Nmosi Chinecherem

I Built a Production SOC Pipeline That Caught Real Hackers in 3 Minutes

How I went from zero to a full threat detection and response system using OpenCanary, Wazuh, Shuffle, and TheHive — and what happened when I turned it on.

The Problem I Was Trying to Solve
I've been studying cybersecurity for years, reading about SOC pipelines, SIEM platforms, and incident response workflows. But there's a massive gap between reading about something and actually building it.
I wanted to build a real Security Operations Centre pipeline — not a lab with simulated attacks, but something that would face the actual internet and catch real threats. Something I could point to and say: "I built this, it works, and here's the proof."
So I built one.

What I Built
A complete, end-to-end SOC pipeline consisting of four components working together:
Internet → OpenCanary Honeypot → Wazuh SIEM → Shuffle SOAR → TheHive IR
OpenCanary — A honeypot that pretends to be a vulnerable server, running fake SSH, FTP, HTTP, and Telnet services. Attackers think they've found a real target.
Wazuh — A SIEM that collects logs from the honeypot, applies custom detection rules, and fires high-priority alerts when attackers interact with the honeypot.
Shuffle — A SOAR platform that receives Wazuh alerts via webhook and automatically routes them to TheHive for case management.
TheHive — An incident response platform that creates structured cases from every alert, ready for analyst investigation.

The Architecture
Each component runs on its own server:
| Component | Role |
| --- | --- |
| OpenCanary 0.9.7 | Honeypot |
| Wazuh 4.9.2 | SIEM + Detection |
| Shuffle | SOAR Automation |
| TheHive 5.5.14 | Incident Response |
The data flow is fully automated. When an attacker hits the honeypot, within seconds a structured incident case is created in TheHive — no human intervention required.

What Happened When I Turned It On
This is the part that surprised me.
Within 3 minutes of deploying the honeypot, a real attacker from IP 105.127.14.91 connected to the fake SSH service and attempted to log in with:
```json
{
  "USERNAME": "root",
  "PASSWORD": "ella1Mootie",
  "src_host": "105.127.14.91",
  "logtype": 4002
}
```
Within hours, dozens of attackers from across the world were hitting the honeypot. I captured credentials like 888888, 87654321, wsx33, and Abc123... — real passwords people use in brute force attacks.
The Wazuh rule I wrote fired at level 15 (the highest priority) for every SSH brute force attempt, and Shuffle automatically processed each alert.
This wasn't a simulation. These were real attackers, real credentials, real threat intelligence.

How I Built It
Step 1: The Honeypot (OpenCanary)
OpenCanary is lightweight, runs on Python, and supports over a dozen fake services. I installed it on Ubuntu 22.04 and configured it to listen on ports 22 (SSH), 21 (FTP), 80 (HTTP), and 23 (Telnet).
The key insight: move the real SSH service to port 2222, and put the honeypot on port 22. Any attacker scanning the internet will hit the honeypot first.
```json
{
  "ssh.enabled": true,
  "ssh.port": 22,
  "ftp.enabled": true,
  "http.enabled": true,
  "telnet.enabled": true,
  "logger": {
    "class": "PyLogger",
    "kwargs": {
      "handlers": {
        "file": {
          "class": "logging.FileHandler",
          "filename": "/var/log/opencanary/opencanary.log"
        }
      }
    }
  }
}
```
Step 2: Custom Wazuh Detection Rules
I wrote four custom rules to detect and classify honeypot interactions:
```xml
<group name="opencanary,">
  <!-- Rule 100200: base rule for any OpenCanary event decoded from the JSON log.
       The extraction of this post lost the rule's level attribute and the element
       wrapping "opencanary"; level 7 (the integration threshold) and a <location>
       match on the log path are assumed here. -->
  <rule id="100200" level="7">
    <decoded_as>json</decoded_as>
    <location>opencanary</location>
    <description>OpenCanary: Honeypot interaction detected</description>
  </rule>

  <!-- Rule 100201: SSH login attempt (OpenCanary logtype 4002), level 15 as stated below -->
  <rule id="100201" level="15">
    <if_sid>100200</if_sid>
    <field name="logtype">^4002$</field>
    <description>OpenCanary: SSH brute force login attempt on honeypot</description>
  </rule>
</group>
```
Rule 100201 fires at level 15 — the maximum — because any login attempt on a honeypot is by definition malicious. There are no false positives.
Step 3: Automated Alert Routing with Shuffle
I configured Wazuh to send all level 7+ alerts to a Shuffle webhook. Shuffle then processes each alert and forwards it to TheHive's API as a structured alert.
The Wazuh integration block:
```xml
<integration>
  <name>shuffle</name>
  <hook_url>http://YOUR_SHUFFLE_IP:3001/api/v1/hooks/YOUR_WEBHOOK_ID</hook_url>
  <level>7</level>
  <alert_format>json</alert_format>
</integration>
```
Step 4: TheHive for Incident Response
TheHive receives structured alerts with full context — attacker IP, username attempted, password used, timestamp, and the originating agent. Each alert becomes a case that analysts can investigate, assign, and close.
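To make the Step 2 classification and the Step 4 alert shape concrete, here is an added example (not code from the post or its repository) that decodes OpenCanary JSON log lines, applies the logic of rules 100200/100201, and builds the TheHive 5 alert body that the Shuffle step would post to `/api/v1/alert`. The sample log lines are constructed, the agent name is a placeholder, and rule 100200's level (not given in the post) is assumed to be 7.

```python
import hashlib
import json

# Constructed OpenCanary-style JSON log lines (not captured traffic): SSH login attempt
# (logtype 4002), FTP login attempt (logtype 2000) and one line the JSON decoder rejects.
SAMPLE_LOG = """\
{"dst_host": "10.0.0.5", "dst_port": 22, "local_time": "2024-01-01 10:00:00.000000", "logdata": {"USERNAME": "root", "PASSWORD": "123456"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "203.0.113.10", "src_port": 51000}
{"dst_host": "10.0.0.5", "dst_port": 21, "local_time": "2024-01-01 10:00:05.000000", "logdata": {"USERNAME": "anonymous", "PASSWORD": "x"}, "logtype": 2000, "node_id": "opencanary-1", "src_host": "203.0.113.11", "src_port": 51001}
not a json line
"""

RULE_BASE, RULE_SSH = 100200, 100201   # rule ids from the post
INTEGRATION_LEVEL = 7                  # <level> in the Shuffle integration block

def classify(event: dict) -> tuple:
    """Mirror the two custom rules: (rule_id, level). Rule 100200's level is assumed to be 7."""
    if event.get("logtype") == 4002:
        return RULE_SSH, 15
    return RULE_BASE, 7

def to_thehive_alert(event: dict, rule_id: int, level: int, agent: str = "honeypot-01") -> dict:
    """Shape a decoded event into a TheHive 5 alert body; the agent name is a placeholder."""
    logdata = event.get("logdata", {})
    src = event["src_host"]
    # sourceRef must be unique per alert, so derive it from the fields identifying this event.
    ref = hashlib.sha256(f"{src}|{event['local_time']}|{event['logtype']}".encode()).hexdigest()[:16]
    return {
        "type": "honeypot",
        "source": "wazuh",
        "sourceRef": ref,
        "title": f"Wazuh rule {rule_id}: OpenCanary logtype {event['logtype']} from {src}",
        "description": (f"agent: {agent}\nsrc_host: {src}\nusername: {logdata.get('USERNAME', '-')}\n"
                        f"password: {logdata.get('PASSWORD', '-')}\ntime: {event['local_time']}"),
        "severity": 4 if level >= 12 else 2,   # TheHive severity scale: 1 low .. 4 critical
        "observables": [{"dataType": "ip", "data": src, "tags": [f"wazuh:{rule_id}"]}],
    }

def process_log(text: str) -> list:
    """Decode each line, classify it like the rules, and emit alerts at or above the integration level."""
    alerts = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue   # Wazuh's JSON decoder would not match this line either
        rule_id, level = classify(event)
        if level >= INTEGRATION_LEVEL:
            alerts.append(to_thehive_alert(event, rule_id, level))
    return alerts
```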

What I Learned

  1. The internet is hostile by default. Within minutes of exposing any service to the internet, automated scanners find it. The speed and scale of internet-wide scanning is remarkable.
  2. Honeypots generate high-fidelity intelligence. Unlike SIEM alerts that often have false positives, honeypot alerts are almost always genuine. Nobody has a legitimate reason to connect to a honeypot.
  3. Automation is not optional in a modern SOC. When you're receiving hundreds of alerts per day, manual triage is impossible. The Wazuh → Shuffle → TheHive pipeline processes every alert automatically, ensuring nothing is missed.
  4. Building is better than reading. I learned more about SOC architecture in the process of building this pipeline than I did in months of studying. There is no substitute for hands-on experience.

The Full Stack
All configuration files, custom rules, and integration scripts are available on GitHub:
github.com/agunna99/soc-honeypot-pipeline
The repository includes:

OpenCanary configuration
Custom Wazuh detection rules
TheHive integration script
Shuffle workflow setup guide

What's Next

Adding IP enrichment using threat intelligence feeds (VirusTotal, AbuseIPDB)
Implementing automated IP blocking when attackers are detected
Adding email/Slack notifications for critical alerts
Publishing threat intelligence reports from captured attack data

Final Thoughts
Building a production SOC pipeline from scratch taught me that security is not just about tools — it's about architecture, data flow, and automation. Every component in this pipeline serves a specific purpose, and together they create something more powerful than any individual tool.
If you're learning cybersecurity, build things. Deploy them. See what happens. The internet will teach you things no course or textbook can.
The code is open source. Use it, improve it, and share what you build.

Favour Nmosi is a cybersecurity engineer building open-source security tools.
GitHub: github.com/agunna99

Tags: #cybersecurity #soc #honeypot #wazuh #thehive #shuffle #siem #soar #opencanary #infosec #security
