SOC National ANTIC - Architecture Wazuh Cluster

SOC National ANTIC - Architecture Wazuh Cluster — AWS network diagram

About This Architecture

SOC National ANTIC deploys a distributed Wazuh cluster across five security zones: a central Wazuh Master manages five regional worker nodes (the diagram labels them slave nodes; Wazuh's own term is worker, set with `<node_type>worker</node_type>`), one per sector (Telecoms, Finance, Administration, Energy, Transport), and the manager nodes ship their alerts into a three-node OpenSearch cluster. Data flows from the collection points (Wazuh agents, FortiGate firewalls, OPNsense, and Suricata/Zeek probes) through zone-specific collectors to that zone's worker node, and from the managers to the OpenSearch indexers for centralized storage and analysis. Analysts reach the infrastructure through an Apache Guacamole bastion behind FortiGate perimeter firewalls; MISP and Cortex supply threat intelligence, TheHive handles incident management, and Shuffle automation together with Grafana dashboards feed back to the Wazuh Master. The multi-zone, multi-sector design isolates the critical-infrastructure domains from one another while keeping unified visibility and response orchestration across the telecommunications, finance, administration, energy and transport networks. Two points the diagram leaves implicit: the zone isolation only holds if the cluster synchronization traffic between workers and master (TCP 1516 by default) and the manager-to-indexer traffic (TCP 9200 by default) stay on the SOC management network rather than crossing the sector networks, and a compromised zone collector must be assumed able to inject or suppress that zone's events, so the Master, the indexers and the bastion should expose nothing to it beyond the agent and syslog ports it is meant to use. Fork this diagram on Diagrams.so to customize collector endpoints, add worker nodes, or adapt the threat-intelligence integrations to your SOC's operational requirements.
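The manager-side and agent-side configuration that realises the master/worker topology described above, as an added example that is not part of the diagram or of the ANTIC deployment. Cluster name, node names, management-network addresses and DNS names are assumptions; the cluster key is a placeholder that must be generated once (for example with `openssl rand -hex 16`) and copied to every node.

```xml
<!-- Master node: /var/ossec/etc/ossec.conf on the central Wazuh Master -->
<ossec_config>
  <cluster>
    <name>soc-antic</name>                  <!-- assumed cluster name; identical on every node -->
    <node_name>wazuh-master</node_name>     <!-- assumed node name; must be unique in the cluster -->
    <node_type>master</node_type>
    <!-- Shared 32-hex-character secret for cluster authentication.
         Generate once with: openssl rand -hex 16
         Same value on master and all workers; keep ossec.conf root:wazuh 0640. -->
    <key>REPLACE_WITH_32_HEX_CHARS</key>
    <port>1516</port>
    <!-- Bind only to the management interface so sector networks cannot reach the cluster port -->
    <bind_addr>10.200.0.10</bind_addr>      <!-- assumed management-network address of the master -->
    <nodes>
      <node>10.200.0.10</node>              <!-- the master lists itself -->
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>

<!-- Worker node for the Telecoms zone: same file on that regional manager -->
<ossec_config>
  <cluster>
    <name>soc-antic</name>                            <!-- must match the master -->
    <node_name>wazuh-worker-telecoms</node_name>      <!-- assumed; one worker per sector zone -->
    <node_type>worker</node_type>
    <key>REPLACE_WITH_32_HEX_CHARS</key>              <!-- identical to the master's key -->
    <port>1516</port>
    <bind_addr>10.200.1.10</bind_addr>                <!-- assumed management address of this worker -->
    <nodes>
      <node>10.200.0.10</node>                        <!-- workers point only at the master -->
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>

<!-- Agent in the Telecoms zone: /var/ossec/etc/ossec.conf on a monitored host.
     The zone worker is the primary manager; the master is listed second as failover,
     so an agent never needs a path to another zone's worker. -->
<ossec_config>
  <client>
    <server>
      <address>wazuh-worker-telecoms.soc.example</address>  <!-- assumed DNS name -->
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <server>
      <address>wazuh-master.soc.example</address>           <!-- assumed DNS name -->
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
```

After restarting `wazuh-manager` on each node, `/var/ossec/bin/cluster_control -l` on the master should list the master and the five workers as connected. The worker-to-indexer arrow in the diagram corresponds to the Filebeat instance that runs on every manager node and ships `/var/ossec/logs/alerts/alerts.json` to the OpenSearch cluster; it needs only outbound TCP 9200 to the indexers, so nothing on the sector side has to reach the indexers directly.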

People also ask

How do you architect a distributed Wazuh security operations center across multiple critical infrastructure sectors with centralized threat intelligence and incident response?

SOC National ANTIC uses a five-zone architecture: a Wazuh Master node managing five regional worker nodes (labelled slave nodes in the diagram) for Telecoms, Finance, Administration, Energy and Transport, a three-node OpenSearch cluster that indexes the alerts the manager nodes forward, FortiGate perimeter firewalls with an Apache Guacamole bastion for analyst access, and MISP/Cortex, TheHive and Shuffle for threat intelligence, incident management and automated response workflows.

Tags: Wazuh, SOC, OpenSearch, AWS, threat-intelligence, incident-response
Domain:
Security
Audience:
Security operations center (SOC) architects and incident response teams managing national-scale threat detection and res

Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.



Created: June 19, 2026
Updated: June 19, 2026 at 2:45 PM
Type: network
