Integrate your
Wazuh-ManagerorGraylogwith the SOCFortress Threat Intel API to receive real-time threat intel.
Table of Contents
The SOCFortress Threat Intel API allows end users to consume SOCFortress's public threat intel. The integration supports both
Wazuh-ManagerandGraylog.
The API key is required to authenticate with the API. To obtain an API key, please use SOCFortress Copilot.
The API is currently only built for the following criteria:
Windows Sysmon- Follow our Wazuh Agent Install Guide to integrate Sysmon with your Windows endpoints.SOCFortress Wazuh Detection Rules- Follow our Wazuh Rules Install Guide to integrate SOCFortress's Wazuh detection rules with your Wazuh-Manager.IoC Type- The API currently supports IoC types ofIP,Domain, andSHA256 Hash.Valid API Key- Request via our website.
⚠ NOTE: API quotas are currently restricted to
500requests per day. The API is currently in beta and is subject to change. Please contact us at helpdesk.socfortress.co if you have any questions or concerns.
SOCFortress API Wazuh Rules- 200980-socfortress.xml - NOT REQUIRED IF INTEGRATING WITH GRAYLOG
Not Recommended - Use Graylog Instead If You Can - Graylog's built in Caching will save your API quota
Follow the steps below to integrate the SOCFortress Threat Intel API with your Wazuh-Manager. NOT REQUIRED IF INTEGRATING WITH GRAYLOG
- Download the
custom-socfortress.pyfile from the GitHub repository and copy it to/var/ossec/integrationsof yourWazuh-Manager.
# Download the custom-socfortress.py file from the GitHub repository
curl -o custom-socfortress.py https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/main/custom-socfortress.py
# Copy the custom-socfortress.py file to /var/ossec/integrations
sudo cp custom-socfortress.py /var/ossec/integrations
# Change ownership to root:wazuh
sudo chown root:wazuh /var/ossec/integrations/custom-socfortress.py
# Set permissions to -rwxr-x---
sudo chmod 750 /var/ossec/integrations/custom-socfortress.py
# Clean up the downloaded file
rm custom-socfortress.py
- Edit the
/var/ossec/etc/ossec.conffile and add the following lines to theossec.conffile.
<integration>
<name>custom-socfortress.py</name>
<api_key>YOUR_API_KEY</api_key>
<group>sysmon_event3,sysmon_event_22</group>
<alert_format>json</alert_format>
</integration>
⚠ NOTE: The
groupparameter is the name of the Wazuh rule groups that you want to integrate with the SOCFortress Threat Intel API. All of the below rule groups are supported:
sysmon_event3- Network Connectionssysmon_event_22- DNS Querysysmon_evnt1- Process Creationsysmon_event6- Remote Thread Creationsysmon_event7- Raw Access Readsysmon_event_15- File Creation Time
I only include the sysmon_event3 and sysmon_event_22 groups in the example above because the others will likely result in you hitting your API Limit quickly
The
alert_formatparameter is the format of the alert that you want to receive from the SOCFortress Threat Intel API. Theapi_keyparameter is the API key that you received from SOCFortress.
- Restart the Wazuh-Manager service.
sudo systemctl restart wazuh-manager
-
If you have any issues, set the
integrator_debugto2in the/var/ossec/etc/local_internal_options.conffile and restart the Wazuh-Manager service.- Tail the
ossec.logfile and ensure you see valid responses from the SOCFortress Threat Intel API.tail -f /var/ossec/logs/ossec.log | grep socfortress
- Tail the
If working correctly, rule id 200983 will trigger when a positive IoC is found.
Follow the steps below to integrate the SOCFortress Threat Intel API with your Graylog instance.
- Create
SOCFortress Threat IntelData Adapter.
Title- SOCFortress Threat IntelDescription- SOCFortress Threat IntelName- socfortress-threat-intelLookup URL- https://intel.socfortress.co/search?value=${key}Single value JSONPath- $.successMulti value JSONPath- $.dataHTTP Headers-Content-Type- application/jsonmodule-version- 1.0x-api-key- YOUR_API_KEY
⚠ NOTE: Verify connection to the SOCFortress Threat Intel API.
- Create
SOCFortress Threat IntelCache.
Cache Type- Node-local, in-memory cacheTitle- SOCFortress Threat Intel CacheDescription- SOCFortress Threat Intel CacheName- socfortress-threat-intel-cacheMaximum Entries- 1000Expire after access- 1 hour
- Create
SOCFortress Threat IntelLookup Table.
Title- SOCFortress Threat Intel Lookup TableDescription- SOCFortress Threat Intel Lookup TableName- socfortress_threat_intelData Adapter- SOCFortress Threat IntelCache- SOCFortress Threat Intel Cache
- Create Pipeline Rules to invoke the SOCFortress Threat Intel Lookup Table.
- Sysmon Event 3 - Network Connections
rule "WINDOWS SYSMON EVENT 3 - SOCFortress THREAT INTEL" when $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event3" AND $message.data_win_eventdata_destinationIp != "127.0.0.1" AND $message.data_win_eventdata_destinationIp != "255.255.255.255" AND $message.data_win_eventdata_destinationIp != "0.0.0.0" AND $message.data_win_eventdata_destinationIsIpv6 == "false" AND ! in_private_net(to_string($message.data_win_eventdata_destinationIp)) then let ldata = lookup( lookup_table: "socfortress_threat_intel", key: to_string($message.data_win_eventdata_destinationIp) ); set_fields( fields: ldata, prefix: "socfortress_" ); end- Sysmon Event 22 - DNS Query
rule "WINDOWS SYSMON EVENT 22 - SOCFortress THREAT INTEL" when $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event_22" then let ldata = lookup( lookup_table: "socfortress_threat_intel", key: to_string($message.data_win_eventdata_queryName) ); set_fields( fields: ldata, prefix: "socfortress_" ); end
NOTE: I'll leave the other rule groups for you to create 😉
SOCFortress -
