misje / opencti-wazuh-connector

OpenCTI–Wazuh connector looking for indicators in Wazuh and creating sightings
https://misje.github.io/opencti-wazuh-connector/
Apache License 2.0

Complete "full demo" example with Wazuh sample events #10

Open misje opened 1 month ago

misje commented 1 month ago

The full demo docker-compose example lacks logic to populate Wazuh with demo events. Create a docker image that runs once, calling

1. Generate the sample events in bulk-API format:

   ```sh
   docker run --rm -w "/home/node/app" -v "$(pwd):/home/node/app" node:lts-alpine node cli.js --all-modules --format bulk-api --index wazuh-alerts-4.x-sample > output.ndjson
   ```

2. Load them into OpenSearch:

   ```sh
   curl -k -u 'admin:SecretPassword' https://localhost:9200/_bulk -H "Content-Type: application/x-ndjson" --data-binary "@output.ndjson"
   ```

3. Add the missing `@timestamp` column:

   ```sh
   curl -k -u 'admin:SecretPassword' -X POST https://localhost:9200/wazuh-alerts-*/_update_by_query -H "Content-Type: application/json" -d "$(cat <<EOF
   {
     "script": {
       "source": "String timestamp = ctx._source['timestamp']; if (timestamp != null) { DateTimeFormatter inputFormatter = DateTimeFormatter.ofPattern(\"yyyy-MM-dd'T'HH:mm:ss.SSSZ\"); ZonedDateTime parsedTime = ZonedDateTime.parse(timestamp, inputFormatter); String formattedTime = DateTimeFormatter.ISO_INSTANT.format(parsedTime); ctx._source['@timestamp'] = formattedTime; }",
       "lang": "painless"
     }
   }
   EOF
   )"
   ```

Use patched misje/wazuh-dashboard-plugins as a reference, since the Wazuh maintainers have not provided any feedback on my pull request to fix invalid IP addresses and invalid SHA-256 hashes in the example data. The entrypoint needs to patiently wait for OpenSearch to become available.
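An entrypoint script for the one-shot seeding container described in the issue, added here as an example; it is not the project's code or misje's. It assumes the ndjson file produced by the cli.js step has already been generated and mounted at the path in SAMPLE_FILE, and it reads the OpenSearch URL and credentials from environment variables (the names OPENSEARCH_URL, OPENSEARCH_USER, OPENSEARCH_PASSWORD, SAMPLE_FILE and INDEX_PATTERN are assumptions; their defaults mirror the values in the issue). It polls the cluster health endpoint until OpenSearch is at least yellow, bulk-loads the events while checking the response's `errors` flag (a 200 status alone does not mean every document was indexed), and then runs the same painless `_update_by_query` to backfill `@timestamp`.

```shell
#!/bin/sh
# Example one-shot entrypoint for a "seed" container in the full-demo
# docker-compose setup (added example, not the project's own code).
# Assumed environment (names are assumptions; defaults mirror the issue):
#   OPENSEARCH_URL, OPENSEARCH_USER, OPENSEARCH_PASSWORD: target cluster
#   SAMPLE_FILE: bulk-API ndjson produced by the sample-data cli.js step
#   INDEX_PATTERN: indices whose "@timestamp" field should be backfilled
set -eu

OPENSEARCH_URL="${OPENSEARCH_URL:-https://localhost:9200}"
OPENSEARCH_USER="${OPENSEARCH_USER:-admin}"
OPENSEARCH_PASSWORD="${OPENSEARCH_PASSWORD:-SecretPassword}"
SAMPLE_FILE="${SAMPLE_FILE:-/data/output.ndjson}"
INDEX_PATTERN="${INDEX_PATTERN:-wazuh-alerts-*}"

# wait_for_service ATTEMPTS DELAY COMMAND [ARGS...]
# Runs COMMAND until it exits 0, sleeping DELAY seconds between tries.
# Returns 0 as soon as it succeeds, 1 once ATTEMPTS tries have failed.
wait_for_service() {
  wfs_attempts="$1"; wfs_delay="$2"; shift 2
  wfs_try=0
  while [ "$wfs_try" -lt "$wfs_attempts" ]; do
    if "$@" >/dev/null 2>&1; then
      return 0
    fi
    wfs_try=$((wfs_try + 1))
    sleep "$wfs_delay"
  done
  return 1
}

# JSON body for _update_by_query: the painless script from the issue, which
# copies "timestamp" into "@timestamp" as an ISO-8601 instant.
timestamp_update_body() {
  cat <<'EOF'
{
  "script": {
    "source": "String timestamp = ctx._source['timestamp']; if (timestamp != null) { DateTimeFormatter inputFormatter = DateTimeFormatter.ofPattern(\"yyyy-MM-dd'T'HH:mm:ss.SSSZ\"); ZonedDateTime parsedTime = ZonedDateTime.parse(timestamp, inputFormatter); String formattedTime = DateTimeFormatter.ISO_INSTANT.format(parsedTime); ctx._source['@timestamp'] = formattedTime; }",
    "lang": "painless"
  }
}
EOF
}

main() {
  auth="$OPENSEARCH_USER:$OPENSEARCH_PASSWORD"

  # 1. Wait until the cluster answers and is at least yellow (a single-node
  #    demo cluster never becomes green). 60 tries x 5 s = 5 minutes.
  echo "waiting for OpenSearch at $OPENSEARCH_URL"
  wait_for_service 60 5 curl -fsk -u "$auth" \
    "$OPENSEARCH_URL/_cluster/health?wait_for_status=yellow&timeout=5s" ||
    { echo "OpenSearch did not become ready" >&2; exit 1; }

  # 2. Bulk-load the sample alerts. HTTP 200 does not mean every document
  #    was indexed, so inspect the "errors" flag in the response body.
  resp=$(curl -fsk -u "$auth" "$OPENSEARCH_URL/_bulk" \
    -H 'Content-Type: application/x-ndjson' --data-binary "@$SAMPLE_FILE")
  case "$resp" in
    *'"errors":false'*) echo "sample events loaded" ;;
    *) echo "bulk load reported errors: $resp" >&2; exit 1 ;;
  esac

  # 3. Backfill "@timestamp" so time-based filters see the sample alerts.
  curl -fsk -u "$auth" -X POST \
    "$OPENSEARCH_URL/$INDEX_PATTERN/_update_by_query?conflicts=proceed" \
    -H 'Content-Type: application/json' --data-binary "$(timestamp_update_body)"
  echo
}

# Run the pipeline only when invoked as "entrypoint.sh run"; sourcing the
# file (for example to reuse wait_for_service) leaves it inert.
if [ "${1:-}" = "run" ]; then
  main
fi
```

In the compose file the seed service would set `command: ["run"]`, mount the generated `output.ndjson` at `SAMPLE_FILE`, and depend on the OpenSearch service; `wait_for_service` takes the probe as a command rather than a string so the credentials are never re-parsed by a shell.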