This guide will set up the complete SentinelPrime stack with all three security layers:
- ZTNA (Zero Trust Network Access)
- EDR (Endpoint Detection & Response)
- NDR (Network Detection & Response)

Requirements:
- Minimum: 8GB RAM, 4 CPU cores, 50GB disk
- Recommended: 16GB RAM, 8 CPU cores, 100GB disk
- Docker 20.10+ and Docker Compose 2.0+
- Network access for external repositories
- (Optional) Root/admin access to endpoints for agents

Architecture:

```
┌─────────────────────────────────────────────────────────┐
│                   Docker Environment                    │
│  ┌──────────────┐  ┌──────────┐  ┌────────────────┐     │
│  │Control Plane │  │  Kafka   │  │  Neo4j/Redis   │     │
│  │  (FastAPI)   │  │(Redpanda)│  │ Elastic/Kibana │     │
│  └──────┬───────┘  └────┬─────┘  └────────────────┘     │
└─────────┼───────────────┼───────────────────────────────┘
          │               │
          │   Events via Kafka
          │               │
┌─────────▼───────────────▼───────────────────────────────┐
│                Native Agents (on hosts)                 │
│  ┌──────────┐  ┌──────────┐  ┌───────────┐              │
│  │  Wazuh   │  │ osquery  │  │   Zeek    │   (ZTNA)     │
│  │  Agent   │  │          │  │  Sensor   │   Optional   │
│  └──────────┘  └──────────┘  └───────────┘              │
└─────────────────────────────────────────────────────────┘
```

```bash
cd SentinelPrime
# Start the complete stack
./deploy.sh
# This will start:
# - Control Plane API (port 8000)
# - Kafka/Redpanda (port 9092)
# - Neo4j (ports 7474, 7687)
# - Redis (port 6379)
# - Elasticsearch (port 9200)
# - Kibana (port 5601)
# - Prometheus (port 9090)
# - Grafana (port 3000)
```

You have 3 options:

Option 1. Best for: Testing, demos, development

```bash
# Run attack simulation
python3 experiments/lateral_movement.py
# View results immediately
curl http://localhost:8000/api/v1/telemetry/stats
```

Pros: Instant setup, no additional software
Cons: Simulated data only, not real security monitoring

Option 2. Best for: Testing with real data, proof of concept

Install one or more real components on your laptop/VM:

```bash
# Install osquery on this machine
./scripts/install-osquery.sh
# Configure to send to SentinelPrime
./scripts/configure-osquery.sh --kafka localhost:9092
# Start monitoring
sudo systemctl start osqueryd
```

Pros: Real endpoint data, easy to set up
Cons: Limited to endpoints you control

Option 3. Best for: Production deployment, complete testing

Deploy all components across infrastructure:
- Wazuh agents on servers
- osquery on workstations
- Zeek on network tap
- (Optional) OpenZiti/Pomerium for ZTNA

Pros: Complete real-world deployment
Cons: Requires infrastructure access

- Clone and configure:

```bash
git clone <repo-url> SentinelPrime
cd SentinelPrime
# Create configuration
cp .env.example .env
# Edit configuration (optional)
nano .env
```

- Deploy infrastructure:

```bash
# Make deployment script executable
chmod +x deploy.sh
# Deploy everything
./deploy.sh
# Wait for services to be ready (2-3 minutes)
```

- Verify core services:

```bash
# Check all services are running
docker-compose ps
# Test Control Plane
curl http://localhost:8000/health
# Should return: {"status": "healthy"}
```

Wazuh (EDR layer)

On Wazuh Manager (can be Docker or separate VM):

```bash
# Option 1: Add to existing docker-compose.yml
nano docker-compose.yml
# Add wazuh-manager service (see deployment/wazuh-docker.yml)
docker-compose up -d wazuh-manager
# Option 2: Separate VM installation
# See: edr/wazuh/INSTALLATION.md
```

On Each Endpoint to Monitor:

```bash
# Download and run agent installer
curl -o install-wazuh-agent.sh \
  https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-app/install-wazuh-agent.sh
# Install and configure
sudo WAZUH_MANAGER='<MANAGER_IP>' \
  bash install-wazuh-agent.sh
```

Configure Kafka Integration:

```bash
# On Wazuh Manager
./scripts/configure-wazuh-kafka.sh \
  --kafka-host kafka:9092 \
  --topic sentinel-edr-events
```

osquery (EDR layer)

On Each Endpoint:

```bash
# Use provided installer script
./scripts/install-osquery.sh
# Configure for SentinelPrime
./scripts/configure-osquery.sh \
  --kafka localhost:9092 \
  --topic sentinel-edr-events
# Start service
sudo systemctl start osqueryd
sudo systemctl enable osqueryd
```

Verify EDR Layer:

```bash
# Check events are flowing
docker-compose exec kafka kafka-console-consumer \
  --bootstrap-server localhost:9092 \
  --topic sentinel-edr-events \
  --max-messages 5
```

Zeek (NDR layer)

On Network Tap/SPAN Port or Gateway Server:

```bash
# Install Zeek
curl -o install-zeek.sh https://zeek.org/get-zeek
sudo bash install-zeek.sh
# Deploy SentinelPrime Zeek configs
sudo cp ndr/zeek/local.zeek /usr/local/zeek/share/zeek/site/
sudo cp -r ndr/zeek/scripts /usr/local/zeek/share/zeek/site/
# Configure interface
sudo nano /usr/local/zeek/etc/node.cfg
# Set interface=eth0 (or your monitoring interface)
# Configure Kafka output
./scripts/configure-zeek-kafka.sh \
  --kafka-host kafka:9092 \
  --topic sentinel-ndr-events
# Start Zeek
sudo zeekctl deploy
```

Suricata (NDR layer)

On Same Network Monitoring Point:

```bash
# Install Suricata
sudo apt-get install suricata
# Deploy SentinelPrime rules
sudo cp ndr/suricata/custom-sentinel.rules \
  /etc/suricata/rules/
# Configure
sudo cp ndr/suricata/suricata.yaml \
  /etc/suricata/suricata.yaml
# Start Suricata
sudo systemctl start suricata
sudo systemctl enable suricata
```

Verify NDR Layer:

```bash
# Check Zeek is running
sudo zeekctl status
# Check Suricata is running
sudo systemctl status suricata
# Verify events
docker-compose exec kafka kafka-console-consumer \
  --bootstrap-server localhost:9092 \
  --topic sentinel-ndr-events \
  --max-messages 5
```

OpenZiti (ZTNA layer, optional)

```bash
# Install OpenZiti controller
curl -sSLf https://get.openziti.io/quick/ziti-controller-quickstart.sh | bash
# Configure SentinelPrime integration
./scripts/configure-openziti.sh \
  --controller https://localhost:1280 \
  --username admin \
  --password <password>
```

Pomerium (ZTNA layer, optional)

```bash
# Deploy Pomerium
docker-compose -f deployment/pomerium-docker.yml up -d
# Configure routes
cp ztna/pomerium/config.yaml /etc/pomerium/config.yaml
# Restart
docker-compose restart pomerium
```

Verify ZTNA Layer:

```bash
# Test authentication event
curl -X POST http://localhost:8000/api/v1/telemetry/ztna \
  -H "Content-Type: application/json" \
  -d '{
    "event_type": "auth_success",
    "user_id": "test@company.com",
    "resource": "app.internal.com"
  }'
```

```bash
# Run comprehensive test
./scripts/test-all-layers.sh
# Or test individually
./edr/test-edr.sh    # Test EDR
./ndr/test-ndr.sh    # Test NDR
./ztna/test-ztna.sh  # Test ZTNA
```

```bash
# Simulate lateral movement
python3 experiments/lateral_movement.py
# Check detection
curl http://localhost:8000/api/v1/decisions/assess \
  -H "Content-Type: application/json" \
  -d '{
    "entity_id": "192.168.1.100",
    "entity_type": "host"
  }'
```

```bash
# Check if events are being correlated
curl http://localhost:8000/api/v1/telemetry/stats
```

Should show events from all sources:

```json
{
  "events_by_source": {
    "edr": 150,
    "ndr": 89,
    "ztna": 45
  }
}
```

Web interfaces:
- Kibana: http://localhost:5601 - View all events
- Grafana: http://localhost:3000 - Metrics and alerts
- Neo4j: http://localhost:7474 - Attack graph visualization
- API Docs: http://localhost:8000/docs - Interactive API
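The script below automates the verification just described: it probes the ports deploy.sh lists, reads the Control Plane /health reply and reports any layer that shows no events in /api/v1/telemetry/stats. It is an added example, not part of the SentinelPrime project; the host (localhost by default), the port names and the stats shape beyond the sample above are assumptions.

```python
"""Post-deployment check for a SentinelPrime stack (added example, not part of
the project). Probes the ports deploy.sh is documented to expose, checks the
Control Plane /health reply and reports layers with no events in the stats."""
import json
import socket
import sys
import urllib.request

# Ports listed for deploy.sh on this page; the host defaults to localhost (assumed).
EXPECTED_PORTS = {
    "control-plane": 8000, "kafka": 9092, "neo4j-http": 7474,
    "neo4j-bolt": 7687, "redis": 6379, "elasticsearch": 9200,
    "kibana": 5601, "prometheus": 9090, "grafana": 3000,
}
LAYERS = ("edr", "ndr", "ztna")

def port_open(host, port, timeout=2.0):
    """TCP connect check; refused or filtered means the service is not up."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def is_healthy(body):
    """True only for the documented /health reply {"status": "healthy"}."""
    try:
        return json.loads(body).get("status") == "healthy"
    except (ValueError, AttributeError):
        return False

def missing_sources(stats, layers=LAYERS):
    """Layers absent from events_by_source or at zero: installed but silent."""
    counts = stats.get("events_by_source", {})
    return [layer for layer in layers if not counts.get(layer)]

def fetch_text(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    base = f"http://{host}:8000"
    down = [n for n, p in EXPECTED_PORTS.items() if not port_open(host, p)]
    healthy = "control-plane" not in down and is_healthy(fetch_text(f"{base}/health"))
    missing = missing_sources(json.loads(fetch_text(f"{base}/api/v1/telemetry/stats"))) if healthy else list(LAYERS)
    print(f"ports down: {down or 'none'}\nhealthy: {healthy}\nlayers without events: {missing or 'none'}")
    sys.exit(1 if down or not healthy or missing else 0)
```

A non-zero exit code makes the script usable as a gate in a deployment pipeline or a cron-driven health check.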

```bash
# All services status
docker-compose ps
# Control Plane health
curl http://localhost:8000/health
# Check logs
docker-compose logs -f control-plane
```

```bash
# Real-time event monitoring
docker-compose exec kafka kafka-console-consumer \
  --bootstrap-server localhost:9092 \
  --topic sentinel-edr-events
# Control Plane event stats
watch -n 5 'curl -s http://localhost:8000/api/v1/telemetry/stats'
```

```bash
# Get recent decisions (URL quoted so the shell does not glob the "?")
curl 'http://localhost:8000/api/v1/decisions?limit=10'
# View enforcement history
docker-compose exec control-plane cat /var/log/enforcement.log
```

Troubleshooting:

```bash
# Check Docker resources
docker system df
# Check logs
docker-compose logs <service-name>
# Restart specific service
docker-compose restart <service-name>
```

```bash
# Check Kafka topics exist
docker-compose exec kafka kafka-topics --list \
  --bootstrap-server localhost:9092
# Create missing topics
docker-compose exec kafka kafka-topics --create \
  --bootstrap-server localhost:9092 \
  --topic sentinel-edr-events \
  --partitions 3 \
  --replication-factor 1
```

```bash
# Check network connectivity
ping <control-plane-host>
telnet <control-plane-host> 9092
# Check firewall rules
sudo ufw status
# Check agent logs
# Wazuh: tail -f /var/ossec/logs/ossec.log
# osquery: journalctl -u osqueryd -f
# Zeek: tail -f /usr/local/zeek/logs/current/reporter.log
```

All configuration files are in:

```
SentinelPrime/
├── .env                    # Main configuration
├── docker-compose.yml      # Infrastructure
├── edr/
│   ├── wazuh/config.yaml
│   └── osquery/osquery.conf
├── ndr/
│   ├── zeek/local.zeek
│   └── suricata/suricata.yaml
└── ztna/
    ├── openziti/
    └── pomerium/
```

```bash
# Core + Simulations
./deploy.sh
python3 experiments/lateral_movement.py
```

```
# Core in Docker on one server
# osquery on all workstations
# Zeek on gateway/router
# Wazuh on critical servers
```

```
# Core in Kubernetes cluster
# Wazuh with clustered managers
# Zeek on multiple network taps
# Full ZTNA deployment
```

- ✅ Infrastructure deployed → Test with simulations
- ✅ Agents installed → Monitor real activity
- ✅ Events flowing → Tune correlation rules
- ✅ Tested detection → Configure enforcement
- ✅ Enforcement working → Enable auto-response
Before production:
- Change all default passwords
- Enable TLS/SSL on all services
- Configure firewall rules
- Set up backup procedures
- Enable audit logging
- Configure alerting
- Test disaster recovery
- Documentation: see the docs/ directory
- Installation Issues: check TROUBLESHOOTING.md
- API Reference: http://localhost:8000/docs
- Examples: see the experiments/ directory

For most users, we recommend this order:
- Week 1: Deploy core infrastructure + simulations
- Week 2: Add osquery to your own machines
- Week 3: Deploy Wazuh on test servers
- Week 4: Add Zeek on network monitoring point
- Week 5: Tune detection and correlation
- Week 6: Enable automated enforcement
This gradual approach lets you learn each component before adding complexity!