
You're reading from Security Monitoring with Wazuh

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781837632152
Edition: 1st Edition
Author: Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity." As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.

Security Automation Using Shuffle

Every day, the average security operations team receives over 11,000 security alerts (https://start.paloaltonetworks.com/forrester-2020-state-of-secops.html), including suspicious activity, intrusion attempts, privileged user and account monitoring, abnormal external communication, and unauthorized access attempts.

The majority of an analyst’s time (almost 70%) is spent investigating, triaging, or responding to alerts, and most of these alerts must be processed manually, greatly slowing down a company’s alert triage process. According to the same report, about 33% of these alerts turn out to be false positives. An SOC analyst can get frustrated with this overwhelming number of security alerts and repetitive false positives. This leads to the need for security automation, and this is where SOAR (Security Orchestration, Automation, and Response) plays a critical role. SOAR is a set of security features that enables businesses...

What is SOAR?

According to Gartner, “Security orchestration, automation and response (SOAR) solutions combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform.” SOAR tools are used to implement processes such as security playbooks, workflows, or processes to support a security operation analyst or incident analyst. The functionalities of SOAR are as follows:

  • Security orchestration: Security orchestration involves the coordination of security tasks and workflows across several security tools and teams. It aims to streamline and optimize a response to security incidents and threats. We can create workflows that automate a sequence of security tasks, such as alert triage, investigation, containment, and remediation. This also involves the integration of a wide range of security tools, such as SIEM, firewalls, endpoint protection, and threat intelligence feeds. An example could be orchestrating...

How a SOC analyst uses SOAR

A Security Operation Center (SOC) analyst is a cybersecurity professional responsible for monitoring, detecting, analyzing and mitigating security incidents in an organization. The SOC analyst leverages a SOAR platform to enhance the efficiency and effectiveness of security operations. By utilizing SOAR, SOC analysts can make jobs easier, cut down on reaction times, and make sure that security incidents are handled in a more coordinated and consistent way. There are several stages within the incident response process where the SOAR platform can be utilized, as shown in the following diagram.

Figure 4.1 – The flow of the incident response and SOAR

Based on the diagram, each stage can be explained as follows:

  1. Alert generation: SIEM (Security Information and Event Management) systems, an IDS/IPS (Intrusion Detection System/Intrusion Prevention System), and endpoint security solutions monitor network and system activity...

Introduction to Shuffle

Shuffle is an open-source interpretation of SOAR. It was built by Fredrik Oedegaardstuen. It brings automation with Plug and Play enterprise apps. Shuffle relies heavily on Docker and microservices, making its design modular and powerful. Let’s discuss some important components and features of Shuffle:

  • Apps and workflows: Apps are building blocks in workflows. Workflows are the part of Shuffle where everything comes together. When you first configure Shuffle, it should provide you with more than 100 existing apps. Shuffle covers many of the popular apps, as shown in the following screenshot.

Figure 4.2 – App and workflows in Shuffle

  • File analysis: Shuffle can help you upload and analyze an email attachment file with Yara. You can also manually upload a file by going to Admin | Files.

Figure 4.3 – Files for workflows in Shuffle

  • Shuffle cache: Shuffle can...

Retrieving Wazuh alerts

The combination of Wazuh and Shuffle SOAR offers an excellent synergy for automating a variety of security activities. Renowned for its strong threat detection and response capabilities, Wazuh gathers data from multiple sources throughout the infrastructure to produce alerts and insights. When combined with Shuffle, a SOAR platform created to make incident response and automation easier, these alerts can be orchestrated easily. By using Shuffle’s automation features, the integration lets security teams set up predefined responses to Wazuh alerts that are carried out immediately. Shuffle SOAR automates the initial analysis of alerts generated by Wazuh, filtering out false positives and prioritizing alerts based on severity. This helps security analysts focus on relevant security incidents.

This integration makes it possible to automate security tasks that used to be done manually, such as sorting alerts, investigating, and taking...

Remotely managing Wazuh

Shuffle SOAR is capable of automating multiple security operation activities. When it comes to managing the Wazuh manager and its agents, much of the work is manual: a security analyst has to add, remove, or modify different attributes by hand. The good news is that Wazuh provides the Wazuh API to allow a trusted party to communicate with the manager and send the required data. In this section, we will remotely manage multiple Wazuh-related tasks, such as managing agents, rules, CDB lists, agent groups, and decoders. We will cover the following topics in this section:

  • Requirements
  • Managing Wazuh agents

Requirements

To remotely manage Wazuh using Shuffle SOAR, we need to set up three things – authentication, JWT token generation, and subsequent API requests.

Authentication

In order to allow Shuffle to talk to the Wazuh manager, Shuffle initiates the authentication process by presenting valid credentials. The default credential of the Wazuh API is...
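As an added example that is not the book's or Shuffle's own code, here is the same three-step flow in plain Python: Basic authentication against the Wazuh API, extraction of the JWT, and Bearer-authenticated calls to the management endpoints, plus a check of the token's remaining lifetime so a workflow re-authenticates before a request fails. The manager address and credentials are placeholders, and the authenticate endpoint path, the response shape, and the token's `exp` claim are assumptions about the Wazuh 4.x API.

```python
import base64
import json
import ssl
import time
import urllib.request

# Placeholder manager address; the real host and port come from your deployment.
WAZUH_API = "https://WAZUH_MANAGER_PLACEHOLDER:55000"

def basic_auth_header(user, password):
    """Step 1: HTTP Basic value sent to POST /security/user/authenticate (assumed path)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def extract_token(body):
    """Step 2: pull the JWT out of the authenticate response ({"data": {"token": ...}} assumed)."""
    doc = json.loads(body)
    if doc.get("error", 0) != 0 or "token" not in doc.get("data", {}):
        raise RuntimeError(f"authentication failed: {doc}")
    return doc["data"]["token"]

def jwt_expiry(token):
    """Read the unverified exp claim so a workflow can renew before the token expires."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def token_usable(token, now=None, margin=60):
    """True while more than `margin` seconds of token lifetime remain."""
    now = time.time() if now is None else now
    return jwt_expiry(token) - margin > now

def authenticate(user, password, ca_file):
    """Steps 1 and 2 over the network; ca_file is the manager's CA so TLS checks stay on."""
    req = urllib.request.Request(WAZUH_API + "/security/user/authenticate", method="POST")
    req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=ca_file)) as r:
        return extract_token(r.read())

def api_request(path, token, ca_file, method="GET"):
    """Step 3: call /agents, /rules, /lists, /groups or /decoders with the Bearer token."""
    req = urllib.request.Request(WAZUH_API + path, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=ca_file)) as r:
        return json.loads(r.read())

def sample_token(exp):
    """Constructed, unsigned JWT for offline testing only; not a real Wazuh token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"
```

A Shuffle workflow would keep the token in the Shuffle cache and call `authenticate` again once `token_usable` returns False, rather than sending the API credentials on every request.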

Important Shuffle apps

The integration of Wazuh and Shuffle SOAR helps a security team to automate multiple recurring activities. It introduces a paradigm shift in how incidents are approached, bringing faster response times, phishing analysis, remote management of Wazuh, and much more. Shuffle SOAR supports integration with hundreds of security tools. In this section, we will discuss some important apps and their integration with Wazuh.

Incident enrichment using TheHive

TheHive is a powerful and scalable security incident response tool designed for SOCs, CSIRTs (Computer Security Incident Response Teams), and CERTs (Computer Emergency Response Teams). We can use the TheHive app in a Shuffle workflow to add enrichment to every alert before conducting a manual security investigation. Once you integrate TheHive with a Shuffle workflow, you can execute multiple tasks on TheHive by using its API endpoints, as shown here.

Figure 4.19 – TheHive API endpoints

An API endpoint is essentially...

Summary

In this chapter, we learned about the purpose of SOAR and how an SOC analyst uses SOAR in a real-world environment. We also learned how to set up a Shuffle SOAR platform using a Docker Compose environment and fixed some backend-related issues. This chapter continued with the integration of Wazuh with Shuffle to receive alerts from Wazuh in real time. Finally, we learned how to remotely manage Wazuh using API integration and also covered some popular third-party integrations with Shuffle.

In the next chapter, we will learn about Wazuh’s active response module to build a proactive incident response system. We will also cover some practical incident response use cases.
