Multithreading integrator wazuh-server


Ivan Myskiv

May 6, 2024, 3:50:09 AM
to Wazuh | Mailing List
Hi!
There was a question regarding the multithreading of the integrator.
I have created two integrations for DFIR-IRIS and OpenCTI, an example configuration:

   <integration>
     <name>custom-irisalert</name>
     <level>10</level>
     <alert_format>json</alert_format>
     <api_key>APIKEY</api_key>
     <hook_url>DFIR-IRIS/alerts/add</hook_url>
   </integration>

   <integration>
     <name>custom-opencti</name>
     <group>suricata,sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
     <alert_format>json</alert_format>
     <api_key>API</api_key>
     <hook_url>OPENCTI/graphql</hook_url>
   </integration>


However, if an event fits two integrations at once, for example an event with 'alert=10' that also matches the group 'suricata', then two integrations should fire, but only one of them is triggered.

Example of files in the tmp directory (attached screenshot: Screenshot 2024-05-04 at 15.33.39.png). They are created if the integration does not meet both conditions (level or groups).

Do I understand correctly that this is the normal operation of the integrator, or is it a problem in the settings of the Wazuh server? And is there any way to solve this?

Thanks!

Abdullah Al Noman

May 6, 2024, 4:27:48 AM
to Wazuh | Mailing List
Hello Ivan,

Hope you are doing well.

I am working on your query. Let me get back to you with the exact information.

Regards,

Abdullah Al Noman

May 6, 2024, 6:59:20 AM
to Wazuh | Mailing List
Hello Ivan,

It is the expected behavior, not a settings issue. Based on my knowledge, the Wazuh rule engine will trigger on the first complete match and ignore any other possible matches. So, in your case, the DFIR-IRIS integration will trigger first since it is the first integration and its rule level is 10; it won't go further to evaluate the OpenCTI integration for the same alert.

Hope this helps.

Regards,
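A small simulation of the dispatch behaviour discussed in this thread, as an added example that is not Wazuh's own integrator code: it parses the two `<integration>` blocks from the first post, evaluates constructed alerts against their filters, and shows which targets fire under first-match dispatch versus a fan-out to every match. The filter semantics (a `<level>` is a minimum alert level, a `<group>` list matches if any listed group is present, an absent filter is not applied) and the shape of the alert dict are assumptions for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment mirroring the two integrations in the thread
# (API keys and hook URLs are placeholders, as in the original post).
CONFIG_XML = """
<ossec_config>
  <integration>
    <name>custom-irisalert</name>
    <level>10</level>
    <alert_format>json</alert_format>
    <api_key>APIKEY</api_key>
    <hook_url>DFIR-IRIS/alerts/add</hook_url>
  </integration>
  <integration>
    <name>custom-opencti</name>
    <group>suricata,sysmon_event1,sysmon_event3,syscheck</group>
    <alert_format>json</alert_format>
    <api_key>API</api_key>
    <hook_url>OPENCTI/graphql</hook_url>
  </integration>
</ossec_config>
"""

# Constructed alert: level 10 and tagged with the 'suricata' rule group, so it
# satisfies the filters of both integrations at once (the case in the thread).
ALERT_BOTH = {"rule": {"id": "86601", "level": 10, "groups": ["suricata", "ids"]}}
# Constructed alert that only the group-filtered integration should accept.
ALERT_GROUP_ONLY = {"rule": {"id": "554", "level": 5, "groups": ["syscheck"]}}


def parse_integrations(xml_text):
    """Parse <integration> blocks into dicts with a level threshold and a group set."""
    root = ET.fromstring(xml_text)
    integrations = []
    for node in root.findall("integration"):
        level = node.findtext("level")
        groups = node.findtext("group") or ""
        integrations.append({
            "name": node.findtext("name"),
            "level": int(level) if level else None,
            "groups": {g.strip() for g in groups.split(",") if g.strip()},
            "hook_url": node.findtext("hook_url"),
        })
    return integrations


def matches(integration, alert):
    """Assumed filter semantics: <level> is a minimum alert level and <group> is
    an any-of list of rule groups; a filter that is absent is not applied."""
    rule = alert["rule"]
    level_ok = integration["level"] is None or rule["level"] >= integration["level"]
    wanted = integration["groups"]
    group_ok = not wanted or bool(wanted & set(rule["groups"]))
    return level_ok and group_ok


def select_targets(integrations, alert, first_match_only=True):
    """Return the integration names an alert would be delivered to.

    first_match_only=True reproduces the behaviour described in the thread
    (only the first matching integration fires); False shows what a fan-out
    to every matching integration would deliver instead."""
    hits = [i["name"] for i in integrations if matches(i, alert)]
    return hits[:1] if first_match_only else hits


if __name__ == "__main__":
    integrations = parse_integrations(CONFIG_XML)
    for label, alert in [("level-10 suricata alert", ALERT_BOTH),
                         ("level-5 syscheck alert", ALERT_GROUP_ONLY)]:
        print(label, "first-match:", select_targets(integrations, alert),
              "fan-out:", select_targets(integrations, alert, first_match_only=False))
```

Running the script on the level-10 Suricata alert returns only `custom-irisalert` under first-match dispatch and both names under fan-out, which is the gap Ivan observed. The same check, pointed at a real ossec.conf, is a quick way to audit whether integration filters overlap before relying on a downstream system (a case-management or threat-intel platform) receiving every alert it should.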

Ivan Myskiv

May 7, 2024, 3:41:12 AM
to Wazuh | Mailing List
I see, thanks Abdullah Al Noman!

However, is it possible to implement a multithreaded process for the integrator, or are there plans for such a development?
On Monday, 6 May 2024 at 13:59:20 UTC+3, Abdullah Al Noman wrote:

Abdullah Al Noman

May 9, 2024, 2:40:04 PM
to Wazuh | Mailing List
I believe we would surely implement such a feature in Wazuh in the future, but I am not certain about any timeline now. However, if you want to keep updated about this feature, I recommend you create a GitHub issue here with the details of the feature, and our team will work on it based on their timeline.
Hope this helps.
Regards,

Ivan Myskiv

May 13, 2024, 4:16:15 AM
to Wazuh | Mailing List
Okay, thanks!

On Thursday, 9 May 2024 at 21:40:04 UTC+3, Abdullah Al Noman wrote: