apply_defender_profile

Adds monitoring and detection capabilities to Ludus configurations for blue team training, SOC practice, and threat hunting exercises by deploying SIEM agents, logging, and security rules.

Instructions

Apply defender profile to add monitoring and detection capabilities for blue team training.

This tool enhances an existing Ludus configuration with comprehensive security monitoring, logging, and detection capabilities. Perfect for:

Blue team training and SOC practice
SIEM deployment and configuration
Threat hunting exercises
Purple team defensive exercises
Incident detection and response training

Args: config: The Ludus range configuration to enhance (dict with 'ludus' key) monitoring_level: Level of monitoring to deploy - "basic": SIEM agent + event forwarding - "comprehensive": + Sysmon/Auditd + PowerShell logging - "advanced": + EDR, process monitoring, FIM, network monitoring siem_type: SIEM platform to deploy - "wazuh": Wazuh (open source SIEM/XDR) - "splunk": Splunk Enterprise - "elastic": Elastic Stack (ELK) detection_focus: Optional list of specific attack types to focus detection on (e.g., ["kerberos_attacks", "lateral_movement", "credential_access"])

Returns: Dictionary containing: - status: "success" - profile_type: "defender" - monitoring_level: The applied monitoring level - siem_type: The SIEM platform used - modified_config: Enhanced Ludus configuration - monitoring_enhancements: List of added monitoring capabilities - enhancements_count: Total number of enhancements - siem_added: Whether SIEM server was added - detection_rules: List of detection rules configured - affected_vms: List of VMs that were enhanced - documentation: Implementation and usage documentation - next_steps: What to do after deployment

Examples: # Add comprehensive Wazuh monitoring to all VMs result = await apply_defender_profile( config=my_range_config, monitoring_level="comprehensive", siem_type="wazuh" )

# Add advanced monitoring with Splunk result = await apply_defender_profile( config=my_range_config, monitoring_level="advanced", siem_type="splunk" ) # Focus detection on Kerberos attacks and lateral movement result = await apply_defender_profile( config=my_range_config, monitoring_level="comprehensive", siem_type="wazuh", detection_focus=["kerberos_attacks", "lateral_movement"] )

Monitoring Capabilities: Windows Monitoring: - SIEM agent (Wazuh/Splunk/Elastic) - Event log forwarding - Sysmon (process, network, file monitoring) - PowerShell script block logging - EDR capabilities (advanced level) - Process monitoring (advanced level) - File integrity monitoring (advanced level)

Linux Monitoring: - SIEM agent (Wazuh/Splunk/Elastic) - Syslog forwarding - Auditd (system call auditing) - OSQuery (endpoint visibility) - EDR capabilities (advanced level) - Process monitoring (advanced level) - File integrity monitoring (advanced level) Network Monitoring: - NetFlow collection - Packet capture - Zeek network security monitor (advanced level) - Suricata IDS/IPS (advanced level)

Detection Rules: - Kerberoasting detection (Event ID 4769) - Lateral movement detection (PsExec, WMI) - Credential dumping (LSASS access, Mimikatz) - PowerShell obfuscation - Suspicious process execution - And more based on detection_focus

Notes: - SIEM server will be automatically added if not present - All VMs will have monitoring agents installed - Detection rules are pre-configured but customizable - Dashboard and alerting must be configured post-deployment

Input Schema

TableJSON Schema

Name	Required	Default
`config`	Yes
`monitoring_level`	No	comprehensive
`siem_type`	No	wazuh
`detection_focus`	No

Ludus FastMCP