Simplify Your SOAR Implementation with Shuffle and SIEM Integration

SOCFortress
2 min read · Jul 1, 2024


Introduction

In this tutorial, we will explore how to simplify the deployment of Shuffle, an open-source SOAR (Security Orchestration, Automation, and Response) platform, and integrate it with your existing SIEM (Security Information and Event Management) stack. This guide demonstrates how Shuffle Cloud eases the deployment process and extends your automation capabilities.

What is Shuffle?

Shuffle is an open-source SOAR platform that lets you build workflows to automate tasks within your SIEM stack or other environments. Shuffle hides much of the programming complexity and integrates the multiple services it needs to operate.

Hybrid Approach for Seamless Integration

To simplify the deployment and maintenance of Shuffle, we will use a hybrid approach. This involves using Shuffle Cloud to host the frontend while deploying the Shuffle worker container within your local data center. This approach leverages your existing infrastructure and ensures efficient workflow automation.

Steps to Implement

  1. Create a Shuffle Account:
     - Start by creating an account on Shuffle Cloud: https://shuffler.io/
     - This process is entirely free and uses their open-source offering.
  2. Deploy the Shuffle Worker:
     - Within the Shuffle Cloud environment, create a new organization and add an environment.
     - Copy the provided command to deploy the Shuffle worker container on your local VM.
     - Ensure your VM's Docker settings are configured correctly, particularly for your local DNS server.
  3. Create and Test Workflows:
     - Once the worker container is running, create a new workflow in Shuffle Cloud.
     - You can choose where the workflow runs, either in Shuffle Cloud or on your local worker node.

Example Workflow with Wazuh Integration

To demonstrate, we will create a workflow that interacts with the Wazuh manager API to list agents.

  1. Authentication:
     - Use a curl command to obtain a JWT token for authentication.
     - Configure the HTTP app in Shuffle to use this token for subsequent requests.
  2. List Agents:
     - Create a new workflow node that lists agents using the Wazuh API.
     - Configure the node to use the obtained JWT token and the appropriate API endpoint.
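The two steps above, written out as a small Python script so the token handling and response parsing are explicit. This is an added example, not code from the post, from SOCFortress or from the Shuffle project. It assumes the standard Wazuh manager API endpoints (`GET /security/user/authenticate` with basic auth returning `data.token`, and `GET /agents` with a Bearer token returning `data.affected_items`); the manager URL, credentials and CA certificate path are placeholders, and the sample responses are constructed so the parsing functions can be exercised offline. The same parsing logic is what a Shuffle HTTP node's output would be fed into by the next node in the workflow.

```python
"""Authenticate to the Wazuh manager API and list agents (added example).

Assumed Wazuh API behaviour:
  GET /security/user/authenticate  (basic auth)   -> {"data": {"token": "<jwt>"}, "error": 0}
  GET /agents                      (Bearer token) -> {"data": {"affected_items": [...]}, "error": 0}
"""
import base64
import json
import ssl
import urllib.request

# Placeholders: replace with your manager address and the CA that signed its certificate.
WAZUH_API = "https://wazuh-manager.example.internal:55000"
WAZUH_CA_FILE = "/etc/wazuh/ca.pem"

# Constructed sample responses, shaped like the real API, for offline use.
SAMPLE_AUTH_RESPONSE = '{"data": {"token": "eyJ.constructed.jwt"}, "error": 0}'
SAMPLE_AGENTS_RESPONSE = json.dumps({
    "data": {
        "affected_items": [
            {"id": "000", "name": "wazuh-manager", "status": "active"},
            {"id": "001", "name": "web-01", "status": "active"},
            {"id": "002", "name": "db-01", "status": "disconnected"},
        ],
        "total_affected_items": 3,
    },
    "error": 0,
})


def basic_auth_header(user: str, password: str) -> dict:
    """Header for the one-off token request (the only call that carries the password)."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}


def bearer_header(token: str) -> dict:
    """Header for every later request; the JWT replaces the password."""
    return {"Authorization": f"Bearer {token}"}


def _load(body):
    return json.loads(body) if isinstance(body, (str, bytes)) else body


def extract_token(auth_response) -> str:
    """Pull the JWT out of the authenticate response, failing loudly on API errors."""
    body = _load(auth_response)
    if body.get("error", 0) != 0:
        raise RuntimeError(f"Wazuh authentication failed: {body.get('message', body)}")
    token = body.get("data", {}).get("token")
    if not token:
        raise RuntimeError("Wazuh authentication response carried no token")
    return token


def summarize_agents(agents_response) -> list:
    """Reduce the /agents payload to (id, name, status) tuples."""
    body = _load(agents_response)
    if body.get("error", 0) != 0:
        raise RuntimeError(f"Wazuh /agents call failed: {body.get('message', body)}")
    return [(a["id"], a["name"], a.get("status", "unknown"))
            for a in body["data"]["affected_items"]]


def agents_by_status(summary: list) -> dict:
    """Group agent names by status; e.g. the next workflow node can alert on 'disconnected'."""
    grouped = {}
    for _, name, status in summary:
        grouped.setdefault(status, []).append(name)
    return grouped


def api_get(path: str, headers: dict, ca_file: str = WAZUH_CA_FILE) -> bytes:
    """GET against the manager API, verifying its TLS certificate against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(WAZUH_API + path, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read()


def list_agents(user: str, password: str) -> dict:
    """Step 1 (token) followed by step 2 (list agents), as the workflow does."""
    token = extract_token(api_get("/security/user/authenticate", basic_auth_header(user, password)))
    return agents_by_status(summarize_agents(api_get("/agents", bearer_header(token))))


if __name__ == "__main__":
    # Offline run over the constructed responses.
    print(agents_by_status(summarize_agents(SAMPLE_AGENTS_RESPONSE)))
```

In Shuffle the equivalent is two HTTP nodes: the first node's `data.token` output is referenced in the second node's Authorization header, so the API password lives only in the authentication node (or better, in a Shuffle authentication object) rather than in every request. Pinning the manager's CA rather than disabling verification matters here because the worker is talking to the SIEM across your data center network.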

Conclusion

By using a hybrid approach, we can simplify the maintenance and deployment of Shuffle while keeping it tightly integrated with our local SIEM stack. This method gives us the best of both worlds: Shuffle Cloud for the frontend and local infrastructure for workflow execution. Big thanks to the Shuffle team for providing this solution. Implementing Shuffle in your environment can greatly enhance your automation capabilities and streamline your security operations.

*For more detailed steps and commands, refer to the Shuffle Cloud documentation and follow along with the provided video tutorial.*

Feel free to customize and expand this guide to suit your specific requirements. Happy automating!

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).