gustavoconforti / wazuh-integrations

Scripts that integrate Wazuh with third-party applications.
GNU General Public License v3.0

Wazuh Integrations

This document gives an overview of setting up Wazuh integrations with other applications. The Wazuh integration mechanism forwards security alerts to external systems, which supports incident response and threat detection processes.

Combine the following directions with the Python integration files in this repository. More specific instructions for each integration may be available in its respective folder.

Workflow

Below is a high-level abstraction of the steps that take place between data collection and integration activation.

  1. An event triggers a rule, creating an alert.
  2. The wazuh-integratord service listens to all triggered alerts and compares them against existing integration blocks in the ossec.conf file.
    1. If the alert meets the requirements of any integration, the processing continues.
    2. If not, the system skips this alert and proceeds to analyze the next one.
  3. The wazuh-integratord then creates a temporary file with the data of this alert (e.g., /tmp/custom-iris-1692926900-1677658861.alert) and passes the path of this file as the first argument to the integration script located in /var/ossec/integrations/. The script file name must match the name specified in the integration block.
  4. The script reads the alert from that file, extracts the necessary data, formats a payload following the documented API of the destination system, and makes an HTTP POST request to it.

Configuration

1. Insert an integration block in the file /var/ossec/etc/ossec.conf. This block holds the parameters consumed by the wazuh-integratord service. Below is an example of an integration with DFIR-IRIS.

<integration>
  <name>custom-iris</name>
  <level>3</level>
  <alert_format>json</alert_format>
</integration>

Where:

name: the name of the integration script in /var/ossec/integrations/. Custom scripts must use a name beginning with custom-.
level: the minimum alert level that triggers the integration. Alerts below this level are not passed to the script.
alert_format: the format of the temporary alert file handed to the script. Use json so the script can parse the full alert.

Other fields can be added; a complete list is available in the Wazuh documentation on integration with external APIs.

2. Create a file in /var/ossec/integrations/ with the same name configured in the name field of the previous step. This script is responsible for receiving the alerts handed over by the wazuh-integratord service and making the POST request to the DFIR-IRIS API.

For wazuh-integratord to execute it with the alert file as an argument, the script must be executable and owned by the root user with the wazuh group.

touch /var/ossec/integrations/custom-iris
chmod +x /var/ossec/integrations/custom-iris
chown root:wazuh /var/ossec/integrations/custom-iris
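The following script is an added example of the custom integration described in steps 3 and 4 of the workflow and in configuration step 2; it is not code from this repository. It assumes the argument order documented by Wazuh for custom integrations (alert file path, then api_key, then hook_url, the latter two coming from optional fields of the integration block), and the destination URL, the Authorization header scheme and the payload field names are placeholders standing in for whatever the real DFIR-IRIS API expects. The sample alert at the bottom is constructed for testing and is not a real capture.

```python
#!/usr/bin/env python3
"""Example custom Wazuh integration script (added example, not the repository's code).

wazuh-integratord invokes /var/ossec/integrations/<name> with the temporary
alert file as the first argument. The api_key and hook_url arguments follow the
argument order given in the Wazuh custom-integration documentation (assumption
of this example). The endpoint, header and payload field names are placeholders.
"""
import json
import sys
import urllib.request

# Placeholder destination endpoint (assumption); replace with the real API URL.
DEFAULT_URL = "https://iris.example.internal/api/alerts/add"


def parse_alert_text(text):
    """Parse the JSON alert written by wazuh-integratord (alert_format=json)."""
    return json.loads(text)


def read_alert(path):
    """Read the temporary alert file whose path was passed as argv[1]."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_alert_text(fh.read())


def build_payload(alert):
    """Map the Wazuh alert onto a generic alert payload.

    Every lookup is defensive: a KeyError here would crash the script and the
    alert would be lost silently, since wazuh-integratord does not retry.
    """
    rule = alert.get("rule", {}) or {}
    agent = alert.get("agent", {}) or {}
    data = alert.get("data", {}) or {}
    return {
        "title": rule.get("description", "Wazuh alert"),
        "severity": int(rule.get("level", 0)),
        "rule_id": rule.get("id"),
        "groups": list(rule.get("groups", [])),
        "agent": agent.get("name", "unknown"),
        "source_ip": data.get("srcip"),
        "timestamp": alert.get("timestamp"),
        "source": "wazuh",
        "raw": alert,  # keep the full alert so the analyst sees everything
    }


def post(url, api_key, payload, timeout=10):
    """POST the JSON payload; returns the HTTP status code."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    if api_key:
        # Bearer scheme is a placeholder; use whatever the destination API requires.
        req.add_header("Authorization", "Bearer " + api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: custom-iris <alert_file> [api_key] [hook_url]\n")
        return 2
    alert = read_alert(argv[1])
    api_key = argv[2] if len(argv) > 2 else ""
    url = argv[3] if len(argv) > 3 and argv[3] else DEFAULT_URL
    status = post(url, api_key, build_payload(alert))
    return 0 if status < 300 else 1


# Constructed sample alert in the shape wazuh-integratord writes (not a real capture).
SAMPLE_ALERT = {
    "timestamp": "2024-01-15T10:21:33.000+0000",
    "rule": {
        "level": 5,
        "description": "sshd: Attempt to login using a non-existent user",
        "id": "5710",
        "groups": ["syslog", "sshd", "authentication_failed"],
    },
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.5", "srcuser": "admin"},
    "full_log": "Jan 15 10:21:33 web-01 sshd[1234]: Invalid user admin from 203.0.113.5",
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save it as /var/ossec/integrations/custom-iris with the ownership and mode shown above; wazuh-integratord will only hand alerts at or above the configured level to it. The script exits non-zero on a failed POST so the failure appears in /var/ossec/logs/integrations.log rather than vanishing.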

Contribution

Contributions and enhancements to this project are welcome. Please fork the repository, make your improvements, and submit a pull request. Be sure to adhere to the project's coding standards and guidelines.

License

This project is licensed under the GNU General Public License, Version 3 (GPL-3.0). See the LICENSE file for details.