docs/architecture.md · SOC Automation Lab

55 lines · markdown

# Architecture
 
## Data flow
 
1. Agents on Windows and Linux endpoints ship logs and Sysmon events to the Wazuh
   manager over an encrypted channel on 1514/tcp.
2. The manager decodes events and runs them against the bundled ruleset plus the
   custom rules in `config/wazuh/rules/local_rules.xml`.
3. Any alert at level 10 or higher matches the `<integration>` block and the
   manager invokes `integrations/custom-thehive`, which forwards a normalized
   payload to the Shuffle webhook.
4. Shuffle resolves the indicator of interest (source or destination IP), pulls
   reputation from VirusTotal and OTX, and computes a verdict score.
5. A TheHive case is opened with the score-derived severity, the indicator is
   attached as an observable flagged as an IOC, and the analyst channel gets a
   message linking the case.
6. Active response is wired for rule 100210 (traffic to a CTI-flagged IP), which
   triggers a local `firewall-drop` with a 10 minute timeout while the analyst
   confirms.
 
## Why these three tools
 
- **Wazuh** gives agent-based collection, FIM, vulnerability detection, and a
  rule language flexible enough to express the detections I cared about without
  bolting on a separate log shipper.
- **Shuffle** is the glue. Keeping the orchestration logic out of Wazuh means the
  enrichment and case-creation logic is versioned and testable on its own, and
  the SIEM only has to know one webhook URL.
- **TheHive** is where the analyst actually works. Cases arrive with the verdict
  and the observable already attached, so triage starts from evidence.
 
## Severity mapping
 
The scoring step in the workflow turns reputation counts into a TheHive severity:
 
| Score | TheHive severity | Trigger |
|-------|------------------|---------|
| 0-1   | Low (1)          | nothing notable on the indicator |
| 2-5   | Medium (2)       | OTX pulses or a couple of VT hits |
| 6+    | High (3)         | multiple VT detections plus OTX pulses |
 
`score = vt_malicious * 2 + otx_pulse_count`.
 
## Threat coverage
 
The custom rules map to MITRE ATT&CK so the cases are tagged with technique IDs:
 
| Rule | Technique |
|------|-----------|
| 100101 process from user-writable path | T1059 |
| 100102 Office spawns script host | T1566 / T1059.001 |
| 100110 LSASS access | T1003.001 |
| 100120 / 100121 service + scheduled task | T1543.003 / T1053.005 |
| 100200 / 100201 SSH + RDP brute force | T1110 |
| 100210-100212 CTI list hits | T1071 / T1204 |

1	# Architecture
2
3	## Data flow
4
5	1. Agents on Windows and Linux endpoints ship logs and Sysmon events to the Wazuh
6	manager over an encrypted channel on 1514/tcp.
7	2. The manager decodes events and runs them against the bundled ruleset plus the
8	custom rules in `config/wazuh/rules/local_rules.xml`.
9	3. Any alert at level 10 or higher matches the `<integration>` block and the
10	manager invokes `integrations/custom-thehive`, which forwards a normalized
11	payload to the Shuffle webhook.
12	4. Shuffle resolves the indicator of interest (source or destination IP), pulls
13	reputation from VirusTotal and OTX, and computes a verdict score.
14	5. A TheHive case is opened with the score-derived severity, the indicator is
15	attached as an observable flagged as an IOC, and the analyst channel gets a
16	message linking the case.
17	6. Active response is wired for rule 100210 (traffic to a CTI-flagged IP), which
18	triggers a local `firewall-drop` with a 10 minute timeout while the analyst
19	confirms.
20
21	## Why these three tools
22
23	- Wazuh gives agent-based collection, FIM, vulnerability detection, and a
24	rule language flexible enough to express the detections I cared about without
25	bolting on a separate log shipper.
26	- Shuffle is the glue. Keeping the orchestration logic out of Wazuh means the
27	enrichment and case-creation logic is versioned and testable on its own, and
28	the SIEM only has to know one webhook URL.
29	- TheHive is where the analyst actually works. Cases arrive with the verdict
30	and the observable already attached, so triage starts from evidence.
31
32	## Severity mapping
33
34	The scoring step in the workflow turns reputation counts into a TheHive severity:
35
36	\| Score \| TheHive severity \| Trigger \|
37	\|-------\|------------------\|---------\|
38	\| 0-1 \| Low (1) \| nothing notable on the indicator \|
39	\| 2-5 \| Medium (2) \| OTX pulses or a couple of VT hits \|
40	\| 6+ \| High (3) \| multiple VT detections plus OTX pulses \|
41
42	`score = vt_malicious * 2 + otx_pulse_count`.
43
44	## Threat coverage
45
46	The custom rules map to MITRE ATT&CK so the cases are tagged with technique IDs:
47
48	\| Rule \| Technique \|
49	\|------\|-----------\|
50	\| 100101 process from user-writable path \| T1059 \|
51	\| 100102 Office spawns script host \| T1566 / T1059.001 \|
52	\| 100110 LSASS access \| T1003.001 \|
53	\| 100120 / 100121 service + scheduled task \| T1543.003 / T1053.005 \|
54	\| 100200 / 100201 SSH + RDP brute force \| T1110 \|
55	\| 100210-100212 CTI list hits \| T1071 / T1204 \|