BaseMax / SIEMGraphQLTS


SIEM GraphQL-based Project (TypeScript)

Welcome to the SIEM (Security Information and Event Management) GraphQL-based project! This project is designed to provide a powerful and flexible security monitoring solution by leveraging the capabilities of GraphQL and TypeScript. The SIEM system collects, analyzes, and correlates security events from various sources, helping you gain insights into potential security threats and vulnerabilities.

Screens

Screenshots in the repository (not reproduced here) show: real-time event monitoring; pub/sub communication and real-time delivery with Redis; getting all security events; logging in a user; getting security events by source IP address; getting security events by severity; and getting security events for a specific data source within a time range.

Features

  • GraphQL API for querying and managing security events.
  • Real-time event monitoring and alerting.
  • Integration with various data sources and security tools.
  • User authentication and authorization.
  • Role-based access control (RBAC) for enhanced security.
  • Customizable dashboards and visualizations.
  • Rule-based event correlation for identifying complex attack patterns.
  • Extensible architecture to support future enhancements.
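The "rule-based event correlation" feature above is the part of a SIEM that turns individual events into alerts. As an added illustration (not the project's own code), the block below implements a sliding-window threshold rule, the most common correlation primitive, and runs it over constructed sample events. The SecurityEvent shape is the one in the README's GraphQL schema; the rule format, the brute-force rule, the alert shape and the sample data are assumptions made for the example.

```typescript
// Added example, not the project's own code: a sliding-window threshold rule of the
// kind a SIEM correlation engine runs, evaluated over constructed sample events.
// The SecurityEvent shape follows the README's GraphQL schema; everything else is assumed.

interface SecurityEvent {
  id: string;
  timestamp: string;      // ISO-8601
  sourceIP: string;
  destinationIP: string;
  eventType: string;
  severity: string;
}

interface ThresholdRule {
  name: string;
  severity: string;                         // severity of the alert it raises
  match: (e: SecurityEvent) => boolean;     // which events the rule counts
  groupBy: (e: SecurityEvent) => string;    // correlation key (here: source IP)
  threshold: number;                        // fire once this many matches...
  windowSec: number;                        // ...fall inside this many seconds
}

interface Alert {
  rule: string;
  key: string;
  severity: string;
  firstSeen: string;
  lastSeen: string;
  count: number;
  eventIds: string[];
}

// Evaluate every rule over the events. Events are sorted by timestamp first because
// ingestion order is not reliable (sources buffer, retry and drift), and a
// correlation window is meaningless on unsorted input.
function correlate(events: SecurityEvent[], rules: ThresholdRule[]): Alert[] {
  const ordered = [...events].sort(
    (a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp),
  );
  const alerts: Alert[] = [];
  for (const rule of rules) {
    const windows = new Map<string, SecurityEvent[]>(); // key -> events still inside the window
    for (const e of ordered) {
      if (!rule.match(e)) continue;
      const key = rule.groupBy(e);
      const win = windows.get(key) ?? [];
      const now = Date.parse(e.timestamp);
      // Evict events that have aged out of the window.
      while (win.length > 0 && now - Date.parse(win[0].timestamp) > rule.windowSec * 1000) {
        win.shift();
      }
      win.push(e);
      if (win.length >= rule.threshold) {
        alerts.push({
          rule: rule.name,
          key,
          severity: rule.severity,
          firstSeen: win[0].timestamp,
          lastSeen: e.timestamp,
          count: win.length,
          eventIds: win.map((x) => x.id),
        });
        windows.set(key, []); // reset so one burst yields one alert, not one per extra event
      } else {
        windows.set(key, win);
      }
    }
  }
  return alerts;
}

// Assumed rule: five or more failed logins from one source IP within 60 seconds.
const BRUTE_FORCE_RULE: ThresholdRule = {
  name: "brute-force-login",
  severity: "high",
  match: (e) => e.eventType === "login_failure",
  groupBy: (e) => e.sourceIP,
  threshold: 5,
  windowSec: 60,
};

function ev(id: string, timestamp: string, sourceIP: string, eventType: string): SecurityEvent {
  return { id, timestamp, sourceIP, destinationIP: "10.0.0.5", eventType, severity: "low" };
}

// Constructed sample input (TEST-NET addresses). e7 is deliberately out of order.
const SAMPLE_EVENTS: SecurityEvent[] = [
  ev("e1", "2023-09-01T10:00:05Z", "203.0.113.7", "login_failure"),
  ev("e2", "2023-09-01T10:00:10Z", "203.0.113.7", "login_failure"),
  ev("e3", "2023-09-01T10:00:15Z", "203.0.113.7", "login_failure"),
  ev("e4", "2023-09-01T10:00:20Z", "203.0.113.7", "login_failure"),
  ev("e5", "2023-09-01T10:00:25Z", "203.0.113.7", "login_failure"),
  ev("e6", "2023-09-01T10:00:30Z", "203.0.113.7", "login_failure"),
  ev("e7", "2023-09-01T10:00:00Z", "203.0.113.7", "login_failure"),
  ev("e8", "2023-09-01T10:00:00Z", "198.51.100.9", "login_failure"),
  ev("e9", "2023-09-01T10:05:00Z", "198.51.100.9", "login_failure"),
  ev("e10", "2023-09-01T10:00:40Z", "203.0.113.7", "login_success"),
];

function detectBruteForce(events: SecurityEvent[] = SAMPLE_EVENTS): Alert[] {
  return correlate(events, [BRUTE_FORCE_RULE]);
}
```

On the sample data this yields exactly one alert for 203.0.113.7, whose window starts at the out-of-order event e7; the two spread-out failures from 198.51.100.9 never reach the threshold, and the later success is not counted. In a real deployment the window state would live in Redis rather than in-process memory so that several API instances see the same counts.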

Technologies

The SIEM project is built using the following technologies:

  • GraphQL: Provides a powerful and efficient API for querying and managing data.
  • TypeScript: Ensures type safety and scalability for the project.
  • Node.js: Server-side JavaScript runtime environment.
  • NestJs: Web application framework for Node.js.
  • Prisma: TypeScript-based ORM (Object-Relational Mapping) library for database interaction.
  • PostgreSQL: Relational database for storing security event data.
  • WebSocket: Enables real-time event monitoring and alerting.
  • Redis: In-memory data structure store used for pub/sub communication and real-time event distribution.
  • JWT (JSON Web Tokens): Used for user authentication and authorization.
  • Docker: Containerization for easy deployment and scalability.

Extra Databases

ElasticSearch

Elasticsearch offers several advantages when used as part of a SIEM (Security Information and Event Management) system. SIEM systems are used to collect, analyze, and manage security-related data from various sources to identify and respond to security incidents. Here are some advantages of using Elasticsearch in a SIEM context:

  • Fast Data Retrieval: Elasticsearch is designed for high-speed data retrieval and searching, making it well-suited for querying and analyzing large volumes of security data in real-time. This speed is crucial for detecting and responding to security threats promptly.

  • Scalability: Elasticsearch is horizontally scalable, meaning you can easily add more nodes to the cluster as your data volume increases. This makes it suitable for handling the ever-growing data generated by various security devices and applications.

  • Full-Text Search: Elasticsearch provides powerful full-text search capabilities, enabling you to perform complex searches across logs, events, and other security data. This is essential for uncovering patterns and anomalies in your data.

  • Real-Time Analysis: Elasticsearch supports real-time data indexing and analysis. This allows security analysts to monitor events and alerts as they happen, enabling faster response times to potential threats.

  • Aggregation and Visualization: Elasticsearch can be integrated with tools like Kibana for data visualization and exploration. This helps security teams create dashboards, graphs, and visual representations of security data, aiding in understanding trends and identifying potential threats.

  • Machine Learning: Elasticsearch's machine learning features (a paid-tier capability, not part of the free Basic licence) can build anomaly detection jobs that flag abnormal patterns in the data, such as a user authenticating from an unusual location or a host emitting an unusual volume of events, which may indicate a breach.

  • Structured and Unstructured Data: Elasticsearch can handle both structured and unstructured data, making it suitable for collecting and analyzing diverse types of security information, including logs, events, network traffic, and more.

  • Open Source Community: Elasticsearch's source is public and there is an active community producing plugins, clients and integrations, which gives you a wide range of options to extend and customize a SIEM built on it. Check the licence of the version you deploy: releases from 7.11 onward ship under the Elastic License or SSPL rather than Apache 2.0, with AGPLv3 later added as a further option.

  • Data Enrichment: Elasticsearch can be used to enrich your security data with additional context, such as geoIP information, threat intelligence feeds, and user information. This helps improve the accuracy of threat detection and incident response.

  • Alerting and Notification: Alerting is layered on top of Elasticsearch through Watcher or Kibana's alerting rules, which evaluate predefined conditions or queries on a schedule and send notifications when they match. This ensures that security teams are promptly informed about potential security incidents.

It's important to note that while Elasticsearch offers many advantages, implementing a SIEM solution involves more than just choosing the right technology. Proper architecture, data normalization, integration with various data sources, and the expertise of security analysts are also crucial factors in building an effective SIEM system.

Getting Started

To get started with the SIEM project, follow these steps:

  • Clone the repository: git clone https://github.com/BaseMax/SIEMGraphQLTS.git
  • Navigate to the project directory: cd SIEMGraphQLTS
  • Install dependencies: npm install
  • Build the project: npm run build
  • Run database migrations (after filling in the .env file, see Configuration below): npm run migrations
  • Start the server: npm start
  • The SIEM GraphQL server should now be up and running on http://localhost:3000.

Testing

To run the tests, use the following command:

npm run test:e2e

This will execute the test suite and provide the test results.

Docker

Alternatively, run Docker Compose to start all services (Elasticsearch, PostgreSQL, Redis and the SIEM) together:

docker compose up

Configuration

Before running the project, you need to configure the following settings in the .env file:

  • DATABASE_URL: The Prisma connection URL for the PostgreSQL database, of the form postgresql://USER:PASSWORD@HOST:PORT/DATABASE?schema=public. Replace the postgres username and password with your own, and localhost:5432/student?schema=public with your database host, port and database name.

  • ELASTIC_URL: The connection URL for the Elasticsearch cluster, for example http://localhost:9200.

  • JWT_SECRET_KEY: The key used to sign and verify JWTs. Use a long random value (at least 32 bytes for HS256, for example the output of openssl rand -base64 48), never a placeholder such as "secret", and keep it out of version control: anyone who obtains it can mint tokens for any user and role.

  • REDIS_HOST: The Redis connection host.

  • REDIS_PORT: The Redis connection port.

  • MAIL_HOST: The hostname or IP address of the mail server.

  • MAIL_PORT: The port number for the mail server.

  • MAIL_USER: The username or email address used to authenticate with the mail server.

  • MAIL_PASSWORD: The password for the mail server authentication.
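Because every setting above is a connection secret or an endpoint, a misconfiguration is better caught at startup than on the first request. The block below is an added example (not the project's code) of a fail-fast loader for exactly these variables: it validates each value and reports all problems in one error. The SiemConfig shape, the loadConfig/configProblems names and the placeholder-secret list are assumptions; the 32-byte minimum for JWT_SECRET_KEY follows RFC 7518 section 3.2, which requires HS256 keys of at least 256 bits.

```typescript
// Added example, not the project's own code: a fail-fast loader for the .env settings
// listed above. It reads a plain key/value object (process.env in practice), checks every
// value before anything connects, and reports all problems at once. The 32-byte minimum
// for JWT_SECRET_KEY follows RFC 7518 section 3.2 (HS256 keys must be at least 256 bits);
// the placeholder-secret list is an assumption.
interface SiemConfig {
  databaseUrl: string;
  elasticUrl: string;
  jwtSecretKey: string;
  redisHost: string;
  redisPort: number;
  mailHost: string;
  mailPort: number;
  mailUser: string;
  mailPassword: string;
}

const REQUIRED = [
  "DATABASE_URL", "ELASTIC_URL", "JWT_SECRET_KEY", "REDIS_HOST", "REDIS_PORT",
  "MAIL_HOST", "MAIL_PORT", "MAIL_USER", "MAIL_PASSWORD",
] as const;

// Values people leave in .env.example and then ship. Assumed list, extend as needed.
const PLACEHOLDER_SECRETS = new Set(["secret", "changeme", "password", "jwt_secret", "your-secret-key"]);

function parsePort(name: string, raw: string, errors: string[]): number {
  if (!/^\d{1,5}$/.test(raw)) {
    errors.push(`${name} must be a number, got "${raw}"`);
    return 0;
  }
  const port = Number(raw);
  if (port < 1 || port > 65535) errors.push(`${name} out of range: ${port}`);
  return port;
}

// Throws with every problem found, so one restart fixes them all instead of one per restart.
function loadConfig(env: Record<string, string | undefined>): SiemConfig {
  const errors: string[] = [];
  const get = (k: string): string => (env[k] ?? "").trim();

  for (const key of REQUIRED) if (get(key) === "") errors.push(`${key} is not set`);

  const databaseUrl = get("DATABASE_URL");
  if (databaseUrl && !/^postgres(ql)?:\/\//.test(databaseUrl)) {
    errors.push("DATABASE_URL must be a postgresql:// URL");
  }

  const elasticUrl = get("ELASTIC_URL");
  if (elasticUrl) {
    try {
      const u = new URL(elasticUrl);
      if (u.protocol !== "http:" && u.protocol !== "https:") errors.push("ELASTIC_URL must be http(s)");
    } catch {
      errors.push(`ELASTIC_URL is not a valid URL: "${elasticUrl}"`);
    }
  }

  const jwtSecretKey = get("JWT_SECRET_KEY");
  if (jwtSecretKey) {
    if (Buffer.byteLength(jwtSecretKey) < 32) {
      errors.push("JWT_SECRET_KEY must be at least 32 bytes (256 bits) for HS256");
    }
    if (PLACEHOLDER_SECRETS.has(jwtSecretKey.toLowerCase())) {
      errors.push("JWT_SECRET_KEY is a well-known placeholder value");
    }
  }

  const redisPort = get("REDIS_PORT") ? parsePort("REDIS_PORT", get("REDIS_PORT"), errors) : 0;
  const mailPort = get("MAIL_PORT") ? parsePort("MAIL_PORT", get("MAIL_PORT"), errors) : 0;

  if (errors.length > 0) throw new Error("Invalid configuration:\n  - " + errors.join("\n  - "));

  return {
    databaseUrl, elasticUrl, jwtSecretKey,
    redisHost: get("REDIS_HOST"), redisPort,
    mailHost: get("MAIL_HOST"), mailPort,
    mailUser: get("MAIL_USER"), mailPassword: get("MAIL_PASSWORD"),
  };
}

// For callers that want the list of problems rather than an exception
// (a health check, or a CI lint of the .env file before deployment).
function configProblems(env: Record<string, string | undefined>): string[] {
  try {
    loadConfig(env);
    return [];
  } catch (e) {
    return (e as Error).message.split("\n  - ").slice(1);
  }
}
```

Call loadConfig(process.env) once at bootstrap, before the Prisma, Elasticsearch and Redis clients are created; the error message it throws lists each offending variable by name but never echoes the secret values themselves into logs.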

Usage

Once the server is running, you can interact with the SIEM system using GraphQL queries and mutations. Refer to the API documentation or explore the GraphQL playground (usually available at http://localhost:3000/graphql) to understand the available queries and mutations. Disable the playground and schema introspection in production builds: together they hand anyone who can reach the endpoint the complete API surface.

Here's a simple example of a GraphQL query:

query {
  securityEvents {
    id
    timestamp
    sourceIP
    destinationIP
    eventType
    severity
  }
}

Remember to authenticate your GraphQL requests with a JWT (obtained by logging in) where required. NestJS JWT setups conventionally read the token from an Authorization: Bearer <token> header, and the role-based access control rules then decide which roles may call which queries and mutations.
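To make the authentication and RBAC steps concrete, the block below is an added example (not the project's code) of what a resolver guard has to do with a bearer token: verify an HS256 JWT with a pinned algorithm and a constant-time signature check, enforce expiry, and then compare the role claim against the roles the resolver allows. Only node:crypto is used; the claim names, the Role union, the function names and the UNAUTHENTICATED/FORBIDDEN error strings are assumptions, not the project's API.

```typescript
// Added example, not the project's own code: HS256 JWT issue/verify and a role check
// of the kind a GraphQL resolver guard runs. Only node:crypto is used; the claim
// names, role names and error strings are assumptions, not the project's API.
import { createHmac, timingSafeEqual } from "node:crypto";

type Role = "admin" | "analyst" | "auditor";
const ROLES: readonly Role[] = ["admin", "analyst", "auditor"];

interface Claims {
  sub: string;  // user id
  role: Role;
  iat: number;  // seconds since epoch
  exp: number;
}

const encode = (obj: unknown): string =>
  Buffer.from(JSON.stringify(obj)).toString("base64url");

function decode(segment: string): unknown {
  try {
    return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

function hmac(signingInput: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(signingInput).digest();
}

function signToken(claims: Claims, secret: string): string {
  const header = encode({ alg: "HS256", typ: "JWT" });
  const payload = encode(claims);
  const sig = hmac(`${header}.${payload}`, secret).toString("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns the claims, or null for anything that is not a valid, unexpired HS256 token.
function verifyToken(token: string, secret: string, nowSec = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;

  // Pin the algorithm server-side. Honouring "alg" from the header is how
  // alg=none and HMAC/RSA key-confusion attacks get in.
  const hdr = decode(header) as { alg?: unknown } | null;
  if (!hdr || hdr.alg !== "HS256") return null;

  // Constant-time compare of the full MAC; the length check comes first because
  // timingSafeEqual throws on buffers of different length.
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const claims = decode(payload) as Partial<Claims> | null;
  if (!claims || typeof claims.sub !== "string") return null;
  if (typeof claims.role !== "string" || !ROLES.includes(claims.role)) return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null; // expired or no exp
  return claims as Claims;
}

// What a resolver guard does: parse "Authorization: Bearer <jwt>", verify it, then
// check the role claim against the roles this resolver allows (RBAC).
function authorize(authHeader: string | undefined, secret: string, allowed: Role[], nowSec?: number): Claims {
  if (!authHeader || !authHeader.startsWith("Bearer ")) throw new Error("UNAUTHENTICATED");
  const claims = verifyToken(authHeader.slice("Bearer ".length), secret, nowSec);
  if (!claims) throw new Error("UNAUTHENTICATED");
  if (!allowed.includes(claims.role)) throw new Error("FORBIDDEN");
  return claims;
}
```

The two checks that matter most in a SIEM are the pinned algorithm (a token whose header says alg=none must fail, not be treated as unsigned-but-valid) and the role check happening per resolver: an auditor who can read events must still be refused the deleteSecurityEvent and role-assignment mutations.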

GraphQL

Queries:

  • Get a list of all security events.
  • Get a specific security event by ID.
  • Get the total count of security events.
  • Get security events within a specified time range.
  • Get security events by source IP address.
  • Get security events by destination IP address.
  • Get security events by event type (e.g., login, intrusion attempt).
  • Get security events by severity (e.g., low, medium, high).
  • Get security events sorted by timestamp in ascending order.
  • Get security events sorted by severity in descending order.
  • Get security events associated with a specific user.
  • Get security events from a specific data source (e.g., firewall, antivirus).
  • Get security events that match a specific keyword or pattern.
  • Get the top N most frequent security events.
  • Get the count of security events grouped by event type.
  • Get the count of security events grouped by severity.
  • Get the count of security events per data source.
  • Get the count of security events per user.
  • Get the count of security events per IP address.
  • Get the count of security events per hour.
  • Get the top N users with the highest number of security events.
  • Get security events that match a specific regular expression pattern (user-supplied patterns should be length-limited and evaluated with a timeout or a non-backtracking engine, otherwise a crafted pattern can stall the search with catastrophic backtracking).
  • Get security events for a specific user within a time range.
  • Get security events for a specific data source within a time range.
  • Get security events generated by a specific process or application.
  • Get security events caused by a specific malware or virus.
  • Get the most common attack types in the last 24 hours.
  • Get the least common event types in the last 7 days.
  • Get the number of blocked events per data source in the last hour.
  • Get the average severity level of security events per user.
  • Get the count of security events per event category (e.g., authentication, network).
  • Get the top N users with the most successful login attempts.
  • Get a list of all data sources.
  • Get a specific data source by ID.
  • Get a list of all rules.
  • Get a specific rule by ID.
  • Get security events for a specific data source.
  • Get security events for a specific rule.
  • Get security events for a specific user and data source.

Mutations:

  • Create a new security event with specified attributes.
  • Update the details of an existing security event.
  • Delete a security event by ID.
  • Add a new data source to the SIEM system.
  • Update the settings of a data source.
  • Remove a data source from the SIEM system.
  • Create a new user account with authentication credentials.
  • Update the details of an existing user account.
  • Delete a user account by ID.
  • Change the password for a user account.
  • Assign a role to a user (e.g., admin, analyst, auditor).
  • Revoke a role from a user.
  • Add a new security rule for event correlation.
  • Update the settings of an existing security rule.
  • Remove a security rule from the SIEM system.
  • Enable or disable real-time event monitoring.
  • Subscribe to real-time security event notifications.
  • Unsubscribe from real-time security event notifications.
  • Acknowledge an alert for a security event.
  • Dismiss an alert for a security event.
  • Create a new data source mapping for translating external event fields to the SIEM schema.
  • Update the settings of an existing data source mapping.
  • Remove a data source mapping from the SIEM system.
  • Acknowledge all alerts for a specific user.
  • Dismiss all alerts for a specific user.
  • Suspend real-time monitoring temporarily for maintenance.
  • Resume real-time monitoring after maintenance.
  • Add a new user group with specific permissions.
  • Update the permissions of an existing user group.
  • Remove a user group from the SIEM system.

Subscriptions

Subscriptions in the SIEM project allow you to receive real-time updates when security events or other relevant data change. This feature is particularly useful for monitoring security events as they occur and taking immediate action. Here's an example of how you can set up and use subscriptions in your GraphQL API.

Real-Time Security Event Notifications

You can subscribe to real-time security event notifications using GraphQL subscriptions. Whenever a new security event is created, your client will receive a notification with the relevant event details.

To subscribe, send the following subscription operation over the WebSocket transport; the server pushes one message per new security event:

subscription {
  newSecurityEvent {
    id
    timestamp
    sourceIP
    destinationIP
    eventType
    severity
  }
}

GraphQL Schema

type User {
  id: ID!
  username: String!
  # The password field is deliberately not exposed: it is accepted as a
  # mutation argument and should be stored only as a hash, never returned
  # by a query.
  # password: String!

  # Add other user-specific fields like name, role, etc.
}

type SecurityEvent {
  id: ID!
  timestamp: String!
  sourceIP: String!
  destinationIP: String!
  eventType: String!
  severity: String!

  # Add other security event fields as required.
}

type DataSource {
  id: ID!
  name: String!
  description: String
  # Add other fields relevant to the data source.
}

type Rule {
  id: ID!
  name: String!
  description: String
  # Add other fields relevant to the rule.
}

type Query {
  users: [User!]!
  securityEvents: [SecurityEvent!]!

  # Read-only lookup, so it belongs under Query rather than Mutation.
  securityEventsForUserAndDataSource(userId: ID!, dataSourceId: ID!): [SecurityEvent!]!

  # Additional queries go here...
}

type Mutation {
  createUser(username: String!, password: String!): User!

  createDataSource(name: String!, description: String): DataSource!

  updateDataSource(id: ID!, name: String!, description: String): DataSource!

  deleteDataSource(id: ID!): Boolean!

  createRule(name: String!, description: String): Rule!

  updateRule(id: ID!, name: String!, description: String): Rule!

  deleteRule(id: ID!): Boolean!

  createSecurityEvent(
    timestamp: String!
    sourceIP: String!
    destinationIP: String!
    eventType: String!
    severity: String!
  ): SecurityEvent!

  # Additional mutations go here...
}

type Subscription {
  # Used by the real-time notification example above.
  newSecurityEvent: SecurityEvent!
}

Contributing

Contributions to the SIEM project are welcome! If you find any issues or have suggestions for improvements, please open an issue or submit a pull request. Please ensure that you follow the project's coding standards and guidelines.

License

The SIEM GraphQL-based project is open-source and available under the GPL-3.0 License. Feel free to use, modify, and distribute it as per the terms of the license.

Copyright 2023, Max Base
