Streamlining Incident Management: Integrating Copilot with Shuffle for Enhanced SIEM Alert Handling

SOCFortress
3 min read · Sep 17, 2024


In this guide, we’ll explore how to integrate Copilot with Shuffle to automate and streamline your incident management process by connecting your SIEM alerts with third-party tools like Jira, ConnectWise, or even email notifications.

Why Integrate Copilot with Shuffle?

Copilot: The Data Presenter

Copilot is a powerful tool that processes and presents alert data from your SIEM stack. It acts as the bridge between your security alerts and the automation workflows you wish to implement.

Shuffle: The Automation Engine

Shuffle is an open-source security automation platform that allows you to automate virtually any task. It works by executing workflows triggered by specific events — in this case, SIEM alerts provided by Copilot.

By integrating Copilot with Shuffle, you can:

  • Automatically generate tickets in systems like Jira or ConnectWise.
  • Send email notifications to clients or team members.
  • Integrate with custom applications or other third-party tools.
  • Interact with SIEM stack components like Wazuh Manager API for additional automation.

Prerequisites

  • Copilot installed and configured in your environment.
  • Shuffle deployed either on-premises or using Shuffle’s cloud environment.
  • Access to third-party tools (e.g., Jira, ConnectWise) with API capabilities.
  • Basic understanding of APIs and workflow automation.

Step-by-Step Integration Guide

1. Configure Copilot to Send Data to Shuffle

a. Obtain Shuffle API Key

  1. Log into Shuffle: Access your Shuffle environment (cloud or on-premises).
  2. Navigate to Organization Settings: Go to your organization and select “Users.”
  3. Copy API Key: Locate your API key and copy it for later use.

b. Update Copilot with Shuffle Credentials

  1. Access Copilot Connectors: In Copilot, navigate to the “Connectors” section.
  2. Select Shuffle Connector: Choose the Shuffle connector and click “Update.”
  3. Enter Shuffle URL and API Key:
  • URL: If using Shuffle Cloud, enter https://shuffler.io.
  • API Key: Paste the API key you copied from Shuffle.

2. Create a Workflow in Shuffle

a. Set Up a New Workflow

  1. Create Workflow: In Shuffle, click on “New Workflow.”
  2. Name Your Workflow: Give it a descriptive name (e.g., “Jira Ticket Automation”).
  3. Copy Workflow ID: After creation, copy the workflow ID from the URL (https://shuffler.io/workflow/<workflow-id>).

b. Associate Workflow with Copilot Customer

  1. Go to Copilot Customers: In Copilot, select “Customers.”
  2. Choose Customer: Click on the customer you want to associate with the workflow.
  3. Add Notification Workflow:
  • Enable Notification: Turn on the notification toggle.
  • Paste Workflow ID: Enter the workflow ID you copied from Shuffle.
  • Save Configuration: Click “Submit” to save.

3. Customize Alert Data Fields

  1. Define Field Names in Copilot:
  • Navigate to the Wazuh alert source configuration in Copilot.
  • Specify the field names you want to include in the alert context.
  2. Ensure Data Availability:
  • Only fields with data will be sent to Shuffle.
  • Customize fields based on what is relevant for your incident management.

4. Build the Workflow to Create Jira Tickets

Add Jira Node in Shuffle Workflow

  1. Edit Workflow: Open your workflow in Shuffle.
  2. Add Jira App: Drag and drop the Jira app into the workflow.
  3. Configure Jira Node:
  • Action: Select “Create Issue.”
  • Authentication: Add your Jira credentials (API token and URL).
  • Body Parameters:
  {
    "fields": {
      "project": {
        "key": "SOC"
      },
      "summary": "$exec.execution_arguments.alert_title",
      "issuetype": {
        "name": "Problem"
      },
      "description": {
        "type": "doc",
        "version": 1,
        "content": [
          {
            "type": "paragraph",
            "content": [
              {
                "text": "Alert triggered for $exec.execution_arguments.customer_code",
                "type": "text"
              }
            ]
          }
        ]
      }
    }
  }

Dynamic Fields: Use dynamic placeholders like {$exec.execution_arguments.alert_title} and {$exec.execution_arguments.customer_code} to populate fields with alert data.
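As an added example (not code from this post, nor from Copilot or Shuffle), the following Python builds the Jira "Create Issue" body of step 4 from an alert context of the kind step 3 describes: it drops fields that carry no data, expands the $exec.execution_arguments placeholders, and assembles the body as a structure rather than a string template, so quotes or newlines in an alert title cannot break the JSON. The sample alert and every field name other than alert_title and customer_code are constructed assumptions.

```python
import re

# Constructed sample of the alert context Copilot hands a Shuffle workflow as
# $exec.execution_arguments; fields beyond alert_title/customer_code are assumptions.
SAMPLE_ALERT = {
    "alert_title": 'Wazuh: multiple failed SSH logins on "web-01"',
    "customer_code": "ACME",
    "agent_name": "web-01",
    "rule_level": 10,
    "src_ip": "",      # empty: must not reach the ticket
    "rule_id": None,   # absent: must not reach the ticket
}

PLACEHOLDER = re.compile(r"\$exec\.execution_arguments\.([A-Za-z0-9_]+)")


def present_fields(alert: dict) -> dict:
    """Keep only fields that carry data, mirroring the "only fields with data" rule."""
    return {k: v for k, v in alert.items() if v not in (None, "", [], {})}


def render(template: str, args: dict) -> str:
    """Expand $exec.execution_arguments.<name>; a missing field is an error, not ''."""
    def sub(match):
        name = match.group(1)
        if name not in args:
            raise KeyError(f"alert field '{name}' is not in the execution arguments")
        return str(args[name])
    return PLACEHOLDER.sub(sub, template)


def adf_paragraph(text: str) -> dict:
    """Atlassian Document Format paragraph holding one plain text node."""
    return {"type": "paragraph", "content": [{"type": "text", "text": text}]}


def build_jira_body(alert: dict, project_key: str = "SOC", issue_type: str = "Problem") -> dict:
    """Build the Create Issue body as a dict, so quotes in alert text cannot break the JSON."""
    args = present_fields(alert)
    paragraphs = [adf_paragraph(render("Alert triggered for $exec.execution_arguments.customer_code", args))]
    for name, value in args.items():  # one line per remaining field for analyst context
        if name not in ("alert_title", "customer_code"):
            paragraphs.append(adf_paragraph(f"{name}: {value}"))
    return {"fields": {
        "project": {"key": project_key},
        "summary": render("$exec.execution_arguments.alert_title", args),
        "issuetype": {"name": issue_type},
        "description": {"type": "doc", "version": 1, "content": paragraphs},
    }}
```

Serialise the returned dict with json.dumps when posting it; the quoted agent name in the sample summary survives intact, whereas a plain string template would have produced invalid JSON.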

5. Extend Workflow with Additional Actions

You can enhance the workflow by adding more nodes:

  • Email Notifications: Use the Email app in Shuffle to send notifications.
  • ConnectWise Tickets: Add a ConnectWise node to create service tickets.
  • Custom Integrations: Utilize APIs of other tools your clients may use.

Benefits of This Integration

  • Automated Incident Management: Reduce manual efforts in creating and assigning tickets.
  • Real-Time Notifications: Keep your team and clients informed instantly.
  • Customizable Workflows: Tailor automation processes to fit different client needs.
  • Scalability: Easily add more clients or tools without significant overhead.

Conclusion

Integrating Copilot with Shuffle opens up a world of possibilities for automating your incident management processes. By connecting your SIEM alerts with tools like Jira or ConnectWise, you streamline your operations, reduce response times, and enhance overall security posture.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
