SOC Automation Project with Wazuh and TheHive

Bit_Picker

Jun 28, 2025

As a Cyber Security enthusiast focused on real-world blue team operations, I wanted to go beyond theory and build a functional SOC lab from scratch — integrating Wazuh on a cloud server and monitoring a Windows VM running locally on VirtualBox. This project not only tested my technical skills, but also helped me understand how detection engineering and automation come together in a real SOC environment.

Why Wazuh:

  1. Open source
  2. HIDS (Host-based Intrusion Detection System)
  3. Built-in mapping of alerts to compliance frameworks (PCI DSS, GDPR, HIPAA, NIST 800-53)
  4. Cost-effective and community-driven
  5. Automation and SOAR integration
  6. Real-time event detection

Project Goals

  1. Set up Wazuh on a cloud server
  2. Set up Shuffle
  3. Create automated email alerts for the security analyst
  4. Detect malware and create a custom detection rule

Designing the Architecture

Before diving into installations, we need a clear architectural plan.
Just like building a house, a solid blueprint avoids misconfigurations and helps each component work together smoothly.

Architecture diagram (graph view of the data flow)

Let's understand the data flow from the diagram:

  1. Windows Tiny 10 (endpoint): The journey begins at the endpoint. The Wazuh agent installed there forwards Windows and Sysmon events to the Wazuh Manager: process executions, network connections, script usage, and more.
  2. Wazuh Manager: The manager receives the raw logs and processes them with decoders and detection rules.
    When a rule matches, for example unauthorized PowerShell usage or a file executed from a suspicious directory, Wazuh generates an alert with the relevant metadata and context.

3. Shuffle (SOAR Platform)

Once an alert is received, Shuffle takes over and automates the response pipeline:

  • IOC Enrichment: IPs, domains, or hashes are queried against public threat intel sources like VirusTotal.
  • Case Creation: A case is automatically generated in TheHive, including enriched data, alert summary, and priority level.
  • Analyst Notification: An email with all the relevant details is sent to the SOC analyst for triage.

4. SOC Analyst:

  • The analyst receives the email alert and opens the corresponding case in TheHive.
  • They review the timeline, indicators, and contextual data to decide whether it’s a true positive, false positive, or something that requires further investigation.

5. Automated or Manual Response:

If remediation is necessary, the analyst initiates a response action. This may be automated or manually triggered:

Flow:
SOC Analyst → Shuffle → Wazuh → Windows Client

The final action may include:

  • Quarantining a malicious file
  • Terminating a process
  • Blocking a malicious IP
  • Disabling a compromised user account

Tools Used:

Here’s what we’re working with in the lab setup:

  • Windows Tiny 10: endpoint VM with Sysmon and the Wazuh agent installed
  • Wazuh Manager: Collects logs and generates alerts
  • Shuffle: SOAR platform that automates actions
  • TheHive: Case management for alert investigations
  • Email: Alert delivery to SOC analyst
  • VirtualBox: hypervisor that runs the Windows VM

Step-by-Step Implementation:

A. VirtualBox Setup (on Ubuntu):

  1. Install VirtualBox on Ubuntu (for a Windows host, follow the official VirtualBox download page):
sudo apt update && sudo apt install virtualbox -y

2. Download a Windows ISO: you can use an official Windows 10 ISO if the host has at least 8 GB of RAM to spare, but I used Tiny10, which can be downloaded from the Internet Archive. Tiny10 is an unofficial, stripped-down build, so treat it as untrusted: compare the ISO against the hash published with it, and keep the VM confined to this lab.


3. Create a new VM in VirtualBox

  • Name: Window-SOC
  • RAM: 2 GB or more
  • CPU: 1 or more
  • Storage: default, or at least 20 GB

4. Keep the remaining settings at their defaults.

B. Windows VM Configuration (Endpoint/Agent):

  1. Access Windows: start the VM from VirtualBox (select it and click Start).

2. Download Sysmon (from Microsoft Sysinternals) and a Sysmon configuration XML.

3. Install Sysmon with the config (from a PowerShell prompt opened as Administrator, with both files in the same directory):

.\Sysmon64.exe -accepteula -i sysmon-config.xml
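To make steps 2 and 3 reproducible, here is an added PowerShell example (not the author's code) that fetches Sysmon from Microsoft Sysinternals, verifies the binary's Authenticode signature before running it as SYSTEM, installs it with a config, and checks that events are actually being written. The post does not say which config it uses, so the SwiftOnSecurity sysmonconfig-export.xml URL and the C:\Tools\Sysmon working directory are assumptions; run it from an elevated PowerShell prompt on the VM.

```powershell
# Added example (not from the original post): install Sysmon with a config and verify it.
# Assumptions: SwiftOnSecurity's config (the post does not name one) and C:\Tools\Sysmon as
# the working directory. Run from an elevated (Administrator) PowerShell prompt.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12  # PS 5.1 default is too old for some hosts

$workDir   = 'C:\Tools\Sysmon'
$sysmonZip = 'https://download.sysinternals.com/files/Sysmon.zip'
$configUrl = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'  # assumed config

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Binary and config must end up in the same directory, as the install line above expects.
Invoke-WebRequest -Uri $sysmonZip -OutFile "$workDir\Sysmon.zip" -UseBasicParsing
Expand-Archive -Path "$workDir\Sysmon.zip" -DestinationPath $workDir -Force
Invoke-WebRequest -Uri $configUrl -OutFile "$workDir\sysmon-config.xml" -UseBasicParsing

# Never run an unverified binary as SYSTEM: require a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath "$workDir\Sysmon64.exe"
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Sysmon64.exe signature check failed (status: $($sig.Status))"
}

# Fresh install with -i, or just reload the config with -c if Sysmon is already present.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & "$workDir\Sysmon64.exe" -c "$workDir\sysmon-config.xml"
} else {
    & "$workDir\Sysmon64.exe" -accepteula -i "$workDir\sysmon-config.xml"
}

# Verify: the service is running and the operational channel is receiving events.
Get-Service -Name Sysmon64 | Select-Object Name, Status
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 200 |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{n='EventId'; e={$_.Name}}, Count   # e.g. 1 = process create, 3 = network connect
```

The event-ID breakdown at the end is the quickest sanity check that the config is doing something: on a freshly booted VM you should see Event ID 1 (process creation) almost immediately, and Event ID 3 (network connection) as soon as anything talks to the network.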

C. Hosting Wazuh on the Cloud:

Create an account on DigitalOcean or any other cloud provider where you can host the Wazuh and TheHive machines. (You can get $200 of free credit with a verified GitHub Student account; just sign in with GitHub.)

1. Create the Droplet (Cloud Server)

  • Region: choose the nearest (e.g., Bangalore, Frankfurt, Toronto)
  • Image: Ubuntu 22.04 LTS
  • Specs: at least 2 vCPU and 4 GB RAM (4 vCPU and 8 GB is more comfortable), 160 GB SSD
  • Authentication: SSH key (recommended) or a strong root password
  • Hostname: wazuh

2. Set Up a Firewall

  • Navigate to: Networking → Firewalls
  • Create a new firewall, attach it to the droplet, and add inbound rules:
  • Allow SSH (port 22) from your IP only
  • Allow 443/tcp (Wazuh dashboard) from your IP only
  • Allow 1514/tcp and 1515/tcp: the Windows agent enrolls on 1515 and ships events on 1514, so without these the agent will never show as connected (restrict the source to your lab's public IP if it is static)

3. Access and Update the Server

SSH into your new droplet and update everything:

sudo apt-get update && sudo apt-get upgrade

4. Install Wazuh

Run the official Wazuh installation script in all-in-one mode (the -a flag; without an action flag the script only prints its usage). The release is pinned in the URL, so check the Wazuh quickstart for the current version:

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

This installs:

  • Wazuh Indexer
  • Wazuh Manager
  • Wazuh Dashboard

Note: save the admin username and password printed at the end of the installation; they are the dashboard login.

5. Access the web portal:

  • Open port 443 on the server's own firewall (the cloud firewall from step 2 must allow it too):
ufw allow 443/tcp
  • Open a browser and go to the dashboard, which is served over HTTPS on port 443:

https://<wazuh-ip>/

  • The installer generates a self-signed certificate, so the browser will warn about it; accept the warning for the lab, then log in with the admin credentials from step 4.

D: Setup TheHive (Cloud)

1. Create the Droplet (Cloud Server)

  • Region: Same as above
  • Image: Ubuntu 22.04 LTS
  • Specs: Minimum: 2 or 4 vCPU, 8 GB RAM, 160 GB SSD
  • Authentication: Use SSH key (recommended) or a strong root password
  • Hostname: thehive

2. Access:

  • SSH into the TheHive server
  • First update and upgrade:
sudo apt-get update && sudo apt-get upgrade -y

3. Follow the official setup guide:

The installation is a long process, and the official documentation is kept up to date and walks through it without errors. Alternatively, follow the SOC automation project videos by MyDFIR.

TheHive 5 Documentation: docs.strangebee.com

4. Allow access:

ufw allow 9000/tcp

5. Now access the web interface of TheHive at http://<thehive-ip>:9000/ and log in with the default credentials:

Username: admin@thehive.local
Password: secret

Change this password immediately after the first login, and restrict port 9000 to your own IP in the cloud firewall: TheHive serves plain HTTP on 9000 out of the box, and these well-known defaults must not sit on the open internet.

E: Setup Agent

  1. Log in to the Wazuh dashboard
  2. Go to Agents management > Summary > Add agent
  3. Choose Windows
  4. Enter the public IP address of the Wazuh manager (the droplet)
  5. Enter a name for your agent (hawkeye)
  6. Copy the generated command and paste it into a PowerShell window opened as Administrator
  7. When the installer finishes, start the service:
NET START WazuhSvc

The agent should appear as Active in the dashboard within a minute or so. If it stays Disconnected or Never connected, the usual cause is that 1514/tcp and 1515/tcp are not open on the droplet's firewall.
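The dashboard command installs and enrolls the agent, but the agent's default ossec.conf does not collect the Sysmon channel, so nothing from section B reaches the manager until a localfile entry is added. The following added PowerShell example (not the author's or Wazuh's own code) checks the two manager ports first, adds that entry, restarts the service, and reads the agent log to confirm it connected. The manager IP 203.0.113.10 is a placeholder to replace with your droplet's IP, and the install path is the Windows agent's default.

```powershell
# Added example (not from the original post): enable Sysmon forwarding in the Wazuh agent
# and confirm the agent can talk to the manager. Run from an elevated PowerShell prompt.
# Assumptions: default agent install path; 203.0.113.10 is a placeholder for your droplet IP.
$ErrorActionPreference = 'Stop'
$managerIp = '203.0.113.10'
$agentDir  = 'C:\Program Files (x86)\ossec-agent'
$ossecConf = Join-Path $agentDir 'ossec.conf'
$agentLog  = Join-Path $agentDir 'ossec.log'

# 1. Network path first: 1515/tcp is enrollment, 1514/tcp carries the events.
foreach ($port in 1515, 1514) {
    $probe = Test-NetConnection -ComputerName $managerIp -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP $port to $managerIp is closed; open it in the droplet firewall and ufw"
    }
}

# 2. Append a <localfile> block for the Sysmon channel, once, before the closing tag.
$sysmonBlock = @"

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

"@
Copy-Item -Path $ossecConf -Destination "$ossecConf.bak" -Force
$conf = Get-Content -Path $ossecConf -Raw
if ($conf -notmatch 'Microsoft-Windows-Sysmon/Operational') {
    $closing = $conf.LastIndexOf('</ossec_config>')
    if ($closing -lt 0) { throw "unexpected ossec.conf layout: no </ossec_config> found" }
    $conf = $conf.Insert($closing, $sysmonBlock)
    # WriteAllText writes UTF-8 without a byte-order mark, so the file stays as the installer wrote it.
    [System.IO.File]::WriteAllText($ossecConf, $conf)
}

# 3. Restart and confirm: an enrolled agent has a non-empty client.keys and logs the connection.
Restart-Service -Name WazuhSvc
Start-Sleep -Seconds 15
$keys = Join-Path $agentDir 'client.keys'
if (-not (Test-Path $keys) -or (Get-Item $keys).Length -eq 0) {
    throw "client.keys is missing or empty: enrollment on 1515 did not complete"
}
Get-Content -Path $agentLog -Tail 50 |
    Select-String -Pattern 'Connected to the server|Unable to connect|ERROR'
```

A "Connected to the server" line in the tail of ossec.log is the success signal; "Unable to connect" points back at the firewall rules from section C. Once Sysmon events flow, the dashboard's Security events view for the agent will show rule matches with data.win.system.providerName set to Microsoft-Windows-Sysmon.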

For the Shuffle part, you can follow along with the video by MyDFIR, as it is really hard to show each and every step, and also TheHive was creating problems while setting up with Shuffle; that's why I didn't include it in the blog.

If you have any problem during setup, you can comment.

In the next blog, we will cover some more cool stuff in the lab that is not done in the videos by MyDFIR.
