# Screenshots

These come from the running stack. Bring it up with `./scripts/deploy.sh`, enroll an
agent, and fire a test alert, then capture the shots below. Drop the files in this
directory with the names listed and they'll render in the main README.

Capture at a consistent width (1280-1440), and annotate the call-out in each shot
(a red circle/arrow is enough).

Captured from the running lab (detection layer):

- `01-wazuh-threat-hunting.png` - Threat Hunting dashboard with the SSH brute-force
  alerts and their MITRE ATT&CK breakdown.
- `02-wazuh-agent.png` - the enrolled Linux endpoint, active and reporting in.

Still to capture from the SOAR side, once the workflow is imported and a case has run
through it:

| File | Where | Annotate |
|------|-------|----------|
| `03-shuffle-workflow.png` | Shuffle → the imported `Wazuh -> TheHive Enrichment` workflow canvas | the enrichment → scoring → case-creation path |
| `04-shuffle-run.png` | Shuffle → a finished run of that workflow | the VirusTotal/OTX result feeding the severity score |
| `05-thehive-case.png` | TheHive → the auto-created case | the severity, the MITRE tags, and the attached IOC observable |

## Triggering a test alert

The quickest way to get a case end-to-end without waiting for real activity:

```bash
# Option A: from an enrolled endpoint, look up (or connect to) a value you've
# placed in one of the CTI lists, e.g. cdn-jquery-min.net
dig +short cdn-jquery-min.net

# Option B: replay a sample brute-force against SSH to trip rule 100200
```

That fires a level-12 rule, which hits the integration, which runs the Shuffle
workflow, which opens the TheHive case - giving you shots 01 through 04 from a single
event.
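Before capturing, it helps to confirm the alert actually crossed the level-12 threshold that hands it to Shuffle. The checker below is an added example, not part of this repository: it reads the manager's `alerts.json` (one JSON object per line), keeps only alerts at or above the integration level, and tags each with whether it came from the brute-force rule or carries the seeded indicator. The sample alerts and the CTI rule id `100300` are constructed for the example.

```python
import json
import sys
from typing import Iterable

# From the section above: the Wazuh -> Shuffle integration fires at level 12
# and the SSH brute-force rule is 100200. The indicator is whatever you seeded
# into the CTI list (the page's example is cdn-jquery-min.net).
INTEGRATION_LEVEL = 12
SSH_BRUTE_FORCE_RULE = "100200"

def parse_alerts(lines: Iterable[str]) -> list[dict]:
    """alerts.json is one JSON object per line; skip blank or half-written lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # the manager may still be writing the last line
    return alerts

def triggering_alerts(alerts: list[dict], indicator: str) -> list[dict]:
    """Keep alerts that reach the integration, tagged with why they matter here."""
    hits = []
    for alert in alerts:
        rule = alert.get("rule", {})
        level = int(rule.get("level", 0))
        if level < INTEGRATION_LEVEL:
            continue  # never reaches Shuffle, so no case and no shot 05
        rule_id = str(rule.get("id", ""))
        if rule_id == SSH_BRUTE_FORCE_RULE:
            reason = "ssh-brute-force"
        elif indicator in json.dumps(alert):
            reason = "cti-match"
        else:
            reason = "other"
        hits.append({"rule_id": rule_id, "level": level, "reason": reason,
                     "agent": alert.get("agent", {}).get("name", "?"),
                     "mitre": rule.get("mitre", {}).get("id", [])})
    return hits

# Constructed sample in the alerts.json shape; rule 100300 is a placeholder id.
SAMPLE_ALERTS = """
{"rule":{"level":5,"id":"5760","description":"sshd: authentication failed."},"agent":{"id":"001","name":"lab-endpoint"}}
{"rule":{"level":12,"id":"100200","description":"SSH brute-force","mitre":{"id":["T1110"]}},"agent":{"id":"001","name":"lab-endpoint"}}
{"rule":{"level":12,"id":"100300","description":"DNS query to CTI-listed domain"},"agent":{"id":"001","name":"lab-endpoint"},"data":{"dns":{"query":"cdn-jquery-min.net"}}}
"""

if __name__ == "__main__":
    # Usage: python check_alert.py [/var/ossec/logs/alerts/alerts.json] [indicator]
    indicator = sys.argv[2] if len(sys.argv) > 2 else "cdn-jquery-min.net"
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_ALERTS.splitlines()
    for hit in triggering_alerts(parse_alerts(lines), indicator):
        print(hit)
```

Run it against the real `alerts.json` on the manager after firing the test; an empty result means the event never reached the integration, so check the rule before blaming Shuffle.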