https://shuffler.io/

Create an account on shuffler.io, then click Workflows > Create workflow.

Drag the Webhook trigger from the Triggers list and attach it to the Change Me node. Click the webhook node and copy the webhook URI shown in the panel at the side of your screen.
Keep that webhook URI handy: we now modify ossec.conf on the Wazuh manager so that it forwards alerts to it.
In an SSH session on the Wazuh manager, open the config with nano /var/ossec/etc/ossec.conf and paste the block below inside <ossec_config>, between the <global> and <alerts> sections, replacing the hook_url value with the webhook URI you copied:
<integration>
  <name>shuffle</name>
  <hook_url>PASTE_YOUR_WEBHOOK_URI_HERE</hook_url>
  <rule_id>100002</rule_id>
  <alert_format>json</alert_format>
</integration>
Save and exit nano: Ctrl+X, then Y, then Enter.

Then restart the Wazuh manager with the command below:

systemctl restart wazuh-manager.service

Back in Shuffle, click Start on the webhook trigger so it listens for incoming events. Because of the <rule_id> setting above, the integration only forwards alerts with rule ID 100002.

Now let's go back to the Windows VM and regenerate the Mimikatz alert from PowerShell.

This triggers the alert, which is sent over to our webhook in Shuffle. Click Explore runs and we can see it there.
We can finally see our data. Expand all_fields to see the full alert, then expand the other fields and check the data.
We also see the TTP (MITRE ATT&CK) information Wazuh attached to the rule, which helps in understanding what Mimikatz is doing.
Seeing all these details confirms that our webhook URI is working.

Let's extend the automation: extract the SHA256 hash from the alert and look it up in VirusTotal.

First remove the Change Me node, then drag Shuffle Tools from the Apps list in the left-hand menu of your screen.

Change the action from Repeat back to me to Regex capture group. In the Regex box enter SHA256=([A-Fa-f0-9]{64}). Sysmon writes both the algorithm name and the hex digest in upper case, so a lower-case pattern such as sha256=([0-9a-f]{64}) will not match anything.
Click Input data > Runtime argument and select hashes (add any other fields you want as well). The node looks in the hashes field, applies the regex to pull out the SHA256 value, and we then pass that value to VirusTotal.
Next we drag in the VirusTotal app and authenticate it, so let's go to the VirusTotal website.

VirusTotal: go to https://www.virustotal.com/gui/home/upload and create an account.

Open your profile menu, select API key, and copy the key.
Paste your API key into the VirusTotal app's authentication dialog in Shuffle.
In the VirusTotal node, set the id value to the output of the Shuffle Tools node (sha256-reg), click Save at the bottom of the page, refresh, and then in the argument picker select only the list entry for group 0 so that just the captured hash is passed.
We can see it is working, and the sha256 node has turned green. Next we drag in TheHive, but before that go to TheHive and create an account.

To link TheHive we need an account and an organization on it, so restart all the TheHive services and log in.

Click the plus button to add a new organization.
After creating it, the organization appears on the dashboard. Click on mydfir to go into it, then click +.
Create a normal user account; we also need a second account to use as a service account.
Click Confirm. When both names appear on the dashboard, select the SOAR (service) account, hover over the eye icon, select Create API key, and don't forget to set a password as well.
In Shuffle, drag in TheHive app and add authentication: paste the API key and enter your TheHive URL, i.e. its IP address with port 9000.
Change the action from Get alert to Create alert and select Advanced. In the description field, remove the text between the quotes, click +, choose Runtime argument and select title. Scroll down and you will see the title details have been added.

Also log in to TheHive with the normal account, mydfir@test.com.

If everything works with VirusTotal you should see an alert like this, but my shuffler.io was crashing when connecting directly to VirusTotal, so I did it a different way: connecting the Shuffle Tools node to an HTTP node and giving it the VirusTotal URL (I include those corrections at the end).
Explore the other details to look more deeply at the rules that produced the alert.

Finally, if you have succeeded up to here, let's move on to the last part, sending an email, and configure that in shuffler.io.


Now let's rerun everything and verify that the automation works end to end. If everything runs smoothly, congratulations! For a beginner this is truly impressive work; great patience and persistence!

Everything worked perfectly!

The alternative version, in case the VirusTotal app does not work directly:

HTTP node (GET), URL: https://www.virustotal.com/api/v3/files/$shuffle_tools_1.group_0.#
Add a request header x-apikey set to your VirusTotal API key; the v3 API rejects requests without it.
Shuffle Tools node (Regex capture group):
Regex: SHA256=([A-Fa-f0-9]{64})
Input data: $exec.text.win.eventdata.hashes
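The Shuffle nodes above are configured by clicking, so here is the same pipeline as a short offline Python walk-through, added to this post (it is not code from the original, nor from Shuffle, Wazuh, VirusTotal or TheHive). It runs the Shuffle Tools regex over a constructed Wazuh webhook payload, showing why the lower-case regex tried first matches nothing against Sysmon's upper-case Hashes field, builds the GET request the HTTP-node variant sends to VirusTotal with the x-apikey header, reads last_analysis_stats from a constructed reply, and builds the alert body posted to TheHive. The sample alert, hash values and VirusTotal reply are constructed; the TheHive field names are those of its /api/v1/alert endpoint.

```python
import re

# The regex the post first tried (lower-case, as typed into the Shuffle node)
# and the corrected one from the end of the post. Sysmon writes the algorithm
# names and the hex digest in upper case, so the first one never matches.
FIRST_ATTEMPT_RE = re.compile(r"sha256=([0-9a-f]{64})")
SHA256_RE = re.compile(r"SHA256=([A-Fa-f0-9]{64})")

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed stand-in for what Wazuh's shuffle integration posts to the
# webhook (the full alert sits under "all_fields"). All hash values are made up.
SAMPLE_SHA256 = "0123456789ABCDEF" * 4
WAZUH_WEBHOOK_PAYLOAD = {
    "rule_id": "100002",
    "title": "Mimikatz detected",
    "all_fields": {
        "rule": {"id": "100002", "level": 15,
                 "mitre": {"id": ["T1003"], "technique": ["OS Credential Dumping"]}},
        "data": {"win": {"eventdata": {
            "image": "C:\\Users\\user\\Downloads\\mimikatz.exe",
            # Sysmon's Hashes field: comma-separated ALGO=HEX pairs
            "hashes": "SHA1=" + "A" * 40 + ",MD5=" + "B" * 32
                      + ",SHA256=" + SAMPLE_SHA256 + ",IMPHASH=" + "C" * 32,
        }}},
    },
}

# Constructed stand-in for a VirusTotal v3 /files/{id} reply, trimmed to the
# field the workflow needs (data.attributes.last_analysis_stats).
VT_SAMPLE_RESPONSE = {
    "data": {"id": SAMPLE_SHA256.lower(), "type": "file",
             "attributes": {"last_analysis_stats": {
                 "malicious": 61, "suspicious": 0, "undetected": 10,
                 "harmless": 0, "timeout": 0, "type-unsupported": 3}}}}


def extract_sha256(hashes: str, pattern: re.Pattern = SHA256_RE):
    """Return the SHA256 from a Sysmon Hashes field (lower-cased), or None."""
    m = pattern.search(hashes)
    return m.group(1).lower() if m else None


def build_vt_request(sha256: str, api_key: str):
    """URL and headers for the HTTP-node variant: GET /api/v3/files/{sha256},
    authenticated with the x-apikey header the v3 API requires."""
    return VT_FILES_URL + sha256, {"x-apikey": api_key, "accept": "application/json"}


def summarize_vt(response: dict) -> dict:
    """Reduce a /files reply to the numbers an analyst reads first."""
    stats = response["data"]["attributes"]["last_analysis_stats"]
    engines = stats["malicious"] + stats["suspicious"] + stats["undetected"] + stats["harmless"]
    return {"malicious": stats["malicious"], "engines": engines,
            "verdict": "malicious" if stats["malicious"] > 0 else "clean"}


def build_thehive_alert(payload: dict, sha256: str, vt: dict) -> dict:
    """Alert body for TheHive's POST /api/v1/alert, titled from the Wazuh alert
    like the Create alert node in the post. sourceRef must be unique per alert,
    so the hash is used; severity is 1=low .. 4=critical."""
    alert = payload["all_fields"]
    return {
        "type": "wazuh", "source": "shuffle", "sourceRef": sha256,
        "title": payload["title"],
        "description": (f"Rule {alert['rule']['id']} (level {alert['rule']['level']}), "
                        f"MITRE {', '.join(alert['rule']['mitre']['id'])}; "
                        f"{alert['data']['win']['eventdata']['image']} "
                        f"VirusTotal: {vt['malicious']}/{vt['engines']} engines flagged it"),
        "severity": 3 if vt["verdict"] == "malicious" else 1,
    }


if __name__ == "__main__":
    hashes = WAZUH_WEBHOOK_PAYLOAD["all_fields"]["data"]["win"]["eventdata"]["hashes"]
    print("first regex:", extract_sha256(hashes, FIRST_ATTEMPT_RE))  # None
    sha = extract_sha256(hashes)
    url, headers = build_vt_request(sha, "YOUR_VT_API_KEY")  # placeholder key
    print(url, headers)
    verdict = summarize_vt(VT_SAMPLE_RESPONSE)
    print(build_thehive_alert(WAZUH_WEBHOOK_PAYLOAD, sha, verdict))
```

Nothing here touches the network: build_vt_request only returns the URL and headers, and summarize_vt reads the constructed reply, so the flow can be checked before any API key is pasted into Shuffle.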

Summary of the tools used

Wazuh

  • Collects and analyzes logs from endpoints to detect threats
  • Generates real-time alerts based on security rules

TheHive

  • Converts alerts into manageable security cases
  • Helps track and investigate incidents efficiently

Shuffle

  • Automates workflows between tools in the SOC
  • Reduces manual effort in alert processing and response

VirusTotal

  • Checks file hashes using multiple antivirus engines
  • Identifies whether files are malicious or safe

Cassandra

  • Stores data for TheHive including cases and alerts
  • Ensures high availability and fast data handling

Windows 11

  • Acts as the endpoint machine in the SOC lab
  • Simulates real-world user activity and attacks

Sysmon

  • Captures detailed system-level events (processes, network activity)
  • Sends enriched logs to Wazuh for better detection

Mimikatz

  • Simulates credential dumping attacks
  • Used to test detection and alerting capabilities

This was a great learning experience, definitely worth the effort!

Finally, the SOC Automation Project is complete! I'm sharing the YouTube tutorial I referred to during the process:

https://www.youtube.com/watch?v=ahrSFdiWzis&t=862s