Shuffle + Wazuh + TheHIVE + Cortex = Automation Bliss

Update : if you are watching this video in 2024
you dont need to put the custon-shuffle any more wazuh put this files by default in the integration folder , you may just need to modify the ossec.conf file !

Amazing tutorial! I just finished the Wazuh Shuffle TheHive setup and It worked perfectly!
thank you and keep up the good job!

DUde Discord integration so nice! Thank You for this keep it coming with the shuffle integrations! I LOVE AUTOMATION!!! Thanks again kind sir

Very informative tutorial, Kindly correct me if I am wrong. Firstly the alert generated in Wazuh manager and automatically comes in TheHive via webhook & shuffle. And later you automate the case creation in TheHive. In last you also automate the cortex to run observables. So from the start to end of this SOAR tutorial it shows the Security Orchestration and Automation BUT the Response part is missing. You have successfully demonstrate SOA part of SOAR but can you guide how we achieve the Response? As SOAR is not completed without Response to alerts. I mean after cortex find the IP is malicious then how will it block or quarantine that IP or domain etc? Or how will it ask wazuh manager to block that ip?? Will the cortex responders take action?? And one another question, you have used discord for sending messages whenever the alerts triggers. Can you please guide us how can we send email when there will be alert from wazuh manager to thehive case?
Thanks again. You are so talented.

The Curl statmet worked for me with no problem, I guess it have been fixed

Please, can you make a video for incident response in shuffle through cortex responder? Maybe, as the completion of this particular automation. Thank you.

you're amazing!! thank you so much

Hi Taylor, can you provide us with a new video to explain how to integrate cortex and misp with shuffle workflow from scratch?

Thanks your are great man, hatts-off to your great effort. Always thankful to you

Thanks for the great tutorial, can you advise what are the system requirements for each VM/system?

hi taylor thank for your videos ! great job !!
i'm just starting with that and i wanna know if we can install all of theses tools on the same machine !!

Anyone please help me thehive is showing an error as timeout error how to fix it?

Why do we need shuffle.
Cant we directly send a webhook from wazuh to create a case on hive ?

First off all, I really enjoyed your tutorials, so thank you so much and keep up the hard work ... for the app create case it worked for me .. all I did is create a new template (for that u will need to create at least one custom field too) and if u fill all the app's gaps it will work fine just as the others ... I have one question about how to make a workflow using the email trigger either for gmail or o365 (the triggers) ... when I try to authenticate the tell me that I need to change something in the API config if I am the shuffle's developer to allow a specific domain name to make API calls !!!

Can we connect iris with shuffle i couldn’t find any resource

Hello, i have a question. I setup a webhook to alert me on case rule id 5710 triggers, but nothing happens on the webhook on shuffle, it appears that shuffle doesn't work. Please help me Taylor Walton.

Does anyone know if thehive csn be substituted for dfir-iris since thehive5 is more limited with the free version?

I deployed ELK but I was struck in log pushing I don't know, i tried a lot but failed ,

Hi, Thank you for your efforts .
I did same configuration but webhook did not received any data . please your support.
Best Regards

Great work. I shutdown my vm and now the workflow is not working. By tailing the logs I can see that the wazuh is still sending the logs but the shuffle is not receiving through the http hook. How to start the workflow again.

I get this error when Shuffle tries to send alert to TheHIVE, btw, I have followed all your tutorials, simply amazing never had an issue, I actually have deployed this several times in production. For shuffle I cannot figure this one out.
"Results for Alert_Creation":{2 items
"type":"NotFoundError"
"message":"/alert"
}

i getting an error Failed getting hook 3e423d8b-be6f-444f-bd9a-8178f8d066fc (callback): Hook doesn't exist can anyone help me to resolve this issue

I would like to request you please make a video on simple project of ELK , wazuh, for very beginner.
I know you already uploaded multiple videos .

Can you comment on Alient Vault, please?

i'm using docker, after create integrations and the configuration same with your video tutorial, and after that restart wazuh-master , i got this output "Failed to get D-Bus connection: Operation not permitted". Can u help me what's going on?

Hey was going through your videos and coincidentally I was thinking of doing SOC automation for my masters project in MSc Cybersec, so does this automation using Shuffle + Wazuh + TheHIVE + Cortex , is it possible to run on my workstation which consist of 16 GB RAM can run this project - Automation of SOC ?

...Activate Windows

Hello and thank you very much for this tutorial.
I had a problem at 22:50 of the video. When I execute with the appropriate rule, I receive the error in the execution:
"exception":"Alert create error: HTTPConnectionPool(host='localhost', port=9000): Max retries exceeded with url: /api/alert (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused'))"
However, I did indicate localhost:9000 (which works very well), as well as the api and the name of the organization.
This may be due to the version of TheHive? I'm on 4.1.12-1

You did great for this tutorial, hope you make the next part of the video. Appreciate it 🔥

It will be helpful if we can know the version of each Tools. (wazuh, Thehive+cortex, Shuffle)

Simply wow, i so waited for this video, hope to have soon continues shuffle logic video, thank you

great content, thank you very much. I would like to know the video was published that would be the continuation of this case, referring to only sending a malignant ip to discord. If so, can someone send me the link please?

thankyou ssssssooooooooooooooooooooooooooooooooooooo much i was stuck but just bz of you now i can continue my project
thankyou again

Thanks for posting such informative content. Its a request can you make one with windows-10 being the agent-vm. as I am facing an issue that is logs are not being forwarded by filebeat to wazuh manager. Thanks!

small note, the "create_case_from_alert" that didn't work at 32:00 needs a case template even tho it says it is not required, it actually is

What software is Taylor using for the terminal caonnections? Amazing content!!!!!!!!!!! I feel like such a noob!!!!!

DUDE You are Awesome! Really Enjoying your content. Wondering if you would do something with Geo-IP and Android syslog. Dreaming of creating a Geo-fence for remote users.

Hi Guys ! Awesome tutorial ! Congrats ! For each type of incident on Wazuh we need to create a specific Workflow? There are any generic Fields for all alerts and than customize each one in update case?

Hey what is that terminal you are using it looks amazing!

Thank you....!!!!

Great

Simply beautiful