SOCFortress Knowledge Base Integration

Integrate your Wazuh-Manager or Graylog with the SOCFortress KnowlegeBase API to receive real-time recommend actions regarding SIGMA rule detection.

SOCFortress Knowledge Base API

Integrate your Wazuh-Manager or Graylog with the SOCFortress KnowlegeBase API to receive real-time recommend actions regarding SIGMA rule detection.
Register for API Key »

💰 Make a Donation »

Table of Contents

1. Knowledge Base API
2. Wazuh-Manager Integration
3. Graylog Integration

Knowledge Base API

The SOCFortress Knowledge Base API helps to provide some context and recommended actions to your security alerts. The integration supports both Wazuh-Manager and Graylog.

API-KEY

The API key is required to authenticate with the API. To obtain an API key, please fill out a request form at SOCFortress.co.

Criteria

The API is currently only built for the following criteria:

• Windows Chainsaw Events - Follow our Wazuh and Chainsaw integration for near real time SIGMA detection to integrate Chainsaw with your Windows endpoints.
• SOCFortress Wazuh Detection Rules - Follow our Wazuh Rules Install Guide to integrate SOCFortress's Wazuh detection rules with your Wazuh-Manager.
• Valid API Key - Request via our website.

⚠ NOTE: API quotas are currently restricted to 100 requests per day. The API is currently in beta and is subject to change. Please contact us at helpdesk.socfortress.co if you have any questions or concerns.

• SOCFortress API Wazuh Rules - 200980-socfortress.xml - NOT REQUIRED IF INTEGRATING WITH GRAYLOG

Wazuh-Manager Integration

Not Recommended - Use Graylog Instead If You Can - Graylog's built in Caching will save your API quota

Follow the steps below to integrate the SOCFortress Knowledge Base API with your Wazuh-Manager. NOT REQUIRED IF INTEGRATING WITH GRAYLOG

1. Download the custom-asksocfortress.py file from the GitHub repository and copy it to /var/ossec/integrations of your Wazuh-Manager.

# Download the custom-asksocfortress.py file from the GitHub repository
curl -o custom-asksocfortress.py https://raw.githubusercontent.com/socfortress/ASK-SOCFortress-Module/main/custom-asksocfortress.py

# Copy the custom-asksocfortress.py file to /var/ossec/integrations
sudo cp custom-asksocfortress.py /var/ossec/integrations

# Change ownership to root:wazuh
sudo chown root:wazuh /var/ossec/integrations/custom-asksocfortress.py

# Set permissions to -rwxr-x---
sudo chmod 750 /var/ossec/integrations/custom-asksocfortress.py

# Clean up the downloaded file
rm custom-asksocfortress.py

2. Edit the /var/ossec/etc/ossec.conf file and add the following lines to the ossec.conf file.

<integration>
    <name>custom-asksocfortress.py</name>
    <api_key>YOUR_API_KEY</api_key>
    <group>chainsaw</group>
    <alert_format>json</alert_format>
 </integration>

⚠ NOTE: The group parameter is the name of the Wazuh rule groups that you want to integrate with the SOCFortress Knowledge Base API. All of the below rule groups are supported:

• chainsaw

The alert_format parameter is the format of the alert that you want to receive from the SOCFortress Knowledge Base API. The api_key parameter is the API key that you received from SOCFortress.

3. Restart the Wazuh-Manager service.

sudo systemctl restart wazuh-manager

4. If you have any issues, set the integrator_debug to 2 in the /var/ossec/etc/local_internal_options.conf file and restart the Wazuh-Manager service.

   • Tail the ossec.log file and ensure you see valid responses from the SOCFortress Knowledge Base API. tail -f /var/ossec/logs/ossec.log | grep socfortress

Ossec.log File

If working correctly, rule id 200986 will trigger when a response is provided.

SOCFortress Knowledge Base Fields

Graylog Integration

Follow the steps below to integrate the SOCFortress Knowledge Base API with your Graylog instance.

1. Create ASK SOCFortress - Windows Data Adapter.

• Title - ASK SOCFortress - Windows
• Description - ASK SOCFortress for Windows SIGMA
• Name - ask-socfortress-windows
• Lookup URL - https://api.socfortress.co/v1/sigma?name=${key}
• Single value JSONPath - $.message
• HTTP Headers-
  • Content-Type - application/json
  • module-version - 1.0
  • product - windows
  • x-api-key - YOUR_API_KEY

⚠ NOTE: Verify connection to the SOCFortress Knowledge Base API. Use Value Suspicious%20Program%20Location%20with%20Network%20Connections to test.

Graylog Response

2. Create ASK SOCFortress - Windows Cache.

• Cache Type - Node-local, in-memory cache
• Title - ASK SOCFortress - Windows
• Description - ASK SOCFortress - Windows
• Name - ask-socfortress-windows
• Maximum Entries - 1000
• Expire after access - 5 minutes

3. Create ASK SOCFortress - Windows Lookup Table.

• Title - ASK SOCFortress - Windows
• Description - ASK SOCFortress - Windows
• Name - ask_socfortress_windows
• Data Adapter - ASK SOCFortress - Windows (ask-socfortress-windows)
• Cache - ASK SOCFortress - Windows (ask-socfortress-windows)

4. Create Pipeline Rules to first encode the data_name field and then lookup the encoded data_name field in the ASK SOCFortress - Windows Lookup Table.
   1. URL Encode data_name field for ASK SOCFortress API

   rule "URL Encode data_name field for ASK SOCFortress API"
   when
       has_field("data_name") AND $message.rule_group2 == "chainsaw" AND $message.data_logsource_product == "windows"
   then
       let replaced = replace(to_string($message.data_name), " ", "%20");
       set_field("sigma_name_encoded", replaced);
   end
   

   2. ASK SOCFORTRESS WINDOWS - CHAINSAW

   rule "ASK SOCFORTRESS WINDOWS - CHAINSAW"
   when
       has_field("sigma_name_encoded")
   then
       let ask_socfortress = to_string($message.sigma_name_encoded);
       let ldata = lookup_value("ask_socfortress_windows", ask_socfortress);
       set_field("ask_socfortress_message", ldata);
   end
   

Contact

SOCFortress - - [email protected]

Let SOCFortress Take Your Open Source SIEM to the Next Level