Overview
Developed a comprehensive SOAR/SIEM integration platform at Apphaz that automates incident triage, containment, and response workflows, significantly reducing manual effort and improving response times.
Key Achievements
- Designed and deployed SOAR/SIEM playbooks using Wazuh, TheHive, and Shuffle to automate incident triage and containment workflows, reducing escalations by 25% in 3 months
- Integrated CTI feeds with automated response workflows and tuned correlation rules to enhance Red/Purple Team detection capability by 30%
Architecture
```
┌─────────────┐      ┌─────────────┐      ┌─────────────┐
│    Wazuh    │────> │     N8N     │────> │   TheHive   │
│   (SIEM)    │      │   (SOAR)    │      │ (Case Mgmt) │
└─────────────┘      └─────────────┘      └─────────────┘
       │                                         │
       ▼                                         ▼
┌─────────────┐                          ┌─────────────┐
│ Log Sources │                          │  Analysts   │
└─────────────┘                          └─────────────┘
```
Playbooks Developed
1. Malware Detection Response
Automated workflow triggered when Wazuh detects potential malware:
- Extract IOCs from alert
- Enrich with VirusTotal, AbuseIPDB
- Create TheHive case
- Isolate endpoint if high severity
- Notify SOC team
2. Brute Force Detection
```yaml
trigger: wazuh_alert
condition: rule.id == "5710" AND data.srcip != "internal"
actions:
  - enrich_ip:
      service: abuseipdb
      ip: "{{data.srcip}}"
  - block_ip:
      firewall: pfsense
      duration: 24h
  - create_case:
      platform: thehive
      severity: medium
```
3. Phishing Email Analysis
Automated analysis of reported phishing emails including:
- URL extraction and reputation check
- Attachment sandboxing
- Sender verification
- Auto-response to reporter
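The brute force playbook above expressed as a Python custom integration, added here as an illustrative example rather than the platform's own code. It assumes the Wazuh JSON alert shape, reads "internal" in the condition as the RFC 1918 ranges, and uses a dry-run dispatcher in place of the real n8n/Shuffle connectors; the sample alert is constructed.

```python
import ipaddress
import json

# Constructed sample alert in the shape of a Wazuh JSON alert; every value is made up.
SAMPLE_ALERT = json.dumps({
    "rule": {"id": "5710", "level": 5},
    "agent": {"name": "web-01"},
    "data": {"srcip": "203.0.113.45", "dstuser": "admin"},
})

# Assumption: "internal" in the playbook condition means the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(srcip: str) -> str:
    """Return 'internal', 'external' or 'invalid' for the alert's source address."""
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return "invalid"
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def brute_force_actions(alert_json: str) -> list:
    """Evaluate the trigger and return the ordered actions the playbook would dispatch ([] = no match).

    Only a well-formed external source is actionable: an internal host is left to the analyst
    (auto-blocking it could cut off a legitimate system) and a malformed srcip never reaches the firewall.
    """
    alert = json.loads(alert_json)
    rule_id = str(alert.get("rule", {}).get("id", ""))
    srcip = str(alert.get("data", {}).get("srcip", ""))
    if rule_id != "5710" or classify_source(srcip) != "external":
        return []
    host = alert.get("agent", {}).get("name", "unknown-agent")
    return [
        {"action": "enrich_ip", "service": "abuseipdb", "ip": srcip},
        {"action": "block_ip", "firewall": "pfsense", "ip": srcip, "duration": "24h"},
        {"action": "create_case", "platform": "thehive", "severity": "medium",
         "title": f"SSH brute force from {srcip} against {host}"},
    ]


def run_playbook(alert_json: str, dispatch=print) -> int:
    """Hand each action to `dispatch` (a real integration would call the SOAR connectors); returns the count."""
    actions = brute_force_actions(alert_json)
    for act in actions:
        dispatch(json.dumps(act))
    return len(actions)


if __name__ == "__main__":
    run_playbook(SAMPLE_ALERT)
```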
Results
| Metric | Before | After |
|---|---|---|
| MTTR (Mean Time to Respond) | 45 min | 12 min |
| Escalations per week | 40 | 30 |
| Detection accuracy | 70% | 91% |
| Analyst workload | High | Moderate |
Technologies Used
- Wazuh: SIEM and log analysis
- n8n: SOAR workflow automation
- TheHive: Case management
- Shuffle: SOAR orchestration
- MISP: Threat intelligence sharing
- Python: Custom integrations