End-to-End Alert Automation: Wazuh → Shuffle → TheHive

🏗️ Final Part: SOC Automation Project

  • Building the lab diagram

  • Installing and configuring tools

  • Generating telemetry data

🎯 Today's Goal

We'll connect Shuffle (a SOAR platform) with Wazuh and TheHive, allowing:

  • ✅ Wazuh to send alerts to Shuffle

  • ✅ Shuffle to forward alerts to TheHive and email analysts


🔗 Installing and Setting Up Shuffle on Ubuntu

1. Install Dependencies

To begin, update the package list and install Docker and Docker Compose:

sudo apt update && sudo apt install -y docker.io docker-compose

Then, enable and start the Docker service:

sudo systemctl enable docker
sudo systemctl start docker

2. Clone the Shuffle Repository

Download the Shuffle source code from GitHub:

git clone https://github.com/Shuffle/Shuffle.git
cd Shuffle

3. Deploy Shuffle with Docker Compose

Run the following command to start the Shuffle services:

sudo docker-compose up -d

4. Access the Web Interface

Once the installation is complete, open your web browser and navigate to:

http://your-server-ip:3001

You should now see the Shuffle login page.


Post-Installation Steps

5. Set File Ownership and Restart Services

Run the following commands to fix ownership issues and restart necessary services:

sudo chown -R 1000:1000 shuffle-database
sudo swapoff -a
sudo docker restart shuffle-opensearch

The chown gives the containers' user (UID 1000) write access to the database directory, and disabling swap avoids the memory-related problems OpenSearch has when swap is enabled.


7. Create a New Workflow

Once Shuffle is installed and running, you can start automating tasks by creating workflows:

1️⃣ Create an Account

  • Sign up and log in

  • Click Workflows > New Workflow

  • Name it SOC Automation Lab

  • Select any use case and click Done.

2️⃣ Add a Webhook Trigger

  • Click Triggers (middle tab)

  • Drag & drop Webhook into the workspace

  • Name it wazuh-alerts

  • Copy the Webhook URL (you’ll need it later)

  • Click Change Me and set:

    • Execution type: Repeat back to me

    • Remove Hello World

    • Click + > Execution Argument

    • Save


⚙️ Configuring Wazuh to Connect with Shuffle

1️⃣ Edit Wazuh’s Configuration

  • SSH into Wazuh Manager

  • Open the config file:

    sudo nano /var/ossec/etc/ossec.conf
  • Scroll to the section where you want the integration (anywhere inside the main configuration works)

  • Add this:

    <integration>
      <name>shuffle</name>
      <hook_url>PASTE_WEBHOOK_URL_HERE</hook_url>
      <rule_id>100002</rule_id>
      <alert_format>json</alert_format>
    </integration>

  • Replace PASTE_WEBHOOK_URL_HERE with your copied Webhook URL (no stray spaces inside the tag, or Wazuh will post to a malformed URL)

  • Ensure proper indentation (use spaces, not tabs)

2️⃣ Restart Wazuh

  • Save and exit (CTRL + X, then Y, then Enter)

  • Restart Wazuh:

    sudo systemctl restart wazuh-manager
  • Check the status:

    sudo systemctl status wazuh-manager

    If it says running, we're good to go.

🚀 Testing Mimikatz Alert

1️⃣ Run Mimikatz

  • On your Windows Client:

    .\totally-not-mimktaz.exe
  • This simulates an attack and should trigger an alert

2️⃣ Check Shuffle for Events

  • Go back to Shuffle

  • Click on Webhook

  • Click Start > Person Icon (bottom tab)

  • Click Test Workflow

  • You should see the execution arguments (alert details from Wazuh)


🔄 Automating Further with VirusTotal & TheHive

Once alerts reach Shuffle, we can:

  1. Extract the file hash (from Mimikatz alert)

  2. Check the reputation on VirusTotal

  3. Create a case in TheHive

  4. Send an email to the SOC analyst

To extract hashes correctly:

  • Add Action → Search "Regex Capture Group" → Add it.

  • Set Input → Use $exec.text.win.eventdata.hashes.

  • Enter Regex → SHA256=([A-Fa-f0-9]{64}).

  • Save & Test → Run to check extraction.


🔍Send the Hash to VirusTotal

Get a VirusTotal API Key

Go to VirusTotal and sign up. After signing up, go to your account settings and copy the API key.

Connect VirusTotal to Shuffle

  1. In Shuffle, go to Apps and search for VirusTotal.

  2. Click on VirusTotal and activate it.

  3. Drag it into your workflow.

Set Up the VirusTotal Action

  1. Rename it to VirusTotal.

  2. Under Find Actions, choose "Get a hash report".

  3. Paste your API key in the authentication field.

  4. In the Hash Section, select the Regex Output from the previous step.


Now, get the Reputation Score

Verify VirusTotal's Output

  1. Run the workflow again.

  2. Expand VirusTotal's output → Go to Body Data → Attributes → Last Analysis Stats.

  3. Look for the Malicious Score (e.g., 65 scanners detected as malicious).

  4. This number represents how many scanners flagged the file as a threat.


📤Send Data to TheHive

Add TheHive to Shuffle

  1. Search for TheHive in Shuffle Apps and add it to your workflow.

  2. Drag it into your workflow and connect it to VirusTotal.

  3. Wait for TheHive actions to load (refresh if needed).

Configure TheHive

  1. Go to TheHive Web Interface.

  2. Log in with default credentials:

    Username: admin@thehive.local  
    Password: Secret
  3. Create a new organization (e.g., "Osama Team").

  4. Add two users:

    • Analyst: theuser@test.com

    • Service Account: shuffle@test.com (give it least privilege access).

  5. Set a password for Karim's analyst account and generate an API key for the service (SOAR) account; Shuffle will authenticate to TheHive with that key.

  6. In Shuffle, configure TheHive action to send alerts based on VirusTotal results.

  7. Now, set up the alert details that TheHive will receive (the values come from the Wazuh alert that passed through the VirusTotal step):

    Fields (Summary, Description):

    Summary -> Mimikatz Activity Detected on host: $exec.text.win.system.computer and the Process Id: $exec.text.win.eventdata.processId and the Commandline: $exec.text.win.eventdata.commandLine

    Description -> Mimikatz Detected on host: $exec.text.win.system.computer

Note: You might have the same problem here as me

Fixing JSON Issues in TheHive (Shuffle Integration)

Problem

When sending alerts from Shuffle to TheHive, you may encounter a 400 Bad Request error due to an invalid JSON format.

Cause

  • The execution argument auto-completion in Shuffle inserts incorrect JSON paths.

  • TheHive requires properly formatted JSON, and incorrect paths cause errors.

Solution

Step 1: Use the Advanced Field

  1. Open your Shuffle Workflow.

  2. Navigate to the TheHive action node.

  3. Click Advanced to manually input the JSON body.

Step 2: Paste the Correct JSON Format

Copy and paste the following JSON into the Body field:

{
  "description": "Mimikatz Detected on host: test-host",
  "externallink": "",
  "pap": 2,
  "severity": 2,
  "source": "Wazuh",
  "sourceRef": "Rule: 100002",
  "status": "New",
  "summary": "Mimikatz Activity Detected on host: test-host and the Process Id: 1234 and the Commandline: mimikatz.exe",
  "tags": ["T1003"],
  "title": "Test Alert",
  "tlp": 2,
  "type": "Internal"
}

Step 3: Save & Test

  1. Save the workflow.

  2. Rerun the execution.

  3. The error should be resolved, and TheHive will receive the alert correctly. 🎯
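As an added example (not the page's own code and not a Shuffle export), here is the same pipeline in Python: it pulls the SHA256 out of a Wazuh/Sysmon webhook payload with the page's regex, reads the VirusTotal malicious count the way the page does, and assembles the TheHive alert body in the JSON shape above. The webhook payload and the VirusTotal report are constructed samples; the field names follow the $exec paths used in this workflow.

```python
import json
import re

# Regex from the page's "Regex Capture Group" node; Hashes looks like "SHA1=..,MD5=..,SHA256=..,IMPHASH=.."
SHA256_RE = re.compile(r"SHA256=([A-Fa-f0-9]{64})")

# Constructed webhook payload shaped like what Wazuh's shuffle integration posts:
# "text" carries the Sysmon event as a JSON string, which Shuffle exposes as $exec.text.*
SAMPLE_WEBHOOK = {
    "rule_id": "100002",
    "text": json.dumps({"win": {
        "system": {"computer": "WIN-CLIENT01"},
        "eventdata": {"processId": "1234",
                      "commandLine": "C:\\Tools\\totally-not-mimikatz.exe",
                      "hashes": "SHA1=AAAA,MD5=BBBB,SHA256=" + "ab" * 32 + ",IMPHASH=CCCC"}}}),
}
# Constructed stand-in for VirusTotal's "Get a hash report" response body
SAMPLE_VT_REPORT = {"data": {"attributes": {"last_analysis_stats": {"malicious": 65}}}}

def event_from_webhook(payload):
    """Return the Sysmon event whether 'text' arrived as a JSON string or as an object."""
    text = payload["text"]
    return json.loads(text) if isinstance(text, str) else text

def extract_sha256(hashes_field):
    """SHA256 from the Hashes field (lower-cased for VirusTotal), or None if absent."""
    m = SHA256_RE.search(hashes_field or "")
    return m.group(1).lower() if m else None

def build_thehive_alert(event, sha256, vt_report):
    """Assemble the alert body in the JSON shape TheHive accepted in the fix above."""
    host = event["win"]["system"]["computer"]
    ev = event["win"]["eventdata"]
    # Body Data -> Attributes -> Last Analysis Stats -> malicious, the score the page reads
    malicious = vt_report["data"]["attributes"]["last_analysis_stats"]["malicious"]
    return {
        "description": f"Mimikatz Detected on host: {host} (SHA256 {sha256}, VT malicious: {malicious})",
        "externallink": "", "pap": 2, "severity": 2, "tlp": 2,
        "source": "Wazuh", "sourceRef": "Rule: 100002", "status": "New", "type": "Internal",
        "summary": (f"Mimikatz Activity Detected on host: {host} and the Process Id: "
                    f"{ev['processId']} and the Commandline: {ev['commandLine']}"),
        "tags": ["T1003"], "title": "Mimikatz Activity Detected",
    }

def run(payload=SAMPLE_WEBHOOK, vt_report=SAMPLE_VT_REPORT):
    event = event_from_webhook(payload)
    sha256 = extract_sha256(event["win"]["eventdata"]["hashes"])
    body = build_thehive_alert(event, sha256, vt_report)
    return json.loads(json.dumps(body))  # round-trip proves the body serialises as valid JSON
```

Running `run()` yields the dict TheHive expects; pasting its `json.dumps` output into the Advanced body field is a quick way to confirm the field names before wiring the $exec paths back in.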

Now, Log in to TheHive and Check Alerts

To verify any alerts in TheHive, log in using the previously created account:

  1. Open your web browser and navigate to TheHive's login page.

  2. Enter the credentials for the account "Karim".

  3. Check the dashboard for any alerts or notifications.

Sending a Telegram Message via Shuffle

Steps:

1️⃣ Install & Configure Shuffle

  • Ensure Shuffle is running on your Ubuntu server.

2️⃣ Use the HTTP App in Shuffle

  • Go to Shuffle UI → Apps → Install HTTP App.

3️⃣ Create a Workflow

  • Add HTTP Request as an action.

  • Set POST as the request method.

  • URL:

    https://api.telegram.org/bot<YOUR-TOKEN>/sendMessage
  • Body (JSON):

    {
      "chat_id": "<CHAT_ID>",
      "text": "Mimikatz Detected!"
    }

4️⃣ Fix Connectivity Issues (if needed)

  • Restart HTTP App:

    docker restart <http_container_name>

5️⃣ Run the Workflow

  • Execute the workflow → Message sent to Telegram! ✅


Last updated 2 months ago