How to Build a Fully Automated SOC Lab: Wazuh, Sysmon, Shuffle SOAR, TheHive, and VirusTotal Integration for Detection Engineering + Video

Listen to this Post

Featured Image

Introduction:

In the modern cybersecurity landscape, the sheer volume of security alerts often overwhelms even the most seasoned analysts. The key to effective defense lies not just in detection, but in automated response and streamlined case management. This article explores a comprehensive end-to-end SOC automation lab that bridges the gap between endpoint telemetry and incident response, utilizing a powerful open-source stack to simulate a real-world security operations center.

Learning Objectives:

  • Understand the architecture and integration points between SIEM (Wazuh), SOAR (Shuffle), and Case Management (TheHive).
  • Learn how to create custom detection rules for adversary techniques like credential dumping (MITRE ATT&CK T1003).
  • Gain hands-on experience in automating enrichment, alerting, and case creation through webhooks and API integrations.

You Should Know:

  1. Setting Up the Core Components: Wazuh and Sysmon for Endpoint Visibility

The foundation of this lab lies in robust data collection. Wazuh serves as the SIEM (Security Information and Event Management) platform, ingesting logs and generating alerts. Sysmon (System Monitor), a Windows service, provides deep telemetry into process creation, network connections, and file changes, feeding this rich data to Wazuh for analysis.

Step-by-step guide explaining what this does and how to use it:
This setup ensures that every critical action on the endpoint is logged. Sysmon logs are forwarded to the Wazuh manager, where they are parsed and correlated against a set of rules.

Implementation Steps:

  1. Install Wazuh Manager and Indexer: Deploy the Wazuh stack (Manager, Indexer, and Dashboard) on a Ubuntu server using the quickstart script or a manual installation.
  2. Deploy Wazuh Agent on Windows: Install the Wazuh agent on a Windows machine (the target endpoint) and configure it to point to the Wazuh Manager’s IP.
  3. Install and Configure Sysmon: Download Sysmon from Microsoft Sysinternals and install it with a configuration file (like SwiftOnSecurity’s sysmon-config) to log specific events.
    Windows Command to install Sysmon with a config
    .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
    
  4. Configure Wazuh Agent for Sysmon: Edit the `ossec.conf` file on the Wazuh agent to ensure it reads Sysmon events (usually via Windows Event Channel Microsoft-Windows-Sysmon/Operational). This allows Wazuh to generate alerts based on Sysmon data.

  5. Creating Custom Detection Rules: Detecting Mimikatz Execution (T1003)

The heart of detection engineering is creating rules that accurately identify adversary behavior. In this lab, a custom rule was created to detect the execution of Mimikatz, a well-known tool used for credential dumping, mapped to MITRE ATT&CK technique T1003.

Step-by-step guide explaining what this does and how to use it:
This rule is written in an XML format and placed on the Wazuh manager. It triggers an alert when a process named `mimikatz.exe` is executed, regardless of the command-line arguments.

Implementation Steps:

  1. Navigate to the Wazuh Rules Directory: On the Wazuh manager, go to /var/ossec/etc/rules/.
  2. Create a Custom Rule File: Create a new file, e.g., local_rules.xml.
  3. Define the Rule: Add the following XML rule to alert on the Mimikatz process creation event.
    <group name="windows,attack,credential_access,">
    <rule id="100200" level="15">
    <if_group>sysmon_event1</if_group> <!-- Process creation event -->
    <field name="win.eventdata.image" type="pcre2">(?i)mimikatz.exe</field>
    <description>Mimikatz execution detected - T1003</description>
    <mitre>
    <id>T1003</id>
    </mitre>
    </rule>
    </group>
    
  4. Restart Wazuh Manager: Apply the new rule by restarting the Wazuh manager service.
    Linux Command to restart Wazuh manager
    sudo systemctl restart wazuh-manager
    

3. Automating the Workflow with Shuffle SOAR

A SIEM is only as effective as the response it triggers. Shuffle, an open-source SOAR (Security Orchestration, Automation, and Response) platform, is used to automate the workflow. When Wazuh generates an alert, it sends a webhook to Shuffle, initiating a pre-defined automation chain.

Step-by-step guide explaining what this does and how to use it:
The workflow receives the alert data, extracts the file hash, sends it to VirusTotal for enrichment, and then creates a new case in TheHive with all the context.

