How to integrate DFIR Iris with Wazuh

New configuration (How To)

Situation

  1. Locate the Customer ID. Log in to the DFIR-IRIS dashboard with an administrator account, go to Advanced > Customers, select the customer you wish to integrate, and record its Customer ID.

  2. Retrieve the API key. Get the API key of the current DFIR-IRIS user by clicking the username and choosing My settings. Copy this API key and keep it safe; the Wazuh server will use it to authenticate to IRIS.

  3. Create and configure the integration script.

    • Create a script file named /var/ossec/integrations/custom-wazuh_iris.py containing the script that forwards alerts to DFIR-IRIS.

    • Edit the script so that alert_source_link points to the Wazuh dashboard IP address and alert_customer_id holds the customer ID recorded from the DFIR-IRIS dashboard in step 1.

    • Set the ownership and permissions of /var/ossec/integrations/custom-wazuh_iris.py so that it is executable by the wazuh group only:

    ```bash
    chmod 750 /var/ossec/integrations/custom-wazuh_iris.py
    chown root:wazuh /var/ossec/integrations/custom-wazuh_iris.py
    ```

  4. Configure Wazuh. Add the following block to /var/ossec/etc/ossec.conf so that alerts are sent to DFIR-IRIS:

    ```xml
    <ossec_config>
      <integration>
        <name>custom-wazuh_iris.py</name>
        <hook_url>https://<IRIS_IP_ADDRESS>/alerts/add</hook_url>
        <level>7</level>
        <api_key><IRIS_API_KEY></api_key>
        <alert_format>json</alert_format>
      </integration>
    </ossec_config>
    ```

    Replace <IRIS_IP_ADDRESS> with the actual IP address of your IRIS instance and <IRIS_API_KEY> with the IRIS API key from step 2. Adjust <level> to the minimum rule level you want forwarded as alerts; only alerts at that level or higher are passed to the script.

  5. Restart the Wazuh manager to apply the changes.

    ```bash
    service wazuh-manager restart
    ```
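The page does not include the script itself, so the following is an added example of what custom-wazuh_iris.py can look like; it is not the page's or the Wazuh project's own code. It relies on the Wazuh custom-integration calling convention (the manager invokes the script with the alert file path, the api_key and the hook_url from ossec.conf), and the IRIS request fields, severity IDs and the constructed SAMPLE_ALERT are assumptions to be checked against your IRIS version.

```python
#!/var/ossec/framework/python/bin/python3
# Added example: forward a Wazuh alert to DFIR-IRIS /alerts/add.
# Wazuh runs custom integrations as: <script> <alert_file> <api_key> <hook_url>
import json
import sys
import urllib.request

# Assumed values: set these from steps 1 and 3 (customer ID, Wazuh dashboard address).
ALERT_CUSTOMER_ID = 1
ALERT_SOURCE_LINK = "https://WAZUH_DASHBOARD_IP"

# Constructed sample alert in Wazuh JSON shape, used only for offline testing.
SAMPLE_ALERT = {
    "id": "1700000000.12345", "timestamp": "2024-01-01T10:00:00.000+0000",
    "rule": {"id": "5710", "level": 5, "groups": ["syslog", "sshd"],
             "description": "sshd: attempt to login using a non-existent user"},
    "agent": {"name": "web01", "ip": "10.0.0.5"},
}

def map_severity(level: int) -> int:
    """Map a Wazuh rule level to an IRIS severity ID (assumed: 2=Info, 3=Low, 4=Medium, 5=High, 6=Critical)."""
    if level < 5:
        return 2
    if level < 7:
        return 3
    if level < 10:
        return 4
    return 5 if level < 13 else 6

def build_iris_alert(alert: dict) -> dict:
    """Translate one Wazuh alert into the IRIS /alerts/add request body (field names assumed)."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    return {
        "alert_title": rule.get("description", "No description"),
        "alert_description": f"Rule {rule.get('id')} on agent {agent.get('name')} ({agent.get('ip', 'n/a')})",
        "alert_source": "Wazuh",
        "alert_source_ref": alert.get("id", "unknown"),
        "alert_source_link": ALERT_SOURCE_LINK,
        "alert_source_event_time": alert.get("timestamp"),
        "alert_severity_id": map_severity(int(rule.get("level", 0))),
        "alert_status_id": 2,  # "New" in a default IRIS install (assumed)
        "alert_tags": ",".join(rule.get("groups", [])),
        "alert_customer_id": ALERT_CUSTOMER_ID,
        "alert_source_content": alert,  # keep the full alert for the analyst
    }

def post_alert(payload: dict, api_key: str, hook_url: str) -> int:
    """POST the alert with the API key as a Bearer token; returns the HTTP status code."""
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # TLS is verified; trust the IRIS CA if self-signed
        return resp.status

if __name__ == "__main__":
    alert_file, api_key, hook_url = sys.argv[1:4]
    with open(alert_file) as fh:
        wazuh_alert = json.load(fh)
    sys.exit(0 if post_alert(build_iris_alert(wazuh_alert), api_key, hook_url) == 200 else 1)
```

Because the script receives the API key on the command line, the 750 root:wazuh permissions from step 3 matter: they keep other local users from reading or replacing what runs with the manager's credentials.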

Solution

Solution type

Permanent
