Why We Designed a SOC Integrator Instead of Direct Tool-to-Tool Connections
Modern SOC stacks are powerful.
You can connect:
- Wazuh (Detection & Correlation)
- Shuffle (SOAR Automation)
- IRIS (Case Management)
- PagerDuty (Escalation & On-call)
But here’s the problem most organizations discover too late:
Direct integrations between tools become operational chaos.
Instead of connecting everything directly, we introduced a new architecture component:
SOC Integrator — an API Orchestration Layer
This article explains why this design decision matters.
The Problem with Direct Integrations
In many deployments, teams configure:
- Wazuh → Shuffle webhook
- Shuffle → IRIS case creation
- Wazuh → PagerDuty trigger
- Shuffle → PagerDuty escalation
- IRIS → Custom scripts
At first, it works.
Six months later:
- Duplicate alerts
- Conflicting severity levels
- Inconsistent case titles
- Broken workflows after rule tuning
- Hard-to-debug API errors
- No centralized audit trail of automation decisions
This becomes what we call SOC spaghetti architecture.
Our Design Decision: Introduce a SOC Integrator
Instead of tool-to-tool wiring, we implemented a single integration layer that:
- Receives alerts from Wazuh
- Normalizes and enriches them
- Applies customer-specific logic
- Calls the appropriate APIs
- Tracks every action
This component becomes the control plane of the SOC.
Architecture Overview
Logical Flow
Log Sources
↓
Wazuh (Detection & Correlation)
↓
SOC Integrator (API Orchestration Layer)
↓
├─ Shuffle (Automation / Enrichment)
├─ IRIS (Case Management)
└─ PagerDuty (Escalation)
System Diagram (Mermaid)
flowchart LR
A["Log Sources
Firewall / DNS / IDS / VPN / Windows / AD"] --> B["Wazuh
Detection & Correlation"]
B --> S["SOC Integrator
API Orchestration Layer"]
S --> C["Shuffle
SOAR Automation"]
S --> D["IRIS (iris-web)
Case Management"]
S --> E["PagerDuty
On-call Escalation"]
C -->|"Enrichment / IOC Match Results"| S
S -->|"Create/Update Case + Evidence"| D
S -->|"SEV-1/SEV-2 Escalation"| E
S --> F["SOC Dashboard / Reporting
(Optional)"]
Key principle:
All outbound actions go through one controlled integration module.
What the SOC Integrator Actually Does
1. Alert Normalization
Different detection rules emit alerts with different field layouts, so the same fact (a source address, a user, a severity) arrives under different names and scales.
The SOC Integrator:
- Standardizes fields (src_ip, dst_ip, user, hostname, rule_id)
- Aligns severity levels (Low / Medium / High → SEV-3 / SEV-2 / SEV-1)
- Applies allowlists and suppression logic
- Deduplicates recurring events
This avoids:
- Duplicate PagerDuty incidents
- Multiple IRIS cases for the same root cause
- Alert storms during scanning events
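The normalization step above, as an added example that is not code from the original article or from any SOC Integrator product: it flattens a Wazuh alert document (the `rule`, `agent` and `data` objects Wazuh writes) into the fixed field set listed in the text, aligns severity as Low / Medium / High to SEV-3 / SEV-2 / SEV-1, applies an allowlist, and deduplicates on a fingerprint of the root-cause fields. The rule-level thresholds, the allowlisted scanner range, the rule ids and the sample alerts are all constructed assumptions for the demonstration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed thresholds for mapping Wazuh rule.level (0-15) onto the Low/Medium/High tiers
def tier_for_level(level: int) -> str:
    if level >= 12:
        return "High"
    if level >= 7:
        return "Medium"
    return "Low"

# Severity alignment from the article: Low / Medium / High -> SEV-3 / SEV-2 / SEV-1
TIER_TO_SEV = {"Low": "SEV-3", "Medium": "SEV-2", "High": "SEV-1"}

# Constructed allowlist: an authorised internal scanner range whose hits are suppressed
ALLOWLIST = [ipaddress.ip_network("10.99.0.0/24")]

@dataclass
class NormalizedAlert:
    rule_id: str
    severity: str
    hostname: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    user: Optional[str]
    description: str
    fingerprint: str

def normalize(raw: dict) -> NormalizedAlert:
    """Flatten a Wazuh alert document into the fixed field set the integrator works with."""
    rule, data, agent = raw.get("rule", {}), raw.get("data", {}), raw.get("agent", {})
    rule_id = str(rule.get("id", ""))
    src_ip = data.get("srcip")
    user = data.get("dstuser") or data.get("srcuser")
    hostname = agent.get("name", "unknown")
    # Fingerprint only the fields that identify one root cause; timestamps are left out
    key = "|".join([rule_id, hostname, src_ip or "", user or ""])
    fingerprint = hashlib.sha256(key.encode()).hexdigest()[:16]
    return NormalizedAlert(
        rule_id=rule_id,
        severity=TIER_TO_SEV[tier_for_level(int(rule.get("level", 0)))],
        hostname=hostname,
        src_ip=src_ip,
        dst_ip=data.get("dstip"),
        user=user,
        description=rule.get("description", ""),
        fingerprint=fingerprint,
    )

def is_allowlisted(src_ip: Optional[str]) -> bool:
    """Suppression check: True when the source falls inside an allowlisted network."""
    if not src_ip:
        return False
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)

class Deduplicator:
    """Remembers fingerprints for a sliding window so repeats do not fan out downstream."""

    def __init__(self, window_seconds: int = 600):
        self.window = window_seconds
        self.last_seen: Dict[str, float] = {}

    def is_duplicate(self, fingerprint: str, now: float) -> bool:
        seen = self.last_seen.get(fingerprint)
        self.last_seen[fingerprint] = now
        return seen is not None and now - seen < self.window

def process(raw: dict, dedup: Deduplicator, now: float) -> Tuple[str, NormalizedAlert]:
    """Returns a decision ("new", "duplicate" or "suppressed") plus the normalized alert."""
    alert = normalize(raw)
    if is_allowlisted(alert.src_ip):
        return "suppressed", alert
    if dedup.is_duplicate(alert.fingerprint, now):
        return "duplicate", alert
    return "new", alert

# Constructed sample alerts in the Wazuh JSON layout; rule ids, hosts and addresses are made up
SAMPLE_ALERTS = [
    {"rule": {"id": "100010", "level": 5, "description": "SSH login failure for unknown user"},
     "agent": {"name": "vpn-gw-01"}, "data": {"srcip": "203.0.113.7", "srcuser": "admin"}},
    {"rule": {"id": "100010", "level": 5, "description": "SSH login failure for unknown user"},
     "agent": {"name": "vpn-gw-01"}, "data": {"srcip": "203.0.113.7", "srcuser": "admin"}},
    {"rule": {"id": "100020", "level": 12, "description": "Web scanning burst from one source"},
     "agent": {"name": "web-01"}, "data": {"srcip": "10.99.0.15", "dstip": "10.0.0.5"}},
]

def run_samples():
    """Feed the samples through one deduplicator, one second apart."""
    dedup = Deduplicator()
    return [process(a, dedup, now=1000.0 + i)[0] for i, a in enumerate(SAMPLE_ALERTS)]

if __name__ == "__main__":
    print(run_samples())
```

Running the samples yields `new`, `duplicate`, `suppressed`: the repeated SSH failure from the same source and user collapses into one event, and the burst from the allowlisted scanner never reaches PagerDuty or IRIS. In production the deduplicator's state would live in a shared store rather than process memory, so that multiple integrator instances agree on what has already been seen.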
2. Workflow Orchestration
Instead of configuring routing logic across multiple platforms, decisions are centralized:
- IOC hit → Trigger Shuffle enrichment workflow
- VPN login outside Thailand → Create IRIS case
- AD brute force + IOC match → Escalate to PagerDuty
All logic lives in one place.
This makes tuning and auditing dramatically easier.
3. Controlled Escalation
The SOC Integrator decides:
- Which events trigger PagerDuty
- Which severity maps to which escalation policy
- SLA tracking logic
- Re-open logic if an event repeats
This ensures executive-level incidents are not triggered accidentally due to poor rule tuning.
4. API Governance & Reliability
Enterprise SOC environments require:
- Retry logic
- Rate limiting
- Idempotency protection
- API credential rotation
- Full audit logging
Most SOAR playbooks do not enforce these standards strictly.
The SOC Integrator enforces production-grade API discipline.
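The routing, controlled escalation and API governance described in sections 2 to 4, as one added example that is not code from the original article or from any SOC Integrator product. The three routing rules from section 2 live in a single `route()` function; escalation only happens for severities that have a mapped policy; and a `Dispatcher` gives every outbound action an idempotency key, retries with exponential backoff, and an audit record. The downstream clients are constructed stand-ins (the `FlakyClient` class fails on demand so the retry path can be exercised offline), the escalation policy names are assumed, and the sample alerts are made up in the already-normalized shape the previous step hands over.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed escalation policy names; only severities listed here may page anyone
ESCALATION_POLICY = {"SEV-1": "exec-oncall", "SEV-2": "soc-oncall"}

class FlakyClient:
    """Stand-in for a Shuffle, IRIS or PagerDuty client that fails its first
    `failures` calls with a connection error, so retry handling runs offline."""

    def __init__(self, name: str, failures: int = 0):
        self.name, self.failures, self.calls = name, failures, []

    def post(self, payload: dict) -> dict:
        self.calls.append(payload)
        if self.failures > 0:
            self.failures -= 1
            raise ConnectionError(f"{self.name} unavailable")
        return {"status": "ok", "id": f"{self.name}-{len(self.calls)}"}

@dataclass
class Action:
    target: str  # "shuffle", "iris" or "pagerduty"
    payload: dict

def route(alert: dict) -> List[Action]:
    """The article's three routing rules, kept in one place instead of spread across tools."""
    actions: List[Action] = []
    if alert.get("ioc_match"):
        actions.append(Action("shuffle", {"workflow": "ioc-enrichment",
                                          "fingerprint": alert["fingerprint"]}))
    if alert.get("category") == "vpn_login" and alert.get("geo_country") != "TH":
        actions.append(Action("iris", {"title": f"VPN login outside Thailand: {alert['user']}",
                                       "tags": ["vpn", "geo-anomaly"],
                                       "fingerprint": alert["fingerprint"]}))
    if alert.get("category") == "ad_bruteforce" and alert.get("ioc_match"):
        policy = ESCALATION_POLICY.get(alert.get("severity"))
        if policy:  # controlled escalation: an unmapped severity never pages
            actions.append(Action("pagerduty", {"escalation_policy": policy,
                                                "severity": alert["severity"],
                                                "summary": f"AD brute force with IOC match on {alert['hostname']}",
                                                "dedup_key": alert["fingerprint"]}))
    return actions

class Dispatcher:
    """Sends actions with idempotency keys, bounded retries and a full audit trail."""

    def __init__(self, clients: Dict[str, FlakyClient], max_attempts: int = 3,
                 sleep: Callable[[float], None] = time.sleep):
        self.clients, self.max_attempts, self.sleep = clients, max_attempts, sleep
        self.sent: Dict[str, str] = {}   # idempotency key -> downstream object id
        self.audit: List[dict] = []

    @staticmethod
    def idempotency_key(action: Action) -> str:
        body = json.dumps(action.payload, sort_keys=True)
        return hashlib.sha256(f"{action.target}:{body}".encode()).hexdigest()[:16]

    def dispatch(self, action: Action) -> Optional[str]:
        key = self.idempotency_key(action)
        if key in self.sent:  # same action for the same root cause: no second case or incident
            self.audit.append({"target": action.target, "key": key, "result": "skipped-duplicate"})
            return self.sent[key]
        for attempt in range(1, self.max_attempts + 1):
            try:
                resp = self.clients[action.target].post(action.payload)
                self.sent[key] = resp["id"]
                self.audit.append({"target": action.target, "key": key, "result": "sent", "attempt": attempt})
                return resp["id"]
            except ConnectionError as exc:
                self.audit.append({"target": action.target, "key": key, "result": f"retry: {exc}", "attempt": attempt})
                self.sleep(2 ** (attempt - 1))  # exponential backoff between attempts
        self.audit.append({"target": action.target, "key": key, "result": "failed"})
        return None

# Constructed, already-normalized alerts (the shape the normalization step hands over)
SAMPLE_ALERTS = [
    {"fingerprint": "ab12cd34", "category": "ad_bruteforce", "severity": "SEV-1", "user": "j.doe",
     "hostname": "dc-01", "src_ip": "198.51.100.9", "ioc_match": True},
    {"fingerprint": "ef56ab78", "category": "vpn_login", "severity": "SEV-2", "user": "k.lee",
     "hostname": "vpn-gw-01", "src_ip": "203.0.113.40", "geo_country": "US", "ioc_match": False},
]

def run_samples(sleep: Callable[[float], None] = lambda s: None) -> Tuple[List[tuple], List[dict]]:
    """Dispatch both samples, then the first one again; PagerDuty fails once to show the retry."""
    clients = {"shuffle": FlakyClient("shuffle"), "iris": FlakyClient("iris"),
               "pagerduty": FlakyClient("pagerduty", failures=1)}
    dispatcher = Dispatcher(clients, sleep=sleep)
    results = []
    for alert in SAMPLE_ALERTS + SAMPLE_ALERTS[:1]:
        for action in route(alert):
            results.append((action.target, dispatcher.dispatch(action)))
    return results, dispatcher.audit

if __name__ == "__main__":
    results, audit = run_samples()
    print(results)
    print(*audit, sep="\n")
```

The audit list is the centralized record the article says direct integrations lack: for each outbound call it shows the target, the idempotency key, whether it was sent, retried, skipped as a duplicate, or failed after the attempt budget, and on which attempt. When the first alert arrives a second time, both its actions are skipped and the original downstream ids are returned, so a re-fired Wazuh rule cannot open a second PagerDuty incident. Rate limiting and credential rotation would sit inside the client objects, which is why the dispatcher only ever talks to them through `post()`.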
Why This Matters for Customers
Easier Rule Tuning
When detection rules change, routing logic does not break.
Cleaner Incident Lifecycle
Cases are structured consistently with proper tagging and evidence mapping.
Reduced False Positives
Deduplication and contextual suppression are centralized.
Scalability
Adding new use cases (DNS IOC, VPN geo anomaly, Impossible Travel) requires minimal workflow rework.
Vendor Flexibility
If you change case management or SOAR platform later, you only rewrite one integration layer.
Strategic Perspective
Many integrators focus on:
"How do we connect tools?"
We focus on:
"How do we control detection flow as a system?"
That shift separates a proof-of-concept deployment from a production-ready SOC design.
Conclusion
Security tools are powerful individually.
But without orchestration control, they create noise.
By introducing a SOC Integrator API layer, we transformed a collection of tools into a structured, scalable security platform.
If you are designing a Wazuh-based SOC and want it production-ready — not just working — this architectural decision is critical.