2023 9th International Conference on Smart Computing and Communications (ICSCC)

Implementation of SOC using ELK with Integration of Wazuh and Dedicated File Integrity Monitoring

979-8-3503-1409-0/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICSCC59169.2023.10334992

Akshai Sankar NS
Department of Computer Science
Muthoot Institute of Technology and Science

Fasila K. A.
Department of Computer Science
Muthoot Institute of Technology and Science
Abstract—The Security Operations Center (SOC) is currently a crucial component of the protection strategy and data security system that reduces the degree of vulnerability of information systems to both internal and external hazards. The SOC gathers events from various security components, evaluates them, spots anomalies, and establishes alerting protocols. The implementation of a SOC architecture will center on agents running on monitored hosts and forwarding log data to a central server that serves as a hub. ELK and Wazuh are the tools that we shall employ. Elasticsearch, Logstash, and Kibana are the three open-source technologies that make up the ELK Stack. Wazuh is integrated with ELK to gather and aggregate security data for spotting threats, intrusions, and behavioral anomalies. Several rules that will set off alarms when odd or suspicious activity takes place will be configured. With this architectural paradigm, we can create and keep a situational image of the organization's security while responding quickly to any changes that may occur. Our goal is to build a SOC environment that enables dynamic security and serves as a true fortress of analysis, monitoring, prevention, and restoration. File Integrity Monitoring (FIM) usually falls under the data loss prevention policy of organisations, but it is built into this tool.

Index Terms—FIM, SOC, SIEM, Elasticsearch, Logstash, Kibana.

I. INTRODUCTION

The advent of PCs and networks has significantly altered the world. Nearly everything in this era of computerization is connected to networks and accessible to anyone from a distance. This entails concern for educational, contemporary, business and government organizations where information is extremely important. In light of this, maintaining lower levels of data or information security is no longer acceptable for organizations. To protect systems against these new, advanced threats, the public and private sectors should collaborate on research efforts. To respond appropriately to the cyber-attacks and hazards an organization encounters on a day-to-day basis, a cooperative and focused approach to the execution of the security function is now required. A key component of today's protection and information assurance frameworks that reduces the degree of vulnerability of data systems to both internal and external threats is the Security Operations Center (SOC). A SOC is a dedicated platform and team established to prevent, detect, investigate, and respond to network security threats and incidents. In other words, the SOC compiles incidents from diverse security areas, analyzes them, identifies anomalies, and defines alerting strategies. Hence, the SOC, which depends on multimaster capabilities, has a crucial role to play in ensuring the security of the information system (IS). The analysis reveals continuous improvement in terms of activity, which makes it possible to support the organization's security administration. Without a SOC, cyber-criminal activity might go undetected for a while, since businesses lack the resources to quickly identify and address threats. The example of Yahoo, whose accounts were hacked for a very long time without anyone being informed, is a case in point. Thus, a SOC will enable teams to have a better understanding of their existing situation, as well as capabilities, processes, and ongoing improvement. Many organizations are focusing their security efforts on prevention and detection as attacks become increasingly routine. What is changing is the sophistication, nature, and subtlety of attacks; it is no longer just computers getting infected with viruses, worms and trojans, or compromised by impersonation. Cyber espionage, distributed denial-of-service (DDoS), advanced persistent threats (APT) like Stuxnet and Flame, and other attacks can do significant harm to the target organization or perhaps the entire nation. Beyond what might be anticipated, cyber threats outweigh any residual dangers. Due to the frequency and severity of high-profile incidents, such as the NotPetya attack in 2017, cyber risks and dangers rose among respondent organizations' top worries in 2019. Globally, 79% of respondents ranked cyber hazards as their organization's No. 5 concern, up from 62% in 2017. Organizations are using technology to mitigate these risks. The complexity of the threats is also growing swiftly along with technology. Without assistance, organizations are unable to respond to the evolving, multi-layered threats. Because the SOC is a centralized function, all security resources are known and may be deployed quickly. Efficient situational awareness and the deployment of resources are essential to maintaining the security of the workforce and resources. Finally, this ensures that an organization is functionally coherent. Data loss prevention is an important factor for any organization; it is necessary to make sure that all the files are safe and not tampered with. The files could be modified by external as well as internal entities, so it is important to safeguard them. Various mechanisms are used; one of them is FIM.

II. LITERATURE REVIEW

• Pierre Jacobs and Alapan Arnab developed a classification matrix and a method to score security operation centers. A framework for evaluating service capabilities and maturity level was also shown by them. They noted that a SOC takes proactive measures to avert network incidents, which provides better results than CSIRTs. But no conclusive results were given to say the proposed model was correct. [3]
• Stefan Asanger and Andrew Hutchison proposed a model that used unsupervised anomaly detection and had better performance in anomaly detection. Different examples of anomalies are also shown. Due to the hectic nature and need for high resources, this may lead to time stamp inefficiencies in certain cases. Thus, the proposed method is not applicable in an organizational setting. [9]
• A detection mechanism that checks inner and outer intrusions to the network was utilised by Brough Davis and Jim Horwat to propose a SIEM model focused on preventing and mitigating data loss. But the paper does not address incident response. [10]

Fig. 1. Miniature design of the proposed project

III. RESEARCH METHODOLOGY

An agent-based SOC architecture, with agents running on the monitored hosts and sending log data to a central server, is the technique employed here. An agent can actively submit log data through syslog or regularly report configuration modifications back to the central server. The architecture also supports agentless devices (such as firewalls, switches, routers, access points, etc.). The input data is decoded and parsed by the central server, and the results are then sent to the Elasticsearch cluster for indexing and storage. Three sections make up the full procedure:

• Agent Processes
• Manager Processes
• Elastic Processes

All processes running on endpoint devices are included in the agent processes. All the operations required for examining the logs are included in the manager processes. The Elastic processes cover the many procedures needed for the visualization of the processed analysis data. Although the data flow begins with the agent pushing the logs, moves via the manager processes, and ends with the Elastic processes, this order cannot be followed when deploying in a live scenario. Every agent needs a server in order to push data. So we must deploy the server machines and components first, and only then can we move on to the agents. An overview of this methodology is shown in Figure 1.

The main components are Wazuh and the ELK stack (Elasticsearch, Logstash and Kibana). Wazuh is a decentralized, open-source platform for identifying threats, monitoring security, responding to incidents, and maintaining regulatory compliance. On January 28, 2020, Wazuh released version 3.11.3 of its stable code. It is frequently used to examine endpoints, cloud services, and storage areas, as well as to evaluate and analyze data from other sources. Wazuh's main components are the agent that runs on each monitored host, the server that analyzes the information obtained from the agents, and agentless sources like syslog. Similarly, the server sends event data to an Elasticsearch cluster where data is indexed and stored. Wazuh is a free and open-source host-based intrusion detection system (HIDS). Log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response are some of the tasks it may carry out. It provides intrusion detection for the majority of operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris, and Windows. Wazuh's unified, cross-platform architecture enables the monitoring and management of many systems [5].

The three open-source projects Elasticsearch, Logstash, and Kibana are collectively known as "ELK". Elasticsearch is an open-source full-text search and analysis engine built on the Apache Lucene library. Logstash is a log aggregator that gathers data from numerous sources, transforms and modifies it, and then distributes the information to the various supported output destinations. Kibana provides a visualization layer on top of Elasticsearch that enables users to examine and visualize the data.

We can examine the several machines that are integrated with the server in the Wazuh app of the Kibana dashboard after successfully integrating the three separate Wazuh agents with the Wazuh manager. Figures 2 and 3 show the several machines that are connected to the server.

Fig. 2. Dashboard of the Wazuh app in Kibana, which shows the total number of agents, active agents and disconnected hosts.

Fig. 3. Agent-preview page of Kibana displaying all the information related to agents.

FILE INTEGRITY MONITORING

Operating system (OS), database, and application software files are tested and examined using the IT security procedure and technology known as file integrity monitoring (FIM) to see if they have been altered or corrupted. FIM, a kind of change auditing, verifies and validates these files by comparing their most recent versions with a recognized, trusted "baseline." FIM can produce warnings if it discovers that files have been modified, updated, or compromised. This will guarantee that additional investigation and, if necessary, remediation take place. Both proactive, rule-based active monitoring and reactive (forensic) audits are included in file integrity monitoring.

A. Importance of FIM

FIM software will scan, analyze, and report on unexpected changes to important files in an IT environment. By doing this, file integrity monitoring adds a crucial layer of data, application, and file security and speeds up incident response. The following are the top four use cases for file integrity monitoring:

• Detecting Illicit Activity
If a cyber attacker intrudes into your IT environment, you need to know whether they attempt to change any files that are essential to your operating systems or apps. FIM can still identify changes to significant components of your IT environment even if log files and other detection methods are bypassed or modified. With FIM in place, you can keep an eye on and safeguard the security of your files, apps, operating systems, and data.
• Pinpointing Unintended Changes
File changes are frequently made unintentionally by an administrator or another employee. Sometimes these modifications have minor effects that are ignored. Other times, they can lead to security backdoors, problems with business continuity, or both. By helping you locate the mistaken change so you can undo it or take other corrective action, file integrity monitoring makes forensics simpler.
• Verifying Update Status and Monitoring System Health
By using the post-patch checksum to scan installed versions on various devices and locations, users may determine whether files have been updated to the most recent version.
• Meeting Compliance Mandates
Compliance with legal requirements like GLBA, SOX, HIPAA, and PCI DSS necessitates the capacity to audit modifications and to monitor and report specific sorts of activities.

The FIM module is set in the Wazuh agent. It runs periodic scans on the system, calculates checksums of the monitored files along with other attributes and Windows registry keys, and stores them in a local database. It periodically checks the files again, and if any change has been made it triggers an alert. The change is noted because of the change in checksum.

IV. RESULTS AND DISCUSSION

The Wazuh agent currently oversees gathering logs and event data, running policy monitoring scans, detecting malware and rootkits, and triggering alerts when monitored files are modified. It communicates with the Wazuh server over an authenticated and encrypted channel. On the local machine, the manager also functions as an agent, therefore it has all the capabilities of an agent. Major results of the work are:

• Successful integration of agents with the manager.
• Successful log transfer from agent to manager.
• Alarms triggering based on rules.
• Successful implementation of FIM.
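The FIM mechanism described above (a stored baseline of checksums plus file attributes, periodic rescans, and an alert whenever a checksum changes), as an added example that is not part of the paper or of Wazuh's own code. It runs against a temporary directory with constructed files; the function names `file_entry`, `scan`, `compare` and `demo` are the example's own.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# One baseline entry per monitored file: (sha256 hex digest, size in bytes,
# permission bits). Constructed to mirror the "checksum plus other attributes"
# the paper says the Wazuh FIM module keeps in its local database.
Entry = Tuple[str, int, int]


def file_entry(path: str) -> Entry:
    """Hash the file in chunks and record the attributes kept beside the hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return (digest.hexdigest(), st.st_size, st.st_mode & 0o777)


def scan(root: str) -> Dict[str, Entry]:
    """One periodic scan: walk the monitored tree and record every regular file."""
    snapshot: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                snapshot[os.path.relpath(full, root)] = file_entry(full)
    return snapshot


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Diff the stored baseline against a fresh scan; each finding is
    (event, relative path). A content change shows up as a checksum change;
    a permission-only change is reported separately."""
    events: List[Tuple[str, str]] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("added", path))
        elif path not in current:
            events.append(("deleted", path))
        elif baseline[path][0] != current[path][0]:
            events.append(("modified", path))
        elif baseline[path][1:] != current[path][1:]:
            events.append(("attributes_changed", path))
    return events


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline a temporary tree, change it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "app.conf"), "w") as fh:
            fh.write("debug = false\n")
        baseline = scan(root)                       # first scan = baseline
        with open(os.path.join(etc, "app.conf"), "a") as fh:
            fh.write("debug = true\n")              # modified between scans
        os.remove(os.path.join(etc, "hosts"))       # deleted between scans
        with open(os.path.join(etc, "new.conf"), "w") as fh:
            fh.write("unexpected file\n")           # added between scans
        return compare(baseline, scan(root))        # second scan raises alerts


if __name__ == "__main__":
    for event, path in demo():
        print(f"FIM alert: {event} {path}")
```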
The agents are deployed on three different machines with three different operating systems, namely Ubuntu Linux, Windows, and Mac. They successfully pushed logs to the manager. The major function of this agent is to push the live logs. The method used is a manual method of registering agents using the command line (CLI). In order to register the agent, a 32-character-long key was used. The visualization part is performed with the help of Kibana. We visualize the logs in the manager.

The system detects attacks, intrusions, misuse of software, configuration issues, application errors, malware, rootkits, system anomalies, or breaches of security policy with the rules that are defined by us. The rules are written in XML format, primarily because it is easy to configure and understand. The XML labels used to configure rules are listed here. The rules were implemented for all the integrated machines. The implementation of rules will allow us to receive alerts. The rules were created for detecting things such as authentication failures for login attempts, file modifications, and vulnerability detections. All rules are working as per the parameters mentioned in the rule. Figures 4, 5 and 6 show alarms being triggered based on results.

Fig. 4. Security Events.

Fig. 5. File Modification Alerts.

Fig. 6. Vulnerability detection alert.

V. CONCLUSION

The project was about establishing a SOC environment using free and open-source SIEM tools. Thus, all the tools selected were open-source tools. It is important to secure your environment from harmful violations that are costly; this can be achieved with a security event management tool without consuming too much of the budget. Each of the available free solutions has its own set of advantages. A free SIEM solution can thus provide a clear and simple idea, which helps small organizations and startups formulate how they want the tool to be.

Due to the decentralized nature of open-source solutions, there are frequently more independent options and supplements produced as a result of community-led development. Tools that are free but have limited capability are a good alternative to expensive tools for renowned businesses who invest a lot of money in tools. Many aspects of several of these free tools are provided without the need for updates. In other instances, free tools, particularly those that are fully functional in every environment, offer a great chance to judge a tool's applicability. Either way, you can make sure that your tool complies with your IT needs.

The different tools we used were ELK and Wazuh. We used Ubuntu Linux for creating the server side, and for the client part we used three different operating systems: Ubuntu Linux, Mac, and Windows. We installed agents on every client machine and, after integrating them with the manager, we started monitoring the log files. We configured different rules that will trigger alarms when unusual or suspicious activities occur. Making use of this architectural model, we can establish and maintain a situational picture of the organization's security, while reacting rapidly to possible changes in it. This study demonstrates the method's enormous potential. The following is a list of potential areas for more research and development:

• Create more rulesets for detection.
• Integrate IOC databases so that it becomes easy to identify threats.
• Integrate an IPS into this architecture.
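The rule-based alerting described in the Results section (a rule that fires on every authentication failure, escalated when failures repeat), as an added example written in Python rather than Wazuh's XML; it is not the paper's ruleset. It runs a per-failure rule and a frequency/timeframe correlation rule over constructed sshd log lines; the rule levels, thresholds, addresses and log lines are all assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sshd log lines (not captured from the paper's hosts); the
# addresses come from documentation ranges.
SAMPLE_LOG = """\
2023-06-01T10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
2023-06-01T10:00:03 sshd[812]: Failed password for root from 203.0.113.7 port 5002 ssh2
2023-06-01T10:00:04 sshd[813]: Accepted publickey for alice from 198.51.100.9 port 6001 ssh2
2023-06-01T10:00:05 sshd[814]: Failed password for root from 203.0.113.7 port 5003 ssh2
2023-06-01T10:04:00 sshd[815]: Failed password for root from 198.51.100.9 port 6002 ssh2
2023-06-01T10:09:00 sshd[816]: Failed password for root from 203.0.113.7 port 5004 ssh2
"""

# Decoder for the base rule: timestamp, user and source of a failed login.
FAIL_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")

# Hypothetical rule parameters for the demo (not the paper's rule values).
BASE_LEVEL = 5      # level of the alert raised for every single failure
CORR_LEVEL = 10     # level of the escalated alert
FREQUENCY = 3       # this many base matches ...
TIMEFRAME = 120     # ... within this many seconds, from the same source

Alert = Tuple[int, str, str]   # (level, source address, description)


def evaluate(log: str, frequency: int = FREQUENCY, timeframe: int = TIMEFRAME) -> List[Alert]:
    """Run the two rules over the log and return alerts in log order.

    The base rule fires on each failed login. The correlation rule keeps a
    sliding window of base matches per source and fires once that window
    holds `frequency` events inside `timeframe` seconds, then resets so a
    burst produces one escalated alert instead of one per further failure.
    """
    alerts: List[Alert] = []
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines match no rule
        ts, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        alerts.append((BASE_LEVEL, src, f"sshd: authentication failed for {user}"))
        recent = window[src]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > timeframe:
            recent.popleft()  # drop matches that fell outside the timeframe
        if len(recent) >= frequency:
            alerts.append((CORR_LEVEL, src,
                           f"sshd: {len(recent)} authentication failures within {timeframe}s"))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for level, src, desc in evaluate(SAMPLE_LOG):
        print(f"level={level:<2} src={src:<13} {desc}")
```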
REFERENCES

[1] Ibrahim Yahya Mohammed AL-Mahbashi, M. B. Potdar, Prashant Chauhan, "Network Security Enhancement through Effective Log Analysis Using ELK," International Conference on Computing Methodologies and Communication (ICCMC), 2017, 978-1-5090-4890-8/17.
[2] Kwon, "Performance of ELK Stack and Commercial System in Security Log Analysis."
[3] "Open-Source Search Analytics," elastic, [online].
[4] "SwiftOnSecurity/sysmon-config," GitHub, [online].
[5] "AutorunsToWinEventLog," GitHub, [online].
[6] "Sysmon - Windows Sysinternals," docs.microsoft, [online].
[7] María del Carmen Prudente Tixteco, Lidia Prudente Tixteco, Gabriel Sánchez Pérez, Linda Karina Toscano, "Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs," International Conference on Internet Monitoring and Protection (ICIMP 2016), 978-1-61208-475-6.
[8] Raghudeep Kannavara, Jacob Vangore, William Roberts, Marcus Lindholm, Priti Shrivastav, "Automating Threat Intelligence for SDL," 2018 IEEE Cybersecurity Development (SecDev).
[9] Ghaith Husari, Xi Niu, Bill Chu, Ehab Al-Shaer, "Using Entropy and Mutual Information to Extract Threat Actions from Cyber Threat Intelligence," 2018 IEEE International Conference on Intelligence and Security Informatics (ISI).
[10] Isuf Deliu, Carl Leichter, Katrin Franke, "Extracting cyber threat intelligence from hacker forums: Support vector machines versus convolutional neural networks," 2017 IEEE International Conference on Big Data (Big Data).
[11] Aziz Mohaisen, Omar Al-Ibrahim, Charles Kamhoua, Kevin Kwiat, Laurent Njilla, "Assessing Quality of Contribution in Information Sharing for Threat Intelligence," 2017 IEEE Symposium on Privacy-Aware Computing (PAC).
[12] Nour Moustafa, Erwin Adi, Benjamin Turnbull, Jiankun Hu, "A New Threat Intelligence Scheme for Safeguarding Industry 4.0 Systems," IEEE Access, 2018.
[13] Yali Gao, Xiaoyong Li, Jirui Li, Yunquan Gao, Ning Guo, "Graph Mining-based Trust Evaluation Mechanism with Multidimensional Features for Large-scale Heterogeneous Threat Intelligence," 2018 IEEE International Conference on Big Data (Big Data).
[14] Sung Jun Son, Youngmi Kwon, "Performance of ELK stack and commercial system in security log analysis," 2017 IEEE 13th Malaysia International Conference on Communications (MICC).
[15] Tarun Prakash, Misha Kakkar, Kritika Patel, "Geo-identification of web users through logs using ELK stack," 2016 6th International Conference - Cloud System and Big Data Engineering (Confluence).
