Wazuh‐DFIR IRIS Integration - socarium/makarasoc GitHub Wiki

This guide provides step-by-step instructions to integrate Wazuh, an open-source security monitoring platform, with DFIR-IRIS, a digital forensics and incident response (DFIR) platform. With the integration in place, Wazuh forwards alerts above a chosen rule level to the IRIS alert queue, so analysts can triage, escalate, and work them as cases without leaving IRIS, with the raw Wazuh alert attached for reference.


  1. Open the integration script:
nano modules/wazuh/custom-iris.py
  1. In the payload, replace the placeholder in "alert_source_link" with the address of your Wazuh dashboard. This link is what an IRIS analyst clicks to pivot back to Wazuh, so it must be reachable from the analyst's browser:
payload = json.dumps({
        "alert_title": alert_json.get("rule", {}).get("description", "No Description"),
        "alert_description": alert_details,
        "alert_source": "Wazuh",
        "alert_source_ref": alert_json.get("id", "Unknown ID"),
        "alert_source_link": "https://<IP ADDRESS>/app/wz-home",  # Replace with actual Wazuh dashboard IP address
        "alert_severity_id": severity,
        "alert_status_id": 2,  # 'New' status
        "alert_source_event_time": alert_json.get("timestamp", "Unknown Timestamp"),
        "alert_note": "",
        "alert_tags": f"wazuh,{alert_json.get('agent', {}).get('name', 'N/A')}",
        "alert_customer_id": 1,  # '1' for default 'IrisInitialClient'
        "alert_source_content": alert_json  # raw log
    })

Here is an example with the dashboard address filled in:

payload = json.dumps({
        "alert_title": alert_json.get("rule", {}).get("description", "No Description"),
        "alert_description": alert_details,
        "alert_source": "Wazuh",
        "alert_source_ref": alert_json.get("id", "Unknown ID"),
        "alert_source_link": "https://192.168.1.100/app/wz-home",  # Replace with actual Wazuh dashboard IP address
        "alert_severity_id": severity,
        "alert_status_id": 2,  # 'New' status
        "alert_source_event_time": alert_json.get("timestamp", "Unknown Timestamp"),
        "alert_note": "",
        "alert_tags": f"wazuh,{alert_json.get('agent', {}).get('name', 'N/A')}",
        "alert_customer_id": 1,  # '1' for default 'IrisInitialClient'
        "alert_source_content": alert_json  # raw log
    })
  • Once finished, press Ctrl+O and then Enter to save the file.

  • Press Ctrl+X to exit the editor.
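To make the payload above concrete, here is a complete integration script in the shape Wazuh expects. It is an added example written for this guide, not the project's modules/wazuh/custom-iris.py: Wazuh's integratord runs a custom integration as `custom-iris.py <alert_file> <api_key> <hook_url>`, with the last two values taken from the `<integration>` block, and the script must answer with one POST to IRIS. The payload keys match the page; the dashboard address, the rule-level-to-severity bands, the `alert_details` layout, the use of the standard library instead of `requests`, and the sample alert are all assumptions of this example.

```python
# Illustrative Wazuh -> DFIR-IRIS integration script written for this guide.
# Wazuh's integratord invokes a custom integration as:
#     custom-iris.py <alert_file> <api_key> <hook_url>
# <alert_file> holds one alert as JSON; the other two values come from the
# <api_key> and <hook_url> elements of the <integration> block.
import json
import ssl
import sys
import urllib.request

# Assumed Wazuh dashboard address used for alert_source_link (placeholder).
WAZUH_DASHBOARD_URL = "https://192.168.1.100/app/wz-home"


def wazuh_level_to_iris_severity(level):
    """Map a Wazuh rule level (0-15) onto an IRIS severity ID.

    Assumes IRIS's default severity table (1 Unspecified, 2 Informational,
    3 Low, 4 Medium, 5 High, 6 Critical); the bands are this example's choice.
    """
    if level < 5:
        return 2
    if level < 7:
        return 3
    if level < 10:
        return 4
    if level < 13:
        return 5
    return 6


def build_iris_payload(alert, dashboard_url=WAZUH_DASHBOARD_URL):
    """Turn a Wazuh alert dict into the JSON body for POST /alerts/add."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    level = int(rule.get("level", 0))
    # Analyst-facing summary used as the IRIS alert description.
    details = "\n".join([
        f"Rule ID: {rule.get('id', 'N/A')}",
        f"Rule level: {level}",
        f"Agent: {agent.get('name', 'N/A')} ({agent.get('ip', 'N/A')})",
        f"Full log: {alert.get('full_log', 'N/A')}",
    ])
    return {
        "alert_title": rule.get("description", "No Description"),
        "alert_description": details,
        "alert_source": "Wazuh",
        "alert_source_ref": alert.get("id", "Unknown ID"),
        "alert_source_link": dashboard_url,
        "alert_severity_id": wazuh_level_to_iris_severity(level),
        "alert_status_id": 2,  # 'New'
        "alert_source_event_time": alert.get("timestamp", "Unknown Timestamp"),
        "alert_note": "",
        "alert_tags": f"wazuh,{agent.get('name', 'N/A')}",
        "alert_customer_id": 1,  # default 'IrisInitialClient'
        "alert_source_content": alert,  # raw alert kept for the analyst
    }


def send_to_iris(payload, api_key, hook_url, cafile=None):
    """POST the payload to IRIS with a Bearer token; returns the HTTP status.
    TLS is verified: with IRIS's self-signed certificate, pass that
    certificate as cafile rather than switching verification off."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


# Constructed sample alert in Wazuh's JSON shape (not a real capture).
SAMPLE_ALERT = {
    "id": "1714550400.123456",
    "timestamp": "2024-05-01T08:00:00.000+0000",
    "rule": {"id": "5712", "level": 10,
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "full_log": "May  1 08:00:00 web-01 sshd[1234]: Failed password for "
                "invalid user admin from 203.0.113.9 port 51234 ssh2",
}


def main(argv):
    if len(argv) != 4:
        print("usage: custom-iris.py <alert_file> <api_key> <hook_url>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        alert = json.load(fh)
    status = send_to_iris(build_iris_payload(alert), argv[2], argv[3])
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points worth keeping in mind when adapting this. First, because the API key arrives on the command line, anyone who can list processes on the manager can read it, so keep the manager host locked down and rotate the key if it leaks. Second, if you deploy the script by hand rather than through main.sh, Wazuh only runs scripts placed in /var/ossec/integrations/ that are executable and owned by root:wazuh; a wrong owner or mode shows up as a silent failure in the integrations log.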

  1. Open the Wazuh manager configuration file:
sudo nano wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf
  1. Add the following block to wazuh_manager.conf so the manager forwards alerts to DFIR-IRIS. Replace the DFIR-IRIS address and the API key with your own values:
<!-- IRIS integration -->
<integration>
  <name>custom-iris.py</name>
  <hook_url>https://<IRIS_IP_ADDRESS>/alerts/add</hook_url>
  <level>7</level>
  <api_key><IRIS_API_KEY></api_key> <!-- Replace with your IRIS API key -->
  <alert_format>json</alert_format>
</integration>

Make sure the block sits between the <ossec_config> and </ossec_config> tags. Note that <level>7</level> is a minimum: only alerts with rule level 7 or higher are sent to IRIS, so lower it if you want less severe alerts to appear there. Wazuh hands the <api_key> and <hook_url> values to the script as arguments, which means the IRIS API key is stored in plaintext in this file; keep its read permissions restricted.

If you do not know where to find the API key in DFIR-IRIS, follow these steps:

  • Open your IRIS instance in a browser (https://<IP Address>:8443).

  • At the top left, next to the Administrator avatar, there is a drop-down arrow.

  • Select "My Settings" to open the Administrator profile page.

  • Copy the API key shown there into the <api_key> element, and put your DFIR-IRIS address into the <hook_url> element.

With both values filled in:

  • Press Ctrl+O and then Enter to save the file.

  • Press Ctrl+X to exit the editor.

  1. Run main.sh to apply the configuration:
./main.sh
  1. Select I'm New to This or I Know What I'm Doing.

The screenshots in this guide use I'm New to This.

  1. Select Tools Configurations.


  1. Select Integration Wazuh - DFIR IRIS.

  1. Once the process has finished, verify that the Wazuh services are running and the integration works:
sudo docker-compose -f wazuh-docker/single-node/docker-compose.yml ps -a

All Wazuh containers should be listed as running. To confirm that alerts actually reach IRIS, trigger an event of rule level 7 or higher (for example, a few failed SSH logins on a monitored agent) and check that it appears in the IRIS Alerts view. Wazuh writes the output of the integration script, including any HTTP errors returned by IRIS, to /var/ossec/logs/integrations.log inside the manager container; that file is the first place to look if nothing shows up.
