Jira Wazuh Integration API Issue


Liam Kapeel

May 8, 2024, 4:05:14 AM
to Wazuh | Mailing List
Good afternoon,
I have worked to integrate Jira with Wazuh using the configurations listed below. However, whenever I leverage the canned curl command to test (per Jira documentation) I keep getting this API error: "x-seraph-loginreason: AUTHENTICATED_FAILED". This means the API on Jira's side is for some reason throwing a Captcha. To fix it, I am aware Jira wants me to modify the header, but I don't know if that's possible within Wazuh. Please view the config files below.
------------------------------------
OSSEC.CONF
<integration>
  <name>custom-jira-integration</name>
  <hook_url>https://MYCOMPANY.atlassian.net/rest/api/3/issuetype</hook_url>
  <api_key>EMAIL:KEY</api_key>
  <group>github</group>
  <level>5</level>
  <alert_format>json</alert_format>
</integration>
------------------------------------
JIRA-INTEGRATION FILE
#!/var/ossec/framework/python/bin/python3

import sys
import json
import requests
from requests.auth import HTTPBasicAuth

if len(sys.argv) < 4:
    print("Usage: {} <alert_file_path> <user:apikey> <hook_url>".format(sys.argv[0]))
    sys.exit(1)

# Wazuh passes <api_key> as "EMAIL:KEY"; split on the first colon only so a key containing ':' survives
user, api_key = sys.argv[2].split(':', 1)
hook_url = sys.argv[3]

# Set the project attributes (manually configured before running)
project_key = 'MYPROJECT'  # Replace 'MYPROJECT' with your actual project key
issuetypeid = '10002'  # Replace '10002' with your actual issue type ID

# Open the alert file
with open(sys.argv[1], 'r') as file:
    for line in file:
        try:
            # Parse each line as a JSON object
            alert_json = json.loads(line)

            # Extract issue fields from the JSON object
            alert_level = alert_json['rule']['level']
            ruleid = alert_json['rule']['id']
            description = alert_json['rule']['description']
            agentid = alert_json['agent']['id']
            agentname = alert_json['agent']['name']

            # Assume additional fields are within the nested 'github' dictionary if available
            actor = alert_json.get('data', {}).get('github', {}).get('actor', 'Unknown actor')
            org = alert_json.get('data', {}).get('github', {}).get('org', 'Unknown organization')
            repository = alert_json.get('data', {}).get('github', {}).get('repo', 'No repository specified')
            actor_ip = alert_json.get('data', {}).get('github', {}).get('actor_ip', 'No IP available')

            # Generate request for JIRA
            issue_data = {
                "fields": {
                    "summary": 'GitHub Alert: [' + description + ']',
                    "issuetype": {
                        "id": issuetypeid
                    },
                    "project": {
                        "key": project_key
                    },
                    "description": {
                        "text": f'- State: {description}\n- Rule ID: {ruleid}\n- Alert level: {alert_level}\n- Agent: {agentid} {agentname}\n- Actor: {actor}\n- Organization: {org}\n- Repository: {repository}\n- Actor IP: {actor_ip}'
                    }
                }
            }

            # Send the request (Basic auth: Atlassian account e-mail + API token)
            response = requests.post(hook_url, json=issue_data, auth=HTTPBasicAuth(user, api_key))
            # Print status and raw body; response.json() would raise on a non-JSON reply (e.g. a CAPTCHA page)
            print(response.status_code, response.text)

        except json.JSONDecodeError as e:
            print(f"Error decoding JSON: {e}")
            continue

sys.exit(0)

Anthony Faruna

May 8, 2024, 9:08:19 PM
to Wazuh | Mailing List
Hello,

I suggest you manually send HTTP requests to Jira's API and observe the response. This can help you understand whether the issue is with the Wazuh integration or the Jira API itself.

As you noted, this issue is on the Jira side; hence, I suggest you contact Jira for possible recommendations on how to circumvent the Captcha check.

I hope this helps. 

Regards

Xavi Venteo

Jun 25, 2024, 3:41:31 AM
to Wazuh | Mailing List
Hello,

I have the same problem. I tried to send an HTTP request to Jira's API and it works.

After modifying the Python file, the integration works if I don't try to read the configuration parameters:
# Read configuration parameters
alert_file = open(sys.argv[1])

If I hardcode all these values, the integration works. But I need to get the args in order to get the information of the Wazuh alert.

Can anyone help me, at least on how to find the logs of the Python execution?

Regards,
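The two open points in this thread are the "x-seraph-loginreason: AUTHENTICATED_FAILED" header from the first post and the question in the last post about where the script's output ends up when Wazuh runs it. The skeleton below is an added example, not the poster's script or Wazuh's own integration code, and it is written with the standard library only so the argument parsing, payload building and response classification can be exercised offline. Assumptions: Wazuh invokes the script as <alert_file> <email:token> <hook_url>, as the posted script expects; the log path is the integrations.log file under /var/ossec/logs that Wazuh's bundled integrations use; hook_url points at the Jira Cloud create-issue endpoint (POST /rest/api/3/issue), which expects the description as an Atlassian Document Format document rather than a bare {"text": ...} object; the sample alert lines are constructed. On an auth failure the script logs the verdict and stops instead of looping, since every further rejected login only deepens the CAPTCHA lockout.

```python
#!/var/ossec/framework/python/bin/python3
"""Hypothetical hardened skeleton for a custom Wazuh -> Jira integration
(added example). Pure functions are testable offline; only main() talks HTTP."""
import base64
import json
import logging
import sys
import urllib.error
import urllib.request
from typing import Dict, Iterable, List, Tuple

# Assumption: the file Wazuh's bundled integration scripts log to, so the
# output is where an operator looks when stdout is not captured.
LOG_FILE = "/var/ossec/logs/integrations.log"
PROJECT_KEY = "MYPROJECT"  # placeholder values, as in the thread
ISSUETYPE_ID = "10002"


def parse_credentials(arg: str) -> Tuple[str, str]:
    """Split the <api_key> argument (EMAIL:TOKEN) on the first colon only."""
    if ":" not in arg:
        raise ValueError("api_key must look like EMAIL:TOKEN")
    email, token = arg.split(":", 1)
    if not email or not token:
        raise ValueError("api_key must look like EMAIL:TOKEN")
    return email, token


def basic_auth_header(email: str, token: str) -> str:
    """Authorization header value Jira Cloud expects for e-mail + API token."""
    raw = f"{email}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_alert_lines(lines: Iterable[str]) -> List[dict]:
    """One JSON alert per line; malformed lines are logged and skipped."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError as exc:
            logging.warning("alert line %d is not JSON: %s", lineno, exc)
    return alerts


def build_issue(alert: dict, project_key: str, issuetype_id: str) -> dict:
    """Create-issue payload with the description as an ADF document."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    gh = alert.get("data", {}).get("github", {})
    body = (f"Rule ID: {rule.get('id', '?')}\nAlert level: {rule.get('level', '?')}\n"
            f"Agent: {agent.get('id', '?')} {agent.get('name', '?')}\n"
            f"Actor: {gh.get('actor', 'Unknown actor')}\n"
            f"Repository: {gh.get('repo', 'No repository specified')}\n"
            f"Actor IP: {gh.get('actor_ip', 'No IP available')}")
    adf = {"type": "doc", "version": 1, "content": [
        {"type": "paragraph", "content": [{"type": "text", "text": body}]}]}
    return {"fields": {"project": {"key": project_key},
                       "issuetype": {"id": issuetype_id},
                       "summary": f"GitHub Alert: [{rule.get('description', 'no description')}]",
                       "description": adf}}


def classify_response(status: int, headers: Dict[str, str]) -> str:
    """Any x-seraph-loginreason other than OK (the thread's AUTHENTICATED_FAILED,
    i.e. a CAPTCHA challenge) means the credentials were rejected: stop, do not retry."""
    lowered = {k.lower(): v for k, v in headers.items()}
    reason = lowered.get("x-seraph-loginreason", "OK").strip().upper()
    if reason != "OK" or status in (401, 403):
        return "auth_failed_stop"
    if status in (200, 201):
        return "created"
    return "error"


def main(argv: List[str]) -> int:
    logging.basicConfig(filename=LOG_FILE, level=logging.INFO,
                        format="%(asctime)s jira-integration %(levelname)s %(message)s")
    if len(argv) < 4:
        logging.error("usage: %s <alert_file> <email:token> <hook_url>", argv[0])
        return 1
    # Record how the script was invoked, but never the token itself.
    logging.info("argv count=%d alert_file=%s hook_url=%s", len(argv), argv[1], argv[3])
    auth = basic_auth_header(*parse_credentials(argv[2]))
    with open(argv[1], "r", encoding="utf-8") as fh:
        alerts = parse_alert_lines(fh)
    for alert in alerts:
        payload = json.dumps(build_issue(alert, PROJECT_KEY, ISSUETYPE_ID)).encode("utf-8")
        req = urllib.request.Request(argv[3], data=payload, method="POST", headers={
            "Authorization": auth, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                status, headers = resp.status, dict(resp.headers.items())
        except urllib.error.HTTPError as exc:
            status, headers = exc.code, dict(exc.headers.items())
        verdict = classify_response(status, headers)
        logging.info("jira status=%d verdict=%s", status, verdict)
        if verdict == "auth_failed_stop":
            return 2  # one rejected login is enough; do not hammer Jira
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it by hand with the same three arguments Wazuh passes (a copy of one alert line as the file, EMAIL:TOKEN, and the hook URL) and then read integrations.log: a line with argv count and paths confirms the arguments arrive, and the verdict line tells you whether Jira accepted the credentials before you go looking at the Wazuh side.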