sample-ioc-playbook.md 2.1KB
Shuffle Sample Workflow: IOC Enrichment and Incident Routing
Use this workflow in Shuffle UI for the SOC flow: Wazuh -> Shuffle -> soc-integrator -> IRIS/PagerDuty
Workflow Name
SOC IOC Enrichment - Sample
Trigger
- App:
Shuffle Tools - Function:
Webhook(or workflow execute API) - Expected input payload example:
{
"ioc_type": "domain",
"ioc_value": "malicious.example",
"source_event": {
"event_id": "evt-123",
"asset": {"hostname": "fw01"},
"network": {"src_ip": "198.51.100.25"}
}
}
Steps
- Parse Input
- Read
ioc_typeandioc_value. Normalize lowercase for domains.
Enrichment (HTTP or app connectors)
Query one or more sources:
- VirusTotal
- AbuseIPDB (for IP)
- OTX / MISP (optional)
Extract fields:
confidence(0.0-1.0)reputation(malicious|suspicious|unknown|benign)evidence(short text)
Decision
If
reputation in [malicious, suspicious]ORconfidence >= 0.7=>matched=trueElse
matched=falseCallback to soc-integrator
HTTP POST to:
http://soc-integrator:8080/mvp/ioc/evaluate
Headers:
Content-Type: application/jsonX-Internal-API-Key: dev-internal-key(replace in production)
Body:
{
"ioc_type": "${ioc_type}",
"ioc_value": "${ioc_value}",
"source_event": {
"event_id": "${source_event.event_id}",
"asset": "${source_event.asset}",
"network": "${source_event.network}",
"shuffle": {
"matched": "${matched}",
"confidence": "${confidence}",
"reputation": "${reputation}",
"evidence": "${evidence}"
}
}
}
- Optional Escalation Branch
- If
matched=trueandconfidence >= 0.9, also call:http://soc-integrator:8080/action/create-incident
Expected Result
- soc-integrator receives IOC evaluation.
- MVP pipeline creates/updates incident.
- IRIS case and PagerDuty stub actions follow your existing policy.
Notes
- Keep final decision in soc-integrator to centralize policy.
- Use Shuffle for enrichment and automation fan-out.
- Rotate API keys before production use.