SOAR home lab (Part 5)

Khushdeep

Oct 9, 2025

In this final part of my SOAR Home Lab series, we’ll bring everything together, Wazuh, n8n and TheHive, to build a fully automated detection and response workflow.

By the end of this part, you’ll have a working automation pipeline that detects Mimikatz execution, extracts file hashes, checks them against VirusTotal, and automatically creates a case in TheHive for analyst triage.

Step 1: Boot Up and Prepare

1. Start your Wazuh droplet and Windows VM.

2. We’ll use n8n for automation, which we’ll install locally.

Step 2: Installing n8n

1. Download and install Node.js → https://nodejs.org/en/download

2. Open CMD and verify the installation:

node --version

3. Install n8n globally:

npm install n8n -g

4. Launch n8n and visit the dashboard:

n8n

Visit http://localhost:5678

Step 3: Making n8n Public with ngrok

Because Wazuh and TheHive can’t reach localhost on your machine, we’ll use ngrok to expose n8n to the internet.

1. Install ngrok from the Microsoft Store:
https://apps.microsoft.com/detail/9MVS1J51GMK6

2. Open another CMD window (keep n8n running in the first one).

3. Add your ngrok auth token; you can copy it from the ngrok dashboard at https://dashboard.ngrok.com/get-started/setup/windows

ngrok config add-authtoken <your_auth_token>

4. Run ngrok against port 5678 (n8n’s default port):

ngrok http 5678

5. This creates a secure public tunnel to n8n.
Copy the generated HTTPS forwarding URL; we’ll use it later. Anyone who has that URL can reach your n8n instance, so don’t share it and stop the tunnel once you’re done with the lab.

Step 4: Creating the Webhook in n8n

1. In n8n, click the ➕ button and choose “On Webhook Call.”

2. Change HTTP method to POST and copy the generated URL.

3. Replace localhost with your ngrok URL, e.g.:

https://<ngrok-url>/webhook-test/181fb61c-b2b6-4f5a-bb77-861b3e991065

(Screenshot: Webhook config)

4. Paste this into Wazuh’s config, /var/ossec/etc/ossec.conf:

<integration>
  <name>shuffle</name>
  <hook_url>https://<ngrok_url>/181fb61c-b2b6-4f5a-bb77-861b3e991065</hook_url>
  <rule_id>100002</rule_id>
  <alert_format>json</alert_format>
</integration>

5. Save and restart Wazuh:

sudo systemctl restart wazuh-manager.service

Step 5: Testing the Webhook

1. In n8n, click “Listen for test event.”

2. On your Windows VM, run Mimikatz from PowerShell, the same way we did in Part 4.

3. You should now see the alert arrive in n8n; your webhook is working!

(Screenshot: Webhook output)

Step 6: Extracting Hashes from Alerts

Add a new node → Data Transformation → Code → Code in JavaScript, and paste this:

// Read every item the webhook received in this execution
const items = $input.all();

const sha256Values = items.map((item) => {
  // Sysmon's "hashes" field looks like "MD5=...,SHA256=...,IMPHASH=..."
  const hashes = item?.json?.body?.all_fields?.data?.win?.eventdata?.hashes;
  // Pick the SHA256=... entry (undefined if the alert carries no hashes)
  const sha256 = hashes?.split(",").find((hash) => hash.startsWith("SHA256="));
  // Keep only the hex digest so the next node can use {{$json["sha256"]}}
  return { sha256: sha256?.split("=")[1] };
});

return sha256Values;

This script extracts the SHA256 hash from Wazuh’s alert.

(Screenshot: JavaScript SHA256 extraction script)
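As an added example (not code from the original post), here is a stand-alone version of that extraction that runs with plain Node outside n8n. It parses the whole Sysmon-style hashes string instead of only the SHA256 entry, and drops alerts that carry no hash so the VirusTotal node downstream never receives an undefined value. The two alert items are constructed for the example; the field path into the alert body is the same one the Code node above uses, and the output field names (alertId, user, image, md5) are my own choice.

```javascript
// Added example, not part of the original post: parse the Sysmon "hashes"
// field out of a Wazuh alert as it arrives at an n8n webhook.

// Constructed sample of what n8n sees in $input.all() after Wazuh's shuffle
// integration posts an alert (only the fields this example needs are present).
const sampleItems = [
  {
    json: {
      body: {
        id: "1759999999.12345",
        rule: { id: "100002", description: "Mimikatz usage detected" },
        all_fields: {
          data: {
            win: {
              eventdata: {
                user: "LAB\\analyst",
                image: "C:\\Tools\\mimikatz.exe",
                hashes:
                  "MD5=0123456789abcdef0123456789abcdef,SHA256=" +
                  "a".repeat(64) +
                  ",IMPHASH=fedcba9876543210fedcba9876543210",
              },
            },
          },
        },
      },
    },
  },
  // A non-Sysmon event with no hashes field must not crash the node.
  { json: { body: { id: "1759999999.12346", all_fields: { data: { win: { eventdata: {} } } } } } },
];

// Parse "ALG=hex,ALG=hex,..." into an object keyed by upper-case algorithm name.
// Tolerates surrounding whitespace and mixed case; skips malformed pairs.
function parseHashes(hashesField) {
  const out = {};
  if (typeof hashesField !== "string") return out;
  for (const pair of hashesField.split(",")) {
    const idx = pair.indexOf("=");
    if (idx <= 0) continue;
    const alg = pair.slice(0, idx).trim().toUpperCase();
    const value = pair.slice(idx + 1).trim().toLowerCase();
    if (/^[0-9a-f]+$/.test(value)) out[alg] = value;
  }
  return out;
}

// Map each webhook item to the fields the rest of the workflow needs.
// Items without a SHA256 are dropped so VirusTotal is never queried for "undefined".
function extractHashItems(items) {
  return items
    .map((item) => {
      const ed = item?.json?.body?.all_fields?.data?.win?.eventdata ?? {};
      const hashes = parseHashes(ed.hashes);
      return {
        json: {
          alertId: item?.json?.body?.id ?? null,
          user: ed.user ?? null,
          image: ed.image ?? null,
          sha256: hashes.SHA256 ?? null,
          md5: hashes.MD5 ?? null,
        },
      };
    })
    .filter((item) => item.json.sha256 !== null);
}

// Inside an n8n Code node the body would simply be: return extractHashItems($input.all());
console.log(JSON.stringify(extractHashItems(sampleItems), null, 2));
```

Returning items in the `{ json: {...} }` shape is what the n8n Code node expects, and filtering out hash-less alerts means a later HTTP Request node never builds a URL ending in `/files/undefined`.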

Step 7: Integrate VirusTotal

Before proceeding, create a VirusTotal account and get your API key.

Add an HTTP Request node with the following configuration:

  • Method: GET
  • URL: https://www.virustotal.com/api/v3/files/{{$json["sha256"]}}
  • Send Headers: x-apikey: <your_virustotal_api_key>

(Screenshot: VirusTotal config)

Click Test Connection → then Execute Step to verify it works.

(Screenshot: VirusTotal output)

Step 8: Integrate TheHive for Case Creation

Before connecting, generate a TheHive API key.

Configure TheHive:

1. Log into TheHive dashboard

2. Create a new Organization and two users:

  • Normal User: soar@test.com (Analyst profile)
  • Service User: shuffle@test.com (Analyst profile)

(Screenshot: Adding users into TheHive)

3. Generate an API key for the normal user, and also set a password for it (so that we can log into this user’s dashboard later).

Configure n8n:

1. Add a new node → TheHive 5

2. Connection settings:

  • URL: http://<theHive_IP>:9000
  • API Key: (Your user’s key)
  • Ignore SSL Issues: ✅

3. TheHive node configuration:

  • Resource: Case
  • Operation: Create
  • Title: Mimikatz Execution Detected
  • Description: {{ $json.data.links.self }}
  • Severity: High
  • Tags: Wazuh Event ID: {{ $('Webhook').item.json.body.id }}
  • Summary: {{ $('Webhook').item.json.body.all_fields.data.win.eventdata.user }}
  • TLP: Amber
  • PAP: Amber
  • Status: New

(Screenshot: TheHive config)

Click Execute Step to test.

(Screenshot: TheHive output)
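As an added example (not the post’s or any project’s code), the block below shows the glue between Step 7 and Step 8: it turns a VirusTotal file report into a verdict and uses that verdict to set the severity and tags of the TheHive case, instead of hard-coding Severity: High. The VirusTotal report and the alert fields are constructed; the report shape (data.attributes.last_analysis_stats, data.links.self) follows the v3 files endpoint the HTTP Request node calls, and the case fields (severity 1–4, tlp/pap 0–4, status, tags) follow TheHive 5’s case API as I understand it. The detection thresholds are my own choice, and a null report stands in for the 404 VirusTotal returns for a hash it has never seen.

```javascript
// Added example, not part of the original post: VirusTotal verdict -> TheHive case body.

// Constructed excerpt of GET https://www.virustotal.com/api/v3/files/<sha256>
const sampleVtReport = {
  data: {
    id: "a".repeat(64),
    type: "file",
    links: { self: "https://www.virustotal.com/api/v3/files/" + "a".repeat(64) },
    attributes: {
      last_analysis_stats: { malicious: 58, suspicious: 2, undetected: 10, harmless: 0, timeout: 0 },
      popular_threat_classification: { suggested_threat_label: "hacktool.mimikatz/hack" },
    },
  },
};

// Constructed view of the fields the TheHive node reads from the webhook item
const sampleAlert = { id: "1759999999.12345", user: "LAB\\analyst", image: "C:\\Tools\\mimikatz.exe" };

// Classify the file from engine counts. A null report means VirusTotal answered
// 404 (hash never submitted); that is "unknown", which still deserves a case.
function vtVerdict(report) {
  if (!report) return { verdict: "unknown", malicious: 0, total: 0 };
  const s = report.data.attributes.last_analysis_stats;
  const total = s.malicious + s.suspicious + s.undetected + s.harmless;
  const flagged = s.malicious + s.suspicious;
  let verdict = "clean";
  // Thresholds are this example's choice: 5+ engines or 10% of engines flagging it
  if (s.malicious >= 5 || flagged / total >= 0.1) verdict = "malicious";
  else if (flagged > 0) verdict = "suspicious";
  return { verdict, malicious: s.malicious, total };
}

// TheHive severity scale: 1 low, 2 medium, 3 high, 4 critical
function severityFor(verdict) {
  return { malicious: 4, suspicious: 3, unknown: 2, clean: 1 }[verdict];
}

// Build the JSON body for a TheHive 5 "create case" call (what the n8n node sends).
function buildCase(alert, sha256, report) {
  const v = vtVerdict(report);
  const label = report?.data?.attributes?.popular_threat_classification?.suggested_threat_label;
  return {
    title: "Mimikatz Execution Detected",
    description: [
      `User: ${alert.user}`,
      `Image: ${alert.image}`,
      `SHA256: ${sha256}`,
      `VirusTotal: ${v.verdict} (${v.malicious}/${v.total} engines)`,
      report ? `Report: ${report.data.links.self}` : "Report: hash not found on VirusTotal",
    ].join("\n"),
    severity: severityFor(v.verdict),
    tlp: 2, // amber
    pap: 2, // amber
    status: "New",
    tags: [`Wazuh Event ID: ${alert.id}`, `vt:${v.verdict}`, ...(label ? [label] : [])],
  };
}

console.log(JSON.stringify(buildCase(sampleAlert, "a".repeat(64), sampleVtReport), null, 2));
```

In n8n this logic would sit in a second Code node between the HTTP Request node and the TheHive node, with the TheHive node’s Severity and Tags fields mapped from its output; keeping the unknown-hash path separate matters because a freshly compiled tool will often have no VirusTotal record at all.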

Step 9: Full Workflow Test

1. Save your workflow.

2. Click Execute Workflow in n8n.

3. Run Mimikatz again on your Windows VM.

You should see:

  • Wazuh generates an alert ⚠️
  • n8n webhook captures it
  • Extracted hash sent to VirusTotal
  • TheHive case automatically created 🐝

Step 10: Optional Add-ons

You can extend this workflow:

  • Add Telegram or Email nodes for real-time alerts
  • Add enrichment sources (Shodan, AbuseIPDB, etc.)
  • Build additional automation playbooks

(Screenshot: Adding Telegram message forwarding)

Project Complete!

Congratulations! You’ve successfully built a fully automated SOAR workflow integrating:

  • Wazuh (Detection & Alerting)
  • n8n (Automation & Orchestration)
  • TheHive (Case Management)

This concludes the SOAR Home Lab Project, from architecture to full automation. The entire series walks through the real-world lifecycle of a modern SOC workflow: detect, enrich, respond, and automate.

(Screenshot: n8n workflow)
