Conversation

@seosamuel02 seosamuel02 commented Dec 12, 2025

Summary

BASTION (Bridging Attack Simulations To Integrated Observability Network) is a new plugin that integrates Caldera with Wazuh SIEM for automated detection validation and security posture assessment.

Features

  • Automated Agent Correlation: Maps Caldera agents to Wazuh agents via client.keys parsing
  • Real-time Detection Validation: Correlates attack simulations with SIEM detections
  • MITRE ATT&CK Coverage: Visual heat map showing technique coverage and detection gaps
  • Security Posture Scoring: Quantified assessment based on detection rates
  • Cyber Command Center Dashboard: Professional SOC-style interface

Use Cases

  • Purple Team Operations: Validate that attacks are being detected
  • Detection Gap Analysis: Identify which MITRE techniques lack detection coverage
  • Security Posture Assessment: Measure and track detection capabilities over time
  • SOC Training: Practice correlating attacks with detections

Technical Details

  • Backend: Python/aiohttp with OpenSearch client for Wazuh Indexer
  • Frontend: Vue 3 Composition API with Chart.js
  • Integration: Wazuh Manager API (55000) + Wazuh Indexer (9200)
  • Self-contained: All code within plugins/bastion/, no core modifications

Repositories

Repository        Description
caldera-bastion   Standalone plugin (for submodule integration)
BASTION           Full development environment with Docker Compose (Caldera + Wazuh stack)

Screenshots

Dashboard provides real-time visibility into:

  • Security posture score (0-100 with letter grade)
  • Detection rate and MTTD metrics
  • MITRE ATT&CK tactic coverage chart
  • Attack vs Detection timeline
  • Technique-level gap analysis table

Dependencies

  • opensearch-py
  • python-dateutil

Installation (for users)

# Add to conf/local.yml
plugins:
  - bastion

# Install dependencies
pip install -r plugins/bastion/requirements.txt

Quick Start (Full Environment)

For testing with the complete Caldera + Wazuh environment:

git clone https://github.com/seosamuel02/BASTION.git
cd BASTION/bastion
docker-compose up -d
# Access: http://localhost:8888/plugins/bastion

Testing

Tested with:

  • Caldera 5.3.0
  • Wazuh 4.14.1
  • Ubuntu 22.04 agents

I'm open to feedback and happy to make any changes needed to meet Caldera's plugin standards.
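
The correlation pipeline the description outlines (client.keys parsing, Caldera-to-Wazuh agent mapping, attack-versus-alert matching, and a detection-rate score with MTTD) as an added, self-contained example. This is not BASTION's own code and does not use its APIs; it assumes the documented client.keys line format (`<id> <name> <ip> <key>`), a few fields from Caldera agent and link records (`paw`, `host`, `host_ip_addrs`, `technique_id`, `finish`) and from Wazuh alerts (`agent.id`, `rule.mitre.id`, `timestamp`) flattened into plain dicts, a 30 s clock-skew tolerance, a 5 min detection window, and a letter-grade scale of A>=90, B>=80, C>=70, D>=60, else F. All sample data is constructed. It goes slightly beyond the description by treating two failure modes a practitioner hits in practice: Caldera agents that have no Wazuh counterpart, and alerts for the right technique that fall outside the time window.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample client.keys (one "<id> <name> <ip> <key>" per line); the keys are dummies.
CLIENT_KEYS = """\
001 web-01 192.168.56.10 4f1d2a9c0b8e7d6c5a4b3c2d1e0f9a8b
002 DB-01 any 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d
003 app-01.corp.example 192.168.56.12 11112222333344445555666677778888
# comment lines and blanks are skipped
"""

# Constructed Caldera agent records (a subset of what /api/v2/agents returns).
CALDERA_AGENTS = [
    {"paw": "abc123", "host": "WEB-01.corp.example", "host_ip_addrs": ["192.168.56.10"]},
    {"paw": "def456", "host": "db-01", "host_ip_addrs": ["192.168.56.11"]},
    {"paw": "zzz999", "host": "lab-99", "host_ip_addrs": ["10.0.0.5"]},  # not enrolled in Wazuh
]

# Constructed executed links and Wazuh alerts, flattened to the fields correlation needs.
LINKS = [
    {"paw": "abc123", "technique_id": "T1059.004", "finish": "2025-12-12T10:00:00+00:00"},
    {"paw": "abc123", "technique_id": "T1003.008", "finish": "2025-12-12T10:01:00+00:00"},
    {"paw": "def456", "technique_id": "T1082", "finish": "2025-12-12T10:02:00+00:00"},
    {"paw": "zzz999", "technique_id": "T1057", "finish": "2025-12-12T10:03:00+00:00"},
]
ALERTS = [
    {"agent_id": "001", "mitre_ids": ["T1059.004"], "timestamp": "2025-12-12T10:00:40+00:00"},
    {"agent_id": "001", "mitre_ids": ["T1059.004"], "timestamp": "2025-12-12T10:00:12+00:00"},
    {"agent_id": "002", "mitre_ids": ["T1082"], "timestamp": "2025-12-12T09:59:00+00:00"},  # too early
    {"agent_id": "001", "mitre_ids": ["T1003.008"], "timestamp": "2025-12-12T10:30:00+00:00"},  # too late
    {"agent_id": "002", "mitre_ids": ["T1082", "T1016"], "timestamp": "2025-12-12T10:02:30+00:00"},
]


def parse_client_keys(text: str) -> Dict[str, dict]:
    """Parse client.keys into {name: {id, name, ip}}; the secret key is discarded on purpose."""
    agents: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=3)
        if len(parts) != 4:  # malformed line: skip rather than guess
            continue
        agent_id, name, ip, _key = parts
        agents[name] = {"id": agent_id, "name": name, "ip": ip}
    return agents


def _short(host: str) -> str:
    return host.split(".")[0].lower()  # tolerate FQDN vs short name and case differences


def correlate_agents(caldera_agents: List[dict], wazuh_agents: Dict[str, dict]) -> Dict[str, str]:
    """Map Caldera paw -> Wazuh agent id: hostname first, exact IP as fallback.
    'any' and CIDR entries in client.keys are never matched by IP."""
    by_host = {_short(a["name"]): a for a in wazuh_agents.values()}
    by_ip = {a["ip"]: a for a in wazuh_agents.values() if a["ip"] != "any" and "/" not in a["ip"]}
    mapping: Dict[str, str] = {}
    for ca in caldera_agents:
        match = by_host.get(_short(ca["host"]))
        if match is None:
            match = next((by_ip[ip] for ip in ca.get("host_ip_addrs", []) if ip in by_ip), None)
        if match is not None:
            mapping[ca["paw"]] = match["id"]
    return mapping


def validate_detections(links: List[dict], alerts: List[dict], paw_to_agent: Dict[str, str],
                        skew: timedelta = timedelta(seconds=30),
                        window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Earliest alert from the mapped agent with the same technique inside [finish-skew, finish+window]."""
    results = []
    for link in links:
        executed = datetime.fromisoformat(link["finish"])
        agent_id = paw_to_agent.get(link["paw"])  # None: no Wazuh counterpart, so nothing can match
        hits = [datetime.fromisoformat(a["timestamp"]) for a in alerts
                if a["agent_id"] == agent_id and link["technique_id"] in a["mitre_ids"]]
        in_window = [t for t in hits if executed - skew <= t <= executed + window]
        results.append({"technique_id": link["technique_id"], "paw": link["paw"], "executed": executed,
                        "detected_at": min(in_window) if in_window else None})
    return results


def posture_summary(results: List[dict]) -> dict:
    """Detection rate, mean time to detect, 0-100 score and assumed letter grade; unmapped agents count as gaps."""
    detected = [r for r in results if r["detected_at"] is not None]
    rate = len(detected) / len(results) if results else 0.0
    delays = [(r["detected_at"] - r["executed"]).total_seconds() for r in detected]
    mttd = sum(delays) / len(delays) if delays else None
    score = round(rate * 100)
    grade = next(g for g, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", 0)) if score >= floor)
    gaps = sorted({r["technique_id"] for r in results if r["detected_at"] is None})
    return {"score": score, "grade": grade, "detection_rate": rate, "mttd_seconds": mttd, "gaps": gaps}


def run_example() -> dict:
    wazuh = parse_client_keys(CLIENT_KEYS)
    mapping = correlate_agents(CALDERA_AGENTS, wazuh)
    return posture_summary(validate_detections(LINKS, ALERTS, mapping))
```

With the constructed data, `run_example()` reports two of four techniques detected (rate 0.5, MTTD 21 s, score 50, grade F) and lists T1003.008 (alert arrived outside the window) and T1057 (agent never enrolled in Wazuh) as gaps. Against a live stack the same three functions would be fed by the Manager API for agents and the Indexer's `wazuh-alerts-*` index for alerts; the time window is the parameter worth tuning first, since too wide a window credits unrelated alerts and too narrow one penalises normal indexing lag.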

continue bot commented Dec 12, 2025

All Green - Keep your PRs mergeable

All Green is an AI agent that automatically:

✅ Addresses code review comments

✅ Fixes failing CI checks

✅ Resolves merge conflicts

