SOAR Automation with Shuffle, Wazuh & TheHive | This project integrates Shuffle SOAR, Wazuh SIEM, and TheHive to automate security incident response. It enriches alerts using VirusTotal & AbuseIPDB, creates incidents in TheHive, and sends real-time Discord notifications.
malwarekid/SOAR-Flow
This project demonstrates how to integrate Shuffle SOAR with Wazuh SIEM and TheHive to automate incident response.
✅ Receiving security alerts from Wazuh.
✅ Enriching alerts using external threat intelligence (VirusTotal, AbuseIPDB).
✅ Creating an incident in TheHive for case management.
✅ Sending notifications to a Discord channel.
✅ (Bonus) Auto-mitigating threats (e.g., blocking malicious IPs).
By implementing this SOAR workflow, you can automate security operations, reduce response time, and improve efficiency in a SOC environment.
Tool | Description |
---|---|
Wazuh SIEM | Security Information & Event Management (SIEM) solution for threat detection. |
TheHive | Open-source Security Incident Response Platform (SIRP). |
Shuffle | Open-source Security Orchestration, Automation, and Response (SOAR) platform. |
VirusTotal API | Used for malware and URL reputation checks. |
AbuseIPDB API | Used for checking if an IP address is malicious. |
Discord Webhook | Sends alerts to a Discord channel for real-time monitoring. |
Specifications
- RAM: 12GB+
- HDD: 60GB+
- OS: Ubuntu 24.04 LTS
Follow the official Wazuh installation guide:
🔗 Wazuh Installation Guide
Update and Upgrade:
```bash
apt-get update && apt-get upgrade
```
Install Wazuh 4.10:
```bash
curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```
Extract Wazuh Credentials:
sudo tar -xvf wazuh-install-files.tar
Wazuh Dashboard Credentials:
- User: admin
- Password: ***************
Access Wazuh Dashboard:
- Open your browser and go to: https://<Public IP of Wazuh>
Follow the official documentation for installing TheHive:
🔗 TheHive Installation Guide
Install Dependencies:
```bash
apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release
```
Install Java:
```bash
wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee -a /etc/apt/sources.list.d/corretto.sources.list
sudo apt update
sudo apt install java-common java-11-amazon-corretto-jdk
echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"
```
Install Cassandra:
```bash
wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install cassandra
```
Install ElasticSearch:
```bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch
```
Install TheHive:
```bash
wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt-get update
sudo apt-get install -y thehive
```
Default Credentials for TheHive:
- Port: 9000
- Credentials: 'admin@thehive.local' with a password of 'secret'
Specifications
- RAM: 4GB+
- HDD: 40GB+
- OS: Ubuntu 24.04 LTS
Run the following commands to install Shuffle SOAR on Ubuntu:
🔗 Shuffle Installation Guide
```bash
# Install Docker if not already installed
sudo apt update && sudo apt install -y docker.io docker-compose
# Enable and start Docker
sudo systemctl enable docker
sudo systemctl start docker
# Clone the Shuffle repository
git clone https://github.com/Shuffle/Shuffle.git
cd Shuffle
# Build and run Shuffle with Docker Compose
sudo docker-compose up -d
```
Access Shuffle Web UI at http://YOUR-IP:3001
- Go to your Discord Server → Settings → Integrations → Webhooks
- Click New Webhook → Name it SOC Alerts
- Copy the Webhook URL (you will need it later)
Edit Cassandra Config File:
```bash
nano /etc/cassandra/cassandra.yaml
```
Change Cluster Name:
```yaml
cluster_name: 'SOAR-Flow'
```
Update Listen Address:
```yaml
listen_address: <public IP of TheHive>
```
Update RPC Address:
```yaml
rpc_address: <public IP of TheHive>
```
Update Seed Provider:
```yaml
- seeds: "<Public IP of TheHive>:7000"
```
Stop Cassandra Service:
systemctl stop cassandra.service
Remove Old Files:
rm -rf /var/lib/cassandra/*
Restart Cassandra Service:
systemctl start cassandra.service
Edit ElasticSearch Config File:
```bash
nano /etc/elasticsearch/elasticsearch.yml
```
Update Cluster Name and Host:
```yaml
cluster.name: thehive
node.name: node-1
network.host: <Public IP of your TheHive instance>
http.port: 9200
discovery.seed_hosts: ["127.0.0.1"]
cluster.initial_master_nodes: ["node-1"]
```
Start ElasticSearch Service:
```bash
systemctl start elasticsearch
systemctl enable elasticsearch
systemctl status elasticsearch
```
Ensure Proper Ownership:
```bash
ls -la /opt/thp
chown -R thehive:thehive /opt/thp
```
Edit TheHive Configuration File:
```bash
nano /etc/thehive/application.conf
```
Update Database and Index Configuration:
```hocon
db.janusgraph {
  storage {
    backend = cql
    hostname = ["<Public IP of TheHive>"]
    cql {
      cluster-name = SOAR-Flow
      keyspace = thehive
    }
  }
}
index.search {
  backend = elasticsearch
  hostname = ["<Public IP of TheHive>"]
  index-name = thehive
}
application.baseUrl = "http://<Public IP of TheHive>:9000"
```
Start TheHive Services:
```bash
systemctl start thehive
systemctl enable thehive
systemctl status thehive
```
This workflow automates incident response using Shuffle:
1️⃣ Receive alerts from Wazuh SIEM when suspicious activity is detected.
2️⃣ Enrich the alert using the VirusTotal & AbuseIPDB APIs.
3️⃣ Create an incident in TheHive for case tracking.
4️⃣ Send a notification to Discord with alert details.
5️⃣ (Optional) Perform auto-mitigation (e.g., blocking malicious IPs).
🔹 Step 1: Add Wazuh Alert as Trigger
- In Shuffle, create a new workflow and add a Webhook trigger.
- Configure Wazuh to send alerts via webhooks.
🔹 Step 2: Enrich Data with VirusTotal & AbuseIPDB
- Add an HTTP Request node to check IPs/hashes using the VirusTotal API.
- Add another HTTP Request node to query AbuseIPDB for malicious IPs.
🔹 Step 3: Create an Incident in TheHive
- Use TheHive API to create a new case with the alert details.
🔹 Step 4: Send Alert to Discord
- Use the Discord Webhook to send a formatted message to a SOC channel.
🔹 Step 5: (Optional) Auto-Mitigation
- If the IP is high risk, trigger a firewall rule to block the attacker.
Edit the Wazuh ossec.conf file to send webhook alerts:
```xml
<integration>
  <name>custom-webhook</name>
  <hook_url>http://<shuffle-ip>:5001/webhook</hook_url>
  <event_format>json</event_format>
</integration>
```
Restart Wazuh to apply changes:
sudo systemctl restart wazuh-manager
Generate an API key in TheHive and add it to Shuffle’s HTTP Request node.
Use the Discord Webhook URL in the Shuffle HTTP Request node.
Example payload:
```json
{"content": "**🚨 New Security Alert 🚨**\n\nIP: 192.168.1.100\nSeverity: High\nSource: Wazuh SIEM"}
```
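The following is an added example, not code from the SOAR-Flow project: it expresses steps 2 to 5 of the workflow above (enrich, rate, open a TheHive case, notify Discord, decide whether the IP is a block candidate) as plain Python that runs offline. The Wazuh alert, the VirusTotal/AbuseIPDB results and the thresholds (5 flagging engines, AbuseIPDB confidence 80, Wazuh rule levels 7 and 12) are all constructed for the example; in Shuffle the same values would arrive from the Webhook trigger and the two HTTP Request nodes. The Discord body is built in the same shape as the example payload shown above. One detail the README does not spell out is handled explicitly: an internal (RFC 1918) source address such as the 192.168.1.100 in the sample payload is never submitted to external reputation services and is never auto-blocked, so its severity falls back to the Wazuh rule level.

```python
"""Enrichment-and-triage logic of the README's Shuffle workflow, as a stand-alone sketch.

Added example, not part of the SOAR-Flow project. The HTTP calls to VirusTotal,
AbuseIPDB, TheHive and Discord are replaced by the dicts a Shuffle HTTP Request node
would pass to the next node, so everything here runs offline. All thresholds are
constructed for this example.
"""
import ipaddress
import json

# Constructed Wazuh alerts, following the JSON alert layout Wazuh emits
# (rule.level / rule.id / rule.description, agent.name, data.srcip).
SAMPLE_ALERT = {
    "rule": {"level": 10, "id": "5763",
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"name": "web-01"},
    "data": {"srcip": "203.0.113.45"},
}
INTERNAL_ALERT = {
    "rule": {"level": 10, "id": "5763",
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"name": "web-01"},
    "data": {"srcip": "192.168.1.100"},
}

# Constructed stand-in for the VirusTotal / AbuseIPDB responses, keyed by IP:
# number of engines flagging the IP as malicious, and the AbuseIPDB confidence score.
SAMPLE_ENRICHMENT = {
    "203.0.113.45": {"vt_malicious": 7, "abuseipdb_confidence": 92},
}

# RFC 1918, loopback and link-local ranges: never sent to external reputation services.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

SEVERITY_MAP = {"Low": 1, "Medium": 2, "High": 3}  # TheHive case severity values


def is_internal(ip):
    """True for private/loopback/link-local addresses, and for unparseable input (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def risk_from_reputation(enrichment):
    """Map the two reputation signals to Low/Medium/High (thresholds constructed)."""
    vt = enrichment.get("vt_malicious", 0)
    abuse = enrichment.get("abuseipdb_confidence", 0)
    if vt >= 5 or abuse >= 80:
        return "High"
    if vt >= 1 or abuse >= 25:
        return "Medium"
    return "Low"


def risk_from_rule_level(level):
    """Fallback when no external enrichment is done: rate on the Wazuh rule level alone."""
    if level >= 12:
        return "High"
    if level >= 7:
        return "Medium"
    return "Low"


def build_thehive_case(alert, ip, risk, enriched):
    """Body for TheHive's create-case endpoint (title, description, severity, tags)."""
    rule = alert["rule"]
    how = "VirusTotal/AbuseIPDB enrichment" if enriched else "Wazuh rule level (internal IP, not enriched)"
    return {
        "title": f"{rule['description']} from {ip}",
        "description": (f"Wazuh rule {rule['id']} (level {rule['level']}) fired on agent "
                        f"{alert['agent']['name']}. Source IP {ip} rated {risk} by {how}."),
        "severity": SEVERITY_MAP[risk],
        "tags": ["wazuh", f"rule:{rule['id']}", f"risk:{risk.lower()}"],
    }


def build_discord_payload(ip, risk):
    """Webhook body in the same shape as the README's example payload."""
    return {"content": f"**🚨 New Security Alert 🚨**\n\nIP: {ip}\nSeverity: {risk}\nSource: Wazuh SIEM"}


def triage(alert, enrichment_by_ip):
    """Run steps 2-5 over one alert and return what each downstream node would receive."""
    ip = alert.get("data", {}).get("srcip", "")
    enriched = not is_internal(ip)
    if enriched:
        risk = risk_from_reputation(enrichment_by_ip.get(ip, {}))
    else:
        risk = risk_from_rule_level(alert["rule"]["level"])
    return {
        "ip": ip,
        "enriched": enriched,
        "risk": risk,
        "thehive_case": build_thehive_case(alert, ip, risk, enriched),
        "discord": build_discord_payload(ip, risk),
        # Step 5: only an externally confirmed High-risk public IP is a block candidate.
        "block": enriched and risk == "High",
    }


if __name__ == "__main__":
    for a in (SAMPLE_ALERT, INTERNAL_ALERT):
        print(json.dumps(triage(a, SAMPLE_ENRICHMENT), indent=2, ensure_ascii=False))
```

Running the script prints the two triage results: the public IP is rated High, gets a severity-3 case and is flagged as a block candidate; the 192.168.1.100 alert is rated Medium from its rule level, still opens a case and notifies Discord, but is not sent to VirusTotal/AbuseIPDB and is not a block candidate. Keeping the block decision behind the `enriched` flag is what stops a spoofed or misattributed internal address from triggering the optional step-5 firewall rule.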
- Trigger an alert in Wazuh (e.g., failed SSH logins).
- Verify the incident is created in TheHive.
- Check if the alert is sent to Discord.
✅ TheHive Incident Created:
```
[INFO] New Incident Created in TheHive:
- Title: Suspicious SSH Login Attempts
- Severity: High
- Source: Wazuh SIEM
```
🔹 Add auto-mitigation (e.g., blocking attacker IPs via firewall rules).
🔹 Integrate more threat intelligence feeds (e.g., MISP, Shodan API).
🔹 Expand automation to handle different types of incidents.
This project is licensed under the MIT License.
👤 Author: Nitin Sharma
💻 Instagram: Malwarekid
📧 LinkedIn: Connect