Skip to content

nateuribe/Wazuh-IRIS-integration

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
custom-iris.py
custom-iris.py
 
 

Repository files navigation

Wazuh-IRIS-integration

Simple Wazuh integration to send alerts to IRIS, as described in https://nateuribe.tech/blog/foss-soc/.

Requirements

Installation

⚠️ IMPORTANT: By default, the IRIS Docker container utilizes self-signed certificates (https://docs.dfir-iris.org/operations/configuration/#certificates). If your setup is utilizing self-signed certificates, you will need to disable certificate verification with verify=False:

response = requests.post(hook_url, verify=False, data=payload, headers={"Authorization": "Bearer " + api_key, "content-type": "application/json"})
git clone https://github.com/nateuribe/Wazuh-IRIS-integration.git
cd Wazuh-IRIS-integration/
cp custom-iris.py /var/ossec/integrations/custom-iris.py
chmod 750 /var/ossec/integrations/custom-iris.py
chown root:wazuh /var/ossec/integrations/custom-iris.py

Add the following snippet into the /var/ossec/etc/ossec.conf config file:

<!-- ... Rest of config ... -->

<!-- IRIS integration -->
<integration>
  <name>custom-iris.py</name>
  <hook_url>http://IRIS-BASE-URL/alerts/add</hook_url>
  <level>7</level>
  <api_key>APIKEY</api_key>
  <alert_format>json</alert_format>
</integration>

<!-- ... Rest of config ... -->

Adjust <hook_url> and <api_key> to your environment, and change <level> to the desired threshold for alerts.

Restart the wazuh-manager service after making the above settings.

The IRIS API can be found in the Dashboard under My Settings.

IRIS versions 2.4.x<

Since IRIS 2.4.6, you will need to add your IRIS user to the customer for which you are ingesting alerts for to see new entries in the alerts tab.

This can be configured by navigating to Advanced -> Access Control under Manage on the left panel, clicking on your user under Users, clicking on the Customers tab, and then Manage to add the customer (should be IrisInitialClient by default on a base install).

Configuration

The script comes preconfigured with a basic payload to create new IRIS alerts. Use the Alerts API reference to modify this at will (https://docs.dfir-iris.org/latest/_static/iris_api_reference_v2.0.4.html#tag/Alerts/operation/post-case-add-alert).

Here are some notable values you may change:

alert_source_link - URL from where the alert came from (Wazuh in this instance).

alert_note - Note or comment to add to each alert.

alert_customer_id - Alerts in IRIS get assigned to "customers"; this is the ID of the customer for which the alerts pertains to.

About

Wazuh integration to send alerts to IRIS.

Topics

security-tools wazuh infosectools dfir-iris wazuh-integration

Resources

Readme

License

GPL-3.0 license
Activity

Stars

11 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages