Wazuh Custom OpenCTI integration not sending log to dashboard


Khaedir Sul

Aug 20, 2023, 6:05:29 AM
to Wazuh mailing list
Hi,
I am having some issues with a custom integration using OpenCTI. The integration runs properly, but somehow the rules do not trigger because the response does not seem to be sent back to the Wazuh Manager.

Please find below the script and rules:

<group name="threat_intel,">
  <rule id="100623" level="10">
    <field name="integration">opencti</field>
    <description>OpenCTI</description>
    <group>opencti,</group>
    <options>no_full_log</options>
  </rule>
  <rule id="100624" level="5">
    <if_sid>100623</if_sid>
    <field name="opencti.error">\.+</field>
    <description>OpenCTI - Error connecting to API</description>
    <options>no_full_log</options>
    <group>opencti,opencti_error,</group>
  </rule>
  <rule id="100625" level="12">
    <if_sid>100623</if_sid>
    <field name="opencti.id">\.+</field>
    <description>OpenCTI - IoC found in Threat Intel - $(opencti.observable_value)</description>
    <options>no_full_log</options>
    <group>opencti,opencti_alert,</group>
  </rule>
</group>


<integration>
  <name>custom-opencti</name>
  <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
  <alert_format>json</alert_format>
</integration>

[Attachment: opencti.py]
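The rules above only fire if the custom script hands its result back to analysisd in the form integrator scripts are expected to use: a datagram on the manager's queue socket, prefixed with the queue id and a source label, carrying a JSON body whose `integration` field equals the value rule 100623 matches. The following is an added example written for this thread, not the poster's opencti.py and not the misje/wazuh-opencti project code. It assumes the Wazuh 4.x socket path /var/ossec/queue/sockets/queue (older releases used /var/ossec/queue/ossec/queue), and the alert and OpenCTI lookup results are constructed sample data. `roundtrip_selftest()` stands up a throw-away socket in place of analysisd so the message format can be checked offline.

```python
import json
import os
import socket
import tempfile

# Assumption: Wazuh 4.x analysisd input socket. Older releases: /var/ossec/queue/ossec/queue
MANAGER_SOCKET = "/var/ossec/queue/sockets/queue"
# Must equal the value rule 100623 expects in <field name="integration">
INTEGRATION = "opencti"

# Constructed alert, shaped like the JSON integratord hands the script (not a real alert)
SAMPLE_ALERT = {
    "agent": {"id": "001", "name": "win-host", "ip": "10.0.0.5"},
    "rule": {"groups": ["sysmon_event3"]},
    "data": {"win": {"eventdata": {"destinationIp": "198.51.100.23"}}},
}
# Constructed alert raised on the manager itself (agent id 000)
MANAGER_ALERT = {"agent": {"id": "000", "name": "manager"}, "rule": {"groups": ["syscheck"]}}

# Constructed OpenCTI results: a hit (rule 100625 keys on opencti.id) and an API error (rule 100624)
SAMPLE_HIT = {
    "id": "indicator--00000000-0000-4000-8000-000000000000",
    "observable_value": "198.51.100.23",
    "x_opencti_score": 80,
}
SAMPLE_ERROR = {"error": "HTTP 401 from OpenCTI API (constructed example)"}


def build_event(payload: dict, alert: dict) -> str:
    """Format one event for analysisd: '1:<source>:<json>'.

    '1' is the queue id for integration events. The source label decides whether the
    decoded event is attributed to the manager or to the agent whose alert triggered
    the lookup, which is what makes agent.name/agent.ip appear on the resulting alert.
    """
    body = {"integration": INTEGRATION, INTEGRATION: payload}
    agent = alert.get("agent", {})
    if agent.get("id", "000") == "000":
        source = INTEGRATION
    else:
        source = "[{id}] ({name}) {ip}->{integ}".format(
            id=agent["id"],
            name=agent.get("name", "any"),
            ip=agent.get("ip", "any"),
            integ=INTEGRATION,
        )
    return f"1:{source}:{json.dumps(body)}"


def parse_event(event: str):
    """Split an event back into (queue_id, source, decoded body); used for checking."""
    queue_id, source, body = event.split(":", 2)
    return queue_id, source, json.loads(body)


def send_event(event: str, socket_path: str = MANAGER_SOCKET) -> int:
    """Deliver one event over the manager's Unix datagram socket; returns bytes sent.

    A wrong path or missing write permission raises here, which is the first thing
    to look for when rules never trigger although the script itself runs.
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.connect(socket_path)
        return sock.send(event.encode())
    finally:
        sock.close()


def roundtrip_selftest() -> dict:
    """Bind a temporary datagram socket standing in for analysisd, send the sample hit
    through send_event(), and return the decoded body so the format can be verified
    without a Wazuh manager."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "queue")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        server.bind(path)
        try:
            send_event(build_event(SAMPLE_HIT, SAMPLE_ALERT), socket_path=path)
            data = server.recv(65536).decode()
        finally:
            server.close()
    return parse_event(data)[2]


if __name__ == "__main__":
    # Offline check of the wire format; on a manager you would call send_event() with the default path
    print(build_event(SAMPLE_HIT, SAMPLE_ALERT))
    print(build_event(SAMPLE_ERROR, MANAGER_ALERT))
    print(roundtrip_selftest())
```

When adapting this to a real script, keep two things aligned with the rules: the top-level `integration` value must be the literal `opencti`, and the lookup result must be nested under an `opencti` key so that the decoded fields become `opencti.id` and `opencti.error`. If the socket write raises, the exception usually ends up in /var/ossec/logs/integrations.log rather than in the alerts, so that log is the place to confirm whether the event ever left the script.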

Abdullah Al Rafi Fahim

Aug 21, 2023, 1:10:48 AM
to Wazuh mailing list
Hello Khaedir,

Thank you for using Wazuh!

Unfortunately, there is no official documentation regarding Wazuh integration with OpenCTI, but I can share with you the official documentation of integration with external APIs and also an example of how to integrate external software with Wazuh: Integration with external APIs -
May I know how you configured the api_key and hook_url options for the integration? You can review the steps and custom script shared here: https://github.com/misje/wazuh-opencti, which is developed by a community member, and identify if you missed anything in your configuration or script which is not allowing the lookup at the OpenCTI end and not sending back the responses to Wazuh.

I hope it helps. Please let us know how it goes.

nadia ayari

May 3, 2024, 5:47:07 AM
to Wazuh | Mailing List
Hey,
I was wondering if you got this error solved, because I am facing the same error.
