SOCFortress Knowledge Base Integration Awesome

Integrate your Wazuh-Manager or Graylog with the SOCFortress KnowledgeBase API to receive real-time recommended actions for SIGMA rule detections.

MIT License
SOCFortress Knowledge Base API

Register for API Key »

💰 Make a Donation »

Table of Contents
  1. Knowledge Base API
  2. Wazuh-Manager Integration
  3. Graylog Integration

Knowledge Base API

The SOCFortress Knowledge Base API helps to provide some context and recommended actions to your security alerts. The integration supports both Wazuh-Manager and Graylog.

API-KEY

The API key is required to authenticate with the API. To obtain an API key, please fill out a request form at SOCFortress.co.

Criteria

The API is currently only built for the following criteria:

NOTE: API quotas are currently restricted to 100 requests per day. The API is currently in beta and is subject to change. Please contact us at helpdesk.socfortress.co if you have any questions or concerns.

Wazuh-Manager Integration

Not Recommended - Use Graylog Instead If You Can - Graylog's built-in caching will save your API quota.

Follow the steps below to integrate the SOCFortress Knowledge Base API with your Wazuh-Manager. (NOT REQUIRED IF INTEGRATING WITH GRAYLOG.)

  1. Download the custom-asksocfortress.py file from the GitHub repository and copy it to /var/ossec/integrations on your Wazuh-Manager.

```shell
# Download the custom-asksocfortress.py file from the GitHub repository
curl -o custom-asksocfortress.py https://raw.githubusercontent.com/socfortress/ASK-SOCFortress-Module/main/custom-asksocfortress.py

# Copy the custom-asksocfortress.py file to /var/ossec/integrations
sudo cp custom-asksocfortress.py /var/ossec/integrations

# Change ownership to root:wazuh
sudo chown root:wazuh /var/ossec/integrations/custom-asksocfortress.py

# Set permissions to -rwxr-x---
sudo chmod 750 /var/ossec/integrations/custom-asksocfortress.py

# Clean up the downloaded file
rm custom-asksocfortress.py
```
  2. Edit /var/ossec/etc/ossec.conf and add the following block:

```xml
<integration>
    <name>custom-asksocfortress.py</name>
    <api_key>YOUR_API_KEY</api_key>
    <group>chainsaw</group>
    <alert_format>json</alert_format>
</integration>
```

NOTE: The group parameter is the name of the Wazuh rule groups that you want to integrate with the SOCFortress Knowledge Base API. All of the below rule groups are supported:

  • chainsaw

The alert_format parameter is the format of the alert that you want to receive from the SOCFortress Knowledge Base API. The api_key parameter is the API key that you received from SOCFortress.

  3. Restart the Wazuh-Manager service.

```shell
sudo systemctl restart wazuh-manager
```
  4. If you have any issues, set integrator_debug to 2 in the /var/ossec/etc/local_internal_options.conf file and restart the Wazuh-Manager service.

    • Tail the ossec.log file and ensure you see valid responses from the SOCFortress Knowledge Base API:

```shell
tail -f /var/ossec/logs/ossec.log | grep socfortress
```

Ossec.log File

If working correctly, rule id 200986 will trigger when a response is provided.


SOCFortress Knowledge Base Fields
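An added example (not the project's custom-asksocfortress.py) of the logic a Wazuh custom integration needs for this API: select Chainsaw/Windows alerts, percent-encode the SIGMA rule name into the lookup URL, send the documented headers and pull `$.message` from the response. The Wazuh alert layout (rule.groups, data.name, data.logsource.product) and the response being a JSON object are assumptions; the URL and header names are the ones given in the Graylog section of this page.

```python
import json
import urllib.parse
import urllib.request

API_URL = "https://api.socfortress.co/v1/sigma"   # endpoint from this README

def build_request(alert, api_key):
    """Return (url, headers) for a qualifying alert, else None (assumed alert layout)."""
    groups = alert.get("rule", {}).get("groups", [])
    data = alert.get("data", {})
    name = data.get("name")
    product = data.get("logsource", {}).get("product")
    # Only the chainsaw rule group and product 'windows' are supported by the API.
    if "chainsaw" not in groups or product != "windows" or not name:
        return None
    # quote() percent-encodes spaces and every other reserved character; the Graylog
    # rule on this page only replaces spaces, which breaks for names containing '&' or '/'.
    url = API_URL + "?name=" + urllib.parse.quote(name, safe="")
    headers = {
        "Content-Type": "application/json",
        "module-version": "1.0",
        "product": "windows",
        "x-api-key": api_key,
    }
    return url, headers

def parse_response(body):
    """Extract the recommendation text the README maps with JSONPath $.message."""
    return json.loads(body).get("message", "")

def fetch(url, headers, timeout=10):
    """Real HTTPS GET; kept separate so the logic above can be exercised offline."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def ask_socfortress(alert, api_key, fetcher=fetch):
    """Return the recommendation for the alert, or None when the alert is skipped."""
    req = build_request(alert, api_key)
    if req is None:
        return None
    url, headers = req
    return parse_response(fetcher(url, headers))

# Constructed sample shaped like a Wazuh Chainsaw alert (assumed layout, not real data).
SAMPLE_ALERT = {"rule": {"groups": ["chainsaw", "sigma"]},
                "data": {"name": "Suspicious Program Location with Network Connections",
                         "logsource": {"product": "windows"}}}
```

Each call consumes one request of the daily quota, so a deployment should add the same kind of cache Graylog provides before querying per alert.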

Graylog Integration

Follow the steps below to integrate the SOCFortress Knowledge Base API with your Graylog instance.

  1. Create the ASK SOCFortress - Windows Data Adapter.
  • Title - ASK SOCFortress - Windows
  • Description - ASK SOCFortress for Windows SIGMA
  • Name - ask-socfortress-windows
  • Lookup URL - https://api.socfortress.co/v1/sigma?name=${key}
  • Single value JSONPath - $.message
  • HTTP Headers:
    • Content-Type - application/json
    • module-version - 1.0
    • product - windows
    • x-api-key - YOUR_API_KEY

NOTE: Verify the connection to the SOCFortress Knowledge Base API. Use the value Suspicious%20Program%20Location%20with%20Network%20Connections to test.

Graylog Response

  2. Create the ASK SOCFortress - Windows Cache.
  • Cache Type - Node-local, in-memory cache
  • Title - ASK SOCFortress - Windows
  • Description - ASK SOCFortress - Windows
  • Name - ask-socfortress-windows
  • Maximum Entries - 1000
  • Expire after access - 5 minutes
  3. Create the ASK SOCFortress - Windows Lookup Table.
  • Title - ASK SOCFortress - Windows
  • Description - ASK SOCFortress - Windows
  • Name - ask_socfortress_windows
  • Data Adapter - ASK SOCFortress - Windows (ask-socfortress-windows)
  • Cache - ASK SOCFortress - Windows (ask-socfortress-windows)
  4. Create Pipeline Rules to first encode the data_name field and then look up the encoded data_name field in the ASK SOCFortress - Windows Lookup Table.
    1. URL Encode data_name field for ASK SOCFortress API

```
rule "URL Encode data_name field for ASK SOCFortress API"
when
    has_field("data_name") AND $message.rule_group2 == "chainsaw" AND $message.data_logsource_product == "windows"
then
    let replaced = replace(to_string($message.data_name), " ", "%20");
    set_field("sigma_name_encoded", replaced);
end
```

    2. ASK SOCFORTRESS WINDOWS - CHAINSAW

```
rule "ASK SOCFORTRESS WINDOWS - CHAINSAW"
when
    has_field("sigma_name_encoded")
then
    let ask_socfortress = to_string($message.sigma_name_encoded);
    let ldata = lookup_value("ask_socfortress_windows", ask_socfortress);
    set_field("ask_socfortress_message", ldata);
end
```

Contact

SOCFortress - LinkedIn - [email protected]

Let SOCFortress Take Your Open Source SIEM to the Next Level
