Integrating Wazuh with Windmill.dev #258

Open
DEADpool260 opened this issue Jul 25, 2024 · 0 comments


Summary:
In my quest to identify an effective SOAR (Security Orchestration, Automation, and Response) solution for managing Wazuh level 12 alerts, I considered several options, including Shuffle, another open-source tool. Ultimately, I decided to utilize Windmill.dev for its robust capabilities. This repository documents my configurations and the steps I took to successfully route Wazuh alert logs to a Windmill.dev Flow.

Description:
The initial challenge was figuring out how to transmit Wazuh alerts to Windmill.dev before implementing any other configurations. I devised a solution that enables the seamless transfer of Wazuh level 12 alerts to Windmill.dev. This documentation provides a detailed walkthrough of the steps and configurations involved in achieving this integration.

Solution:

  1. Create an API token

  2. Create a test flow with an input named “Input” which takes a “String” as its input parameter

  3. Deploy it

  4. Go to “Details & Triggers” and copy the URL

  5. Add an integration block for custom-windmill to the Wazuh manager configuration (/var/ossec/etc/ossec.conf, inside <ossec_config>), using the token from step 1 and the URL from step 4. The original block was flattened on this page to "custom-windmill json 12"; reconstructed here with placeholder values:

```xml
<integration>
  <name>custom-windmill</name>
  <hook_url>YOUR_WINDMILL_FLOW_URL_FROM_STEP_4</hook_url>
  <api_key>YOUR_WINDMILL_API_TOKEN_FROM_STEP_1</api_key>
  <level>12</level>
  <alert_format>json</alert_format>
</integration>
```
  6. Add a Python script in /var/ossec/integrations with the name “custom-windmill” (Note: no .py extension; the file name must match the <name> in the integration block)

```python
#!/var/ossec/framework/python/bin/python3

import sys
import json
import requests

# Read configuration parameters
# wazuh-integratord calls the script as: <script> <alert_file> <api_key> <hook_url>
alert_file_path = sys.argv[1]
api_key = sys.argv[2]
hook_url = sys.argv[3]

# Read the alert file
with open(alert_file_path) as alert_file:
    alert_json = json.load(alert_file)

# msg_data (full_log is not present in every Wazuh alert, so default to an empty string)
alert_level = alert_json['rule']['level']
description = alert_json['rule']['description']
agent_name = alert_json['agent']['name']
full_log = alert_json.get('full_log', '')

# headers: the Windmill webhook authenticates with the API token as a Bearer token
headers = {'Content-Type': 'application/json', "Authorization": f"Bearer {api_key}"}

# data: the key must match the flow input name ("Input") created in step 2
data = {"Input": f"alert level: {alert_level}\n description: {description}\n Agent name: {agent_name}\n Full log: {full_log}"}

# Send the request
response = requests.post(hook_url, data=json.dumps(data), headers=headers)

sys.exit(0)
```

  7. To test, create an alert.json in the /home/wazuh-user directory with this content:

```json
{"timestamp":"2024-07-24T08:40:29.950+0000","rule":{"level":12,"description":"PAM: Login session closed.","id":"5502","firedtimes":4,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1721810429.30990","full_log":"Jul 24 08:40:29 wazuh-server sshd[27695]: pam_unix(sshd:session): session closed for user wazuh-user","predecoder":{"program_name":"sshd","timestamp":"Jul 24 08:40:29","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"wazuh-user"},"location":"/var/log/secure"}
```

  8. To test if it works, run the command below. The script reads three arguments (alert file, API key, hook URL), exactly as wazuh-integratord passes them, so the URL from step 4 must be given as well:

```shell
./custom-windmill /home/wazuh-user/alert.json <your API key from step 1> <your flow URL from step 4>
```

  9. Go to the Windmill “Runs” page to check whether it has triggered a new flow
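The script in step 6 works for the sample alert but assumes every alert carries a full_log field and never looks at the webhook's answer, so a rejected token or a wrong URL still exits 0 and the alert is lost without a trace. The following is an added example, not the issue author's code, that splits the payload construction from the HTTP call so both can be tested offline: it re-checks the level threshold that the integration block enforces, tolerates missing fields, and fails loudly on a non-2xx response. The hook URL, the token, the `post` injection point and the `fake_post_factory` stand-in for requests.post are assumptions for illustration; the sample alert is constructed from the alert.json shown in step 7.

```python
import json
from typing import Callable

# Constructed sample alert, taken from the alert.json test file above (trimmed to the fields used).
SAMPLE_ALERT = {
    "timestamp": "2024-07-24T08:40:29.950+0000",
    "rule": {"level": 12, "description": "PAM: Login session closed.", "id": "5502"},
    "agent": {"id": "000", "name": "wazuh-server"},
    "full_log": "Jul 24 08:40:29 wazuh-server sshd[27695]: pam_unix(sshd:session): session closed for user wazuh-user",
}

MIN_LEVEL = 12  # same threshold as <level>12</level> in the integration block


def should_forward(alert: dict, min_level: int = MIN_LEVEL) -> bool:
    """Defensive re-check of the level threshold. The manager already filters on
    <level>, but a mis-edited ossec.conf would otherwise flood the flow with
    low-level noise; a malformed alert is never forwarded."""
    try:
        return int(alert["rule"]["level"]) >= min_level
    except (KeyError, TypeError, ValueError):
        return False


def build_payload(alert: dict, input_name: str = "Input") -> dict:
    """Build the JSON body for the Windmill webhook. The key must equal the flow's
    input name ("Input" in step 2). Missing fields become "n/a" instead of raising
    KeyError, since not every Wazuh alert (FIM, vulnerability, ...) has full_log."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    text = (
        f"alert level: {rule.get('level', 'n/a')}\n"
        f"description: {rule.get('description', 'n/a')}\n"
        f"Agent name: {agent.get('name', 'n/a')}\n"
        f"Full log: {alert.get('full_log', 'n/a')}"
    )
    return {input_name: text}


def send_to_windmill(hook_url: str, api_key: str, payload: dict, post: Callable) -> int:
    """POST the payload with the API token as a Bearer token. `post` is injected
    (requests.post in production) so the call can be exercised offline. Returns the
    HTTP status and raises on non-2xx, so the integration exits non-zero instead of
    silently reporting success for an alert Windmill never accepted."""
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {api_key}"}
    response = post(hook_url, data=json.dumps(payload), headers=headers, timeout=10)
    if not 200 <= response.status_code < 300:
        raise RuntimeError(f"Windmill webhook returned HTTP {response.status_code}")
    return response.status_code


class _FakeResponse:
    def __init__(self, status_code: int) -> None:
        self.status_code = status_code


def fake_post_factory(status_code: int, calls: list) -> Callable:
    """Constructed stand-in for requests.post: records each call and returns a fixed status."""
    def fake_post(url, data=None, headers=None, timeout=None):
        calls.append({"url": url, "body": json.loads(data), "headers": headers})
        return _FakeResponse(status_code)
    return fake_post


if __name__ == "__main__":
    # Offline dry run against the fake endpoint; swap in requests.post for the real flow URL.
    calls = []
    if should_forward(SAMPLE_ALERT):
        status = send_to_windmill("https://windmill.example/hypothetical-flow-url",  # placeholder
                                  "PLACEHOLDER_TOKEN", build_payload(SAMPLE_ALERT),
                                  post=fake_post_factory(200, calls))
        print(status, calls[0]["body"]["Input"])
```

Two operational details matter when this runs under the Wazuh manager rather than from a shell: the integrator executes the script as the wazuh user, so the documented setup for a custom integration is owner root:wazuh and mode 750 on the file in /var/ossec/integrations, followed by a restart of wazuh-manager; and any exception raised here (including the RuntimeError on a bad status) makes the script exit non-zero, which is what turns a broken token or URL into a visible error instead of a missing run in Windmill.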

Additional context

I will try to make a blog for this issue, but I would like to work on this further for better integration, visibility, and reduced workload for the SOC team. If you have any feedback, suggestions, or would like to collaborate on improving this integration, please feel free to reach out. Your contributions and insights are highly valued.
