bareeraahmed/soc-automation-playbooks
# Automated SOC Playbooks — n8n · Wazuh · pfSense
Automated incident response playbooks that connect Wazuh SIEM alerts to n8n workflow automation and pfSense firewall actions — eliminating manual triage for common threat scenarios and enabling real-time, event-driven response.
## What I Built
Installed and configured a full Wazuh deployment from scratch — set up the Wazuh Manager, enrolled agents, and wrote custom detection rules targeting brute force attempts, privilege escalation patterns, and suspicious process execution. Tuned alert thresholds to reduce noise while maintaining detection fidelity.
On the automation side, built n8n workflows triggered directly by Wazuh webhooks. When a rule fires above a defined severity threshold, n8n picks up the alert payload, parses the relevant fields, and executes the appropriate playbook — no human needed in the loop for covered scenarios.
Integrated pfSense as the enforcement layer. Depending on the playbook, n8n pushes firewall rule changes to pfSense via its API — automatically blocking offending IPs, isolating segments, or triggering alerts to a notification channel.
Playbooks implemented:

- Brute force detection → automatic source IP block via pfSense + alert notification
- Repeated authentication failure across multiple accounts → account lockout trigger + SOC notification
- Suspicious PowerShell execution on endpoint → process alert escalation with full context passed downstream
- High-severity Wazuh rule breach → automated ticket creation + evidence packaging for analyst handoff
## Architecture

```text
Wazuh Agent (endpoint)
        │
        ▼
Wazuh Manager (detects, fires alert)
        │
        ▼ webhook
n8n Workflow Engine (parses alert, decides playbook)
        │
   ┌────┴────┐
   ▼         ▼
pfSense    Notification
(block IP) (Slack / Email)
```
## Prerequisites

- Ubuntu 20.04 / 22.04 server (Wazuh Manager)
- Wazuh 4.x (Manager + at least one Agent)
- n8n (self-hosted via Docker or Node.js)
- pfSense 2.6+ with API package installed
- Minimum 4GB RAM for Wazuh Manager node
## Installation & Setup

### 1. Wazuh Manager

Install Wazuh using the official assistant script:

```bash
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a
```

Once installed, verify the manager is running:

```bash
sudo systemctl status wazuh-manager
```
### 2. Deploy Wazuh Agent (on endpoint to monitor)

On the target machine:

```bash
curl -sO https://packages.wazuh.com/4.7/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb
```

Set your manager IP in /var/ossec/etc/ossec.conf:

```xml
<client>
  <server>
    <!-- IP or hostname of the Wazuh Manager this agent reports to -->
    <address>YOUR_MANAGER_IP</address>
  </server>
</client>
```

Start the agent:

```bash
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
### 3. Load Custom Detection Rules

Copy the custom rules from this repo into Wazuh's local rules file:

```bash
sudo cp rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml
sudo systemctl restart wazuh-manager
```
Rules are documented inline — each rule includes a comment explaining what it detects and why the threshold is set where it is.
### 4. Configure Wazuh Webhook Integration

Add the following to /var/ossec/etc/ossec.conf to push alerts to n8n:

```xml
<integration>
  <!-- Wazuh runs custom integrations by name from /var/ossec/integrations/;
       the name must carry the custom- prefix -->
  <name>custom-webhook</name>
  <hook_url>http://YOUR_N8N_IP:5678/webhook/wazuh-alerts</hook_url>
  <!-- only alerts at rule level 7 or above are forwarded -->
  <level>7</level>
  <alert_format>json</alert_format>
</integration>
```

Restart the manager after saving.
### 5. Self-Host n8n

Using Docker:

```bash
docker run -it --rm \
  --name n8n \
  -p 5678:5678 \
  -v ~/.n8n:/home/node/.n8n \
  n8nio/n8n
```
Access the n8n editor at http://localhost:5678.
### 6. Import Playbook Workflows

In n8n, go to Settings → Import from File and import the workflow JSON files from the /workflows directory in this repo. Each file is a self-contained playbook.

Update the following credential fields inside each workflow before activating:

- pfSense API URL and key
- Notification channel webhook (Slack/email SMTP)
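The "parses alert, decides playbook" step described under What I Built, written as an n8n Code node. This is an added illustration, not a workflow from the repo: field names follow Wazuh's alert JSON (rule.id, rule.level, rule.groups, agent.name, data.srcip), while the group name "powershell" and the level-12 ticketing cut-off are assumptions rather than values taken from the repo's rules.

```javascript
// Added example, not code from the repo: the "parse alert, decide playbook" step
// as an n8n Code node (JavaScript). Field names follow Wazuh's alert JSON
// (rule.id, rule.level, rule.groups, agent.name, data.srcip); the "powershell"
// group and the level-12 ticketing cut-off are assumptions, not repo values.
const WEBHOOK_MIN_LEVEL = 7; // same value as <level>7</level> in the integration block

// Refuse to push a pfSense block for loopback, link-local or RFC1918 addresses:
// a localhost test like the one in "Testing a Playbook" would otherwise block 127.0.0.1.
function isBlockableIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return false;
  const [a, b] = o;
  if (a === 10 || a === 127 || (a === 169 && b === 254)) return false;
  if (a === 172 && b >= 16 && b <= 31) return false;
  if (a === 192 && b === 168) return false;
  return true;
}

// Map one Wazuh alert to the playbook and enforcement action n8n should run.
function choosePlaybook(alert) {
  const rule = alert.rule || {};
  const groups = rule.groups || [];
  const level = Number(rule.level) || 0;
  const srcip = (alert.data || {}).srcip;
  const base = { ruleId: rule.id, level, agent: (alert.agent || {}).name, srcip };
  if (level < WEBHOOK_MIN_LEVEL) return { ...base, playbook: "ignore", action: "none" };
  if (groups.includes("authentication_failures") && srcip) {
    return isBlockableIp(srcip)
      ? { ...base, playbook: "brute-force-block", action: "pfsense_block" }
      : { ...base, playbook: "brute-force-block", action: "notify_only", reason: "non-routable srcip" };
  }
  if (groups.includes("powershell")) return { ...base, playbook: "powershell-alert", action: "escalate" };
  if (level >= 12) return { ...base, playbook: "high-severity-ticket", action: "ticket" };
  return { ...base, playbook: "notify", action: "notify_only" };
}

// n8n Code node convention: items arrive as [{ json }, ...] and leave the same way.
function decide(items) {
  return items.map((item) => ({ json: choosePlaybook(item.json) }));
}

// Constructed sample alert in Wazuh JSON shape (not a real capture).
const SAMPLE_ALERT = {
  rule: { id: "5712", level: 10, groups: ["syslog", "sshd", "authentication_failures"] },
  agent: { name: "web-01" },
  data: { srcip: "203.0.113.45" },
};
```

Wire the output into an IF/Switch node keyed on `json.action`, so the pfSense node only runs for `pfsense_block`.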
### 7. Configure pfSense API
Install the pfSense API package from the pfSense package manager, then generate an API key under System → API. Add these values to the n8n pfSense nodes in each workflow.
## Repo Structure

```text
/
├── rules/
│   └── local_rules.xml            # Custom Wazuh detection rules
├── workflows/
│   ├── brute-force-block.json
│   ├── auth-failure-escalation.json
│   ├── powershell-alert.json
│   └── high-severity-ticket.json
├── docs/
│   └── architecture.md            # Detailed design decisions
└── README.md
```
## Testing a Playbook

To trigger the brute force playbook manually and verify the pipeline works end to end:

```bash
# Simulate repeated failed SSH logins on a monitored agent.
# BatchMode=yes makes each attempt fail without waiting for a password prompt,
# so the loop runs unattended; sshd still logs the invalid-user attempt.
for i in {1..10}; do ssh -o BatchMode=yes -o StrictHostKeyChecking=no invaliduser@localhost; done
```
Watch n8n's execution log — you should see the webhook fire, the workflow execute, and the pfSense block rule appear within seconds.
## Why This Matters
Manual alert triage is one of the biggest bottlenecks in security operations. This project demonstrates how SOAR principles can be applied at low cost using open-source tooling — the same architectural pattern used in enterprise platforms like Splunk SOAR and Microsoft Sentinel, without the licensing cost.
## Role & Contribution
Sole implementer. Responsible for the full stack: Wazuh installation and agent deployment, custom rule authoring, n8n workflow design and webhook configuration, pfSense API integration, and end-to-end testing of all four playbooks.