# End-to-End Alert Automation: Wazuh → Shuffle → TheHive

## 🏗️ Final Part: SOC Automation Project

* Building the lab diagram
* Installing and configuring tools
* Generating telemetry data

### 🎯 Today's Goal

We'll connect **Shuffle (SOAR platform)** with **Wazuh** and **TheHive**, allowing: \
✅ Wazuh to send alerts to Shuffle \
✅ Shuffle to forward alerts to TheHive and email analysts

***

## 🔗 Installing and Setting Up Shuffle on Ubuntu

### **1. Install Dependencies**

To begin, update the package list and install Docker and Docker Compose:

```bash
sudo apt update && sudo apt install -y docker.io docker-compose
```

Then, enable and start the Docker service:

```bash
sudo systemctl enable docker
sudo systemctl start docker
```

### **2. Clone the Shuffle Repository**

Download the Shuffle source code from GitHub:

```bash
git clone https://github.com/Shuffle/Shuffle.git
cd Shuffle
```

### **3. Deploy Shuffle with Docker Compose**

Run the following command to start the Shuffle services:

```bash
sudo docker-compose up -d
```

### **4. Access the Web Interface**

Once the installation is complete, open your web browser and navigate to:

```
http://your-server-ip:3001
```

You should now see the Shuffle login page.

***

## **Post-Installation Steps**

### **5. Set File Ownership and Restart Services**

<figure><img src="/files/jKCfyvSpzQJgridVt4dH" alt=""><figcaption></figcaption></figure>

Run the following commands to fix ownership issues and restart necessary services:

```bash
sudo chown -R 1000:1000 shuffle-database
sudo swapoff -a
sudo docker restart shuffle-opensearch
```

The `chown` gives the OpenSearch container (which runs as UID 1000) write access to its data directory, and OpenSearch expects swap to be disabled on the host; together these steps avoid the most common reasons the database container fails to come up.<br>

<figure><img src="/files/g6KbYZDrlMFfBo3FV0vg" alt=""><figcaption></figcaption></figure>

***

### **7. Create a New Workflow**

Once Shuffle is installed and running, you can start automating tasks by creating workflows:

#### 1️⃣ Create an Account

* Sign up and log in
* Click **Workflows** > **New Workflow**
* Name it **SOC Automation Lab**
* Select any use case and click **Done.**<br>

  <figure><img src="/files/pFb6UQXINmBJuH4NYjV4" alt="" width="563"><figcaption></figcaption></figure>

#### 2️⃣ Add a Webhook Trigger

* Click **Triggers** (middle tab)
* Drag & drop **Webhook** into the workspace
* Name it **wazuh-alerts**
* Copy the **Webhook URL** (you’ll need it later)<br>

  <figure><img src="/files/0HHRGxYxTjOlxCaa8DxA" alt="" width="563"><figcaption></figcaption></figure>
* Click **Change Me** and set:
  * **Execution type**: Repeat back to me
  * Remove **Hello World**
  * Click **+** > **Execution Argument**
  * Save<br>

    <figure><img src="/files/Yvba66X9RpfOjjkcITJz" alt="" width="563"><figcaption></figcaption></figure>

***

### ⚙️ Configuring Wazuh to Connect with Shuffle

#### 1️⃣ Edit Wazuh’s Configuration

* SSH into Wazuh Manager
* Open the config file:

  ```bash
  sudo nano /var/ossec/etc/ossec.conf
  ```
* Scroll to a suitable place inside the `<ossec_config>` block (the integration can sit anywhere among its other sections)
* Add this:

  ```xml
  <integration>
    <name>shuffle</name>
    <hook_url>PASTE_WEBHOOK_URL_HERE</hook_url>
    <rule_id>100002</rule_id>
    <alert_format>json</alert_format>
  </integration>
  ```

  * Replace `PASTE_WEBHOOK_URL_HERE` with your **copied Webhook URL** (no stray whitespace inside the `<hook_url>` tag)
  * Ensure proper indentation (use spaces, not tabs)<br>

    <figure><img src="/files/F1T7djIHGCHldgvN1rWE" alt="" width="563"><figcaption></figcaption></figure>

#### 2️⃣ Restart Wazuh

* Save and exit (`CTRL + X`, then `Y`, then `Enter`)
* Restart Wazuh:

  ```bash
  sudo systemctl restart wazuh-manager
  ```
* Check the status:

  ```bash
  sudo systemctl status wazuh-manager
  ```

  If it says **running**, we're good to go :rocket:

***

### 🚀 Testing Mimikatz Alert

#### 1️⃣ Run Mimikatz

* On your **Windows Client**:

  ```powershell
  .\totally-not-mimktaz.exe
  ```
* This simulates credential-dumping activity and should fire the custom Wazuh rule (**100002**) that the integration above forwards to Shuffle

#### 2️⃣ Check Shuffle for Events

* Go back to **Shuffle**
* Click on **Webhook**
* Click **Start** > **Person Icon** (bottom tab)<br>

  <figure><img src="/files/0rgAKIjEzPkIsvcJVNuM" alt="" width="563"><figcaption></figcaption></figure>
* Click **Test Workflow**<br>

  <figure><img src="/files/MdaBOdcoszFRKA8QKQSD" alt="" width="563"><figcaption></figcaption></figure>

  <figure><img src="/files/IbkgdADQxMn4n5cppcBM" alt="" width="563"><figcaption></figcaption></figure>
* You should see the **execution arguments** (alert details from Wazuh)

***

### 🔄 Automating Further with VirusTotal & TheHive

Once alerts reach Shuffle, we can:

1. **Extract the file hash** (from Mimikatz alert)
2. **Check the reputation on VirusTotal**
3. **Create a case in TheHive**
4. **Send an email to the SOC analyst**

<mark style="color:yellow;">To extract hashes correctly:</mark>

* **Add Action** → Search **"Regex Capture Group"** → Add it.<br>

  <figure><img src="/files/2hLjDyhxj9eLdJyTP9vW" alt="" width="563"><figcaption></figcaption></figure>
* **Set Input** → Use `$exec.text.win.eventdata.hashes`.<br>
* **Enter Regex** → `SHA256=([A-Fa-f0-9]{64})`.<br>

  <figure><img src="/files/63xQJlYqJWb5KKDvBsTO" alt="" width="348"><figcaption></figcaption></figure>
* **Save & Test** → Run to check extraction.<br>

  <figure><img src="/files/QLPWH2iN6HAwbe16xpE3" alt="" width="563"><figcaption></figcaption></figure>

***

## 🔍 **Send the Hash to VirusTotal**

#### **Get a VirusTotal API Key**

1. Go to 🔗 [VirusTotal](https://www.virustotal.com/) and **Sign Up**.
2. After signing up, go to your **account settings** and **copy the API key**.\
   ![](/files/sFPtF6CMUcGcsSHvPtni)

#### **Connect VirusTotal to Shuffle**

1. In **Shuffle**, go to **Apps** and search for **VirusTotal**.
2. Click on **VirusTotal** and **activate it**.
3. Drag it into your **workflow**.

#### **Set Up the VirusTotal Action**

1. Rename it to **VirusTotal**.
2. Under **Find Actions**, choose **"Get a hash report"**.
3. Paste your **API key** in the authentication field.<br>

   <figure><img src="/files/JwPjTS2eERp9bM7wYcCH" alt="" width="563"><figcaption></figcaption></figure>
4. In the **Hash Section**, select the **Regex Output** from the previous step.<br>

   <figure><img src="/files/gQLUvpaCnmeATpcohdPI" alt=""><figcaption></figcaption></figure>

***

### **Now, get the Reputation Score**

#### **Verify VirusTotal's Output**

1. **Run the workflow again**.
2. Expand **VirusTotal's output** → Go to **Body Data → Attributes → Last Analysis Stats**.<br>

   <figure><img src="/files/SwFVXE6GW4GF3nMMobPI" alt="" width="563"><figcaption></figcaption></figure>
3. Look for the **Malicious Score** (e.g., `65 scanners detected as malicious`).
4. This number represents how many scanners flagged the file as a **threat**.

***

### 📤 **Send Data to TheHive**

#### **Add TheHive to Shuffle**

1. Search for **TheHive** in **Shuffle Apps** and add it to your **workflow**.
2. Drag it into your **workflow** and **connect it** to **VirusTotal**.
3. Wait for **TheHive actions** to load (refresh if needed).<br>

   <figure><img src="/files/7sI5MYAVMuezqFmtxvCM" alt="" width="563"><figcaption></figcaption></figure>

#### **Configure TheHive**

1. Go to **TheHive Web Interface**.

2. Log in with **default credentials**:

   ```
   Username: admin@thehive.local  
   Password: Secret
   ```

3. Create a **new organization** (e.g., "Osama Team").<br>

   <figure><img src="/files/yEY3AWztwF7yg7RDSdY4" alt=""><figcaption></figcaption></figure>

   <figure><img src="/files/Z7YbiLedwzGKrBxF8Hzc" alt=""><figcaption></figcaption></figure>

4. Add **two users**:
   * **Analyst**: <theuser@test.com><br>

     <figure><img src="/files/byZ5kTLPsYtH2GQD7vX1" alt="" width="563"><figcaption></figcaption></figure>
   * **Service Account**: <shuffle@test.com> (give it **least privilege** access).<br>

     <figure><img src="/files/kLHI8SstsHlfqLB8FKMr" alt="" width="563"><figcaption></figcaption></figure>

5. Set a password for Karim's account and generate an API key for the SOAR service account.<br>

   <figure><img src="/files/CppzqGYkFjhUrVjCnTpE" alt=""><figcaption></figcaption></figure>

   <figure><img src="/files/1vufP7qEjKO01zmRjnr9" alt=""><figcaption></figcaption></figure>

6. In **Shuffle**, configure **TheHive action** to send **alerts** based on **VirusTotal results**.<br>

   <figure><img src="/files/MsOcVqjigvVI7yozsm0u" alt=""><figcaption></figcaption></figure>

7. Now, set up the alert configuration details for TheHive and VirusTotal:<br>

   Fields (Summary, Description):

   ```
   Summary -> Mimikatz Activity Detected on host: $exec.text.win.system.computer and the Process Id: $exec.text.win.eventdata.processId and the Commandline: $exec.text.win.eventdata.commandLine
   Description -> Mimikatz Detected on host:$exec.text.win.system.computer
   ```


   <figure><img src="/files/7VTN6qINA6MtpecmNjdo" alt=""><figcaption></figcaption></figure>

   <figure><img src="/files/JkeD3slSku7S7v4pYJSG" alt=""><figcaption></figcaption></figure>

   <figure><img src="/files/DNjB5JAwKF2Djjqp6cBa" alt=""><figcaption></figcaption></figure>

## :warning: Note: You might have the same problem here as me

<figure><img src="/files/4HNteRHqHPhjNwfslP8k" alt="" width="563"><figcaption></figcaption></figure>

### Fixing JSON Issues in TheHive (Shuffle Integration)

### Problem

When sending alerts from **Shuffle** to **TheHive**, you may encounter a **400 Bad Request** error due to an **invalid JSON format**.

### Cause

* The **execution argument auto-completion** in Shuffle inserts incorrect JSON paths.
* TheHive requires properly formatted JSON, and incorrect paths cause errors.

### Solution

#### Step 1: Use the Advanced Field

1. Open your **Shuffle Workflow**.
2. Navigate to the **TheHive** action node.
3. Click **Advanced** to manually input the JSON body.<br>

   <figure><img src="/files/WNOjA1OL0yyKbwerJFIN" alt="" width="563"><figcaption></figcaption></figure>

#### Step 2: Paste the Correct JSON Format

Copy and paste the following JSON into the **Body** field:

```json
{
  "description": "Mimikatz Detected on host: test-host",
  "externallink": "",
  "pap": 2,
  "severity": 2,
  "source": "Wazuh",
  "sourceRef": "Rule: 100002",
  "status": "New",
  "summary": "Mimikatz Activity Detected on host: test-host and the Process Id: 1234 and the Commandline: mimikatz.exe",
  "tags": ["T1003"],
  "title": "Test Alert",
  "tlp": 2,
  "type": "Internal"
}
```
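The pasted body above is valid JSON but static (`test-host`, `1234`). The added Python example below (not part of the original page or of Shuffle/TheHive) shows how the same alert can be built dynamically and still stay valid: it reuses the page's `SHA256=([A-Fa-f0-9]{64})` capture from the Regex step and the Summary/Description wording from the TheHive field setup, serialises everything with `json.dumps`, and contrasts that with naive string substitution, where a quote or backslash in `commandLine` is enough to produce the 400 Bad Request. The alert shape under `$exec`, the hostname, process id, command line and hashes are constructed sample values, and the severity bump on VirusTotal hits is an assumption.

```python
import json
import re

# Regex from the page's "Regex Capture Group" step.
SHA256_RE = re.compile(r"SHA256=([A-Fa-f0-9]{64})")

# Constructed sample shaped like the $exec object Shuffle gets from Wazuh (made-up values).
SAMPLE_ALERT = {
    "rule_id": "100002",
    "text": {"win": {
        "system": {"computer": "WIN-CLIENT01"},
        "eventdata": {
            "processId": "4812",
            "commandLine": 'C:\\Tools\\totally-not-mimikatz.exe "sekurlsa::logonpasswords"',
            "hashes": "SHA1=" + "a" * 40 + ",SHA256=" + "c" * 64 + ",IMPHASH=" + "d" * 32,
        },
    }},
}

def extract_sha256(hashes_field):
    """Return the SHA256 from a Sysmon 'Hashes' string (None if absent)."""
    m = SHA256_RE.search(hashes_field)
    return m.group(1).lower() if m else None

def naive_body(alert):
    """Pasting $exec values straight into a JSON template leaves quotes/backslashes unescaped."""
    ev = alert["text"]["win"]["eventdata"]
    return '{"title": "Test Alert", "summary": "Commandline: %s"}' % ev["commandLine"]

def build_thehive_alert(alert, vt_malicious):
    """Build the alert with the page's Summary/Description wording; json.dumps does the escaping."""
    win = alert["text"]["win"]
    host, ev = win["system"]["computer"], win["eventdata"]
    body = {
        "title": "Mimikatz Activity Detected",
        "summary": (f"Mimikatz Activity Detected on host: {host} and the Process Id: "
                    f"{ev['processId']} and the Commandline: {ev['commandLine']}"),
        "description": f"Mimikatz Detected on host:{host}",
        "source": "Wazuh", "sourceRef": f"Rule: {alert['rule_id']}",
        "severity": 3 if vt_malicious > 0 else 2,  # assumption: raise severity on VT hits
        "tlp": 2, "pap": 2, "status": "New", "type": "Internal",
        "tags": ["T1003", f"sha256:{extract_sha256(ev['hashes'])}"],
    }
    return json.dumps(body)

def parse_body(raw):
    """Parse as TheHive's API would; None means the request would get a 400."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None
```

Running `parse_body(naive_body(SAMPLE_ALERT))` returns `None` because the Windows path introduces an invalid `\T` escape, while `parse_body(build_thehive_alert(SAMPLE_ALERT, 65))` round-trips cleanly with the full command line intact.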

#### Step 3: Save & Test

1. Save the workflow.
2. Rerun the execution.
3. The error should be resolved, and TheHive will receive the alert correctly. 🎯<br>

   <figure><img src="/files/2rwgPgjR7oZB6UiVHz2K" alt=""><figcaption></figcaption></figure>

## **Now, Log in to TheHive and Check Alerts**

To verify any alerts in TheHive, log in using the previously created account:

1. Open your web browser and navigate to TheHive's login page.
2. Enter the credentials for the **"Karim"** account.
3. Check the dashboard for any **alerts** or **notifications**.<br>

   <figure><img src="/files/kxs70j8TWKfZGwOtoC5C" alt="" width="563"><figcaption></figcaption></figure>

   <figure><img src="/files/9lC7QqZESLBI4vuCv2AA" alt="" width="563"><figcaption></figcaption></figure>

## **Sending a Telegram Message via Shuffle**

<figure><img src="/files/as62m1ubPmJIKaY5d24v" alt=""><figcaption></figcaption></figure>

**Steps:**

1️⃣ **Install & Configure Shuffle**

* Ensure Shuffle is running on your Ubuntu server.

2️⃣ **Use the HTTP App in Shuffle**

* Go to **Shuffle UI → Apps** → Install **HTTP App**.

3️⃣ **Create a Workflow**

* Add **HTTP Request** as an action.
* Set **POST** as the request method.
* URL:

  ```
  https://api.telegram.org/bot<YOUR-TOKEN>/sendMessage
  ```
* Body (JSON):

  ```json
  {
    "chat_id": "<CHAT_ID>",
    "text": "Mimikatz Detected!"
  }
  ```

<figure><img src="/files/t5RWbkQuXYBqzajkhBDV" alt=""><figcaption></figcaption></figure>

4️⃣ **Fix Connectivity Issues (if needed)**

* Restart HTTP App:

  ```bash
  docker restart <http_container_name>
  ```

5️⃣ **Run the Workflow**

* Execute the workflow → **Message sent to Telegram! ✅**<br>

  <figure><img src="/files/p4QUeoXYJMnZwlYnCJ28" alt="" width="381"><figcaption></figcaption></figure>
