Steps to Integrate Wazuh, TheHive, and Shuffle in a SOC Automation Lab

Table of contents
- Introduction
- Architecture Overview
- Setting Up the Environment
- Testing and Validation
- Viewing Security Events in Wazuh
- Implementing SOAR with Shuffle
- Conclusion
Introduction
In this post, I'll walk you through building a comprehensive Security Operations Center (SOC) automation lab that integrates Wazuh SIEM/XDR, TheHive for case management, and Shuffle for SOAR capabilities. This setup demonstrates how to automate security incident detection, enrichment, and response workflows in a controlled environment.
Architecture Overview
Logical Diagram of the SOC Automation Lab
The lab consists of the following components:
- Windows 10 client with the Wazuh agent and Sysmon
- Wazuh Manager server (Ubuntu 22.04)
- TheHive server (Ubuntu 22.04)
- Shuffle for SOAR
- Windows 10 SOC analyst workstation
The workflow follows these steps:
1. The Windows 10 client runs a Wazuh agent that forwards the Sysmon event channel to the manager
2. The Wazuh Manager processes these events and generates alerts based on predefined rules
3. Alerts are forwarded to Shuffle for automation and orchestration
4. Shuffle enriches the alerts with threat intelligence and forwards them to TheHive
5. TheHive creates cases for analyst investigation
6. SOC analysts receive email notifications and can begin their investigation
Setting Up the Environment
1. Windows 10 Client Configuration
Windows 10 Client with Sysmon Installed
First, I set up a Windows 10 VM and installed Sysmon for enhanced logging. Sysmon writes process creations (with command line, parent process and file hashes), network connections, image and driver loads and similar activity to the Microsoft-Windows-Sysmon/Operational event log, which is the telemetry the detection later depends on. Two details matter for the rest of the lab: Sysmon only records what its XML configuration tells it to (the bare default install covers little beyond process creation and driver loads), so install it with a configuration file, and make sure that configuration hashes with sha256, since Sysmon's default is SHA1 only and the enrichment step later extracts a SHA256 from the event.
2. Wazuh Manager Installation
Wazuh Installed on Ubuntu 22.04
On an Ubuntu 22.04 server, I installed Wazuh using the official installation script. The `-a` flag performs an all-in-one deployment (indexer, manager and dashboard on the same host) and `-i` skips the hardware prerequisite checks, which is acceptable for a lab VM:

```bash
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
# -a: all-in-one install; -i: ignore the CPU/RAM minimum checks (lab only)
sudo bash ./wazuh-install.sh -a -i
```

The script prints the dashboard admin password at the end of the run; the generated credentials are also kept in the wazuh-install-files.tar it leaves in the working directory, so protect or delete that archive.
Wazuh Dashboard Overview
3. TheHive Setup
TheHive installation required several prerequisites and components:
- Java installation

```bash
sudo apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release
wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee -a /etc/apt/sources.list.d/corretto.sources.list
sudo apt update
sudo apt install java-common java-11-amazon-corretto-jdk
echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"
```

- Cassandra database

```bash
wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install cassandra
```

- Elasticsearch

```bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch
```

- TheHive application

```bash
wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt-get update
sudo apt-get install -y thehive
```

Installing the packages is only half of the job. Before starting TheHive, Cassandra needs its cluster_name, listen_address, rpc_address and seed list set in /etc/cassandra/cassandra.yaml, Elasticsearch needs cluster.name and network.host in /etc/elasticsearch/elasticsearch.yml (and a JVM heap that fits the VM), and /etc/thehive/application.conf has to point at both (db.janusgraph.storage.hostname for Cassandra, db.janusgraph.index.search.hostname for Elasticsearch) and set application.baseUrl to the address analysts will use. Enable and start the three services in that order, Cassandra and Elasticsearch before TheHive, then log in on port 9000 with the default admin@thehive.local / secret account and change that password before creating anything else.
TheHive Dashboard Overview
4. Agent Deployment
Creating a Wazuh Agent
Installing the Wazuh Agent on Windows 10
Added Agent on Wazuh Dashboard
I deployed the Wazuh agent to the Windows 10 client and pointed its ossec.conf at the Sysmon event channel, so the manager receives the Sysmon events in addition to the standard Windows logs.
Testing and Validation
To validate the setup, I used Mimikatz, a credential-dumping tool, as a test case for detecting malicious activity:
- Modified the Wazuh agent's ossec.conf to ingest the Sysmon event channel
- Configured the Wazuh manager to archive every event it receives (logall), not only those that match a rule
- Enabled the archives input in filebeat.yml so the archived events are indexed
- Created a wazuh-archives-* index pattern in the dashboard so every event, alert or not, can be searched
Viewing Security Events in Wazuh
Wazuh Agent Configuration File
Wazuh Dashboard Showing Sysmon Events
Mimikatz Installed on Windows 10
Wazuh Manager Configuration for Logging All Events
Filebeat Configuration for Wazuh Logs
Index Creation for Wazuh Logs
Wazuh Dashboard Showing Mimikatz Events
Custom Rule for Mimikatz in Wazuh
Security Alert for Mimikatz in Wazuh
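The configuration changes behind the screenshots above, written out as an added example rather than copied from the page's own screenshots. File paths are the Wazuh defaults; the rule ID 100002, the group name and the rule level are this example's choices, and `<if_group>sysmon_event1</if_group>` assumes the stock Wazuh Sysmon ruleset, which tags Event ID 1 (process creation) with that group:

```xml
<!-- 1. Windows agent, C:\Program Files (x86)\ossec-agent\ossec.conf, inside <ossec_config>:
        forward the Sysmon channel (restart the Wazuh agent service afterwards). -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<!-- 2. Manager, /var/ossec/etc/ossec.conf: add these two settings to the existing
        <global> block. Every event the manager receives, matched by a rule or not,
        is then written to /var/ossec/logs/archives/ (archives.log and archives.json). -->
<global>
  <logall>yes</logall>
  <logall_json>yes</logall_json>
</global>

<!-- 3. Manager, /var/ossec/etc/rules/local_rules.xml: the custom Mimikatz rule.
        It fires only on process-creation events, and matches OriginalFileName, which
        Sysmon reads from the binary's version resource, so a renamed mimikatz.exe
        still trips it (a rebuilt binary with a changed resource would not). -->
<group name="sysmon,mimikatz,">
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)^mimikatz\.exe$</field>
    <description>Mimikatz usage detected on $(win.system.computer)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>
</group>
```

The Filebeat change is the one piece that is not XML: in /etc/filebeat/filebeat.yml, under the wazuh module, set `archives: enabled: true` next to the existing `alerts` entry and restart filebeat; the archived events then land in the wazuh-archives-* indices that the dashboard index pattern covers. After editing the manager files, run `sudo systemctl restart wazuh-manager` and feed a captured Sysmon event to /var/ossec/bin/wazuh-logtest to confirm rule 100002 fires before relying on it. Keep in mind that logall writes every event to disk, which is fine for a lab and fills the archives directory quickly anywhere else.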
Implementing SOAR with Shuffle
Workflow Creation
- Created a Shuffle account
- Created a workflow with a Webhook trigger and copied its hook URL
- Added an integration block pointing at that URL to the Wazuh manager's ossec.conf
Wazuh Integration with Shuffle
Testing Mimikatz Alert in Shuffle
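The integration block that forwards the Mimikatz rule to Shuffle, as an added example that is not taken from the page. Wazuh has shipped a built-in `shuffle` integration since 4.4, so nothing custom is needed on the 4.7 manager used here; the hook URL is a placeholder for the one Shuffle shows on its Webhook trigger, and 100002 is the assumed ID of the custom rule:

```xml
<!-- /var/ossec/etc/ossec.conf on the manager, inside <ossec_config> -->
<integration>
  <name>shuffle</name>
  <!-- Webhook URL from the Shuffle trigger node. Treat it as a secret: anyone who has it
       can post fabricated alerts straight into the workflow. -->
  <hook_url>https://shuffler.io/api/v1/hooks/webhook_REPLACE_ME</hook_url>
  <!-- Forward only the custom Mimikatz rule; <level>N</level> instead of <rule_id>
       would forward everything at or above that level. -->
  <rule_id>100002</rule_id>
  <alert_format>json</alert_format>
</integration>
```

Restart wazuh-manager afterwards. Each delivery attempt is recorded in /var/ossec/logs/integrations.log, which is the first place to look when the webhook in Shuffle stays empty after a test run.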
Alert Enrichment
Regex to Capture SHA256 in Shuffle
SHA256 Results
VirusTotal node added to the workflow
Reputation Score from VirusTotal
The workflow includes:
- Parsing the SHA256 hash out of the Sysmon Hashes field with a regex
- A VirusTotal lookup of that hash for threat intelligence enrichment
- Automated case creation in TheHive
TheHive Integration
Alerts in TheHive Case Management Platform
- Created a dedicated organization and a service account for Shuffle
- Generated an API key for that account; give it the least-privileged profile that can still create alerts, so a leaked key cannot administer the organization
- Mapped the Wazuh alert fields onto TheHive's alert fields (title, description, severity, source, sourceRef, tags)
Email Notifications
Configuring the Email Node in Shuffle
Email Notification Received by Analyst
The email node sends a notification (in the lab to a SquareX disposable mailbox, which avoids wiring a real mail account into a test environment) that includes:
- Computer name
- Event timestamp
- Alert details
- Threat severity
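The enrichment, TheHive hand-off and email steps above, reimplemented as one added Python example so the logic is visible outside the Shuffle UI. This is not the lab's workflow export or Shuffle's own app code: the alert, the VirusTotal response and the host names are constructed, the severity thresholds are this example's choice, and the only real interfaces it relies on are VirusTotal's v3 `/files/{hash}` endpoint (key in the `x-apikey` header) and TheHive 5's `POST /api/v1/alert` with a bearer API key.

```python
import json
import re
import urllib.request

# Sysmon records "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."; this pulls the SHA256 out
# wherever it sits, which requires Sysmon to be configured to hash with sha256.
SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")

# Constructed stand-in for the JSON Wazuh's shuffle integration posts to the webhook
# (field names follow Wazuh's alert schema; host, hashes and timestamp are made up).
SAMPLE_ALERT = {
    "timestamp": "2024-01-15T10:22:31.000+0000",
    "rule": {"id": "100002", "level": 15, "description": "Mimikatz Usage Detected",
             "mitre": {"id": ["T1003"]}},
    "agent": {"id": "001", "name": "WIN10-CLIENT"},
    "data": {"win": {
        "system": {"eventID": "1", "computer": "WIN10-CLIENT"},
        "eventdata": {
            "image": "C:\\Users\\analyst\\Downloads\\mimikatz.exe",
            "hashes": ("SHA1=3f7d0c27c8fbb6e8c6e3bd7b5b1a49e1d83a2c4d,"
                       "MD5=0c1e7c4a4f2d9b8e7a6f5d4c3b2a1908,"
                       "SHA256=61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1,"
                       "IMPHASH=1b7f38e1d8a7c8e1c4f3a2b1d0e9f8c7"),
        }}},
}

# Constructed VirusTotal v3 /files/{hash} response, trimmed to the one field used.
SAMPLE_VT_RESPONSE = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 55, "suspicious": 1, "undetected": 12, "harmless": 0, "timeout": 0}}}}


def extract_sha256(alert):
    """Lower-cased SHA256 from the alert's Hashes field, or None if it is missing."""
    hashes = alert.get("data", {}).get("win", {}).get("eventdata", {}).get("hashes", "")
    match = SHA256_RE.search(hashes)
    return match.group(1).lower() if match else None


def vt_request(sha256, api_key):
    """VirusTotal v3 file-report request; urllib.request.urlopen(...) on it returns JSON."""
    return urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}",
                                  headers={"x-apikey": api_key})


def vt_verdict(vt_response):
    """Reduce last_analysis_stats to a detection count and a TheHive severity (1-4)."""
    stats = vt_response.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Thresholds are this example's choice: 10+ engines critical, 1-9 high; an unknown
    # or clean hash keeps the alert at medium instead of silently dropping it.
    severity = 4 if flagged >= 10 else 3 if flagged else 2
    return {"flagged": flagged, "total": sum(stats.values()), "severity": severity}


def build_thehive_alert(alert, sha256, verdict):
    """Map the Wazuh alert plus VirusTotal verdict onto TheHive's v1 alert payload."""
    win, rule = alert["data"]["win"], alert["rule"]
    return {
        "type": "wazuh",
        "source": "wazuh-shuffle",
        # Unique per (type, source) and stable across re-runs, so a retried workflow
        # is rejected as a duplicate instead of opening a second alert.
        "sourceRef": f"{alert['agent']['id']}-{rule['id']}-{alert['timestamp']}",
        "title": f"{rule['description']} on {win['system']['computer']}",
        "description": (f"Rule {rule['id']} (level {rule['level']}) fired for "
                        f"{win['eventdata']['image']} at {alert['timestamp']}. VirusTotal: "
                        f"{verdict['flagged']}/{verdict['total']} engines flagged the file."),
        "severity": verdict["severity"],
        "tags": ["wazuh", "sysmon", f"rule:{rule['id']}"]
                + [f"mitre:{t}" for t in rule.get("mitre", {}).get("id", [])],
        # Attach the hash as an observable so TheHive analyzers can re-check it later.
        "observables": [{"dataType": "hash", "data": sha256,
                         "tags": [f"vt:{verdict['flagged']}/{verdict['total']}"]}],
    }


def post_thehive_alert(base_url, api_key, payload, timeout=10):
    """POST to TheHive 5 (v1 API, bearer token of the service account); network call."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/alert", data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def build_email(alert, sha256, verdict):
    """Plain-text analyst notification with the fields the lab's email node sends."""
    win = alert["data"]["win"]
    return "\n".join([
        f"Computer: {win['system']['computer']}",
        f"Time:     {alert['timestamp']}",
        f"Alert:    {alert['rule']['description']} (rule {alert['rule']['id']}) by "
        f"{win['eventdata']['image']}, SHA256 {sha256}",
        f"Severity: {verdict['severity']}/4 ({verdict['flagged']}/{verdict['total']} VT engines)",
    ])


if __name__ == "__main__":
    sha256 = extract_sha256(SAMPLE_ALERT)
    verdict = vt_verdict(SAMPLE_VT_RESPONSE)  # offline; use vt_request + urlopen for a live run
    print(json.dumps(build_thehive_alert(SAMPLE_ALERT, sha256, verdict), indent=2))
    print(build_email(SAMPLE_ALERT, sha256, verdict))
```

Run as-is it prints the TheHive payload and the email body built from the constructed sample; only `post_thehive_alert` (and a live `urlopen` on `vt_request`) touch the network, and both need real keys. Two choices carry over directly into the Shuffle nodes: `sourceRef` is derived from agent, rule and timestamp so a re-run of the workflow cannot create a second alert for the same event, and the hash is attached as an observable rather than only mentioned in the description, so it can be re-checked from within TheHive.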
Conclusion
This lab demonstrates a fully functional SOC automation workflow, from initial detection through to analyst notification. The integration between Wazuh, Shuffle, and TheHive provides a solid foundation for automated security operations, with room for additional customization and expansion.
Key benefits of this setup include:
- Automated threat detection and alerting
- Threat intelligence enrichment
- Streamlined case management
- Immediate analyst notification
- Customizable response workflows
Future improvements could include adding more threat intelligence sources, implementing automated response actions, and expanding the detection rules.