Integrating Wazuh with Ivanti Neurons API - Issues with Dashboard Output


Giampearo Peter

Aug 30, 2024, 4:02:14 AM
to Wazuh | Mailing List

Hi,

I’m reaching out for assistance with an integration I’m currently working on between Wazuh and the Ivanti Neurons API. While I’ve made progress in setting up the integration, I’m encountering an issue with viewing the output on the Wazuh dashboard.

Integration Setup:

1. Configuration in `ossec.conf`:

<integration>
  <name>custom-ivanti_neurons</name>
  <hook_url>https://neurons-for-patch-management.p.rapidapi.com/v1/endpoint-vulnerability</hook_url>
  <api_key>Bearer eyJhbGciOiJSUzI etc.</api_key>
  <alert_format>json</alert_format>
  <group>syscheck</group>
</integration>

2. Python Script (`ivanti_neurons.py`):

#!/usr/bin/env python

import sys
import json
import requests

# The Wazuh integrator calls the script as:
#   <script> <alert_file> <api_key> <hook_url>
alert_path = sys.argv[1]
bearer_token = sys.argv[2]
neurons_url = sys.argv[3]

# Read the alert file the integrator wrote for this event
with open(alert_path) as alert_file:
    alert_json = json.load(alert_file)

# Extract necessary fields from the alert
agent_id = alert_json['agent']['id']
agent_name = alert_json['agent']['name']
alert_description = alert_json['rule']['description']
rule_id = alert_json['rule']['id']
alert_level = alert_json['rule']['level']

# Define the query parameters for the Ivanti Neurons API
querystring = {
    "PageSize": "10",
    "Filter": "LastScannedDate ge '2024-05-23'",
    "OrderBy": "LastScannedDate desc",
    "PageNumber": "1",
}

# Set the request headers. The <api_key> value in ossec.conf already carries
# the "Bearer " prefix, so only add it when it is missing.
if not bearer_token.startswith("Bearer "):
    bearer_token = f"Bearer {bearer_token}"
headers = {
    "Authorization": bearer_token,
    "X-RapidAPI-Key": "22782fef8dmsh9791fdc24384aacp197616jsn9209917d441d",
    "X-RapidAPI-Host": "neurons-for-patch-management.ivanti.rapidapi.com",
    "Content-Type": "application/json"
}

# Send the request to Ivanti Neurons API
response = requests.get(neurons_url, headers=headers, params=querystring, timeout=30)

# Print or process the response. print() does not create a Wazuh alert, so
# nothing written here reaches the dashboard on its own.
if response.status_code == 200:
    neurons_data = response.json()
    print(json.dumps(neurons_data, indent=4))
    sys.exit(0)
else:
    print(f"Error {response.status_code}: {response.text}")
    sys.exit(1)  # non-zero exit so the integrator logs the failure

Current Status:

  1. The Wazuh manager restarts without any errors, and the configuration appears to be correct.
  2. The Python script successfully retrieves data when run separately, and the API returns the expected results in JSON format.
  3. However, I am unable to locate the output of this integration on the Wazuh dashboard. There are no logs related to this in the `integrations.log`, and I’m unsure if the alerts are being processed correctly.

What I’ve Tried:

  1. I’ve verified that the `ossec.conf` configuration aligns with the expected alert group (`syscheck`).
  2. I checked the Wazuh dashboard for related alerts but didn’t find any output.
  3. I confirmed that the API works by testing it separately and receiving valid responses.

Request for Assistance:

I would greatly appreciate any guidance on the following:

  1. Where should I be looking for the output of this integration on the Wazuh dashboard?
  2. Is there anything I might be missing in the configuration that could prevent the alerts from appearing?
  3. Any tips on debugging or logging within Wazuh to ensure the integration is working as expected?

Thank you in advance for your help. I’m eager to resolve this issue and would be grateful for any insights or suggestions from the community.


hasitha.u...@wazuh.com

Aug 30, 2024, 6:53:30 AM
to Wazuh | Mailing List
Hello Giampearo,

I’m not familiar with the software you used for the integration, but I can suggest a few steps to resolve this issue on the Wazuh side.

You can enable debug logs for the integrator by executing the following command:
echo "integrator.debug=2" >> /var/ossec/etc/local_internal_options.conf
Reference: Wazuh Documentation - Internal Options

Then, restart the Wazuh manager and trigger the integration script. Afterward, please send us the output of the ossec.log.
/var/ossec/log/ossec.log

Ensure that the script has execution permissions and is owned by the root user and the wazuh group. You can assign the necessary permissions and ownership with these commands:

chmod 750 /var/ossec/integrations/custom-ivanti_neurons
chown root:wazuh /var/ossec/integrations/custom-ivanti_neurons
For more details, you can refer to this article, which outlines the basic guidelines for developing an external software integration with Wazuh:
Reference: Wazuh Documentation - Integration with External APIs

I hope this helps. Let me know how it goes.

Regards,
Hasitha Upekshitha

Giampearo Peter

Sep 2, 2024, 5:27:09 AM
to Wazuh | Mailing List

Hi Hasitha,

Currently, I don't have enough time to troubleshoot this issue, so I'll be exploring the microservice scripting approach instead.
I've observed that my integration uses a dynamic token, which needs periodic refreshing.

If I were to implement this using the Integrator Tool, could you let me know which parameter field would control the POST request to obtain the token and then proceed with running the query parameters?

Thank you.

hasitha.u...@wazuh.com

Sep 3, 2024, 9:13:06 AM
to Wazuh | Mailing List
Hello Giampearo,

In the code, you can write it this way, so that the script requests a token from inside the code while running and uses it as a parameter.
Ex:
curl -k -X GET "https://<manager_address>:55000/agents" -H "Authorization: Bearer $(curl -u wazuh-wui:<PASSWORD> -k -X GET 'https://<manager_address>:55000/security/user/authenticate?raw=true')"

Let me know if this helps.

Regards,
Hasitha Upekshitha
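As an added example (not code from either poster, and not Wazuh's own integration), this is the shape such a script takes when the token has to be fetched with a POST before each query and the result should show up in the dashboard: it keeps the integrator's argument order, exchanges the long-lived secret from <api_key> for a short-lived bearer token, and writes the API result into the manager's analysisd queue socket instead of printing it. TOKEN_URL and the "access_token" field of its reply are hypothetical.

```python
# Added example, not the poster's or Wazuh's own script. Same argv contract as any
# Wazuh integration: <script> <alert_file> <api_key> <hook_url>. Hypothetical:
# TOKEN_URL and the "access_token" field in its JSON reply.
import json
import sys
import urllib.parse
import urllib.request
from socket import AF_UNIX, SOCK_DGRAM, socket

TOKEN_URL = "https://token.example.invalid/oauth/token"  # hypothetical token endpoint
QUEUE = "/var/ossec/queue/sockets/queue"  # analysisd socket on the manager
SOURCE = "ivanti_neurons"  # location tag a local rule can match on

def fetch_token(client_secret, token_url=TOKEN_URL):
    # POST the long-lived secret from <api_key>; get back a short-lived bearer token
    body = json.dumps({"client_secret": client_secret}).encode()
    req = urllib.request.Request(token_url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def query_api(hook_url, token, params):
    # GET hook_url with the fresh token; return the decoded JSON body
    req = urllib.request.Request(hook_url + "?" + urllib.parse.urlencode(params),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def queue_message(alert, payload):
    # Build the analysisd record '1:[id] (name) ip->SOURCE:<json>' for an agent alert
    agent = alert.get("agent", {})
    event = {"integration": SOURCE, "source_rule": alert["rule"]["id"], "ivanti": payload}
    if agent.get("id", "000") == "000":  # manager-originated alert: no agent header
        return f"1:{SOURCE}:" + json.dumps(event)
    return f"1:[{agent['id']}] ({agent['name']}) {agent.get('ip', 'any')}->{SOURCE}:" + json.dumps(event)

def send_to_manager(message, queue=QUEUE):
    # Hand the record to analysisd; its JSON decoder plus a local rule turn it into an alert
    with socket(AF_UNIX, SOCK_DGRAM) as sock:
        sock.connect(queue)
        sock.send(message.encode())

if __name__ == "__main__":
    alert_file, api_key, hook_url = sys.argv[1:4]  # order the integrator uses
    with open(alert_file) as fh:
        alert = json.load(fh)
    params = {"PageSize": "10", "PageNumber": "1", "OrderBy": "LastScannedDate desc"}
    send_to_manager(queue_message(alert, query_api(hook_url, fetch_token(api_key), params)))
```

A local rule with <decoded_as>json</decoded_as> and a <field name="integration">ivanti_neurons</field> match is still needed for the queued event to be raised as an alert and indexed for the dashboard.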