Integration Steps

Step 7: IRIS and Wazuh Integration

Execute step 7.

It will ask for the IRIS API key. To get the API key, go to the IRIS page and select Administrator profile > My Settings. The API key is shown as illustrated in Figure 11.

Figure 11. IRIS API Key

Copy and paste it into the installer. Wait until the process finishes.

Then check the integration by selecting the Alert menu in the left panel of IRIS. It should still show "0 Alert".

We need to trigger an alert by executing step 14 (Brute Force Use Case). After that, refresh the page and the first alert should show up as illustrated in Figure 12.

Figure 12. Triggered Alert Appears in the IRIS Alert Page

Step 8: MISP and Wazuh Integration

Execute step 8. Wait until it finishes.

Step 9: VirusTotal and Wazuh Integration

Execute step 9.

It will ask for the VirusTotal API key. If you do not yet have a VirusTotal account, create one first. If you already have one, log in to VirusTotal, click your profile name, then select API Key.

Copy and paste it into the installer. Wait until the process finishes.

Step 10: Shuffle, Wazuh, and IRIS Integration

In your browser, go to your Shuffle (http://<ip>:3001).

Select Workflow > New Workflow.

Enter your workflow name, then select Done.

Select the Shuffle icon in the middle panel; the configuration panel will appear on the right. Change the "Call" parameter to $exec, then click the Save button, as illustrated in Figure 13.

Figure 13. Shuffle Module Configuration

Next, in the left panel, select the Trigger tab, then drag the Webhook into the middle panel as illustrated in Figure 14.

Figure 14. Deploy Webhook Module

The Webhook module will serve as the alert/event feed from Wazuh.

To integrate the Webhook with Wazuh, click the Webhook module. In the right panel, copy the "Webhook URI" parameter and click the Start button as illustrated in Figure 15.

Figure 15. Start Webhook Module

Go back to the installer and execute step 10.

It will ask for the Shuffle Hook URL; paste the Webhook URI into it. Wait until the process finishes.

Look at your Shuffle in the browser and click the Show Executions button (the running-person icon). It shows All Workflow Runs; select one of them. You can see that Shuffle has already received the alert from Wazuh as illustrated in Figure 16.

Figure 16. Wazuh Alert in Shuffle

Next, in the left panel, select the Apps tab and type "IRIS" in the Search Active Apps bar. Click the IRIS module (not IRIS V2) and wait until IRIS v2 shows up. Then drag it into the middle panel as illustrated in Figure 17.

Figure 17. Deploy IRIS Module

Click the IRIS module, then fill in the following parameters:

  • Find Actions: Add a new case

  • Apikey: (insert your IRIS API Key)

  • Url: (your IRIS url)

Figure 18. IRIS Parameters

Next, scroll down to the Body parameter and click the Expand Window button. Replace the body content with the following (note that the body must be valid JSON, so the last field has no trailing comma):

{
  "case_customer": "1",
  "case_description": "Test from Shuffle",
  "case_name": "$change_me.title",
  "case_soc_id": "123"
}

Then click the Try It button at the top right. Wait until the result shows up at the bottom. After that, click the Submit button at the bottom right.

Figure 19. IRIS Body Parameter

Then click the Save button.

Go to the Show Executions button again, then click the Refresh button as illustrated in Figure 20.

Figure 20. Re-run Button

The IRIS process should now appear in the run. Inside the IRIS module, the Status value should be 200, meaning that the automated ticket creation succeeded, as illustrated in Figure 21.

Figure 21. Automation of IRIS Ticket Creation

We can also check on the IRIS page (https://<your_ip>:8443): select the Manage Case tab in the left panel. The ticket created from Shuffle should be listed there.

Figure 22. Ticket Created from Shuffle
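As an added example (not part of this tutorial and not Shuffle's or IRIS's own code), the following Python script does by hand what the Shuffle workflow above does: it maps a Wazuh alert to the same four-field IRIS case body and posts it, returning the HTTP status so the 200 check can be made outside Shuffle. The sample alert is constructed, and the IRIS endpoint /manage/cases/add with a Bearer-token header is an assumption about the IRIS API.

```python
import json
import urllib.request

# Constructed sample of a Wazuh alert as the Shuffle Webhook trigger would receive it
# (only the fields used below; names follow the Wazuh alert JSON layout).
SAMPLE_WAZUH_ALERT = {
    "rule": {"id": "5763", "level": 10,
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"name": "ubuntu-agent"},
    "data": {"srcip": "192.0.2.10"},
}


def build_iris_case_body(alert, customer_id="1", soc_id="123"):
    """Build the same four-field body the Shuffle IRIS module sends.

    case_name replaces the "$change_me.title" placeholder of the workflow body;
    here it is derived from the rule description and agent name so that each
    case is recognisable in the IRIS Manage Case view.
    """
    rule = alert.get("rule", {})
    agent = alert.get("agent", {}).get("name", "unknown")
    if "description" not in rule:
        # Refuse to open an empty case rather than flood IRIS with blank tickets.
        raise ValueError("alert has no rule.description")
    return {
        "case_customer": customer_id,
        "case_description": (
            f"Wazuh rule {rule.get('id')} (level {rule.get('level')}) on agent "
            f"{agent}; source IP {alert.get('data', {}).get('srcip', 'n/a')}"
        ),
        "case_name": f"{rule['description']} [{agent}]",
        "case_soc_id": soc_id,
    }


def create_iris_case(iris_url, api_key, body, timeout=10):
    """POST the case to IRIS and return the HTTP status (200 means success).

    Assumption: IRIS exposes POST /manage/cases/add with Bearer-token auth.
    """
    req = urllib.request.Request(
        iris_url.rstrip("/") + "/manage/cases/add",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(build_iris_case_body(SAMPLE_WAZUH_ALERT), indent=2))
```

The lab IRIS instance at https://<your_ip>:8443 uses its own certificate, so the Python environment must trust it before create_iris_case can connect.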

Several use cases that can be run with this setup are described on the next page.
