# Shuffle Sample Workflow: IOC Enrichment and Incident Routing

Use this workflow in the Shuffle UI for the SOC flow:

Wazuh -> Shuffle -> soc-integrator -> IRIS/PagerDuty

## Workflow Name

`SOC IOC Enrichment - Sample`

## Trigger

- App: `Shuffle Tools`
- Function: `Webhook` (or the workflow execute API)
- Expected input payload example:

```json
{
  "ioc_type": "domain",
  "ioc_value": "malicious.example",
  "source_event": {
    "event_id": "evt-123",
    "asset": {"hostname": "fw01"},
    "network": {"src_ip": "198.51.100.25"}
  }
}
```

## Steps

1. Parse Input
   - Read `ioc_type` and `ioc_value`.
   - Normalize domains to lowercase and strip any trailing dot; validate IP values before they reach an enrichment API.
2. Enrichment (HTTP or app connectors)
   - Query one or more sources:
     - VirusTotal
     - AbuseIPDB (for IPs only)
     - OTX / MISP (optional)
   - Extract fields:
     - `confidence` (0.0-1.0): how strongly the sources indicate the IOC is malicious, not how sure they are of whatever verdict they gave. A confident `benign` answer must map to a low value, otherwise the `confidence >= 0.7` branch in step 3 matches it.
     - `reputation` (`malicious|suspicious|unknown|benign`)
     - `evidence` (short text)
3. Decision
   - If `reputation in [malicious, suspicious]` OR `confidence >= 0.7` => `matched=true`
   - Else `matched=false`
4. Callback to soc-integrator
   - HTTP POST to `http://soc-integrator:8080/mvp/ioc/evaluate`
   - Headers:
     - `Content-Type: application/json`
     - `X-Internal-API-Key: dev-internal-key` (replace in production, and keep the real key in Shuffle's authentication store rather than in the workflow definition)
   - Body. `${...}` marks values substituted from earlier nodes. `matched` and `confidence` are left unquoted so they arrive as a JSON boolean and number, and `asset` and `network` are unquoted because they are objects in the trigger payload; quoting them would either stringify them or produce invalid JSON.

   ```json
   {
     "ioc_type": "${ioc_type}",
     "ioc_value": "${ioc_value}",
     "source_event": {
       "event_id": "${source_event.event_id}",
       "asset": ${source_event.asset},
       "network": ${source_event.network},
       "shuffle": {
         "matched": ${matched},
         "confidence": ${confidence},
         "reputation": "${reputation}",
         "evidence": "${evidence}"
       }
     }
   }
   ```

5. Optional Escalation Branch
   - If `matched=true` and `confidence >= 0.9`, also call:
     - `http://soc-integrator:8080/action/create-incident`

## Expected Result

- soc-integrator receives the IOC evaluation.
- The MVP pipeline creates or updates an incident.
- IRIS case and PagerDuty stub actions follow your existing policy.

## Notes

- Keep the final decision in soc-integrator to centralize policy.
- Use Shuffle for enrichment and automation fan-out.
- Rotate API keys before production use.
- The callback is plain HTTP to an internal hostname and carries the API key in a header, so soc-integrator must only be reachable from the Shuffle network, or put TLS in front of it.
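The five steps above, modelled as plain Python so the normalization, decision rule and callback payload can be checked offline before wiring them into Shuffle nodes. This is an added example, not code from the workflow, from Shuffle or from soc-integrator. The webhook payload and the per-source verdicts are constructed, and the rule for combining several sources (worst reputation wins; confidence is the highest score from any source that did not call the IOC benign) is an assumption this example makes, not something the workflow specifies. Hostnames and paths are the ones on the page.

```python
"""Offline model of steps 1-5 of the sample workflow (added example, not
Shuffle or soc-integrator code). Verdicts are constructed; the combination
rule in summarize_enrichment is an assumption."""
import ipaddress
import json
from typing import Any, Dict, List, Optional, Tuple

MATCH_THRESHOLD = 0.7      # step 3
ESCALATE_THRESHOLD = 0.9   # step 5
INTEGRATOR = "http://soc-integrator:8080"   # hostname from the page
REPUTATION_RANK = {"malicious": 3, "suspicious": 2, "benign": 1, "unknown": 0}


def parse_input(payload: Dict[str, Any]) -> Tuple[str, str]:
    """Step 1: domains are lower-cased and lose a trailing dot so the same
    indicator is not enriched twice; IPs are validated so junk never reaches
    the enrichment APIs."""
    ioc_type = str(payload["ioc_type"]).strip().lower()
    ioc_value = str(payload["ioc_value"]).strip()
    if ioc_type == "domain":
        ioc_value = ioc_value.lower().rstrip(".")
    elif ioc_type == "ip":
        ioc_value = str(ipaddress.ip_address(ioc_value))  # ValueError on malformed input
    else:
        raise ValueError(f"unsupported ioc_type: {ioc_type!r}")
    return ioc_type, ioc_value


def summarize_enrichment(results: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Step 2: reduce per-source verdicts to confidence/reputation/evidence.
    Each result has source, reputation, confidence (score that the IOC is
    malicious) and evidence. Assumed rule: worst reputation wins, and a
    'benign' source contributes nothing to confidence, so a confident benign
    answer cannot trip the confidence >= 0.7 branch of step 3."""
    if not results:
        return {"confidence": 0.0, "reputation": "unknown", "evidence": "no enrichment data"}
    worst = max(results, key=lambda r: REPUTATION_RANK.get(r["reputation"], 0))
    bad_scores = [float(r["confidence"]) for r in results if r["reputation"] != "benign"]
    confidence = round(max(bad_scores), 2) if bad_scores else 0.0
    evidence = "; ".join(f"{r['source']}: {r['evidence']}" for r in results)
    return {"confidence": confidence, "reputation": worst["reputation"], "evidence": evidence}


def decide(enrichment: Dict[str, Any]) -> bool:
    """Step 3: matched if the reputation is bad or the confidence is high."""
    return (enrichment["reputation"] in ("malicious", "suspicious")
            or enrichment["confidence"] >= MATCH_THRESHOLD)


def build_callback(payload, ioc_type, ioc_value, enrichment, matched, api_key):
    """Step 4: the POST to /mvp/ioc/evaluate. matched/confidence are real JSON
    types and asset/network are passed through as objects, not stringified."""
    src = payload.get("source_event", {})
    body = {
        "ioc_type": ioc_type,
        "ioc_value": ioc_value,
        "source_event": {
            "event_id": src.get("event_id"),
            "asset": src.get("asset", {}),
            "network": src.get("network", {}),
            "shuffle": {"matched": matched, **enrichment},
        },
    }
    return {"url": f"{INTEGRATOR}/mvp/ioc/evaluate",
            "headers": {"Content-Type": "application/json", "X-Internal-API-Key": api_key},
            "body": body}


def escalation_url(matched: bool, confidence: float) -> Optional[str]:
    """Step 5: only high-confidence matches also create an incident."""
    if matched and confidence >= ESCALATE_THRESHOLD:
        return f"{INTEGRATOR}/action/create-incident"
    return None


def run_workflow(payload, results, api_key="dev-internal-key"):
    """Run steps 1-5 and return what the HTTP nodes would send (no network I/O)."""
    ioc_type, ioc_value = parse_input(payload)
    enrichment = summarize_enrichment(results)
    matched = decide(enrichment)
    return {"callback": build_callback(payload, ioc_type, ioc_value, enrichment, matched, api_key),
            "escalate": escalation_url(matched, enrichment["confidence"])}


# Constructed sample webhook payload and enrichment verdicts (not real API output).
SAMPLE_EVENT = {
    "ioc_type": "domain",
    "ioc_value": "Malicious.Example.",
    "source_event": {"event_id": "evt-123", "asset": {"hostname": "fw01"},
                     "network": {"src_ip": "198.51.100.25"}},
}
SAMPLE_RESULTS = [
    {"source": "VirusTotal", "reputation": "malicious", "confidence": 0.92,
     "evidence": "31 of 70 engines flag the domain"},
    {"source": "OTX", "reputation": "suspicious", "confidence": 0.60,
     "evidence": "listed in 2 pulses"},
]

if __name__ == "__main__":
    print(json.dumps(run_workflow(SAMPLE_EVENT, SAMPLE_RESULTS), indent=2))
```

Running it prints the callback the step 4 node would send (with `matched: true` as a boolean and the nested `asset` object intact) and the create-incident URL, because the sample verdict is malicious at 0.92. Swapping the verdict for a confident `benign` result yields `matched: false` and no escalation, which is the case the confidence definition in step 2 has to get right.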