Implementation Steps:

  1. Set up Shuffle: Deploy Shuffle (using their cloud version or a self-hosted Docker instance).
  2. Create a Webhook Trigger: In Shuffle, create a new workflow with a webhook trigger. Copy the webhook URL.
  3. Configure Wazuh to Send Alerts: Edit the Wazuh manager’s `ossec.conf` to add an integration that sends alerts to the Shuffle webhook URL. This is done by adding an `` block with the webhook URL.
    <integration>
    <name>shuffle</name>
    <hook_url>https://your-shuffle-instance.com/api/v1/hooks/your-token</hook_url>
    <alert_format>json</alert_format>
    </integration>
    

4. Build the Automation in Shuffle:

  • Trigger: Webhook (receives alert from Wazuh).
  • Action – Parse JSON: Extract relevant fields like `file_hash` and `description` from the alert.
  • Action – VirusTotal: Add a VirusTotal app to the workflow, configure it with an API key, and use it to get the reputation of the extracted file hash.
  • Action – Create Case in TheHive: Add TheHive app, configure its API endpoint and key, and map fields (title, description, severity) from the alert and enrichment data to create a new alert in TheHive.
  • Action – Send Email: Configure an email app to send a notification to the analyst’s inbox.

4. Integrating TheHive for Case Management

TheHive acts as the central case management platform, turning raw alerts into manageable, trackable cases. The integration with Shuffle allows for seamless creation of a “Case” with all the relevant details, eliminating the need for manual data entry and triage.

Step-by-step guide explaining what this does and how to use it:
When a high-severity alert is received, TheHive creates a new case and automatically populates it with observables (like the file hash) and the enrichment data from VirusTotal.

Implementation Steps:

  1. Deploy TheHive: Install TheHive (requires Java and Elasticsearch). The official Docker image is the easiest way to get started.
  2. Configure API Key: In TheHive, generate an API key for Shuffle to use. This requires administrative privileges.
  3. Configure Shuffle Workflow: In the Shuffle workflow, use the API URL of your TheHive instance and the generated API key to authenticate. The “Create Alert” action in Shuffle will now have fields for title, description, type, source, and observables.

5. Enrichment with VirusTotal API

To add context and threat intelligence to an alert, the automation pipeline sends a file hash to VirusTotal. This step determines if the file is known malware, providing the analyst with immediate, actionable intelligence.

Step-by-step guide explaining what this does and how to use it:
VirusTotal’s API allows for automated queries. By integrating it into the SOAR workflow, the analyst automatically receives the detection ratio and vendor information, which is then attached to the case in TheHive.

Implementation Steps:

  1. Obtain a VirusTotal API Key: Sign up for a free VirusTotal account to get an API key. (Note: free tier has rate limits).
  2. Add VirusTotal Node in Shuffle: In the Shuffle workflow, search for the VirusTotal community app.
  3. Configure the App: Input your API key and map the `file_hash` from the Wazuh alert into the `hash` field of the VirusTotal node.
  4. Parse the Response: Use a “Parse JSON” node to extract relevant information like positives, total, scan_date, and vendor detections, which can be used to populate the “Description” or “Observables” of the TheHive case.

6. Testing the Pipeline

The final step is to simulate an attack to ensure the entire workflow functions correctly. By executing Mimikatz on the monitored Windows endpoint, the custom Wazuh rule triggers, and the automation pipeline is set in motion.

Step-by-step guide explaining what this does and how to use it:
This test validates the integration between the SIEM, SOAR, and case management tools. A successful test results in a new alert in TheHive within seconds of the Mimikatz execution.

Implementation Steps:

  1. Download and Execute Mimikatz: On the Windows endpoint, run a simple command to trigger the rule, e.g., .\mimikatz.exe.
  2. Monitor the SIEM: Check the Wazuh dashboard for the `Mimikatz execution detected` alert.
  3. Monitor the SOAR: Verify that the Shuffle workflow was triggered.
  4. Monitor TheHive: Check for a new alert created in TheHive, containing the enriched data from VirusTotal and the notification email.

What Undercode Say:

Key Takeaway 1: Automation is the bridge between being overwhelmed by alerts and achieving effective incident response. This lab demonstrates that a fully open-source stack can power a sophisticated SOC pipeline.
Key Takeaway 2: The integration of detection rules (SIEM), enrichment (Threat Intelligence), and case management (TheHive) creates a centralized, efficient workflow, drastically reducing the Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

Expected Output:

The result of this implementation is a robust, self-contained SOC automation lab. When a Mimikatz execution occurs, a case is auto-created in TheHive with a title like “Mimikatz T1003 – [bash]” and a description containing the user, process details, and VT enrichment results. This provides the analyst with all the context needed to make a swift decision on the alert’s validity and urgency.

Prediction:

+1 The adoption of open-source automation tools like Shuffle and TheHive will democratize advanced SOC capabilities, allowing small and medium-sized teams to compete with large enterprises in detection and response speed.
-1 As automated pipelines become more prevalent, the criticality of securing the automation platform itself increases. A compromised SOAR workflow could be manipulated by adversaries to delete evidence, modify alerts, or cause widespread false positives to mask real attacks.
+1 The use of AI/ML for automated triage and enrichment will be the next logical step in this pipeline, moving beyond simple hash lookup to behavioral analysis and risk scoring, further reducing analyst fatigue and burnout.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Turki Hufais – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky