Integrating Wazuh with Shuffle
The Wazuh unified XDR and SIEM platform now has out-of-the-box integration with Shuffle SOAR. Shuffle is a general-purpose security automation platform. The Shuffle integration introduced in Wazuh version 4.4 extends the capabilities of Wazuh by enabling response on any device or technology that Shuffle already integrates with. The user simply needs to add a webhook URI from Shuffle to the Wazuh server configuration, then specify the rule ID, rule group, or alert level of events that Wazuh should forward to Shuffle.
The general steps for performing the integration are described below:
1. Create a workflow on Shuffle and add a webhook trigger.
2. Copy the webhook URI and start the webhook.
3. Edit the Wazuh server configuration file /var/ossec/etc/ossec.conf and add a configuration similar to the following with a Shuffle webhook URI:
<integration> <name>shuffle</name> <hook_url>http://<YOUR_SHUFFLE_URL>/api/v1/hooks/<HOOK_ID></hook_url> <level>3</level> <alert_format>json</alert_format> </integration>
You simply need to add the copied webhook URI in between the <hook_url>.
The example above will forward all alerts of level 3 and above to Shuffle. The highlighted line can be replaced with any of the following:
<rule_id>: To forward a specific alert.<group>: To forward all alerts belonging to a rule group.<event_location>: To forward alerts from a specified event location.
4. Create the complete workflow on Shuffle to configure actions that Shuffle should take on the alerts received.
We show detailed steps on how to create a Shuffle workflow and integrate with Wazuh in the next section.
Generic Wazuh-Shuffle configuration
This section aims to integrate Wazuh and Shuffle and show that Shuffle can receive and process Wazuh alerts.
Requirements
1. A pre-built ready-to-use Wazuh OVA 4.4. Follow this guide to download the virtual machine.
2. A Shuffle SOAR instance. Follow this guide to set up Shuffle in a Docker environment, or try it out with Shuffle Cloud (SaaS).
Shuffle SOAR
Perform the steps below on the Shuffle dashboard to create a new workflow and extract the webhook URI.
1. Create a new workflow on Shuffle titled “Wazuh integration test.”
2. Click on the Triggers tab in the bottom left and drag the Webhook to the workspace.
3. Click on the webhook and rename it to Wazuh alerts. Copy and save the webhook URI because we use it when configuring the Wazuh server. Start the webhook. The webhook URI looks like the following: https://<YOUR_SHUFFLE_URL>/api/v1/hooks/webhook_18cdc939-5e7b-428e-b82f-e1481ffc8fe6.
Wazuh server
Perform the steps below on the Wazuh server to configure Wazuh to send alerts to Shuffle for analysis.
1. Add the following configuration in between the <ossec_config> block of the Wazuh server /var/ossec/etc/ossec.conf file:
<integration> <name>shuffle</name> <hook_url><YOUR_SHUFFLE_URL>/api/v1/hooks/<HOOK_ID></hook_url> <level>3</level> <alert_format>json</alert_format> </integration>
Where:
<name>: This is the name of the integration.<hook_url>: This is the webhook URI copied from the Shuffle webhook. Your Shuffle URL depends on your deployment, for example,http://<SHUFFLE_IP>:3001for a Shuffle on-premise deployment andhttps://shuffler.iofor Shuffle Cloud.<level>: This is used to forward a specific alert level.<alert_format>: This forwards alerts to Shuffle in JSON format.
For more information on available options, check out this guide.
2. Restart the Wazuh manager service to apply changes:
$ sudo systemctl restart wazuh-manager
Shuffle SOAR
1. Click on the Shuffle Tools app named “Change me” and rename it to Receive_Wazuh_alerts. Set the call option to “$exec”, and save the workflow. This Shuffle app now repeats the events that are received by the Wazuh alerts webhook. This allows us to test that Shuffle can receive Wazuh alerts.
2. Click on the show executions button.
3. Select any execution and expand it for details. You should see a Wazuh alert in the output.
Note
You may need to wait for a duration of time for Wazuh alerts to appear in Shuffle. This is dependent on the number of events generated in your environment. To manually trigger alerts, restart the Wazuh manager service on the Wazuh server.
This shows that Wazuh is sending alerts to Shuffle and the integration is successful. The webhook trigger can be configured with other apps to perform various functions in a workflow. To demonstrate this, we show a use case where we use a Shuffle Active Directory application to disable a user account when we detect credential dumping with Wazuh.
Use case: Detecting and responding to Windows SAM credential dumping
The SAM database is a crucial part of a Windows system, holding essential details about user accounts like usernames and password hashes. Accessing this information without authorization can pose a severe risk to the system’s security and its users.
While Active Directory stores user account information, the SAM database is still present on each individual Windows endpoint and holds local account information. Dumping the SAM database from a Windows endpoint can allow attackers to obtain local user account information and escalate privileges or move laterally across the network. In an Active Directory environment, dumping the SAM database is often part of a larger attack campaign targeting a specific system or user account.
In this use case, we show how Wazuh detects SAM credential dumping and triggers a response to disable the Active Directory user account that attempted the dump. The response action to disable the user account is performed with the Shuffle integration. The user account is disabled pending the completion of an investigation to ascertain the impact of such a compromise.
Requirements
In addition to the Wazuh server and the Shuffle SOAR setup, the following requirements are needed to test this use case:
1. Windows Server 2022 acting as a domain controller with Active Directory enabled.
- A Wazuh agent installed on the endpoint and enrolled to the Wazuh server.
