help for integration dfir iris for wazuh


Alfian Syahputra

Nov 10, 2025, 5:48:03 AM
to Wazuh | Mailing List

Hi Wazuh community, does anyone have a script for the path "/var/ossec/integrations/custom-wazuh_iris.py" that displays the complete data, starting from the IP, the severity level settings and the other fields that match the dashboard, etc.?

Md. Nazmur Sakib

Nov 10, 2025, 6:53:16 AM
to Wazuh | Mailing List

Hi Alfian,

For this, you can check this blog.

https://wazuh.com/blog/enhancing-incident-response-with-wazuh-and-dfir-iris-integration/

In the script, go to this section.

    # rule, agent and the mitre_* values are taken from alert_json earlier in the same function
    details = [
        f"Rule ID: {rule.get('id', 'N/A')}",
        f"Rule Level: {rule.get('level', 'N/A')}",
        f"Rule Description: {rule.get('description', 'N/A')}",
        f"Agent ID: {agent.get('id', 'N/A')}",
        f"Agent Name: {agent.get('name', 'N/A')}",
        f"MITRE IDs: {mitre_ids}",
        f"MITRE Tactics: {mitre_tactics}",
        f"MITRE Techniques: {mitre_techniques}",
        f"Location: {alert_json.get('location', 'N/A')}",
        f"Full Log: {alert_json.get('full_log', 'N/A')}"
    ]
    return '\n'.join(details)


And add the field name you want to send to iris from the alerts.

If you want me to customise the script for you, share an alerts.json log from your Wazuh manager and let me know, from the alerts.json log, which field you want to forward to Iris.


You will find the alerts.json file in this path /var/ossec/logs/alerts/alerts.json.

SSH into your Wazuh manager server and run this command.

sudo cat /var/ossec/logs/alerts/alerts.json

You can use a grep parameter to find any specific alert.

Ex:
sudo cat /var/ossec/logs/alerts/alerts.json | grep rule_id


Looking forward to your update on this.