Wazuh‐DFIR IRIS Integration - wahyusutejo1986/socarium GitHub Wiki

This guide provides step-by-step instructions to integrate Wazuh, an open-source security monitoring platform, with DFIR-IRIS, a digital forensics and incident response (DFIR) platform. By integrating these tools, organizations can enhance their security posture by correlating threat intelligence, log analysis, and incident response workflows.

  • Open the Wazuh configuration file:
sudo nano wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf
  • Configure Wazuh to forward alerts to DFIR-IRIS by copying this snippet into the file:
  <!-- IRIS integration -->
  <integration>
    <name>integration-iris.py</name>
    <hook_url>https://<IRIS_IP_ADDRESS>/alerts/add</hook_url>
    <level>7</level>
    <api_key><IRIS_API_KEY></api_key> <!-- Replace with your IRIS API key -->
    <alert_format>json</alert_format>
  </integration>
  • Make sure the snippet is pasted between the <ossec_config> and </ossec_config> tags.

  • Please refer to this example:

  • At this stage you need to copy the DFIR-IRIS API key into the snippet.

  • Open the DFIR-IRIS web page and log in to obtain the API key.

  • Click My settings to get the API key.

  • Copy the API key into the snippet for the integration between Wazuh and DFIR-IRIS.

  • Here is an example of the snippet after your server IP address and API key have been filled in.

  • Press Ctrl + O and then Enter to save the edited file.

  • Press Ctrl + x to exit the text editor.

  • Run main.sh to open the socarium main menu:

./main.sh
  • Select Socarium Configurations.

  • Select Integration Wazuh - DFIR IRIS.

  • The integration process is finished.

  • Verify the Wazuh docker service.
sudo docker-compose -f wazuh-docker/single-node/docker-compose.yml ps -a
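Before running the integration, it is worth checking that the edited block is well formed and that both placeholders were actually replaced, since a leftover `<IRIS_IP_ADDRESS>` or `<IRIS_API_KEY>` would silently break alert forwarding. The checker below is an added example, not part of the socarium project or the Wazuh tooling; the sample configuration strings and the key value in it are constructed, and the exact field requirements are taken from the snippet above.

```python
import re

# Constructed sample: the snippet from this guide, placeholders still unreplaced.
UNFILLED = """<ossec_config>
  <!-- IRIS integration -->
  <integration>
    <name>integration-iris.py</name>
    <hook_url>https://<IRIS_IP_ADDRESS>/alerts/add</hook_url>
    <level>7</level>
    <api_key><IRIS_API_KEY></api_key>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""
# Constructed sample: the same block after filling in a (made-up) IP and key.
FILLED = (UNFILLED.replace("<IRIS_IP_ADDRESS>", "10.0.0.5")
                  .replace("<IRIS_API_KEY>", "example-key-0123"))

PLACEHOLDERS = ("<IRIS_IP_ADDRESS>", "<IRIS_API_KEY>")

def check_iris_integration(conf: str) -> list[str]:
    """Return the problems found in the IRIS <integration> block (empty list = OK).
    Regex is used on purpose: a block with unreplaced placeholders is not valid XML."""
    problems = []
    block = re.search(r"<integration>.*?</integration>", conf, re.S)
    if not block:
        return ["no <integration> block found"]
    body = block.group(0)
    # Nesting check: the nearest <ossec_config> tag before the block must be an opening
    # tag, and a closing tag must follow the block.
    last_open = conf.rfind("<ossec_config>", 0, block.start())
    last_close = conf.rfind("</ossec_config>", 0, block.start())
    if last_open == -1 or last_close > last_open or conf.find("</ossec_config>", block.end()) == -1:
        problems.append("<integration> block is not inside <ossec_config>")
    for ph in PLACEHOLDERS:
        if ph in body:
            problems.append(f"placeholder {ph} was not replaced")
    def field(tag):
        m = re.search(rf"<{tag}>(.*?)</{tag}>", body, re.S)
        return m.group(1).strip() if m else None
    if field("name") != "integration-iris.py":
        problems.append("<name> must be integration-iris.py")
    url = field("hook_url") or ""
    if not url.startswith("https://") or not url.endswith("/alerts/add"):
        problems.append("<hook_url> should look like https://<host>/alerts/add")
    level = field("level")
    if level is None or not level.isdigit() or not 0 <= int(level) <= 16:
        problems.append("<level> must be an integer between 0 and 16")
    if field("alert_format") != "json":
        problems.append("<alert_format> must be json")
    if not field("api_key"):
        problems.append("<api_key> is empty")
    return problems
```

To check the real file, read `wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf` into a string and pass it to `check_iris_integration`; an empty list means the block matches what this guide expects.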
