diff --git a/custom-wazuh.py b/custom-wazuh.py
index c9dbfb4..1be81bd 100644
--- a/custom-wazuh.py
+++ b/custom-wazuh.py
@@ -4,12 +4,9 @@ import logging
 import iris_api
 from datetime import datetime
-logging.basicConfig(filename='/var/ossec/logs/integrations.log', level=logging.INFO,
- format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S')
-
 def main():
 if len(sys.argv) < 4:
- logging.error("Insufficient arguments provided. Exiting.")
+ print("Not enough arguments!")
 sys.exit(1)
 alert_file = sys.argv[1]
@@ -20,32 +17,31 @@ def main():
 with open(alert_file) as f:
 alert_json = json.load(f)
 except Exception as e:
- logging.error(f"Failed to read alert file: {e}")
 sys.exit(1)
- client = iris_api.IrisClient(hook_url, api_key)
+ client = iris_api.IrisClient(hook_url, api_key)
+
+ processor = alert.AlertProcessor()
- processor = alert.AlertProcessor()
+ formatted_alert = processor.process(alert_json)
- formatted_alert = processor.process(alert_json)
+ alert_result = client.alert(a.to_IRIS())
- alert_result = client.alert(a.to_IRIS())
+ match = None
- match = None
+ for case in client.cases_list():
+ if a.srcip in case["case_name"]:
+ match = case
- for case in client.cases_list():
- if a.srcip in case["case_name"]:
- match = case
+ if match == None:
+ client.case_new(a.srcip, a.title)
+ else:
+ iocs = []
- if match == None:
- client.case_new(a.srcip, a.title)
- else:
- iocs = []
-
- for ioc in alert_result.get("iocs", {}):
- iocs.append(ioc.get("ioc_uuid", "N/A"))
+ for ioc in alert_result.get("iocs", {}):
+ iocs.append(ioc.get("ioc_uuid", "N/A"))
- client.merge_alert_to_case(alert_result.get("alert_id", -1), match.get("case_id", -1), iocs)
+ client.merge_alert_to_case(alert_result.get("alert_id", -1), match.get("case_id", -1), iocs)
 if __name__ == "__main__":
 main()
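Review bot: Swapping `logging.error("Insufficient arguments provided. Exiting.")` for a bare `print("Not enough arguments!")` while dropping the `logging.basicConfig(...)` that wrote to /var/ossec/logs/integrations.log means an argument-count failure in this Wazuh integration now goes to stdout, which an integrator daemon launching the script non-interactively may well discard, so a misconfigured integration fails silently instead of leaving a trace an analyst can find. If the file-based logger is intentionally gone, at least route the message to stderr and keep the exit code: `print("Not enough arguments!", file=sys.stderr)`. The hunk header's context still shows `import logging`, which is now unused after this change and should be removed in the same commit. The rest of main() continues past this hunk.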
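Review bot: Removing `logging.error(f"Failed to read alert file: {e}")` leaves `except Exception as e:` binding an exception that is never reported before `sys.exit(1)`, so a missing, unreadable or malformed alert file now exits without any diagnostic; keep the message on the way out, for example `print(f"Failed to read alert file: {e}", file=sys.stderr)`, or narrow the clause to `(OSError, json.JSONDecodeError)` and let anything else propagate. The re-added lines also carry two defects worth fixing while they are being touched: `formatted_alert` is assigned but every following call uses `a` (`a.to_IRIS()`, `a.srcip`, `a.title`), which is a NameError unless `a` is bound in the lines between the two hunks that are not shown here, and `if a.srcip in case["case_name"]` is a substring test, so an alert for 10.0.0.1 would merge into a case named for 10.0.0.10 or 110.0.0.1; comparing an exact token of the case name, and using `if match is None:`, avoids cross-case contamination of IOCs. This hunk shows the tail of main() only; its earlier lines are outside the view.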