https://github.com/yasirhamza/wazuh-firewalla
Wazuh SIEM integration for Firewalla with threat intelligence and Windows SRP monitoring
docker firewalla security siem threat-intelligence wazuh
- Host: GitHub
- URL: https://github.com/yasirhamza/wazuh-firewalla
- Owner: yasirhamza
- License: mit
- Created: 2025-12-31T12:59:35.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-02-22T20:45:18.000Z (4 months ago)
- Last Synced: 2026-02-23T01:05:26.286Z (4 months ago)
- Topics: docker, firewalla, security, siem, threat-intelligence, wazuh
- Language: Python
- Size: 70.3 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# Firewalla-Wazuh SIEM Integration
Integrate your [Firewalla](https://firewalla.com) network security device with [Wazuh](https://wazuh.com) SIEM for centralized security monitoring, threat intelligence correlation, and custom alerting.
## Features
- **MSP API Integration** - Polls Firewalla MSP API for alarms, flows, and device inventory
- **Threat Intelligence** - Automatic correlation with Feodo Tracker and ThreatFox C2 feeds
- **Custom Detection Rules** - 40+ Wazuh rules for Firewalla events with MITRE ATT&CK mappings
- **Security Dashboard** - Pre-built OpenSearch dashboard for network visibility
- **Store-and-Forward** - Resilient to container downtime with 30-day MSP API retention
## Quick Start
```bash
# Clone the repository
git clone https://github.com/yasirhamza/wazuh-firewalla.git
cd wazuh-firewalla
# Configure credentials
cp .env.example .env
nano .env # Set your passwords and MSP token
# Generate SSL certificates
docker compose -f generate-certs.yml run --rm generator
# Start the stack
docker compose up -d
# Wait ~2 minutes, then access dashboard
# https://localhost:443
# Username: admin
# Password: (your INDEXER_PASSWORD from .env)
```
## Architecture
```
┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│  Firewalla MSP  │────▶│    msp-poller    │────▶│  Wazuh Manager  │
│       API       │     │    (sidecar)     │     │   + Filebeat    │
└─────────────────┘     └──────────────────┘     └────────┬────────┘
                                                          │
┌─────────────────┐     ┌──────────────────┐     ┌────────▼────────┐
│  Threat Feeds   │────▶│   threat-intel   │────▶│  Wazuh Indexer  │
│(Feodo/ThreatFox)│     │    (sidecar)     │     │  (OpenSearch)   │
└─────────────────┘     └──────────────────┘     └────────┬────────┘
                                                          │
                                                 ┌────────▼────────┐
                                                 │ Wazuh Dashboard │
                                                 │   (port 443)    │
                                                 └─────────────────┘
```
## Detection Rules
| Rule ID Range | Category | Description |
|---------------|----------|-------------|
| 100200-100299 | Alarms | Firewalla security alerts (new device, port scan, spoofing) |
| 100300-100399 | Devices | Device inventory changes |
| 100400-100449 | Flows | Network flow analysis (blocked, high bandwidth) |
| 100450-100499 | Threat Intel | C2 IP correlation matches |
| 100500-100504 | Sidecar | Poller health monitoring |
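A minimal version of the C2 correlation the threat-intel sidecar performs (rules 100450-100499), added here as an illustration and not the project's own code: it loads a constructed feed, skips malformed entries instead of failing the poll, and emits one JSON line per flow whose destination IP is listed, flagging whether the port also matched. The feed columns and the flow field names are assumptions, not the real Feodo Tracker or Firewalla MSP formats.

```python
import csv
import io
import ipaddress
import json
# Constructed C2 feed in a simplified "dst_ip,dst_port,malware" CSV shape (assumption).
FEED_CSV = """# constructed sample feed
dst_ip,dst_port,malware
198.51.100.23,443,Dridex
203.0.113.77,8080,QakBot
not-an-ip,1,Broken
"""
# Constructed Firewalla-style flow records; field names are assumptions.
FLOWS = [
    {"src_ip": "192.168.1.20", "dst_ip": "203.0.113.77", "dst_port": 8080, "blocked": False},
    {"src_ip": "192.168.1.21", "dst_ip": "93.184.216.34", "dst_port": 443, "blocked": False},
    {"src_ip": "192.168.1.22", "dst_ip": "198.51.100.23", "dst_port": 80, "blocked": True},
]

def load_feed(text):
    """Parse feed CSV into {ip: {"port": int, "malware": str}}; drop bad rows."""
    rows = "\n".join(l for l in text.splitlines() if l and not l.startswith("#"))
    indicators = {}
    for row in csv.DictReader(io.StringIO(rows)):
        try:
            ip = str(ipaddress.ip_address(row["dst_ip"].strip()))
            port = int(row["dst_port"])
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole poll
        indicators[ip] = {"port": port, "malware": row["malware"].strip()}
    return indicators

def correlate(flows, indicators):
    """Emit one enriched event per flow whose destination IP is a listed C2."""
    events = []
    for flow in flows:
        hit = indicators.get(flow["dst_ip"])
        if hit is None:
            continue
        events.append({
            "integration": "firewalla-threat-intel",  # tag a Wazuh rule can key on
            "src_ip": flow["src_ip"], "dst_ip": flow["dst_ip"],
            "dst_port": flow["dst_port"], "blocked": flow["blocked"],
            "malware": hit["malware"],
            "port_match": hit["port"] == flow["dst_port"],  # weaker hit if False
        })
    return events

if __name__ == "__main__":
    for event in correlate(FLOWS, load_feed(FEED_CSV)):
        print(json.dumps(event, sort_keys=True))  # one JSON object per line
```

Each printed line is in the one-object-per-line shape a Wazuh JSON log collector reads, so a rule can match on `integration` and `port_match` separately to rank exact C2 port hits above IP-only hits.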
## Requirements
- Docker Engine 20.10+
- Docker Compose v2
- 4GB RAM minimum
- Firewalla MSP account (for API access)
## Documentation
- [SETUP.md](SETUP.md) - Detailed installation and configuration guide
- [CHANGELOG.md](CHANGELOG.md) - Version history
- [CONTRIBUTING.md](CONTRIBUTING.md) - Development guidelines
## License
MIT License - see [LICENSE](LICENSE) for details.
## Acknowledgments
- [Wazuh](https://wazuh.com) - Open source security platform
- [Firewalla](https://firewalla.com) - Network security appliance
- [abuse.ch](https://abuse.ch) - Threat intelligence feeds