Update: if you are watching this video in 2024, you don't need to add the custom-shuffle any more; Wazuh puts these files in the integrations folder by default. You may just need to modify the ossec.conf file!
What if I am watching this in 2022?
Amazing tutorial! I just finished the Wazuh Shuffle TheHive setup and it worked perfectly!
Thank you and keep up the good job!
Simply wow, I waited so long for this video; hope to see the continuation of the Shuffle logic video soon. Thank you
Dude, the Discord integration is so nice! Thank you for this, keep it coming with the Shuffle integrations! I LOVE AUTOMATION!!! Thanks again, kind sir
You did great for this tutorial, hope you make the next part of the video. Appreciate it 🔥
Very informative tutorial. Kindly correct me if I am wrong. Firstly, the alert is generated in the Wazuh manager and automatically comes into TheHive via webhook and Shuffle. Later you automate the case creation in TheHive. Lastly, you also automate Cortex to run on the observables. So from start to end this SOAR tutorial shows the Security Orchestration and Automation, BUT the Response part is missing. You have successfully demonstrated the SOA part of SOAR, but can you guide us on how we achieve the Response? SOAR is not complete without a Response to alerts. I mean, after Cortex finds that the IP is malicious, how will it block or quarantine that IP or domain etc.? Or how will it ask the Wazuh manager to block that IP? Will the Cortex responders take action? And one other question: you have used Discord for sending messages whenever an alert triggers. Can you please guide us on how we can send an email when there is an alert from the Wazuh manager to the TheHive case?
Thanks again. You are so talented.
Small note: the "create_case_from_alert" that didn't work at 32:00 needs a case template. Even though it says it is not required, it actually is.
Please, can you make a video for incident response in shuffle through cortex responder? Maybe, as the completion of this particular automation. Thank you.
Thank you sssooooo much, I was stuck but just because of you I can now continue my project.
Thank you again
The curl statement worked for me with no problem; I guess it has been fixed.
Hi Taylor, thanks for your videos! Great job!!
I'm just starting with this and I want to know if we can install all of these tools on the same machine!!
Hi Taylor, can you provide us with a new video explaining how to integrate Cortex and MISP with a Shuffle workflow from scratch?
Thanks for the great tutorial. Can you advise what the system requirements are for each VM/system?
Hello, I have a question. I set up a webhook to alert me in case rule id 5710 triggers, but nothing happens on the webhook in Shuffle; it appears that Shuffle doesn't work. Please help me, Taylor Walton.
Why do we need Shuffle?
Can't we directly send a webhook from Wazuh to create a case on TheHive?
It would be helpful if we could know the version of each tool (Wazuh, TheHive + Cortex, Shuffle).
First of all, I really enjoyed your tutorials, so thank you so much and keep up the hard work ... For the create case app it worked for me .. all I did was create a new template (for that you will need to create at least one custom field too) and if you fill in all the app's fields it will work fine, just like the others ... I have one question about how to make a workflow using the email trigger for either Gmail or O365 (the triggers) ... when I try to authenticate they tell me that I need to change something in the API config, if I am Shuffle's developer, to allow a specific domain name to make API calls !!!
Can we connect IRIS with Shuffle? I couldn't find any resource.
Thanks for posting such informative content. It's a request: can you make one with Windows 10 being the agent VM, as I am facing an issue where logs are not being forwarded by Filebeat to the Wazuh manager. Thanks!
Does anyone know if TheHive can be substituted with DFIR-IRIS, since TheHive 5 is more limited in the free version?
Great content, thank you very much. I would like to know whether the video that would be the continuation of this one, about only sending a malicious IP to Discord, was published. If so, can someone send me the link please?
Anyone, please help me: TheHive is showing a timeout error. How do I fix it?
Simply beautiful
DUDE You are Awesome! Really Enjoying your content. Wondering if you would do something with Geo-IP and Android syslog. Dreaming of creating a Geo-fence for remote users.
Looking to cover adding Geo-IP to an IP field soon! Thanks for watching :)
you're amazing!! thank you so much
What software is Taylor using for the terminal connections? Amazing content!!!!!!!!!!! I feel like such a noob!!!!!
Can you tell me?
Thanks, you are a great man; hats off to your great effort. Always thankful to you
Hi guys! Awesome tutorial! Congrats! For each type of incident in Wazuh do we need to create a specific workflow? Are there any generic fields for all alerts, and then customize each one in update case?
Hey Paulo, you could either create a new webhook within shuffle and a new integration block within wazuh for every rule alert you want to send to shuffle. Or you could build out one universal workflow that triggers multiple subflows depending on the contents of the received json fields from the alert.
Hey, what is that terminal you are using? It looks amazing!
Termius, I love it: termius.com/
Thanks for watching :)
Great work. I shut down my VM and now the workflow is not working. By tailing the logs I can see that Wazuh is still sending the logs but Shuffle is not receiving them through the HTTP hook. How do I start the workflow again?
Hey Waleed, make sure the containers are running with "docker ps". If there are no containers running, navigate to the Shuffle directory ("/opt/Shuffle" is the path in the video) and run "docker-compose up -d".
@@taylorwalton_socfortress I will check it. Thanks for replying. Please share the firewall-drop.sh file in the wazuh active response.
I'm using Docker. After creating the integrations and the configuration the same as in your video tutorial, and after restarting wazuh-master, I got this output: "Failed to get D-Bus connection: Operation not permitted". Can you help me, what's going on?
Should it be whitelisted in the inbound rules?
@@wirasec Are you running selinux?
@@taylorwalton_socfortress I'm using CentOS 7.9 64-bit
@@wirasec Make sure you are not using SELinux... open up the /etc/selinux/config file, set it to disabled and reboot. linuxize.com/post/how-to-disable-selinux-on-centos-7/
@@taylorwalton_socfortress Hi, I got the same problem, and the status of SELinux is disabled, but I get the same output
Hi, thank you for your efforts.
I did the same configuration but the webhook did not receive any data. Please, your support.
Best regards
Did you notice any errors in the integrations.log file of the wazuh manager?
@@taylorwalton_socfortress It's working now, it was a typo in the code.
Thank you
I'm getting an error: "Failed getting hook 3e423d8b-be6f-444f-bd9a-8178f8d066fc (callback): Hook doesn't exist". Can anyone help me resolve this issue?
Try deleting and creating a new one
I deployed ELK but I was stuck on pushing logs. I don't know, I tried a lot but failed.
Were you able to install filebeat?
Can you comment on AlienVault, please?
Hey, what about AlienVault in particular? Do you mean integrating with their OTX API?
Thanks for watching!
I would like to request that you please make a video on a simple project with ELK and Wazuh, for complete beginners.
I know you have already uploaded multiple videos.
Hey, I was going through your videos and coincidentally I was thinking of doing SOC automation for my master's project in MSc Cybersec. So this automation using Shuffle + Wazuh + TheHive + Cortex, is it possible to run it on my workstation, which has 16 GB of RAM? Can it run this project, Automation of SOC?
Great idea for a master's project! You may be cutting it close with RAM, but if you are not ingesting too many logs and limit the memory that Elasticsearch consumes by setting the JVM options, then 16 GB should be OK. Good luck and let me know if I can help!
@@taylorwalton_socfortress Thanks for the reply. Sure, I will let you know when I need your help.
For a demonstration of the automated SOC, if I run a DDoS attack on the VM, will Wazuh be able to alert and then show up on TheHive or Kibana? In order to demonstrate this, will I need to build some additional scripts, or will the existing configuration handle this?
Thank you....!!!!
Great
...Activate Windows
I get this error when Shuffle tries to send the alert to TheHive. Btw, I have followed all your tutorials, simply amazing, never had an issue; I actually have deployed this several times in production. For Shuffle I cannot figure this one out.
"Results for Alert_Creation": {
"type": "NotFoundError",
"message": "/alert"
}
I am getting the same error
Can you check that your configured TheHive URL doesn't have a trailing slash in it? 😀😀
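Taylor's suggestion of one universal workflow that dispatches subflows on the alert's JSON fields, together with the trailing-slash URL pitfall raised in this NotFoundError thread, as an added Python example; this is not code from the video, Shuffle, Wazuh or TheHive, and the sample alert, the routing table, the subflow names and the level-to-severity scale are constructed assumptions:

```python
from typing import Optional

# Constructed sample alert shaped like a Wazuh alerts.json record (rule 5710 is the sshd
# "non-existent user" rule mentioned in the comments); the IP and host are made up.
SAMPLE_ALERT = {
    "timestamp": "2024-01-15T10:22:31.000+0000",
    "rule": {"level": 5, "id": "5710", "groups": ["syslog", "sshd", "authentication_failed"],
             "description": "sshd: Attempt to login using a non-existent user"},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.42"},
    "full_log": "Jan 15 10:22:31 web-01 sshd[1234]: Invalid user admin from 203.0.113.42",
}

# Hypothetical routing table: Wazuh rule group -> Shuffle subflow to trigger for it.
SUBFLOW_BY_GROUP = {
    "authentication_failed": "ssh_auth_failure_enrichment",
    "web": "web_attack_triage",
    "rootcheck": "host_integrity_case",
}
DEFAULT_SUBFLOW = "generic_alert_to_thehive"

def select_subflow(alert: dict, min_level: int = 5) -> Optional[str]:
    """Pick a subflow from rule.groups; None means the alert is too low-level for a case."""
    if int(alert["rule"]["level"]) < min_level:
        return None
    for group in alert["rule"].get("groups", []):
        if group in SUBFLOW_BY_GROUP:
            return SUBFLOW_BY_GROUP[group]
    return DEFAULT_SUBFLOW

def thehive_endpoint(base_url: str, path: str = "/api/alert") -> str:
    """Join the configured TheHive URL and an API path so that a trailing slash on the
    base URL cannot produce 'http://host:9000//api/alert'."""
    return base_url.rstrip("/") + "/" + path.lstrip("/")

def build_thehive_alert(alert: dict) -> dict:
    """Map Wazuh fields onto a TheHive 4 alert body; the level-to-severity scale is an
    assumption, and the srcip artifact is what Cortex analyzers would later run on."""
    rule, level = alert["rule"], int(alert["rule"]["level"])
    severity = 4 if level >= 12 else 3 if level >= 8 else 2 if level >= 5 else 1
    artifacts = []
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        artifacts.append({"dataType": "ip", "data": srcip, "message": "srcip from Wazuh"})
    return {
        "type": "wazuh", "source": alert["agent"]["name"],
        "sourceRef": f"wazuh-{rule['id']}-{alert['timestamp']}",  # unique per (type, source)
        "title": f"[{rule['id']}] {rule['description']}",
        "description": alert.get("full_log", ""), "severity": severity, "artifacts": artifacts,
    }
```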
Have you been able to
Hello and thank you very much for this tutorial.
I had a problem at 22:50 of the video. When I execute with the appropriate rule, I receive the error in the execution:
"exception":"Alert create error: HTTPConnectionPool(host='localhost', port=9000): Max retries exceeded with url: /api/alert (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused'))"
However, I did indicate localhost:9000 (which works very well), as well as the API and the name of the organization.
Could this be due to the version of TheHive? I'm on 4.1.12-1
Same problem, did you find a solution?