Initial commit: Wazuh-IRIS integration scripts

2026-01-27 20:48:02 +01:00
commit 6e4ef51973
3 changed files with 214 additions and 0 deletions
--- a/alert.py
+++ b/alert.py
@@ -0,0 +1,80 @@
+from enum import Enum
+
+class IOC:
+    def __init__(self, value: str, desc: str, c_type: int, cat: int):
+        self.ioc_value = value
+        self.ioc_description = desc
+        self.ioc_type_id = c_type
+        self.ioc_tlp_id = cat
+
+    def to_dict(self):
+        return {
+            "ioc_value": self.ioc_value,
+            "ioc_description": self.ioc_description,
+            "ioc_type_id": self.ioc_type_id,
+            "ioc_tlp_id": self.ioc_tlp_id
+        }
+        
+class Alert:
+    def __init__(self, data):
+        self.data = data
+        self.iocs = []
+
+    def _level_convert(self, alert_level: int):
+        if alert_level < 5:
+            severity = 2
+        elif alert_level >= 5 and alert_level < 7:
+            severity = 3
+        elif alert_level >= 7 and alert_level < 10:
+            severity = 4
+        elif alert_level >= 10 and alert_level < 13:
+            severity = 5
+        elif alert_level >= 13:
+            severity = 6
+        else:
+            severity = 1
+        return severity
+        
+class WebAlert(Alert):
+    def __init__(self, data):
+        super().__init__(data)
+        self.id: str = data.get("_id", "NONE")
+        self.srcip: str = data.get("data", {}).get("srcip", "unknown")
+        self.url: str = data.get("data", {}).get("url", "invalid")
+        self.title: str = data.get("rule", {}).get("description", "No description provided")
+        self.technique: str = ' '.join(data.get("rule", {}).get("technique", {}))
+        self.timestamp: str = data.get("timestamp", "")
+        self.protocol: str = data.get("data", {}).get("protocol", "invalid")
+        self.full_log: str = data.get("full_log", "Full log unknown")
+        self.severity: int = int(data.get("rule", {}).get("level", -1))
+        self.iocs = []
+        self._generateIOCs()
+        
+    def _generateIOCs(self):
+        if self.srcip != "unknown":
+            self.iocs.append(IOC(self.srcip, "Source IP", 79, 5))
+        if self.url != "invalid":
+            self.iocs.append(IOC(self.url, "url", 141, 5))
+        
+    def to_IRIS(self) -> dict:
+        return {
+            "alert_title": self.title,
+            "alert_note": "Suspicious web activity was detected.",
+            "alert_iocs": [i.to_dict() for i in self.iocs],
+            "alert_source": "NGINX web activity",
+            "alert_severity_id": self._level_convert(self.severity),
+            "alert_status_id": 3,
+            "alert_customer_id": 1,
+            "alert_description": self.full_log,
+            "alert_source_content": self.data,
+        }
+             
+class AlertProcessor:
+    ALERT_TYPES = {
+        "web-accesslog": WebAlert,
+    }
+    
+    def process(self, body: dict) -> Alert:
+        decoder_name = body.get("decoder", {}).get("name", "N/A")
+        alert_class = self.ALERT_TYPES.get(decoder_name, Alert)
+        return alert_class(body)