Wazuh Shuffle Integration - socarium/makarasoc GitHub Wiki

The Wazuh unified XDR and SIEM platform now has out-of-the-box integration with Shuffle SOAR. Shuffle is a general-purpose security automation platform.

A brute-force workflow is provided.


  1. First of all, we need to import the JSON file from the repository. If you cannot find it, please download it from here.

  1. Import the SocariumCase.json file.

  1. Open Shuffle workflow and copy webhook url.

  • The Socarium Team placed a condition node on the workflow, so only alerts that match the condition are allowed to pass.

  • Starting from this one, you should be able to create further workflows for other scenarios and other rule IDs.

  1. Open wazuh_manager.conf file.
sudo nano wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf
  1. Copy this block into the wazuh_manager.conf file, and modify it with your webhook URL.
<integration>
  <name>shuffle</name>
  <hook_url>http://<YOUR_SHUFFLE_IP>:3001/api/v1/hooks/<HOOK_ID></hook_url>
  <level>5</level>
  <alert_format>json</alert_format>
</integration>

You simply need to paste the copied webhook URL between the <hook_url> tags.

name: the name of the integration (here, shuffle).

hook_url: the webhook URL that receives the alert. Your Shuffle URL depends on your deployment, for example http://<SHUFFLE_IP>:3001 for an on-premise Shuffle deployment and https://shuffler.io for Shuffle Cloud.

level: forwards only alerts of level 5 and above. Alternatively, use <rule_id> </rule_id> to forward only alerts from specific rule IDs.

alert_format: the alert is sent to the webhook as JSON.
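As an added example (not part of the original wiki page or the Socarium repository), the script below parses an <integration> block like the one above and applies the same gate to a few constructed Wazuh alerts: an alert passes only if its rule level is at least <level> and, when <rule_id> is set, its rule ID is in that list. It also checks that the hook_url placeholders were actually replaced, which is the most common reason the integration silently sends nothing. The alert shape follows the fields Wazuh writes to alerts.json (rule.level, rule.id, agent.name, data.srcip); rule 5712 as Wazuh's default SSH brute-force rule, the sample IPs and the hook ID are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed copy of the page's <integration> block, with the placeholders
# replaced by obviously fake values (documentation IP range, dummy hook id).
INTEGRATION_XML = """
<integration>
  <name>shuffle</name>
  <hook_url>http://192.0.2.10:3001/api/v1/hooks/webhook_00000000-0000-0000-0000-000000000000</hook_url>
  <level>5</level>
  <alert_format>json</alert_format>
</integration>
"""

# Constructed sample alerts in the shape Wazuh writes to alerts.json.
# Rule 5712 is assumed to be Wazuh's default "sshd: brute force" rule.
SAMPLE_ALERTS = [
    {"rule": {"level": 10, "id": "5712", "description": "sshd: brute force trying to get access to the system."},
     "agent": {"name": "web-01"}, "data": {"srcip": "198.51.100.7"}},
    {"rule": {"level": 3, "id": "5710", "description": "sshd: Attempt to login using a non-existent user"},
     "agent": {"name": "web-01"}, "data": {"srcip": "198.51.100.7"}},
    {"rule": {"level": 7, "id": "31101", "description": "Web server 400 error code."},
     "agent": {"name": "web-02"}, "data": {"srcip": "203.0.113.9"}},
]


def parse_integration(xml_text):
    """Read name, hook_url, alert_format, level and rule_id from an <integration> block."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "integration":
        raise ValueError("expected an <integration> element")
    cfg = {
        "name": root.findtext("name"),
        "hook_url": root.findtext("hook_url"),
        "alert_format": root.findtext("alert_format"),
        "level": None,
        "rule_ids": set(),
    }
    level = root.findtext("level")
    if level is not None:
        cfg["level"] = int(level)
    # Wazuh accepts a comma-separated list of rule IDs in <rule_id>.
    rule_id = root.findtext("rule_id")
    if rule_id:
        cfg["rule_ids"] = {r.strip() for r in rule_id.split(",") if r.strip()}
    return cfg


def check_hook_url(hook_url):
    """True only if the URL is http(s), has a host and looks like a Shuffle hook path."""
    if not hook_url or "<" in hook_url or ">" in hook_url:
        return False  # placeholders such as <YOUR_SHUFFLE_IP> were never replaced
    u = urlparse(hook_url)
    if u.scheme not in ("http", "https") or not u.netloc:
        return False
    return "/api/v1/hooks/" in u.path


def should_forward(alert, cfg):
    """Apply the integration's level and rule_id gates to one alert."""
    level = int(alert["rule"]["level"])
    rule_id = str(alert["rule"]["id"])
    if cfg["level"] is not None and level < cfg["level"]:
        return False
    if cfg["rule_ids"] and rule_id not in cfg["rule_ids"]:
        return False
    return True


def select_alerts(alerts, cfg):
    """Return the alerts the manager would POST to hook_url."""
    return [a for a in alerts if should_forward(a, cfg)]


def brute_force_condition(alert, rule_ids=("5712",)):
    """Mirror of the workflow's condition node (assumed): pass only brute-force rule IDs."""
    return str(alert["rule"]["id"]) in rule_ids


if __name__ == "__main__":
    cfg = parse_integration(INTEGRATION_XML)
    print("hook_url usable:", check_hook_url(cfg["hook_url"]))
    for alert in select_alerts(SAMPLE_ALERTS, cfg):
        print("forwarded:", json.dumps(alert["rule"]), "workflow passes:", brute_force_condition(alert))
```

Running the script shows that the level-7 web-server alert reaches Shuffle but is stopped by the condition node, while the level-3 SSH alert is dropped by the manager before it is ever sent. If you tighten the manager with <rule_id>5712</rule_id>, only the brute-force alert leaves Wazuh at all, which is the cheaper place to filter when the SOAR host is resource-constrained.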

  1. Execute main.sh by typing this command.
./main.sh

  1. Select Tools Configurations.

  1. Select Integration Wazuh - Shuffle.

  • How long the integration process takes depends on the hardware resources.
  1. Open the Create a case node to register our local DFIR-IRIS instance.

  1. Register DFIR-IRIS api key and url.

  1. Open MISP intel to register our local misp.

  1. Register MISP api key and url.

  • In the last stage of the workflow automation, the developers use Discord to send the notification to the security operations center.

  • For the notification section, users can change it to suit their own convenience or policy.

  1. Open the notification desc.

  • Register the URL and webhook URL as in the example below.

If you find that the Discord node is not working, add a new Discord node, copy all the values from the old Discord node into the new one, connect it to the merge node, remove the old Discord node, and test the workflow again.
