T-Guard Official Documentation

Integration Steps


Last updated 3 months ago

Step 7: Integration IRIS and Wazuh

Execute step 7.

The installer will prompt for the IRIS API key. To get it, go to the IRIS page and select the Administrator profile > My Settings. The API key is shown as illustrated in Figure 11.

Copy and paste it into the installer prompt. Wait until the process finishes.

Then verify the integration by selecting the Alert menu in the left panel of IRIS. It should still show "0 Alert".

To trigger an alert, execute step 14 (Brute Force Use Case). Then refresh the page; the first alert should appear as illustrated in Figure 12.

Step 8: Integration MISP and Wazuh

Execute step 8 and wait until it finishes.

Step 9: Integration VirusTotal and Wazuh

Execute step 9.

The installer will prompt for the VirusTotal API key. If you do not yet have a VirusTotal account, create one first. If you already have one, log in to VirusTotal, click your profile name, and select API Key.

Copy and paste it into the installer prompt. Wait until the process finishes.

Step 10: Integration Shuffle, Wazuh, and IRIS

In your browser, go to your Shuffle instance (http://<ip>:3001).

Select Workflow > New Workflow.

Enter your workflow name, then select Done.

Select the Shuffle icon in the middle panel; the configuration panel appears on the right. Change the "Call" parameter to $exec (the data received by the trigger), then click the Save button, as illustrated in Figure 13.

Next, in the left panel, select the Trigger tab and drag the Webhook to the middle panel as illustrated in Figure 14.

The Webhook module will serve as the alert/event feed from Wazuh.

To integrate the Webhook with Wazuh, click the Webhook module. In the right panel, copy the "Webhook URI" parameter and click the Start button, as illustrated in Figure 15.

Go back to the installer and execute step 10.

It will ask for the Shuffle Hook URL; paste the Webhook URI. Wait until the process finishes.

Look at Shuffle in the browser and click the Show Executions button (the running-person icon). It shows All Workflow Runs; select one of them. Shuffle has already received the alert from Wazuh, as illustrated in Figure 16.

Next, in the left panel, select the Apps tab and type "IRIS" in the Search Active Apps bar. Click the IRIS module (not IRIS V2) and wait until IRIS v2 appears. Then drag it to the middle panel as illustrated in Figure 17.

Click the IRIS module, then fill in the following parameters (Figure 18):

  • Find Actions: Add a new case

  • Apikey: (insert your IRIS API Key)

  • Url: (your IRIS url)

Next, scroll down to the Body parameter and click the Expand Window button. Replace the body content with the following (Figure 19). The body must be valid JSON, so there is no trailing comma after the last field; $change_me.title takes the alert title from the output of the Shuffle node (change_me is its default node name; if you renamed it, use that name instead):

{
  "case_customer": "1",
  "case_description": "Test from Shuffle",
  "case_name": "$change_me.title",
  "case_soc_id": "123"
}

Then click the Try It button at the top right. Wait until the result appears at the bottom, then click the Submit button at the bottom right.

Then click the Save button.

Go to the Show Executions button again, then click the Refresh button as illustrated in Figure 20.

The IRIS process should now be present. Inside the IRIS module, the Status value should be 200, meaning the automated ticket creation succeeded, as illustrated in Figure 21.

You can also check in the IRIS page (https://<your_ip>:8443): select the Manage Case tab in the left panel, and the ticket created from Shuffle should be listed (Figure 22).

Several use cases are available; they are described on the next page.
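As an added example (not part of the T-Guard documentation, Shuffle, or DFIR-IRIS), the following Python script does outside Shuffle what the IRIS module above does: it maps a constructed Wazuh webhook alert to the case body shown above and checks for the HTTP 200 the page expects. The alert shape, the IRIS endpoint /manage/cases/add with Bearer authentication, and the IRIS_URL and IRIS_API_KEY environment variables are assumptions.

```python
import json
import os
import urllib.request

# Constructed sample alert, shaped like what Wazuh's Shuffle integration posts
# to the webhook (shape assumed from that integration script; values made up).
SAMPLE_ALERT = {
    "severity": 2,
    "title": "sshd: brute force trying to get access to the system.",
    "text": "Mar  1 10:00:01 agent01 sshd[1234]: Failed password for invalid user admin",
    "rule_id": "5712",
    "timestamp": "2024-03-01T10:00:01.000+0000",
    "all_fields": {"agent": {"name": "agent01"}, "rule": {"level": 10}},
}

def build_iris_case(alert, customer_id="1", soc_id="123"):
    """Map a webhook alert to the IRIS 'Add a new case' body used on this page."""
    title = (alert.get("title") or "").strip()
    if not title:
        raise ValueError("alert has no title; refusing to open an untitled case")
    fields = alert.get("all_fields", {})
    agent = fields.get("agent", {}).get("name", "unknown")
    level = fields.get("rule", {}).get("level", "?")
    return {
        "case_customer": customer_id,
        "case_description": (f"Wazuh rule {alert.get('rule_id', '?')} (level {level}) "
                             f"on {agent}: {alert.get('text', '')}")[:2000],
        "case_name": title[:200],  # what $change_me.title resolves to in Shuffle
        "case_soc_id": soc_id,
    }

def ticket_created(status_code):
    return status_code == 200  # the page expects Status 200 from the IRIS module

def post_case(iris_url, api_key, body):
    """POST the case to IRIS; endpoint and Bearer auth are assumed from the IRIS API."""
    req = urllib.request.Request(
        iris_url.rstrip("/") + "/manage/cases/add",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:  # trusted CA cert assumed
        return resp.status, json.loads(resp.read())

if __name__ == "__main__":
    # The API key is read from the environment rather than hard-coded.
    case = build_iris_case(SAMPLE_ALERT)
    status, _ = post_case(os.environ["IRIS_URL"], os.environ["IRIS_API_KEY"], case)
    print("ticket created" if ticket_created(status) else f"IRIS returned HTTP {status}")
```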

Figure 11. IRIS API Key
Figure 12. Triggered Alert Appear in IRIS Alert Page
Figure 13. Shuffle Module Configuration
Figure 14. Deploy Webhook Module
Figure 15. Start Webhook Module
Figure 16. Wazuh Alert in Shuffle
Figure 17. Deploy IRIS Module
Figure 18. IRIS Parameters
Figure 19. IRIS Body Parameter
Figure 20. Re-run Button
Figure 21. Automation of IRIS Ticket Creation
Figure 22. Ticket Created from Shuffle