Introduction
I set up a SOAR platform, Shuffle SOAR, to connect with Wazuh agents using Wazuh's webhook API. In this scenario, when a Mimikatz alert is detected by Wazuh, it's sent to Shuffle SOAR for further action. Shuffle SOAR then receives the Mimikatz alert and extracts the SHA256 hash of the file from the alert data using a regular expression (regex). Next, this SHA256 hash is sent to VirusTotal to check its reputation score.
Explanation:
- Integration Setup: Configure Shuffle SOAR to communicate with Wazuh agents via Wazuh's webhook API. This integration allows Shuffle SOAR to receive alerts generated by Wazuh, such as the detection of Mimikatz activity.
- Alert Handling: When Wazuh detects suspicious activity, such as Mimikatz usage, it generates an alert and sends it to Shuffle SOAR in real-time through the webhook integration.
- Hash Extraction: Upon receiving the Mimikatz alert, Shuffle SOAR extracts the SHA256 hash associated with the file mentioned in the alert. This is done using a regular expression (regex) pattern, which matches and extracts that specific value from the alert data.
- VirusTotal Check: Once the SHA256 hash is extracted, Shuffle SOAR automatically sends it to VirusTotal through the VirusTotal API. VirusTotal is a widely used online service for analyzing files and URLs to detect malicious content; it calculates a reputation score for the file based on its analysis and historical data.
- Reputation Score Analysis: Shuffle SOAR receives the reputation score from VirusTotal and analyzes it to determine the level of risk associated with the file. A high reputation score indicates a lower likelihood of the file being malicious, while a low score raises red flags and triggers further investigation.
Sample hashes field from the alert:
hashes:SHA1=E3B6EA8C46FA831CEC6F235A5CF48B38A4AE8D69,MD5=29EFD64DD3C7FE1E2B022B7AD73A1BA5,SHA256=61C0810A23580CF492A6BA4F7654566108331E7A4134C968C2D6A05261B2D8A1,IMPHASH=55EE500BB4BDFC49F27A98AE456D8EDF
Regex used to extract the SHA256 value:
SHA256=([A-Fa-f0-9]{64})
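The same three steps (regex extraction from the webhook body, VirusTotal file lookup, verdict on the result) as a stand-alone Python example added here; it is not the Shuffle workflow itself. The alert body is constructed sample data carrying the hashes string shown above, the VirusTotal request targets the real v3 files endpoint but is built without being sent so the example runs offline, and the verdict thresholds on VirusTotal's last_analysis_stats counts (where a higher "malicious" count means higher risk) are an assumption for illustration.

```python
import json
import re
import urllib.request

# Regex from the write-up: capture the SHA256 value from the Sysmon-style "hashes" field.
SHA256_RE = re.compile(r"SHA256=([A-Fa-f0-9]{64})")

# Constructed Wazuh alert body as Shuffle's webhook trigger would receive it (sample data;
# only the hashes string is taken from the write-up).
SAMPLE_ALERT = json.dumps({
    "rule": {"description": "Mimikatz usage detected"},
    "data": {"win": {"eventdata": {
        "hashes": "SHA1=E3B6EA8C46FA831CEC6F235A5CF48B38A4AE8D69,"
                  "MD5=29EFD64DD3C7FE1E2B022B7AD73A1BA5,"
                  "SHA256=61C0810A23580CF492A6BA4F7654566108331E7A4134C968C2D6A05261B2D8A1,"
                  "IMPHASH=55EE500BB4BDFC49F27A98AE456D8EDF",
    }}},
})

def extract_sha256(alert_body: str):
    """Run the regex over the raw alert text, as the Shuffle regex action does.
    Returns the hash (normalised to lowercase) or None if the alert carries none."""
    match = SHA256_RE.search(alert_body)
    return match.group(1).lower() if match else None

def build_vt_request(sha256: str, api_key: str) -> urllib.request.Request:
    """GET /api/v3/files/{hash}: VirusTotal's file-report endpoint, authenticated with
    the x-apikey header. Built but not sent here so the example stays offline."""
    url = f"https://www.virustotal.com/api/v3/files/{sha256}"
    return urllib.request.Request(url, headers={"x-apikey": api_key})

def assess(last_analysis_stats: dict) -> str:
    """Turn VirusTotal's last_analysis_stats (per-engine verdict counts) into a verdict.
    Direction matters: a higher 'malicious' count means more risk, not less.
    The thresholds are an assumption for this example, not VirusTotal or Shuffle defaults."""
    malicious = last_analysis_stats.get("malicious", 0)
    suspicious = last_analysis_stats.get("suspicious", 0)
    if malicious >= 5:
        return "malicious"
    if malicious + suspicious >= 1:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    sha256 = extract_sha256(SAMPLE_ALERT)
    print("hash:", sha256)
    # Constructed stand-in for data.attributes.last_analysis_stats in a VirusTotal reply.
    print("verdict:", assess({"malicious": 60, "suspicious": 2, "undetected": 10}))
```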
Benefits:
Automated Response: By integrating Wazuh alerts with Shuffle SOAR and automating the process of extracting and analyzing file hashes, you streamline incident response and reduce manual effort.
Enhanced Threat Visibility: The integration with VirusTotal provides valuable insights into the reputation of files associated with security alerts, enabling quicker and more informed decision-making.
Proactive Threat Mitigation: With automated reputation checks, potential threats can be identified and addressed promptly, minimizing the risk of compromise to your organization's systems and data.
Overall, this scenario demonstrates how leveraging Shuffle SOAR alongside Wazuh and VirusTotal can strengthen your cybersecurity defenses by automating alert handling and threat intelligence analysis.