- In addition to the in-built user Administrator, create another domain administrator with the username wazuhuser.
2. A Windows 11 endpoint registered to the previously configured Active Directory.
- A Wazuh agent installed on the endpoint and enrolled to the Wazuh server.
- We assume that the threat actor has already gained access to this endpoint via the wazuhuser account.
Windows 11 configuration
1. Download Sysmon from the Microsoft Sysinternals page.
2. Download the Sysmon configuration file: sysmonconfig.xml.
3. Install Sysmon with the downloaded configuration file using PowerShell (as administrator):
.\sysmon64.exe -accepteula -i .\sysmonconfig.xml
4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file to specify the location to collect Sysmon logs:
<localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile>
5. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
Restart-Service -Name wazuh
Configure Shuffle to respond to SAM credential dumping
We create a workflow that disables a user account when Wazuh sends an alert for SAM credential dumping to the Shuffle webhook trigger. The JSON alert event data sent by Wazuh contains the username of the account Shuffle should disable. We configure the workflow to extract the username from the alert event data.
1. Take steps 1 to 3 in the Generic Wazuh-Shuffle configuration section to create a new workflow titled “Registry SAM dump”.
2. Configure the Shuffle tool to extract the username of the account used to dump the SAM from the Wazuh alert. The username of the account performing the SAM dump is in the data.win.eventdata.user field of the Wazuh alert. Therefore we parse the log to extract it.
- Change the name of the tool to
extract_username. - Change the action to Execute bash.
- Enter the following code to the code section:
echo '$exec.all_fields.data.win.eventdata.user' | rev | cut -d'\' -f1 | rev. This is a bash command that filters the string to extract only the username of the account performing the credential dump. This is necessary because the username is usually in the form<DOMAIN_NAME>\\<USERNAME>, and we need only the username.
Note
We recommend that you modify the code to exclude usernames of domain administrator accounts when in production. This will prevent account lockout in case of a breach.
<EXCLUDED_USER> as an example: output=$(echo '$exec.all_fields.data.win.eventdata.user' | rev | cut -d'\' -f1 | rev); if [ "$output" = "<EXCLUDED_USER>" ]; then echo ""; else echo "$output"; fi
Replace <EXCLUDED_USER> with the username of the domain account you wish to exclude.
3. Add an Active Directory app as shown below.
4. In the Active Directory app settings, click AUTHENTICATE ACTIVE DIRECTORY and enter your Active Directory server credentials.
Note
To get the value of base_dn, open PowerShell on the domain controller and run the command Get-ADDomain. Get your value from the UsersContainer field in the output. For example, CN=Users,DC=wazuhtest,DC=local.
Click SUBMIT after filling out the form with the required data.
5. Select Disable user under Find Actions, set the Samaccountname to $extract_username, and save the workflow.
6. Copy the Wazuh alerts webhook URI, and start the trigger if it is not currently running. We configure the Wazuh server to forward relevant alerts to the URI.
Configure the Wazuh server to forward registry SAM dump alerts to Shuffle
Wazuh has an in-built rule 92026 which triggers an alert when a user attempts to dump the SAM database from the registry. Perform the following steps to configure the Wazuh server to send registry SAM dump alerts to Shuffle SOAR for further action.
1. Add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf file. Replace the value of <hook_url> with the webhook URI copied from the Wazuh alerts trigger on the Shuffle dashboard:
<integration> <name>shuffle</name> <hook_url>https://<SHUFFLE_URL>/api/v1/hooks/<HOOK_ID></hook_url> <rule_id>92026</rule_id> <alert_format>json</alert_format> </integration>
2. Restart the Wazuh manager service to apply changes:
$ sudo systemctl restart wazuh-manager
Dump credentials from the SAM database
In this section, we perform the registry SAM dump to test our configuration. We expect that Wazuh will trigger an alert when we dump the SAM database, and Wazuh will also trigger the Shuffle workflow which will disable the user account that performs the action. Take the following steps to dump the SAM database:
1. Run PowerShell as an administrator. Authenticate with the wazuhuser account when prompted to enter credentials.
2. Run the following command to dump the SAM database:
reg save hklm\sam c:\sam
The command dumps the SAM database to the file path c:\sam.
The image below shows alerts on the Wazuh dashboard when the attack is executed on the endpoint. Rule 92026 triggers when we dump the SAM database, and rules 60110 and 60111 trigger when Shuffle disables the user account in response to the dump.
Alerts for rules 60110 and 60111 prove that the workflow executed as expected, and the account is disabled. To further confirm that the account is disabled, go to the Windows Server (domain controller) and open Active Directory Users and Computers. Perform the following steps to verify that the wazuhuser account has been disabled:
1. Open the Users tab.
2. Rick-click on the account that was used to dump the SAM database (wazuhuser in our case) and view its properties.
3. Click on the Account tab to view the account options. The account options show that wazuhuser is now disabled.
Conclusion
In this blog post, we have shown how to configure the Shuffle integration with Wazuh. This out-of-the-box integration introduced in Wazuh 4.4 gives a robust approach to security data analytics, threat detection and response. The generic steps shown are applicable to every use case you want to consider. Once the desired alerts are delivered to Shuffle, the rest is up to the user to design the Shuffle workflow actions according to the playbook. In this case, we have shown a simple workflow that uses the Active Directory app to disable a user account that attempts to dump the SAM database. This use case shows how Wazuh and Shuffle complement each other to improve attack detection and timely response.