
CLAUDE.md

Bhutan Tourism Council -- Security Assessment with SIEM Deployment

Project

Security assessment and continuous monitoring implementation for the Bhutan Tourism Council (BTC), a government body operating three digital portals. Client: Tshering Pem, Director of Digital Services. Driven by Royal Government Directive 2026/CS-04 requiring continuous security monitoring and an independent assessment before the fiscal quarter deadline.

What you're building

A security assessment across three interconnected portals (Tourism Services Portal, Guide Management System, Internal Operations Platform), deployment of Wazuh SIEM alongside the existing Grafana/Loki monitoring stack, cross-SIEM detection rules for critical threats, and a compliance report for the Ministry of Information and Communications.

Tools

  • Nmap -- network reconnaissance
  • sqlmap -- SQL injection testing
  • Wazuh -- SIEM (manager, indexer, dashboard)
  • Grafana + Loki + Alloy -- log aggregation and querying
  • Sigma + sigma-cli -- detection rule authoring and validation
  • pySigma-backend-loki -- Sigma to LogQL conversion
  • pySigma-backend-opensearch -- Sigma to OpenSearch conversion (for Wazuh)
  • Docker -- lab environment
  • MCP -- Loki API connection for AI-directed log queries

Environment

Docker Compose environment with three vulnerable web applications simulating BTC's portal infrastructure:

  • tourism-portal (port 3000) -- Node.js/Express, tourist-facing booking and information
  • guide-system (port 5000) -- Python/Flask, guide licensing and credential management
  • operations-platform (port 8080) -- Python/Flask, staff communications and document management
  • grafana (port 3001) -- monitoring dashboard
  • loki (port 3100) -- log aggregation
  • alloy -- log collection from all three portals

Wazuh stack added during assessment:

  • wazuh-manager (port 1514/1515)
  • wazuh-indexer (port 9200)
  • wazuh-dashboard (port 5601)

Work breakdown

  1. Client discovery and scope definition (from Tshering's memorandum)
  2. Reconnaissance across three portals and API interconnections
  3. Wazuh SIEM deployment alongside existing Loki stack
  4. Engagement memory (CLAUDE.md + AGENTS.md) and MCP connection to Loki
  5. Cross-SIEM detection rules (Sigma converted to LogQL and OpenSearch)
  6. CIS Benchmark hardening of Wazuh deployment + remediation with prevention-plus-detection pairing
  7. Compliance report aligned to Directive 2026/CS-04

Detection rule naming convention

CS-BTC-[ATT&CK TTP ID]-[loki or wazuh]-[version number]

Example: CS-BTC-T1190-loki-v1 (SQL injection detection, Loki variant, version 1)

Log field mappings

Loki (via Alloy)

  • Labels: service, container, level
  • Fields: request_uri, remote_addr, http_method, status_code

Wazuh

  • Fields: rule.id, data.srcip, data.url, rule.description, agent.name
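The naming convention and the two field mappings above are what tie one detection idea to its Loki and Wazuh variants. The following is an added illustration, not an engagement rule and not pySigma: a hand-rolled stand-in that checks a rule ID against the convention and emits the LogQL and OpenSearch forms of one constructed T1190 rule. The request_uri to data.url and remote_addr to data.srcip pairing is an assumption, as is data.url being a keyword field.

```python
import re

# Naming convention from the engagement memory: CS-BTC-<ATT&CK TTP ID>-<loki|wazuh>-v<N>
RULE_ID_RE = re.compile(r"^CS-BTC-(T\d{4}(?:\.\d{3})?)-(loki|wazuh)-v(\d+)$")

# Canonical names follow the Loki/Alloy fields; the Wazuh column is an assumed
# pairing with Wazuh's decoded fields (not taken from the engagement).
FIELD_MAP = {
    "loki":  {"request_uri": "request_uri", "remote_addr": "remote_addr"},
    "wazuh": {"request_uri": "data.url",    "remote_addr": "data.srcip"},
}

# Constructed Sigma-style rule: T1190 web exploitation keyed on SQLi keywords in the URI.
SQLI_RULE = {
    "title": "SQL injection attempt against BTC portal",
    "ttp": "T1190",
    "field": "request_uri",
    "contains": ["UNION SELECT", "' OR 1=1"],
}

def parse_rule_id(rule_id: str):
    """Validate a rule ID against the convention; None if it does not conform."""
    m = RULE_ID_RE.match(rule_id)
    if not m:
        return None
    return {"ttp": m.group(1), "backend": m.group(2), "version": int(m.group(3))}

def rule_id(rule, backend, version=1):
    """Build the conventional ID for one backend variant of a rule."""
    return f"CS-BTC-{rule['ttp']}-{backend}-v{version}"

def _re2_escape(keyword):
    """Escape RE2 metacharacters only, so the emitted LogQL regex stays readable."""
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", keyword)

def to_logql(rule, service):
    """Loki variant: stream selector on the Alloy 'service' label, JSON parse,
    then a case-insensitive RE2 label filter on the mapped field."""
    field = FIELD_MAP["loki"][rule["field"]]
    alternatives = "|".join(_re2_escape(k) for k in rule["contains"])
    # Backtick-quoted LogQL string, so quotes inside the keywords need no escaping
    return f'{{service="{service}"}} | json | {field} =~ `(?i).*({alternatives}).*`'

def to_opensearch(rule):
    """Wazuh variant: bool/should of case-insensitive wildcard clauses. This
    assumes data.url is a keyword field; on an analyzed text field the same
    wildcard matches individual tokens, one of the cross-SIEM differences to record."""
    field = FIELD_MAP["wazuh"][rule["field"]]
    clauses = [{"wildcard": {field: {"value": f"*{k}*", "case_insensitive": True}}}
               for k in rule["contains"]]
    return {"query": {"bool": {"should": clauses, "minimum_should_match": 1}}}
```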

Verification targets

  • All three portals remain functional throughout assessment
  • Wazuh receives events from all three portal containers
  • Detection rules fire on attack data on both Loki and Wazuh
  • Cross-SIEM conversion differences documented
  • CIS Benchmark items assessed for Wazuh deployment
  • Remediation verified by re-running original exploits
  • Compliance report has all six directive sections

Commit convention

Commit after each major milestone: scope definition, reconnaissance complete, Wazuh deployed, engagement memory written, detection rules deployed, remediation verified, compliance report delivered. Write descriptive commit messages that follow the engagement's progression.