SOAR: Deploying Shuffle

STASIS
4 min read · Sep 2, 2023

In this guide we will be deploying Shuffle to a virtual machine running Ubuntu 23.04.

What: Shuffle is an open-source Security Orchestration, Automation, and Response (SOAR) platform that lets you collect, enrich, automate, and respond to security events with little to no human interaction required.

Shuffle offers both Cloud and Self-Hosted options. In this guide we will be exploring how to deploy the free, open-source self-hosted option.

More info can be found at https://shuffler.io

Use Cases: SOAR platforms can be used for many things. Below is a short list of use cases that may benefit you.

  • Security event and case enrichment
  • Block IPs, URLs, domains, hashes etc. in your EDR and Firewall solutions
  • Automate cases from start to finish (obviously not all)
  • Malware eradication from host
  • Device quarantine/containment (utilizing EDR APIs that are capable of this)
  • Email header analysis
  • SIEM agent updates
  • Automate reports
  • and more!

Prerequisites: Note that this may change depending on your tech stack. Official requirements can be found here https://shuffler.io/docs/configuration. For this guide we will be using a virtual machine with the following specifications:

  • CPU: 4 Cores
  • Memory: 8GB
  • Disk: 50GB
  • OS: Ubuntu 23.04
  • Software: Docker and Docker Compose (To avoid potential issues please ensure Docker and Compose are installed using “apt” rather than “snap”, as I have personally run into issues deploying Shuffle after installing said apps with snap). This is likely due to apps that are installed using Snap having limited permissions, as they are installed in a sandbox.

Deploying Shuffle

1. In your Ubuntu virtual machine change directory to /opt

cd /opt

2. Clone the Shuffle Github repository then change directories into the newly created Shuffle directory.

git clone https://github.com/Shuffle/Shuffle
cd Shuffle

3. Create a new directory within the same folder for the OpenSearch database, then set the ownership of the folder.

mkdir shuffle-database
sudo chown -R 1000:1000 shuffle-database

If you receive an error add the user first using:

sudo useradd opensearch

4. We are now ready to bring the application online. Note that you may wish to modify the environment variables, though this IS NOT required. This can be done by editing the hidden .env file.

To bring Shuffle up run the following command. This will download the required container images and bring the application online:

docker-compose up -d

5. You are now ready to log into Shuffle. To do so, open your preferred web browser and enter the following URL. Ensure you replace “your-shuffle-server-ip” with your Shuffle server’s IP address.

http://your-shuffle-server-ip:3001

You will then be taken to the setup page, from which you can set up your administrator account.

Once you have set up your account you will be redirected to the regular login page. Log in using the credentials you just set.

6. One final recommendation is to update the built-in Shuffle apps. To do so, select “Apps” from the top navigation bar.

Once you have reached the Apps page you will find the “Activated Apps” section on the right side of the screen.

To download additional apps directly from the Shuffle repository select the Download icon and then click “SUBMIT”.
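As an added example (not from this post or the Shuffle project), the script below bundles the checks a practitioner would want before step 4: that Docker and Compose are not snap installs, that a compose command exists, and that shuffle-database is owned by 1000:1000 as set in step 3. It assumes the checkout is in /opt/Shuffle (override with SHUFFLE_DIR); the function names and the "run" argument are my own.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a self-hosted Shuffle deployment (added example).
# Assumes the repository was cloned to /opt/Shuffle as in the guide.
set -u

SHUFFLE_DIR="${SHUFFLE_DIR:-/opt/Shuffle}"

# Return 0 if a binary path resolves into the snap sandbox (/snap/...),
# which is the install method the guide warns against for Docker/Compose.
path_is_snap() {
  case "$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")" in
    /snap/*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Return 0 if the directory exists and is owned by the expected uid:gid
# (the OpenSearch container writes to shuffle-database as 1000:1000).
dir_owned_by() {
  local dir="$1" want="$2"
  [ -d "$dir" ] || return 1
  [ "$(stat -c '%u:%g' "$dir")" = "$want" ]
}

# Return 0 if either standalone docker-compose or the compose plugin works.
have_compose() {
  command -v docker-compose >/dev/null 2>&1 && return 0
  docker compose version >/dev/null 2>&1
}

# Run every check, print one line per problem, return non-zero on any failure.
preflight() {
  local rc=0 bin
  for bin in docker docker-compose; do
    if command -v "$bin" >/dev/null 2>&1 && path_is_snap "$(command -v "$bin")"; then
      echo "WARN: $bin is installed via snap; reinstall it with apt"; rc=1
    fi
  done
  have_compose || { echo "FAIL: neither docker-compose nor docker compose found"; rc=1; }
  dir_owned_by "$SHUFFLE_DIR/shuffle-database" 1000:1000 \
    || { echo "FAIL: $SHUFFLE_DIR/shuffle-database missing or not owned by 1000:1000"; rc=1; }
  [ -f "$SHUFFLE_DIR/.env" ] || { echo "FAIL: $SHUFFLE_DIR/.env not found"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: ready for docker-compose up -d in $SHUFFLE_DIR"
  return "$rc"
}

# Checks only execute when the script is invoked with the "run" argument.
case "${1:-}" in run) preflight ;; esac
```

Invoke it as `bash shuffle-preflight.sh run` from the Shuffle VM; a non-zero exit means at least one line above needs fixing before docker-compose up.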

You have now successfully deployed Shuffle! If you want to learn more about Shuffle and how to use it check out https://medium.com/shuffle-automation

I will also be providing guides on how to automate specific workloads using Shuffle in the near future. Stay tuned!

About the Author: STASIS is a Security professional with over 13 years in the Tech industry. He is passionate about security and finding ways to make teams more efficient. When not defending against threat actors he enjoys mentoring others, writing music and spending time with his loved ones.
