repos/SOC Automation Lab/shuffle/workflows/wazuh-thehive-enrichment.json
{
  "name": "Wazuh -> TheHive Enrichment",
  "description": "Enrich the offending IP from a Wazuh alert (src_ip, falling back to dst_ip) against VirusTotal and OTX, open a TheHive case at the scored severity with the raw alert log in the case description, and notify the analyst channel. Caveats: this export shows no authentication on the webhook trigger, so anyone who can reach its URL can inject alerts, open cases and burn lookup quota; the indicator is attached to the case as an IOC regardless of score; and the raw alert log is pasted into the case description unescaped.",
  "workflow_type": "standalone",
  "triggers": [
    {
      "id": "trigger_webhook",
      "app_name": "Webhook",
      "name": "wazuh_alert",
      "trigger_type": "WEBHOOK",
      "status": "running",
      "parameters": [
        { "name": "tmp", "value": "" }
      ]
    }
  ],
  "actions": [
    {
      "id": "action_route",
      "app_name": "Shuffle Tools",
      "app_version": "1.2.0",
      "name": "router",
      "label": "Pick indicator",
      "parameters": [
        {
          "name": "input_data",
          "value": "$exec.src_ip || $exec.dst_ip"
        }
      ]
    },
    {
      "id": "action_vt",
      "app_name": "VirusTotal",
      "app_version": "1.1.0",
      "name": "get_ip_report",
      "label": "VirusTotal lookup",
      "parameters": [
        { "name": "apikey", "value": "${vt_api_key}" },
        { "name": "ip", "value": "$action_route.output" }
      ]
    },
    {
      "id": "action_otx",
      "app_name": "AlienVault OTX",
      "app_version": "1.0.0",
      "name": "get_indicator",
      "label": "OTX pulses",
      "parameters": [
        { "name": "apikey", "value": "${otx_api_key}" },
        { "name": "indicator_type", "value": "IPv4" },
        { "name": "indicator", "value": "$action_route.output" }
      ]
    },
    {
      "id": "action_score",
      "app_name": "Shuffle Tools",
      "app_version": "1.2.0",
      "name": "execute_python",
      "label": "Score verdict",
      "parameters": [
        {
          "name": "code",
          "value": "vt = int($action_vt.last_analysis_stats.malicious or 0)\notx = int($action_otx.pulse_info.count or 0)\nscore = vt * 2 + otx\nseverity = 3 if score >= 6 else (2 if score >= 2 else 1)\nreturn {\"score\": score, \"severity\": severity, \"vt_malicious\": vt, \"otx_pulses\": otx}"
        }
      ]
    },
    {
      "id": "action_case",
      "app_name": "TheHive",
      "app_version": "1.4.0",
      "name": "create_case",
      "label": "Open TheHive case",
      "parameters": [
        { "name": "apikey", "value": "${thehive_api_key}" },
        { "name": "url", "value": "${thehive_url}" },
        { "name": "title", "value": "[Wazuh] $exec.rule_description" },
        { "name": "description", "value": "Agent: $exec.agent_name ($exec.agent_ip)\nRule: $exec.rule_id level $exec.rule_level\nIndicator: $action_route.output\nVirusTotal malicious: $action_score.vt_malicious\nOTX pulses: $action_score.otx_pulses\n\n$exec.full_log" },
        { "name": "severity", "value": "$action_score.severity" },
        { "name": "tags", "value": "wazuh,automated,$exec.mitre.id" },
        { "name": "tlp", "value": "2" }
      ]
    },
    {
      "id": "action_observable",
      "app_name": "TheHive",
      "app_version": "1.4.0",
      "name": "create_observable",
      "label": "Attach indicator as IOC",
      "parameters": [
        { "name": "apikey", "value": "${thehive_api_key}" },
        { "name": "url", "value": "${thehive_url}" },
        { "name": "case_id", "value": "$action_case.id" },
        { "name": "data_type", "value": "ip" },
        { "name": "data", "value": "$action_route.output" },
        { "name": "ioc", "value": "true" },
        { "name": "tags", "value": "cti,wazuh" }
      ]
    },
    {
      "id": "action_notify",
      "app_name": "Slack",
      "app_version": "1.1.0",
      "name": "post_message",
      "label": "Notify analysts",
      "parameters": [
        { "name": "apikey", "value": "${slack_token}" },
        { "name": "channel", "value": "#soc-alerts" },
        { "name": "text", "value": ":rotating_light: New case from Wazuh rule $exec.rule_id (sev $action_score.severity)\nIndicator $action_route.output - VT $action_score.vt_malicious / OTX $action_score.otx_pulses\nTheHive case: $action_case.id" }
      ]
    }
  ],
  "branches": [
    { "source_id": "trigger_webhook", "destination_id": "action_route" },
    { "source_id": "action_route", "destination_id": "action_vt" },
    { "source_id": "action_route", "destination_id": "action_otx" },
    { "source_id": "action_vt", "destination_id": "action_score" },
    { "source_id": "action_otx", "destination_id": "action_score" },
    { "source_id": "action_score", "destination_id": "action_case" },
    { "source_id": "action_case", "destination_id": "action_observable" },
    { "source_id": "action_case", "destination_id": "action_notify" }
  ]
}