This project automates SOC workflows using open-source tools like Wazuh, Shuffle, and TheHive. It aims to streamline event collection, alerting, and incident response to enhance SOC efficiency.
The project integrates multiple tools and systems to automate and enhance SOC operations. Below is the design layout for reference:
To ensure the smooth functioning and optimal performance of the SOC Automation system, the following system requirements must be met:
| Requirement | Specification |
|---|---|
| Storage | 150 GB (SSD Recommended) |
| RAM | 32 GB (Cloud PC Recommended for < 32 GB RAM) |
| OS | Windows 11 (Primary) |
| Name | Usage |
|---|---|
| VMware/VirtualBox | Virtualization software for creating and managing virtual machines. |
| Windows 11 | Primary operating system serving as the Wazuh agent host. |
| Ubuntu Server 22.04 | Lightweight OS for hosting Wazuh and TheHive on separate VMs. |
| Sysmon | Windows system monitor for detailed logging of process activities. |
| Mimikatz | Penetration testing tool to simulate security breaches. |
| SquareX | Browser extension for disposable email usage. |
| Draw.io | Tool for creating project architecture and design diagrams. |
| Wazuh Manager | Centralized agent-based monitoring and analysis solution. |
| Wazuh Dashboard | Visualization and management interface for Wazuh. |
| Wazuh Indexer | Backend storage and search engine for Wazuh. |
| TheHive | Incident response platform for managing alerts and cases. |
| Cassandra | Database used as a backend for TheHive. |
| Elasticsearch | Search engine for indexing and querying TheHive data. |
| VirusTotal | Online file and URL analysis service for threat detection. |
| Ngrok | Port forwarding to connect the local TheHive setup with Shuffle cloud. |
| UFW | Firewall configuration to manage network traffic. |
| Shuffler.io | Workflow automation platform for SOC processes. |
Day 1 - Design:
- Create a logical diagram of the project using draw.io.
- Diagram includes the architecture and flow between Wazuh, TheHive, Shuffle, and email.
- Watch Design Video
Day 2 - Install:
- Install Wazuh and TheHive on an Ubuntu Server VM.
- Set up virtual machines and install the required applications.
- Watch Installation Video
- Download Sysmon for Windows 10/11
- Download sysmonconfig.xml file
Day 3 - Configure:
- Configure Wazuh and TheHive servers and endpoints.
- Ensure both systems are communicating and processing telemetry.
- Watch Configuration Video
- /etc/cassandra/cassandra.yaml
- /etc/elasticsearch/elasticsearch.yml
- /etc/thehive/application.conf
- /etc/elasticsearch/jvm.options.d/jvm.options
- /etc/wazuh-indexer/jvm.options
Day 4 - Telemetry:
- Generate telemetry using Mimikatz at endpoints.
- Trigger and ingest telemetry into Wazuh for analysis.
- Watch Telemetry Generation Video
- Download Mimikatz
Day 5 - SOAR:
- Create an automated workflow between Wazuh, TheHive, Shuffle, and email to notify SOC analysts when alerts are triggered.
- The workflow will automatically send alerts to TheHive and email them to SOC analysts.
- Fork the TheHive app (in Shuffle) and change the create-alert API endpoint from /api/v1/alert to /api/alert.
- Create an account on https://ngrok.com/ to port-forward the local TheHive instance, since Shuffle Cloud cannot deliver alerts to a TheHive instance on the local network.
- Watch SOAR Automation Video
- Create Account on Shuffle
- Create Account on VirusTotal
- Wazuh monitors logs and security events from various endpoints.
- When potential threats are detected, Wazuh generates alerts that notify security teams about possible issues.
- Alerts generated by Wazuh are processed by a SHA256 REGEX component.
- This component extracts SHA256 hash values from the alerts, which are crucial for identifying files involved in the potential threats.
- An email notification (Email 1) is automatically sent out if a threat is identified.
- The email alerts the relevant parties (e.g., security analysts or response teams) to investigate the potential threat.
- The extracted SHA256 hash values are sent to VirusTotal for malware analysis.
- VirusTotal checks the hash values against its database of known malware to determine if they are flagged as malicious.
- Based on the results from VirusTotal, an incident is automatically created in TheHive 5.
- Security analysts and response teams can investigate and respond to the incident within TheHive 5, which provides tools for managing and tracking the progress of investigations.
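The workflow above, traced end to end in code as an added example (not part of the original project or of Shuffle's apps): a regex pulls the SHA256 out of a constructed Wazuh/Sysmon alert, a constructed VirusTotal v3 response decides whether the hash is malicious, and the result is shaped into a TheHive `/api/alert` body with the hash attached as an observable. Field names assume Wazuh's Sysmon decoder (`data.win.eventdata.hashes`), VirusTotal's `last_analysis_stats`, and TheHive's legacy alert format; no network calls are made, so Shuffle's email and HTTP steps are represented only by the returned values.

```python
import re

# Sysmon "Hashes" field as Wazuh's decoder forwards it: "SHA1=..,MD5=..,SHA256=..,IMPHASH=.."
SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")

# Constructed sample Wazuh alert for a Sysmon process-creation event (placeholder rule id,
# agent name and hashes; not a real capture).
SAMPLE_ALERT = {
    "rule": {"id": "100002", "level": 15, "description": "Mimikatz usage detected"},
    "agent": {"name": "WIN11-ENDPOINT"},
    "data": {"win": {"eventdata": {
        "image": "C:\\Users\\lab\\Downloads\\mimikatz.exe",
        "hashes": "SHA1=" + "a" * 40 + ",MD5=" + "b" * 32 + ",SHA256=" + "c" * 64,
    }}},
}
# Constructed VirusTotal v3 /files/{hash} response, trimmed to the field the workflow reads.
SAMPLE_VT = {"data": {"attributes": {"last_analysis_stats": {"malicious": 58, "undetected": 14}}}}

def extract_sha256(alert):
    """'SHA256 REGEX' step: lowercase hash, or None when the alert carries no Sysmon hashes."""
    hashes = alert.get("data", {}).get("win", {}).get("eventdata", {}).get("hashes", "")
    match = SHA256_RE.search(hashes)
    return match.group(1).lower() if match else None

def malicious_count(vt_response):
    """Number of engines flagging the file in a VirusTotal v3 response."""
    return vt_response["data"]["attributes"]["last_analysis_stats"].get("malicious", 0)

def build_thehive_alert(alert, sha256, vt_response):
    """Request body for TheHive's /api/alert, with the hash attached as an observable."""
    flagged = malicious_count(vt_response)
    rule, event = alert["rule"], alert["data"]["win"]["eventdata"]
    return {
        "type": "wazuh", "source": "shuffle",
        "sourceRef": f"wazuh-{rule['id']}-{sha256[:12]}",  # TheHive requires a unique sourceRef
        "title": rule["description"],
        "description": f"Agent {alert['agent']['name']} ran {event['image']}; "
                       f"VirusTotal: {flagged} engines flagged the SHA256",
        "severity": 3 if flagged else 2,  # 1 low, 2 medium, 3 high
        "tags": ["wazuh", f"rule:{rule['id']}", "virustotal"],
        "artifacts": [{"dataType": "hash", "data": sha256, "message": "SHA256 from Sysmon"}],
    }

def run_workflow(alert, vt_response, threshold=1):
    """Mirror the Shuffle flow (regex -> email -> VirusTotal -> TheHive); report each step's outcome."""
    sha256 = extract_sha256(alert)
    if sha256 is None:  # no hash to enrich: stop before paging anyone
        return {"email_sent": False, "sha256": None, "thehive_alert": None}
    thehive = build_thehive_alert(alert, sha256, vt_response) if malicious_count(vt_response) >= threshold else None
    return {"email_sent": True, "sha256": sha256, "thehive_alert": thehive}
```

Alerts without a Sysmon hash field are dropped before the email step, and a clean VirusTotal verdict still sends the email but skips case creation, which is the same branching the Shuffle workflow has to implement.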
While working on this project, I gained valuable knowledge and skills, including:
- SIEM and XDR: Learned about SIEM and XDR concepts using Wazuh.
- Case Management:
  - Explored case management systems through TheHive.
  - Learned about backend database systems like Elasticsearch and Cassandra, which power TheHive.
- SOAR:
  - Understood SOAR workflows by integrating Shuffle.
  - Built integrations between Wazuh, Shuffle, TheHive, and VirusTotal:
    - Wazuh: Generates alerts for potential security events.
    - Shuffle: Automates workflows, such as sending Wazuh alerts to TheHive for case management.
    - TheHive: Manages cases for incidents triggered by Wazuh alerts.
    - VirusTotal: Provides file and URL reputation analysis for enhanced incident investigation.
- Email Integration: Configured email notifications in Shuffle to send alerts directly to SOC analysts, ensuring they are informed in real-time about critical security events.
- Virtual Machine Configurations: Configured virtual machines, including network adapters, memory, CPU cores, and storage.
- Firewall Configuration: Set up and managed firewalls using UFW.
- Security Breach Simulation: Simulated security breaches using Mimikatz.
- Port Forwarding: Learned port forwarding through Ngrok to connect TheHive (local) with Shuffle (cloud).
- System Monitoring: Understood system monitoring mechanisms with Sysmon.
- Memory Management: Managed memory resources effectively while running resource-heavy servers like Wazuh and TheHive alongside testing on Windows 11.
- Patience and Research:
  - Faced several challenges, such as memory shortages, dependency issues, networking errors, and firewall configuration problems.
  - Kept patience, researched solutions, and overcame frustrations.
  - The project was initially expected to be completed in 7 days, but due to unforeseen difficulties, it took 14 days.
- Helping Others: I created this GitHub repository to document what I have learned and help others save time and effort when building a similar project.
If you have any queries or need assistance with the project, feel free to reach out:
Email: miteshofficial007@gmail.com