Khushdeep
Aug 27, 2025
Introduction
Security Orchestration, Automation, and Response (SOAR) is a critical piece of modern SOC operations, enabling faster detection, analysis, and response to threats. In this lab, we’ll walk through setting up a practical SOAR environment using three core components:
- Wazuh — an open-source SIEM and endpoint security solution.
- TheHive — an open-source Security Incident Response Platform (SIRP).
- n8n — an open-source automation platform.
The goal is to build a functional mini-SOC in which n8n receives alerts from Wazuh, forwards them into TheHive for case management, notifies the SOC analyst, and drives automated response workflows.
Since this is a hands-on implementation, this guide will be divided into several parts to keep things clear and manageable. Each part will cover a major step in the setup process, from preparing the environment to deploying integrations and running playbooks.

Lab Roadmap
The series will be broken into several parts:
Part 1 — Introduction
Part 2 — Setup
Part 3 — Configuration & Testing
Part 4 — Configuring custom alerts and telemetry
Part 5 — Bringing everything together and wrapping up
Lab Requirements
Before we start, here’s what you’ll need:
Hardware / System Requirements
- Host PC: Windows x64 (recommended)
- Minimum: 16 GB RAM (to comfortably run multiple VMs)
- At least 100 GB disk space
Virtualization Setup
We’ll run a combination of on-prem VMs and cloud-hosted services:
On the Host (Windows PC):
- Virtualization tool: VirtualBox, VMware, or Hyper-V
- VM1: A Windows client (ISO will be created and used in the lab)
Cloud Environment:
- Deploy Wazuh Manager (SIEM)
- Deploy TheHive (SIRP)
- Cloud provider: AWS is used for this lab, but you can use your own cloud provider
If you want to know how to set up AWS for the labs for free, you can refer to my previous Medium article:
Setting up Honeypot at home using T-Pot
Architecture and Workflow
Here’s the architecture of the lab we will implement:
Windows Client
- Generates security events (logs, suspicious activities, etc.).
- Sends events to Wazuh Manager for analysis.
Wazuh Manager (SIEM)
- Receives events from the Windows client.
- Triggers alerts when suspicious activity is detected.
- Forwards alerts to n8n.
n8n (mini-SOAR)
- Receives alerts from Wazuh.
- Performs enrichment of IOCs (e.g., IP reputation, domain checks, file hash lookups).
- Sends enriched alerts to TheHive for case management.
- Sends a Telegram message to the SOC Analyst.
TheHive (Case Management)
- Receives enriched alerts as cases.
- Allows SOC Analyst to review, investigate and decide on response actions.
SOC Analyst
- Receives the alert notification from n8n.
- Reviews the case in TheHive.
- Sends response actions back to n8n (e.g., block IP, isolate host).
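To make the n8n step concrete, here is an added example (not the lab's own workflow, and not code from Wazuh or TheHive) that takes a Wazuh alert as JSON, pulls out the IOCs the enrichment step would look up, and builds the body for TheHive's alert API. It assumes TheHive 4/5's `/api/v1/alert` fields and a rule-level-to-severity mapping that is my own choice; the sample alert is constructed.

```python
import ipaddress
import re
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def severity_from_level(level: int) -> int:
    """Assumed mapping of Wazuh rule level (0-15) onto TheHive severity (1-4)."""
    return 4 if level >= 12 else 3 if level >= 8 else 2 if level >= 5 else 1

def classify(key: str, value: str):
    """TheHive dataType for a leaf value (ip/hash by value, domain by key name), else None."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if any(w in key.lower() for w in ("domain", "hostname")):  # avoids 'payload.exe'
        return "domain"
    return None

def extract_observables(node, key=""):
    """Walk the nested Wazuh 'data' block and return unique TheHive observables."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            found += extract_observables(v, k)
    elif isinstance(node, str) and (kind := classify(key, node.strip())):
        found.append({"dataType": kind, "data": node.strip()})
    return [o for i, o in enumerate(found) if o not in found[:i]]  # dedupe, keep order

def wazuh_to_thehive(alert: dict) -> dict:
    """Build the JSON body an n8n HTTP node would POST to TheHive's /api/v1/alert."""
    rule, agent = alert["rule"], alert["agent"]
    return {
        "type": "wazuh", "source": "wazuh", "sourceRef": alert["id"],
        "title": f"[{agent['name']}] {rule['description']}",
        "description": f"Wazuh rule {rule['id']} (level {rule['level']}) on agent {agent['id']}",
        "severity": severity_from_level(rule["level"]),
        "tags": [f"wazuh-rule:{rule['id']}", f"agent:{agent['name']}"],
        "observables": extract_observables(alert.get("data", {})),
    }

SAMPLE_ALERT = {  # constructed sample, shaped like a Wazuh alert for a Sysmon event
    "id": "1756288800.1234", "agent": {"id": "001", "name": "WIN-CLIENT"},
    "rule": {"id": "100200", "level": 10, "description": "PowerShell download cradle"},
    "data": {"srcip": "203.0.113.5", "win": {"eventdata": {
        "destinationHostname": "files.example.net", "destinationIp": "203.0.113.5",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}},
}
```

Pass `wazuh_to_thehive(SAMPLE_ALERT)` to an HTTP node with a TheHive API key and the alert lands in TheHive with the IP, domain and hash already attached as observables.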

Summary
In this first part, we laid the foundation for our SOAR lab. We introduced the core components (Wazuh, n8n, TheHive, and a Windows client) and defined how they will interact in a real-world SOC workflow. We also outlined the hardware and software requirements and the lab roadmap, and walked through the architecture design to give you a clear picture of the end-to-end flow.
By now, you should have a solid understanding of the overall design and objectives of the lab:
- Windows Client generates events → Wazuh triggers alerts → n8n enriches and orchestrates → TheHive manages cases → SOC Analyst reviews/responds.
- Responses loop back through n8n and Wazuh to the Windows Client.
With the blueprint in place, we’re ready to roll up our sleeves and start building.
In Part 2, we’ll set up the environment:
- Install and configure the virtual machines.
- Prepare the Windows client.
- Deploy Wazuh and TheHive on a cloud server.
This will give us the working infrastructure needed to start wiring everything together in later parts of the series.