End-to-End Alert Automation: Wazuh → Shuffle → TheHive

🏗️ Final Part: SOC Automation Project

Building the lab diagram
Installing and configuring tools
Generating telemetry data

🎯 Today's Goal

We'll connect Shuffle (SOAR platform) with Wazuh and TheHive, allowing: ✅ Wazuh to send alerts to Shuffle ✅ Shuffle to forward alerts to TheHive and email analysts

🔗 Installing and Setting Up Shuffle on Ubuntu

1. Install Dependencies

To begin, update the package list and install Docker and Docker Compose:

sudo apt update && sudo apt install -y docker.io docker-compose

Then, enable and start the Docker service:

sudo systemctl enable docker
sudo systemctl start docker

2. Clone the Shuffle Repository

Download the Shuffle source code from GitHub:

git clone https://github.com/Shuffle/Shuffle.git
cd Shuffle

3. Deploy Shuffle with Docker Compose

Run the following command to start the Shuffle services:

sudo docker-compose up -d

4. Access the Web Interface

Once the installation is complete, open your web browser and navigate to:

http://your-server-ip:3001

You should now see the Shuffle login page.

Post-Installation Steps

5. Set File Ownership and Restart Services

Run the following commands to fix ownership issues and restart necessary services:

sudo chown -R 1000:1000 shuffle-database
sudo swapoff -a
sudo docker restart shuffle-opensearch

These steps ensure proper functioning of the database and avoid issues related to system swap.

7. Create a New Workflow

Once Shuffle is installed and running, you can start automating tasks by creating workflows:

1️⃣ Create an Account

Sign up and log in
Click Workflows > New Workflow
Name it SOC Automation Lab
Select any use case and click Done.

2️⃣ Add a Webhook Trigger

Click Triggers (middle tab)
Drag & drop Webhook into the workspace
Name it wazuh-alerts
Copy the Webhook URL (you’ll need it later)
Click Change Me and set:
- Execution type: Repeat back to me
- Remove Hello World
- Click + > Execution Argument
- Save

⚙️ Configuring Wazuh to Connect with Shuffle

1️⃣ Edit Wazuh’s Configuration

SSH into Wazuh Manager
Open the config file:
```
sudo nano /var/ossec/etc/ossec.conf
```
Scroll to the section (or anywhere in the file)

Add this:

<integration>
    <name>shuffle</name>
    <hook_url>https://shuffler.io/api/v1/hooks/webhook_ad498563-e028-4652-b63f-f918b0abb537 </hook_url>
    <rule_id>100002</rule_id>
    <alert_format>json</alert_format>
  </integration>

Replace PASTE_WEBHOOK_URL_HERE with your copied Webhook URL
Ensure proper indentation (use spaces, not tabs)

2️⃣ Restart Wazuh

Save and exit (CTRL + X, then Y, then Enter)
Restart Wazuh:
```
sudo systemctl restart wazuh-manager
```
Check the status:
```
sudo systemctl status wazuh-manager
```
If it says running, We're good to go

🚀 Testing Mimikatz Alert

1️⃣ Run Mimikatz

On your Windows Client:
```
.\totally-not-mimktaz.exe
```
This simulates an attack and should trigger an alert

2️⃣ Check Shuffle for Events

Go back to Shuffle
Click on Webhook
Click Start > Person Icon (bottom tab)
Click Test Workflow
You should see the execution arguments (alert details from Wazuh)

🔄 Automating Further with VirusTotal & TheHive

Once alerts reach Shuffle, we can:

Extract the file hash (from Mimikatz alert)
Check the reputation on VirusTotal
Create a case in TheHive
Send an email to the SOC analyst

To extract hashes correctly:

Add Action → Search "Regex Capture Group" → Add it.
Set Input → Use $exec.text.win.eventdata.hashes.
Enter Regex → SHA256=([A-Fa-f0-9]{64}).
Save & Test → Run to check extraction.

🔍Send the Hash to VirusTotal

Get a VirusTotal API Key

Go to 🔗 and Sign Up.
After signing up, go to your account settings and copy the API key.

