VM Setup [SOC Automation with AI Implementation]

Project Overview:

Build an automated workflow using n8n. Splunk will ingest logs, create an alert and send it to n8n where ChatGPT can process the alert and output the information on to slack.

Required Files:

VM Environment Software:

  • Oracle VirtualBox (https://www.virtualbox.org/)

OS ISOs:

  • Kali Linux ISO (https://www.kali.org/get-kali/#kali-virtual-machines)
  • Ubuntu Server ISO (https://ubuntu.com/download/server)
  • Windows 10 ISO (https://www.microsoft.com/en-us/software-download/windows10)

VM Setup:

Before I can begin automating anything, I must first set up the Virtual Machine environments that will be used to run the n8n Server, the Splunk Server, the Ubuntu Client, and the Windows Client. I generally prefer to allocate enough resources so as to give the VMs more headroom to allow them to deal with more stress.

Windows Client:

For the installation of the Windows Client, I set the Base Memory to 4GB, the core count to 2, and the Disk Size to 50GB. The installation if fairly straight forward and can mostly be left unattended.



















Kali Linux:

After downloading the VirtualBox files and extracting the folder, double clicking on the ".vbox" file will automatically import a Kali Linux VM.
















After importing the Kali Linux VM, I changed the Base Memory to 4GB and left the rest of the settings the same.




















Ubuntu Server (Splunk):

For the Ubuntu based Splunk Server, I set the Base Memory to 8GB, the core count to 2, and the Disk Size to 100GB. There are two screens that will require user input.


The first instance in which any user input is required is the Profile Configuration screen. The second is for SSH Configuration. I want to make sure that we install the OpenSSH server package to allow me to SSH into the VM using SSH on my host machine. After rebooting, the VM should be ready for use.


















Ubuntu Server (n8n)

The setup for this server is exactly the same as the one for the Splunk VM, so the same steps may be followed.



















Summary and Reflection:

Getting the Virtual Machines set up will give me an easier time installing the different components now that I have laid the groundwork for the rest of the project. Splunk isn't the first SIEM I have experience with so I'm expecting it to go smoother than it did with my first time setting up Wazuh.

Comments

Post a Comment

Popular posts from this blog

About Me

A Quick Introduction: Hello, my name is Erick and I'm an aspiring SOC Analyst who's trying to turn close to two decades of tech experience and passion into a career. I've been the tech guy among my friends and family for almost two decades and have experience troubleshooting and solving hardware, software, and network related computer problems. I've built PCs, hosted game servers, and troubleshoot computer problems both in person and over the phone. Over the years, I've not only learned to solve technical problems quickly, but also how to explain them to both technical and non technical users. What was originally a hobby of mine turned into a deep and growing interest in cybersecurity and IT operations. In pursuit of becoming a SOC Analyst, I have earned my CompTIA Security+ Certificate in September of 2025, strengthening my foundational knowledge in network defense, threat detection, and incident response. Technical Background: Troubleshooting and System Setup: I h...
Read more

Implementing Slack and Putting it all together [SOC Automation with AI Implementation]

Image
  Goal:  To fully integrate ChatGPT using n8n and piece everything together. Workflow Setup: First it's important to disable the Splunk alert for now because we are done with the current test. Then on the n8n server, going back to canvas, we can pin the output so that we don't need to keep triggering the workflow. Before continuing, I created an API Platform account on openai.com. I clicked on "start building" to set it up, naming my organization "Caser" and the API key name "Caser-SOC-Project", and then generated an API key. Once I had this copied it was time to go back and start setting up the workflow. This is where I encountered my first major issue. I went on vacation and during that time I wasn't able to work on the project. This led to my session being timed out, and when I logged back in I was no longer able to pin the webhook trigger event. I spent some time looking to see if there was a way to simply revert it or to see if there was a...
Read more