Project HomeLab Advanced

Incident Response Automation in the Home Lab

Jason J. Boderebe
3 min tutorial
#homelab #incident-response #automation #soar #security

Building on your Suricata deployment, this step guides you through automating incident response using open-source SOAR (Security Orchestration, Automation, and Response) platforms. You’ll learn how to trigger automated actions based on Suricata alerts, integrate with SIEM, and streamline your response workflows.

Prerequisites

What is SOAR?

SOAR platforms automate security operations by integrating detection, analysis, and response workflows. They:

  • Ingest alerts from IDS/IPS, SIEM, and other sources
  • Trigger playbooks for investigation and containment
  • Integrate with ticketing, notification, and remediation tools

Popular open-source SOAR tools include TheHive, Shuffle, and Cortex.

Lab Architecture

[Suricata] → [SIEM/Log Server] → [SOAR Platform] → [Response Actions]

Step 1: Deploying an Open-Source SOAR Platform

Option A: TheHive

Installation (Docker)

git clone https://github.com/TheHive-Project/TheHive-Docker.git
cd TheHive-Docker
docker compose up -d
  • Access TheHive UI at http://localhost:9000

Option B: Shuffle

Installation (Docker)

git clone https://github.com/frikky/shuffle.git
cd shuffle/docker
docker compose up -d
  • Access Shuffle UI at http://localhost:3001

Step 2: Integrating Suricata Alerts

ELK Integration Example

  • Configure Filebeat to forward Suricata alerts to Elasticsearch
  • Use Logstash to parse and forward critical alerts to SOAR via webhook or API

Logstash Output Example

output {
  http {
    url => "http://SOAR_SERVER:9000/api/alert"
    http_method => "post"
    format => "json"
  }
}
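Whatever forwards the alerts (Logstash's http output as above, or a small script on the sensor), the SOAR side usually wants a normalized alert body rather than a raw Suricata EVE record. The following is an added example, not code from this tutorial, Suricata or TheHive: it reads EVE JSON lines, keeps only alert events at or above a chosen Suricata severity, de-duplicates them by a stable reference, and builds a TheHive 4-style alert payload (the field names title, sourceRef, severity, artifacts and the inverted severity scale are assumptions to adjust for your SOAR's API). The sample EVE lines are constructed for the example.

```python
"""Normalize Suricata EVE alert records into SOAR alert payloads (added example).

Assumptions: EVE JSON lines as written by Suricata's eve-log output, and a
TheHive 4-style alert body (title, description, type, source, sourceRef,
severity, tags, artifacts). Adjust to_soar_alert() for another SOAR API.
"""
import json

# Constructed sample EVE lines: two SSH-scan alerts from one source, a flow
# record that is not an alert, and a low-severity alert that should be dropped.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-05-01T10:00:01.000000+0000", "flow_id": 1001, "event_type": "alert",
                "src_ip": "203.0.113.45", "src_port": 51000, "dest_ip": "192.168.1.100", "dest_port": 22,
                "proto": "TCP", "alert": {"signature_id": 2001219, "rev": 20, "signature": "ET SCAN Potential SSH Scan",
                                          "category": "Attempted Information Leak", "severity": 2}}),
    json.dumps({"timestamp": "2024-05-01T10:00:05.000000+0000", "flow_id": 1002, "event_type": "alert",
                "src_ip": "203.0.113.45", "src_port": 51001, "dest_ip": "192.168.1.100", "dest_port": 22,
                "proto": "TCP", "alert": {"signature_id": 2001219, "rev": 20, "signature": "ET SCAN Potential SSH Scan",
                                          "category": "Attempted Information Leak", "severity": 2}}),
    json.dumps({"timestamp": "2024-05-01T10:00:09.000000+0000", "flow_id": 1003, "event_type": "flow",
                "src_ip": "192.168.1.50", "dest_ip": "192.168.1.1", "proto": "UDP"}),
    json.dumps({"timestamp": "2024-05-01T10:00:12.000000+0000", "flow_id": 1004, "event_type": "alert",
                "src_ip": "192.168.1.50", "src_port": 40000, "dest_ip": "192.168.1.1", "dest_port": 53,
                "proto": "UDP", "alert": {"signature_id": 2100000, "rev": 1, "signature": "GPL DNS informational",
                                          "category": "Not Suspicious Traffic", "severity": 3}}),
]

# Suricata severity: 1 = high ... 4 = informational. TheHive severity runs the
# other way (1 = low ... 4 = critical), so the scale must be inverted.
SURICATA_TO_THEHIVE_SEVERITY = {1: 4, 2: 3, 3: 2, 4: 1}


def parse_eve_alerts(lines, max_severity=2):
    """Return alert events whose Suricata severity is <= max_severity (1 is worst).
    Malformed lines and non-alert event types are skipped instead of raising,
    because one bad line must not stall the whole forwarding pipeline."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        if event.get("alert", {}).get("severity", 4) <= max_severity:
            alerts.append(event)
    return alerts


def to_soar_alert(event):
    """Map one EVE alert event to a TheHive-style alert body (assumed field names)."""
    a = event["alert"]
    return {
        "title": f"[Suricata] {a['signature']} from {event['src_ip']}",
        "description": (f"{a['category']} ({event['proto']} {event['src_ip']}:{event.get('src_port')}"
                        f" -> {event['dest_ip']}:{event.get('dest_port')}) at {event['timestamp']}"),
        "type": "suricata-alert",
        "source": "suricata",
        # sourceRef must be unique per alert: signature id + flow id is stable,
        # so a line that is forwarded twice does not open a second case.
        "sourceRef": f"{a['signature_id']}-{event['flow_id']}",
        "severity": SURICATA_TO_THEHIVE_SEVERITY.get(a.get("severity", 4), 1),
        "tags": ["suricata", f"sid:{a['signature_id']}", a["category"]],
        "artifacts": [
            {"dataType": "ip", "data": event["src_ip"], "tags": ["attacker"]},
            {"dataType": "ip", "data": event["dest_ip"], "tags": ["victim"]},
        ],
    }


def eve_to_soar(lines, max_severity=2):
    """Parse, filter and de-duplicate by sourceRef, returning payloads in input order."""
    seen = set()
    payloads = []
    for event in parse_eve_alerts(lines, max_severity):
        payload = to_soar_alert(event)
        if payload["sourceRef"] in seen:
            continue
        seen.add(payload["sourceRef"])
        payloads.append(payload)
    return payloads


if __name__ == "__main__":
    # In production each payload would be POSTed to the SOAR webhook over HTTPS
    # with an API key in the Authorization header; omitted so this runs offline.
    for p in eve_to_soar(SAMPLE_EVE_LINES):
        print(json.dumps(p, indent=2))
```

The severity filter is what keeps the SOAR from drowning in informational hits; tune max_severity to the noise level of your rule set, and keep the de-duplication key stable across restarts of the forwarder so re-shipped log files do not recreate closed cases.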

Splunk Integration Example

  • Use Splunk alert actions to trigger SOAR playbooks via webhook

Step 3: Building Automated Playbooks

Example Playbook: SSH Brute Force Response

  1. Trigger: Suricata alert for multiple failed SSH logins
  2. Enrichment: Query SIEM for related events
  3. Containment: Block offending IP on pfSense firewall
  4. Notification: Send alert to Slack/Email
  5. Documentation: Create case in TheHive

Shuffle Workflow Example

  • Use built-in blocks for HTTP requests, Slack notifications, and firewall API calls

Step 4: Response Actions

Automated Firewall Blocking

# pfSense API example (using pfSense-py)
# Note: a password given on the command line ends up in shell history and process
# listings; in a real playbook read the credential from the SOAR's secret store.
pfsense_api block_ip --host 192.168.1.1 --user admin --password secret --block-ip 203.0.113.45

Ticketing and Notification

  • Integrate with Jira, ServiceNow, or email for incident tracking

Step 5: Testing and Validation

Simulate an Attack

# Generate SSH brute force traffic
hydra -l root -P passwords.txt ssh://192.168.1.100
  • Verify Suricata generates alert
  • Confirm SOAR playbook triggers and blocks IP
  • Check notifications and case creation

Security Best Practices

Implement these best practices to keep your automated response environment secure:

  • Limit SOAR platform access to trusted users
  • Use API keys and HTTPS for integrations
  • Regularly review and update playbooks
  • Secure log file access and rotate logs
  • Test automation in a safe lab environment

Maintenance Tasks

Keep your setup reliable and up-to-date with regular maintenance:

  • Weekly rule and playbook updates
  • Monthly performance and integration reviews
  • Quarterly incident response drills
  • Annual SOAR platform upgrades and documentation refresh

Conclusion

Continue your home lab journey with Part 5: Network Forensics and Full Packet Capture