
Optimizing Security Operations with a SOAR-Driven SOC

In our previous blogs we discussed how to create and optimize SIEM and case management systems for a SOC. Both systems need to be integrated through an automation platform for the SOC to operate efficiently.

A Security Orchestration, Automation, and Response (SOAR) platform is a comprehensive solution designed to enhance the efficiency and effectiveness of Security Operations Centers (SOCs) by integrating security orchestration, automation, and incident response capabilities into a single framework. Shuffle, specifically, enhances these capabilities by offering customizable workflows, integration with a wide range of security tools, and advanced automation features. In this blog, we will discuss how to set up a SOAR platform for the SOC.

Why Shuffle?

Shuffle is a SOAR platform that allows you to collect, enrich, automate, and respond to security events with little to no human interaction required. Workflows are the part of Shuffle where everything comes together: using Apps, Triggers, and Variables, Shuffle gives you the building blocks to make your platforms talk to each other.

Enhancing SOC with Shuffle

With SOAR in your SOC, it’s like having a superhero sidekick who never sleeps or takes lunch breaks!

1. Shuffle Deployment

We deployed Shuffle as a cluster backed by EFS (Elastic File System), which gives the nodes shared, persistent storage across multiple Availability Zones. This keeps the platform running, and the automated workflows available, even if an entire AZ fails.

2. Incident Response Workflow

This workflow is designed to automate the response to alerts generated by Wazuh either by creating cases or triggering incident response automation workflows.

The process is as follows:

Triggering the Workflow: The workflow is triggered via a webhook when a Wazuh alert is received. Depending on the rule_id in the alert, the workflow determines the next steps.

Branch Condition Based on Known rule_id:

If the rule_id is in the known list, indicating a predefined rule with an automated response:

  • The event is saved to a file and uploaded to an S3 bucket
  • The S3 bucket has a Lambda event trigger for object creation, which parses the rule_id from the payload and invokes the respective Lambda function to handle the incident response
  • Upon completion, the status is published via SNS to notify the appropriate team

If the rule_id is not in the known list:

  • We retrieve the severity, title, and description from the alert metadata.

Rule-level mapping and case creation:

  • Wazuh’s rule_level (ranging from 1-15) is mapped to TheHive severity (1-4) using a Python script, with the following mapping:
      • Rule level 1-4 → Low severity (1)
      • Rule level 5-9 → Medium severity (2)
      • Rule level 10-12 → High severity (3)
      • Rule level >12 → Critical severity (4)
  • Based on the alert location (e.g., wazuh-aws, rootcheck, wazuh-monitord), an appropriate owner is assigned to the case.
  • If the alert contains observables with a source_ip_address, the case is updated with the IP as an Indicator of Compromise (IOC).
  • The case is then exported to MISP via a Python script for threat intelligence correlation.
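The triage branch described above, written out as an added Python example (this is not the blog's Shuffle workflow or its Lambda code). The S3 upload, Lambda dispatch and the TheHive/MISP API calls are left out so it runs offline; KNOWN_RULE_IDS, the owner table and the two sample alerts are constructed, illustrative values, and the observable is only shaped like a TheHive observable.

```python
"""Added example: pure-Python model of the Wazuh alert triage branch.

Everything below that names a rule_id, a team or an address is a
constructed assumption for illustration, not data from the blog.
"""
import ipaddress
import json

# Assumption: rule_ids that have a dedicated Lambda responder (illustrative).
KNOWN_RULE_IDS = {"5710", "100002"}

# Assumption: alert location prefix -> case owner (illustrative team names).
OWNER_BY_LOCATION = {
    "wazuh-aws": "cloud-sec",
    "rootcheck": "host-sec",
    "wazuh-monitord": "soc-platform",
}
DEFAULT_OWNER = "soc-tier1"


def map_severity(rule_level: int) -> int:
    """Wazuh rule_level (1-15) -> TheHive severity (1 low, 2 medium, 3 high, 4 critical)."""
    if not 1 <= rule_level <= 15:
        raise ValueError(f"rule_level out of range: {rule_level}")
    if rule_level <= 4:
        return 1
    if rule_level <= 9:
        return 2
    if rule_level <= 12:
        return 3
    return 4


def assign_owner(location: str) -> str:
    """Case-insensitive prefix match on the alert's location field."""
    loc = location.lower()
    for prefix, owner in OWNER_BY_LOCATION.items():
        if loc.startswith(prefix):
            return owner
    return DEFAULT_OWNER


def extract_source_ip(alert: dict):
    """Return a validated source IP from the decoded alert data, else None.

    Wazuh decoders usually emit data.srcip; the blog's source_ip_address
    key is accepted too. Validation keeps hostnames and junk out of the IOC list.
    """
    data = alert.get("data") or {}
    for key in ("source_ip_address", "srcip"):
        value = data.get(key)
        if not value:
            continue
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            continue
    return None


def triage(alert: dict) -> dict:
    """Decide what the workflow does with one Wazuh alert (alerts.json shape)."""
    rule = alert["rule"]
    rule_id = str(rule["id"])

    # Known rule_id: hand the raw event to the per-rule automated responder.
    if rule_id in KNOWN_RULE_IDS:
        return {"action": "automated_response", "rule_id": rule_id,
                "payload": json.dumps(alert, separators=(",", ":"))}

    # Unknown rule_id: build a case from the alert metadata.
    case = {
        "action": "create_case",
        "title": f"[Wazuh {rule_id}] {rule.get('description', 'no description')}",
        "description": (f"Agent: {alert.get('agent', {}).get('name', '?')}\n"
                        f"Location: {alert.get('location', '?')}\n"
                        f"Raw log: {alert.get('full_log', '')}"),
        "severity": map_severity(int(rule["level"])),
        "owner": assign_owner(alert.get("location", "")),
        "observables": [],
    }
    ip = extract_source_ip(alert)
    if ip:
        case["observables"].append({"dataType": "ip", "data": ip, "ioc": True})
    return case


# Constructed sample alerts (field layout follows Wazuh's alerts.json).
SAMPLE_KNOWN = {
    "rule": {"id": "5710", "level": 5,
             "description": "sshd: Attempt to login using a non-existent user"},
    "agent": {"name": "web-01"}, "location": "/var/log/auth.log",
    "data": {"srcip": "203.0.113.7"},
}
SAMPLE_UNKNOWN = {
    "rule": {"id": "80203", "level": 13,
             "description": "AWS CloudTrail: root user activity"},
    "agent": {"name": "wazuh-manager"}, "location": "Wazuh-AWS",
    "data": {"source_ip_address": "198.51.100.20"},
}

if __name__ == "__main__":
    for sample in (SAMPLE_KNOWN, SAMPLE_UNKNOWN):
        print(json.dumps(triage(sample), indent=2))
```

Two points worth carrying into the real workflow: the severity function rejects out-of-range levels instead of silently defaulting, so a malformed alert fails loudly in Shuffle rather than landing as a Low case, and the IP is validated before it becomes an IOC, so a decoder that puts a hostname in srcip does not pollute MISP.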

3. Case Management Notification Workflow

This workflow handles notifications for case creation and closure events in TheHive, ensuring real-time communication with the SOC team.

Here’s how it operates:

  • Triggering the Workflow: The workflow is triggered when TheHive sends case creation or closure events to the Shuffle webhook.
  • Event Handling:
      • The event data is copied to a file and uploaded to an S3 bucket.
      • The S3 bucket has a Lambda function triggered by object creation events. The function parses the event and generates the appropriate message.
      • The message is then published to Slack or Email via SNS, notifying the SOC team of case changes in real-time.
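The notification Lambda described above, as an added Python example rather than the blog's own function. The S3 read and the SNS publish are injectable so the handler runs offline; the TheHive event shape (objectType, operation, object, details), the treatment of status "Resolved" as closure, the TOPIC_ARN variable and the sample events are assumptions modelled on TheHive 4 style webhook payloads.

```python
"""Added example: S3 object-created -> stored TheHive event -> SNS message.

The webhook field names and the sample fixtures are assumptions, not
captured from the blog's environment.
"""
import json
import os
from urllib.parse import unquote_plus

SNS_SUBJECT_LIMIT = 100  # SNS rejects a Subject longer than 100 characters


def build_message(evt: dict):
    """Turn a TheHive case event into (subject, body), or None to ignore it."""
    if str(evt.get("objectType", "")).lower() != "case":
        return None  # alerts, tasks, observables are not this channel's concern
    case = evt.get("object") or {}
    details = evt.get("details") or {}
    op = str(evt.get("operation", "")).lower()
    # Assumption: creation is "create"/"creation"; closure arrives as an
    # update whose details carry the new status "Resolved".
    if op in ("create", "creation"):
        kind = "CREATED"
    elif op == "update" and details.get("status") == "Resolved":
        kind = "CLOSED"
    else:
        return None  # every other update would just be noise
    subject = f"[TheHive] Case {kind}: {case.get('title', '?')}"[:SNS_SUBJECT_LIMIT]
    body = json.dumps({
        "event": kind,
        "case_id": case.get("_id") or case.get("id"),
        "title": case.get("title"),
        "severity": case.get("severity"),
        "owner": case.get("assignee") or case.get("owner"),
        "resolution": details.get("resolutionStatus"),
    }, indent=2)
    return subject, body


def lambda_handler(event, context=None, fetch=None, publish=None):
    """Process each S3 record: read the stored event, build and publish a message."""
    if fetch is None or publish is None:
        import boto3  # real AWS clients only when nothing is injected
        s3, sns = boto3.client("s3"), boto3.client("sns")
        fetch = fetch or (lambda b, k: s3.get_object(Bucket=b, Key=k)["Body"].read())
        publish = publish or (lambda subj, msg: sns.publish(
            TopicArn=os.environ["TOPIC_ARN"], Subject=subj, Message=msg))
    results = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        # S3 URL-encodes object keys in event records (spaces arrive as '+').
        key = unquote_plus(rec["s3"]["object"]["key"])
        msg = build_message(json.loads(fetch(bucket, key)))
        if msg is None:
            results.append({"key": key, "published": False})
            continue
        publish(*msg)
        results.append({"key": key, "published": True, "subject": msg[0]})
    return results


# Constructed fixtures: one S3 event pointing at a stored TheHive closure.
SAMPLE_THEHIVE_EVENT = {
    "objectType": "case", "operation": "update",
    "object": {"_id": "~4096", "title": "Brute force on web-01",
               "severity": 3, "assignee": "host-sec"},
    "details": {"status": "Resolved", "resolutionStatus": "TruePositive"},
}
SAMPLE_S3_EVENT = {"Records": [{"s3": {"bucket": {"name": "soc-events"},
                                       "object": {"key": "thehive/case+4096.json"}}}]}

if __name__ == "__main__":
    sent = []
    out = lambda_handler(SAMPLE_S3_EVENT,
                         fetch=lambda b, k: json.dumps(SAMPLE_THEHIVE_EVENT).encode(),
                         publish=lambda s, m: sent.append((s, m)))
    print(out)
    print(sent[0][1])
```

Filtering inside build_message matters more than it looks: TheHive emits an update event for every field change on a case, so without the status check the SNS topic (and the Slack channel behind it) fills with edits rather than the creation and closure events the SOC actually wants.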

Shuffle Workflow Diagram

Benefits

  • Automated Case Creation and Threat Correlation: Case creation time has been reduced by 80%, cutting manual work. Faster threat correlation through the MISP integration lets analysts resolve incidents more efficiently, reducing Mean Time to Detect (MTTD) by 50% and strengthening overall cloud security.
  • Automated Incident Workflow Triggers: With automated workflows, the incident response process is triggered instantly, reducing Mean Time to Respond (MTTR) by up to 60% and resulting in faster threat mitigation and less downtime.
  • Unified Notification Channel: A centralized notification system ensures that case management updates, incident response status, and workflow alerts reach the right teams within seconds, improving communication efficiency by 40% and ensuring no important alert is missed.
  • Parallel Processing of Alerts: Alert handling capacity increased 7x by leveraging Shuffle's parallel processing, significantly reducing the alert backlog and enabling real-time response to security threats.

Conclusion

In this blog, we have discussed how integrating a SOAR platform like Shuffle into a Security Operations Center (SOC) significantly enhances its efficiency and effectiveness. Shuffle’s customizable workflows, integrations with a wide range of security tools, and automated incident response make it an indispensable tool for modern security operations. This orchestration and automation reduce manual intervention and ensure that incidents are promptly addressed with accurate, actionable intelligence, enhancing cloud governance and security.

In our next blog, we will explore how to visualize SOC data to derive meaningful insights. Stay tuned for more on optimizing your SOC operations and enhancing your organization’s security strategy.