Connect VirusTotal to Shuffle

In Shuffle, go to Apps and search for VirusTotal.
Click on VirusTotal and activate it.
Drag it into your workflow.

Set Up the VirusTotal Action

Rename it to VirusTotal.
Under Find Actions, choose "Get a hash report".
Paste your API key in the authentication field.
In the Hash Section, select the Regex Output from the previous step.

Now, get the Reputation Score

Verify VirusTotal's Output

Run the workflow again.
Expand VirusTotal's output → Go to Body Data → Attributes → Last Analysis Stats.
Look for the Malicious Score (e.g., 65 scanners detected as malicious).
This number represents how many scanners flagged the file as a threat.

📤Send Data to TheHive

Add TheHive to Shuffle

Search for TheHive in Shuffle Apps and add it to your workflow.
Drag it into your workflow and connect it to VirusTotal.
Wait for TheHive actions to load (refresh if needed).

Configure TheHive

Go to TheHive Web Interface.

Username: admin@thehive.local  
Password: Secret

Create a new organization (e.g., "Osama Team").
Add two users:
- Analyst: theuser@test.com
- Service Account: shuffle@test.com (give it least privilege access).
We need to set a password for Karims's account and generate an API key for the SOAR account.
In Shuffle, configure TheHive action to send alerts based on VirusTotal results.

Now, we must setup the alert configurations details for TheHive and VirusTotal :

Fields (Summary ,Description ):

Summary -> Mimikatz Activity Detected on host: $exec.text.win.system.computer and the Process Id: $exec.text.win.eventdata.processId and the Commandline: $exec.text.win.eventdata.commandLine
Description -> Mimikatz Detected on host:$exec.text.win.system.computer

Note: You might have the same problem here as me

Fixing JSON Issues in TheHive (Shuffle Integration)

Problem

When sending alerts from Shuffle to TheHive, you may encounter a 400 Bad Request error due to an invalid JSON format.

Cause

The execution argument auto-completion in Shuffle inserts incorrect JSON paths.
TheHive requires properly formatted JSON, and incorrect paths cause errors.

Solution

Step 1: Use the Advanced Field

Open your Shuffle Workflow.
Navigate to the TheHive action node.
Click Advanced to manually input the JSON body.

Step 2: Paste the Correct JSON Format

Copy and paste the following JSON into the Body field:

{
  "description": "Mimikatz Detected on host: test-host",
  "externallink": "",
  "pap": 2,
  "severity": 2,
  "source": "Wazuh",
  "sourceRef": "Rule: 100002",
  "status": "New",
  "summary": "Mimikatz Activity Detected on host: test-host and the Process Id: 1234 and the Commandline: mimikatz.exe",
  "tags": ["T1003"],
  "title": "Test Alert",
  "tlp": 2,
  "type": "Internal"
}

Step 3: Save & Test

Save the workflow.
Rerun the execution.
The error should be resolved, and TheHive will receive the alert correctly. 🎯

Now, Log in to TheHive and Check Alerts

To verify any alerts in TheHive, log in using the previously created account:

Open your web browser and navigate to TheHive's login page.
Enter the credentials for the account "Karim" .
Check the dashboard for any alerts or notifications.

Sending a Telegram Message via Shuffle

Steps:

1️⃣ Install & Configure Shuffle

Ensure Shuffle is running on your Ubuntu server.

2️⃣ Use the HTTP App in Shuffle

Go to Shuffle UI → Apps → Install HTTP App.

3️⃣ Create a Workflow

Add HTTP Request as an action.
Set POST as the request method.

URL:

https://api.telegram.org/bot<YOUR-TOKEN>/sendMessage

Body (JSON):

jsonCopyEdit{
  "chat_id": "<CHAT_ID>",
  "text": "Mimiktaz Detected!"
}

4️⃣ Fix Connectivity Issues (if needed)

Restart HTTP App:
```
docker restart <http_container_name>
```

5️⃣ Run the Workflow

Execute the workflow → Message sent to Telegram! ✅

PreviousTracking Mimikatz Activity with Wazuh & Sysmon Logs

Last updated 14 days ago