# Automate everything with Shuffle Let's begin by installing Shuffle on Ubuntu. ```bash sudo apt update && sudo apt install -y docker.io docker-compose sudo systemctl enable docker sudo systemctl start docker git clone https://github.com/Shuffle/Shuffle.git cd Shuffle sudo docker-compose up -d ``` After the installation is complete, access the application by navigating to `http://your-ip:3001` in your web browser.

After executing these commands, we will proceed to create an account and log in. ```bash sudo chown -R 1000:1000 shuffle-database sudo swapoff -a sudo docker restart shuffle-opensearch ```

After creating the workflow, you may notice that several applications are missing. To address this, we need to take the following steps.

Now, let's proceed with creating a new workflow.

Next, we need to set up a webhook to receive alerts from the Wazuh dashboard.

On the Wazuh server, open the `/var/ossec/etc/ossec.conf` file. Insert the webhook URL within the `` tags. ```bash sudo nano /var/ossec/etc/ossec.conf ``` ```xml shuffle http://192.168.204.151:3001/api/v1/hooks/webhook_82a81730-b6b5-476f-8eab-225c6b165fda 100002 json ```

Here, I aim to receive alerts for Rule ID **100002**, which we previously configured for Mimikatz detection. You can modify the rule to capture additional alerts based on your requirements or adjust the alert level as needed. After saving the changes, let's restart the Wazuh manager to apply the new configuration: ```bash systemctl restart wazuh-manager ``` Next, let's run Mimikatz again to verify whether the alert generated by Wazuh is successfully sent to Shuffle.

Now, let's verify whether any alerts have been triggered in the Shuffle workflow.

#### **Workflow**: 1. **Mimikatz Alert Trigger** – A Mimikatz alert is generated and sent to Shuffle. 2. **Alert Processing in Shuffle** – Shuffle receives the alert and extracts the SHA-256 hash of the detected file. 3. **Reputation Check** – The extracted hash is queried against VirusTotal to assess its reputation score. 4. **Alert Creation in TheHive** – The analysis details are forwarded to TheHive to generate an incident alert. 5. **Notification to SOC Analyst** – A notification is sent to the SOC Analyst through telegram bot, prompting them to initiate an investigation. Next, we need to obtain the file's hash to verify it on VirusTotal. To do this, let's follow these steps.

Hover over the **Execution Argument**.

Next, we need to create a regular expression specifically designed to extract only the SHA-256 hash.

Let's rename it from **Wazuh\_Receive\_alerts** to **SHA256**. We now need to submit this SHA-256 hash to VirusTotal for analysis.

Please retrieve your API key from your VirusTotal account and enter it here.

Let's run it again.

Let's check the **attributes**.

This means that 65 security scanners have identified the file as malicious. Next, we need to forward the results provided by VirusTotal to TheHive.

Let's transition to TheHive and proceed with creating a new organization along with user accounts for it.

Now, let's create new users.

Now, we need to set a password for Omar's account and generate an API key for the SOAR account.

Now, we will use this API key to establish a connection with Shuffle.

Certain fields need to be completed. ```json Summary -> Mimikatz Activity Detected on host: $exec.text.win.system.computer and the Process Id: $exec.text.win.eventdata.processId and the Commandline: $exec.text.win.eventdata.commandLine Description -> Mimikatz Detected on host:$exec.text.win.system.computer ``` Let's execute the workflow again.

Next, we need to rerun the process to ensure everything functions correctly.

Now, let's log in to TheHive using the previously created account, "Omar," to check for any alerts.

The alert has been successfully sent to TheHive. The next step is to notify the analyst via telegram boot. You can see how to create telegram boot to send alerts via this link:

```json Time:$exec.text.win.eventdata.utcTime\n Title: $exec.title\n Host: $exec.text.win.system.computer\n ``` Now, let's rerun the process and verify the functionality of our Telegram bot.