail -30'
```

Management Model

There is no single control plane (like Kubernetes). Each service is a standalone web UI + auth + config.

Key points:

- Shuffle was intended as the orchestrator ("conductor", SOAR layer), but is currently idle: no playbooks written (TASK-092d subtask 22 deferred). Real automation happens via custom Python/bash scripts on CT702:
    - /var/ossec/integrations/custom-thehive.py — Wazuh → TheHive Alert
    - /var/ossec/integrations/custom-crowdsec-block.py — Wazuh → CrowdSec decision
    - /var/ossec/integrations/custom-teams.sh — Wazuh → Teams webhook
- Proxmox manages the underlying infrastructure (CT/VM, storage, network) — not SOC applications.
- No centralized SSO yet (TASK-115 planned). Each system has its own credentials. Plan: Keycloak with LDAP federation → two AD groups (both in OU=AcadAdmins):
    - SOC-Users (6 members) — base access to SOC UIs
    - SOC-Admins (2 members: Samuel, OleksiiSt) — admin role in all services

    Both admin users are also in SOC-Users. Note: email in our AD lives in the userPrincipalName attribute, not mail.
- Centralized logging exists only for security events (Wazuh Indexer). Application logs (nginx access, docker stdout, systemd journal) remain on the individual CTs.

Access Patterns by Role

| Role | Primary UI | Additional | Notes |
|---|---|---|---|
| SOC Analyst Tier 1 | Wazuh Dashboard + TheHive | Teams (notifications) | 60% of time — Wazuh Dashboard; triage — TheHive. Details in 006. Daily Routine - Tier 1. |
| SOC Analyst Tier 2 | TheHive (case management) | Wazuh Dashboard, MISP, Cortex | Deep investigations, pivot to forensics |
| SOC Analyst Tier 3 / Threat Hunter | Velociraptor + Wazuh Indexer search | MISP, TheHive | Proactive hunts, deep forensics, threat research |
| SOC Manager / CISO | (future: Grafana) | Wazuh Dashboard executive view | Tier 3, component not yet deployed |
| System Administrator | SSH bastion chain + pct exec | Proxmox web UI (VLAN250) | Not via SOC UI — via Proxmox/CLI |
| Automation (planned) | Shuffle | All services via API | Shuffle idle; currently bypassed by custom scripts on CT702 |

FortiGate policies (for reference)

| Policy ID | Purpose |
|---|---|
| 135 | SOC:RProxy→VLAN250-GUI — allows nginx (CT502 in VLAN200) to reach SOC services in VLAN250 on ports 443, 9000, 9001, 3443, 8889 |
| 137 | CrowdSec:Block-Inbound — DROP IPs from CrowdSec feed (external-resource feed, 1 min refresh) |
| 119 | VLAN150→VLAN250 ALL — allows office network into SOC |
| 113 | SOC→Internet — VLAN250 → WAN (HTTPS/HTTP/DNS/NTP) for Docker pulls, VirusTotal/AbuseIPDB APIs, MISP feeds |

Last updated: 2026-04-15. Reflects state after Tier 2 deployment (2026-04-14) and TheHive 5.5 → 4.1.24 downgrade (2026-04-15).