Submitted URL: https://stasis.dev/integrating-wazuh-with-dfir-iris-559bc9b057f1
INTEGRATING WAZUH WITH DFIR IRIS

STASIS · Oct 15, 2023


[Update March 2024] At the time of writing this article, DFIR IRIS v2.3.7 was the
latest version. As of DFIR-IRIS v2.4.5 this integration is broken. I will
however try to spend some time updating the script to match any new changes
that were made to the API.

This article will guide you on integrating Wazuh and DFIR Iris.

Special Shout Outs

Before we start it wouldn't be fair not to recognize some great people that are
contributing to the Open Source cybersecurity community.

Nate Uribe (https://github.com/nateuribe): Nate created the original integration
that I modified and built upon. He deserves the real credit for making this
happen.

SOCFortress: These awesome people are driving security forward in the open
source world. They provide many guides around Security Engineering, including
how to deploy and integrate various solutions. They also have some great DFIR
Iris modules they have created. Check them out here.




WHAT

Wazuh: Enterprise-ready open-source Security Information and Event Management
(SIEM) and XDR solution that is rapidly gaining traction with organizations
across the world.

DFIR IRIS: Open-source Incident Response/Case Management platform built for
collaboration. It supports third-party modules to assist in investigations,
including VirusTotal and MISP, and lets you build and add your own modules.
Easy to use and customize.


DEPLOYMENT

Prerequisites

Wazuh: https://stasis.dev/siem-deploying-wazuh-5e7f1126eaf

DFIR Iris: https://docs.dfir-iris.org/getting_started/

Integration Files: https://github.com/chadhardcastle/Wazuh-IRIS-integration

Installation

1. Deploy the integration script to your Wazuh server. This is the script that
Wazuh calls to send events/alerts to DFIR Iris. In my modified version the
Wazuh alert titles map to the Iris alert title field. Another change I made
was creating a function to pull the "message" field from the JSON and send it
to the Iris Alert description field. I have also included the Agent
information, as seen in the examples at the bottom of this article.

git clone https://github.com/chadhardcastle/Wazuh-IRIS-integration.git
cd Wazuh-IRIS-integration/
cp custom-iris.py /var/ossec/integrations/custom-iris.py
chmod 750 /var/ossec/integrations/custom-iris.py
chown root:wazuh /var/ossec/integrations/custom-iris.py

2. Grab your DFIR IRIS API key

You can find your DFIR IRIS API key in the web console by selecting your
profile -> My settings.



3. Add the integration block to your Wazuh config file, found at
/var/ossec/etc/ossec.conf

<!--
... Rest of config
-->

<!-- IRIS integration -->
<integration>
    <name>custom-iris.py</name>
    <hook_url>http://IRIS-BASE-URL:8000/alerts/add</hook_url>
    <level>7</level>
    <api_key>APIKEY</api_key>
    <alert_format>json</alert_format>
</integration>

</ossec_config>

If you put your integrations at the end of your ossec.conf file like I do, it
should look something like this:



4. