SOC Automation is the process of automating security monitoring, detection, investigation, and response workflows using Security Orchestration, Automation, and Response (SOAR) platforms, SIEM tools, and machine learning techniques.
Key Objectives:
- Reduce response time (MTTR) — Quickly detect and mitigate threats.
- Improve accuracy — Reduce false positives through automated correlation.
- Increase efficiency — Handle large volumes of alerts without analyst burnout.
- Standardize responses — Ensure consistent and policy-compliant actions.
- Project Title: Automated Security Operations Center (SOC) Workflow using Wazuh, Shuffle, and TheHive
- Context: This project demonstrates the implementation of a full-cycle automated incident response workflow, integrating leading open-source security tools. This design fulfills the requirements for a modern, efficient Security Operations Center (SOC).
- Primary Goal: To reduce the Mean Time To Respond (MTTR) to security incidents by leveraging Security Orchestration, Automation, and Response (SOAR) capabilities. This allows for rapid alert triage, enrichment, and initial containment, freeing human analysts to focus on complex investigation and threat hunting.
The system is a classic three-tiered architecture consisting of Detection, Orchestration, and Case Management components, all linked via the Internet, as shown in Figure 1.
| Component | Role | Specific Tool |
|---|---|---|
| Detection & Monitoring (SIEM/HIDS) | Collects endpoint events, analyzes logs, and generates alerts based on rules. | Wazuh Manager |
| Orchestration & Automation (SOAR) | Acts as the central "brain," ingesting alerts and coordinating automated actions across tools. | Shuffle |
| Incident & Case Management (SIRP) | Centralizes alerts, facilitates human analyst investigation, and documents the incident lifecycle. | TheHive |
| Endpoint | Generates events and executes response actions. | Windows 10 Client (Wazuh Agent) |
The following describes the logical flow of a high-severity security alert through the automated system, corresponding to the numbered steps in the diagram:
- Event Collection and Ingestion (1. Send Events & 2. Receive Events):
  - The Wazuh Agent installed on the Windows 10 Client monitors system activity (logs, file integrity, process execution) and forwards these security events over the network (via the Router and Internet) to the Wazuh Manager.
- Alert Generation and Forwarding (3. Send Alerts):
  - The Wazuh Manager processes the incoming events. When an event matches a high-severity rule (e.g., a known malicious command is executed), it triggers a security Alert.
  - This alert is immediately sent to Shuffle, which acts as the SOAR platform, often via a Webhook.
- Alert Enrichment (4. Enrich IOCs):
  - Shuffle ingests the raw Wazuh alert and triggers an automation playbook.
  - The playbook extracts Indicators of Compromise (IOCs), such as file hashes or IP addresses, and queries external Threat Intelligence platforms (e.g., VirusTotal, AbuseIPDB) via the Internet to enrich the alert data with reputation scores and context.
- Case Creation and Notification (5. Send Alerts & 6. Send Emails):
  - Based on the enriched data, Shuffle automatically creates a new Alert (which often converts into a Case) in TheHive, providing the human SOC Analyst with all collected evidence in one central location.
  - Concurrently, Shuffle sends an email notification to the SOC Analyst containing a summary of the incident and a link to the new case in TheHive.
- Human Triage and Response Decision (7. Send & Receive Emails):
  - The SOC Analyst reviews the enriched case in TheHive and the email. Crucially, the email often contains a call to action, such as an embedded button or link that allows the analyst to select a Response Action (e.g., "Isolate Host," "Close False Positive").
  - The analyst sends this Response Action back to Shuffle via the Internet/Email interface.
- Action Orchestration and Execution (8. Send Response Action & 8. Perform Response Action):
  - Shuffle receives the analyst's chosen response action.
  - It translates this high-level action into a specific command and sends a Response Action instruction to the Wazuh Manager.
  - The Wazuh Manager then uses its Active Response capability to command the Wazuh Agent on the Windows 10 Client to Perform the Response Action (e.g., blocking an IP in the firewall, terminating a process, or isolating the host from the network).
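The playbook logic behind steps 3 to 5 (parse the Wazuh alert, extract IOCs, merge the threat-intel verdicts, build the TheHive alert) is shown below as an added example; it is not code from this project or from Wazuh, Shuffle or TheHive. The sample alert, the rule id, the hash and the verdict dictionary are constructed, and the TheHive field names are assumed rather than taken from the page.

```python
import ipaddress
import json
import re

# Constructed Wazuh alert (shape follows Wazuh's alerts.json; all values are made up).
SAMPLE_ALERT = {
    "rule": {"id": "100100", "level": 7, "description": "Suspicious process execution"},
    "agent": {"id": "001", "name": "WIN10-CLIENT"},
    "data": {"win": {"eventdata": {
        "hashes": "SHA256=" + "0123456789abcdef" * 4,
        "destinationIp": "203.0.113.42",  # documentation range, stands in for an external peer
        "sourceIp": "192.168.1.10"}}},
}
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _is_external(ip):
    """Only externally routable IPs are worth a reputation lookup."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)

def extract_iocs(alert):
    """Return {'hash': [...], 'ip': [...]} found anywhere in the alert's data block."""
    text = json.dumps(alert.get("data", {}))  # flatten nested fields into one string
    hashes = {h.lower() for h in HASH_RE.findall(text)}
    ips = {ip for ip in IPV4_RE.findall(text) if _is_external(ip)}
    return {"hash": sorted(hashes), "ip": sorted(ips)}

def wazuh_level_to_thehive_severity(level):
    """Wazuh rule levels run 0-15; TheHive severity runs 1 (low) to 4 (critical)."""
    return 4 if level >= 12 else 3 if level >= 8 else 2 if level >= 4 else 1

def build_thehive_alert(alert, verdicts):
    """verdicts maps IOC -> 'malicious' or 'clean', as returned by the enrichment step."""
    iocs = extract_iocs(alert)
    observables = [{"dataType": kind, "data": v, "tags": ["verdict:" + verdicts.get(v, "unknown")]}
                   for kind, values in iocs.items() for v in values]
    severity = wazuh_level_to_thehive_severity(alert["rule"]["level"])
    if any(verdicts.get(v) == "malicious" for v in iocs["hash"] + iocs["ip"]):
        severity = 4  # a confirmed-malicious IOC outranks the rule-level mapping
    return {"type": "wazuh", "source": alert["agent"]["name"],
            "sourceRef": f"wazuh-{alert['rule']['id']}-{alert['agent']['id']}",
            "title": alert["rule"]["description"], "severity": severity,
            "artifacts": observables}
```

In the real workflow the `verdicts` dictionary would be filled from the VirusTotal/AbuseIPDB responses, and the returned payload posted to TheHive's alert endpoint by the Shuffle app.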

