Integration with The-Hive/Cortex, forward of alerts or ElastAlert?


Andreas Falk

Apr 7, 2019, 8:44:52 AM
to Wazuh mailing list
Hi,

I'm doing some research about IR/SIRP with Wazuh as the primary collector of information.
This guide is really easy to follow, and it works great. https://arnaudloos.com/2019/open-source-sirp-overview/
And the author has really done a great job to explain the parts, imho.

Is there any other way to forward events to an API, without ElastAlert with separate rules for every Wazuh rule?

How do you guys manage your alerts from Wazuh?

--
Regards Falk

Kevin Branch

Apr 8, 2019, 9:14:03 PM
to Wazuh mailing list
Hi Andreas,

Yes, it is very possible to have Wazuh manager forward one or more select classes of alerts to the API of your choice.  For this purpose Wazuh developed the integrator facility.  Read more about it here:


Three different API integrators are already built in and the scripts you find in /var/ossec/integrations/ can readily be copied and customized to work with your own target APIs.  This facility allows for handing off the entire alert as a single-line JSON file to an integrator script of your choice, which is exemplified nicely in /var/ossec/integrations/slack and /var/ossec/integrations/virustotal.  You might also look at /var/ossec/integrations/pagerduty which uses a legacy method of handing off alert field values in a multi-line name=value format text file.  Really the possibilities are endless with the integrator facility if you are up to coding for your specific target API(s), plus there are already great examples included to get you started.  Have fun!


If you come up with a new integrator for something of use to the wider group, please consider contributing it back to the community.  I'd love to see a richer set of built-in integrators included with Wazuh.  We've only barely tapped the Wazuh integrator system's potential so far.

Regards,
Kevin Branch
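To make the handoff Kevin describes concrete, here is an added example of a custom integrator script; it is not one of the scripts shipped in /var/ossec/integrations/ and not Kevin's code. It assumes the argument order the built-in scripts use (alert file path, then api_key, then hook_url), accepts both the single-line JSON handoff and the legacy multi-line name=value handoff the thread mentions, drops alerts below a hypothetical minimum rule level, and maps the rest to a generic case-management payload (field names like "title", "severity" and "sourceRef" are illustrative, not a specific product's schema). The two sample alerts are constructed.

```python
#!/usr/bin/env python3
"""Illustrative custom Wazuh integrator script (example, not shipped with Wazuh).

Assumption: integratord calls the script as
    <script> <alert_file> <api_key> <hook_url>
as the built-in slack/virustotal scripts do. The alert file is either a
single-line JSON document or, in the legacy style, name=value lines.
"""
import json
import sys
import urllib.request

# Constructed sample alert in the single-line JSON handoff style.
SAMPLE_JSON_ALERT = (
    '{"timestamp":"2019-04-07T08:44:52.000+0000","rule":{"level":10,'
    '"description":"Multiple authentication failures.","id":"5712",'
    '"groups":["syslog","sshd","authentication_failures"]},'
    '"agent":{"id":"001","name":"web01"},"full_log":"sshd[1]: Failed password"}'
)

# Constructed sample alert in the legacy multi-line name=value handoff style.
SAMPLE_LEGACY_ALERT = (
    "alert_id=1554626692.1\nrule_id=5712\nlevel=10\nlocation=web01\nsrcip=192.0.2.10\n"
)

MIN_LEVEL = 7  # hypothetical threshold: alerts below this level are not forwarded


def parse_alert_text(text):
    """Return a dict from either handoff format; raise if it is neither."""
    text = text.strip()
    try:
        obj = json.loads(text)
        if isinstance(obj, dict):
            return obj
    except ValueError:
        pass
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not fields:
        raise ValueError("alert file is neither JSON nor name=value lines")
    return fields


def normalize(alert):
    """Flatten both alert shapes into one small record with common keys."""
    rule = alert.get("rule")
    if isinstance(rule, dict):  # JSON shape: nested rule/agent objects
        return {
            "rule_id": str(rule.get("id", "")),
            "level": int(rule.get("level", 0)),
            "description": rule.get("description", ""),
            "agent": alert.get("agent", {}).get("name", ""),
            "timestamp": alert.get("timestamp", ""),
            "groups": list(rule.get("groups", [])),
        }
    return {  # legacy shape: flat name=value keys
        "rule_id": alert.get("rule_id", ""),
        "level": int(alert.get("level", 0)),
        "description": alert.get("description", ""),
        "agent": alert.get("location", ""),
        "timestamp": alert.get("alert_id", ""),
        "groups": [],
    }


def build_payload(alert, min_level=MIN_LEVEL):
    """Map a Wazuh alert to a generic API payload; None means 'do not forward'."""
    rec = normalize(alert)
    if rec["level"] < min_level:
        return None
    return {
        "title": f"Wazuh rule {rec['rule_id']}: {rec['description']}",
        "severity": 3 if rec["level"] >= 12 else 2,  # illustrative 1-3 scale
        "source": "wazuh",
        "sourceRef": f"{rec['agent']}-{rec['rule_id']}-{rec['timestamp']}",
        "tags": ["wazuh", f"rule:{rec['rule_id']}"] + rec["groups"],
        "description": json.dumps(alert, indent=2),  # keep the full alert for the analyst
    }


def send(payload, hook_url, api_key):
    """POST the payload as JSON to the target API; returns the HTTP status."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(argv):
    if len(argv) < 4:
        sys.stderr.write("usage: custom-example <alert_file> <api_key> <hook_url>\n")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        alert = parse_alert_text(fh.read())
    payload = build_payload(alert)
    if payload is None:
        return 0  # below threshold: nothing to forward
    status = send(payload, argv[3], argv[2])
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The level filter duplicates, in the script, the selection that the manager's integration configuration already allows; keeping it in the script as well means a copied script is safe to wire up even if the configuration is broad. Where the target API stands in for a case-management tool such as TheHive, the "description" field carries the full original alert so nothing is lost between Wazuh and the analyst.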

Andreas Falk

Apr 9, 2019, 10:28:54 AM
to Wazuh mailing list
Hi, 

Thanks for the pointers to the integrations.
I'll look into that "tonight", and see what I can understand of them :)

If I may ask, are there now "big changes" to those API integrators in 3.9 that are function breaking, as you see it?

--
Kind Regards
Falk

Kevin Branch

Apr 9, 2019, 3:21:51 PM
to Andreas Falk, Wazuh mailing list
You're welcome, Andreas.  As to any breaking changes in Wazuh 3.9.0 involving the Wazuh manager's integrator system, I have not heard of anything like that.  In fact, when I look at the Wazuh 3.9.0 Github project board, I see no references to that subsystem being touched at all:


Kevin Branch

