0x221E/siem-integrations
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Patch: Fix indentation and logging errors

Browse Source
This commit is contained in:
0x221E
2026-01-27 21:06:43 +01:00
parent 6e4ef51973
commit 57481a022c
1 changed files with 17 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
custom-wazuh.py
View File

@@ -4,12 +4,9 @@ import logging
import iris_api import iris_api
from datetime import datetime from datetime import datetime
logging.basicConfig(filename='/var/ossec/logs/integrations.log', level=logging.INFO,
format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S')
def main(): def main():
if len(sys.argv) < 4: if len(sys.argv) < 4:
logging.error("Insufficient arguments provided. Exiting.") print("Not enough arguments!")
sys.exit(1) sys.exit(1)
alert_file = sys.argv[1] alert_file = sys.argv[1]
@@ -20,32 +17,31 @@ def main():
with open(alert_file) as f: with open(alert_file) as f:
alert_json = json.load(f) alert_json = json.load(f)
except Exception as e: except Exception as e:
logging.error(f"Failed to read alert file: {e}")
sys.exit(1) sys.exit(1)
client = iris_api.IrisClient(hook_url, api_key) client = iris_api.IrisClient(hook_url, api_key)
processor = alert.AlertProcessor()
processor = alert.AlertProcessor() formatted_alert = processor.process(alert_json)
formatted_alert = processor.process(alert_json) alert_result = client.alert(a.to_IRIS())
alert_result = client.alert(a.to_IRIS()) match = None
match = None for case in client.cases_list():
if a.srcip in case["case_name"]:
match = case
for case in client.cases_list(): if match == None:
if a.srcip in case["case_name"]: client.case_new(a.srcip, a.title)
match = case else:
iocs = []
if match == None: for ioc in alert_result.get("iocs", {}):
client.case_new(a.srcip, a.title) iocs.append(ioc.get("ioc_uuid", "N/A"))
else:
iocs = []
for ioc in alert_result.get("iocs", {}):
iocs.append(ioc.get("ioc_uuid", "N/A"))
client.merge_alert_to_case(alert_result.get("alert_id", -1), match.get("case_id", -1), iocs) client.merge_alert_to_case(alert_result.get("alert_id", -1), match.get("case_id", -1), iocs)
if __name__ == "__main__": if __name__ == "__main__":
main() main()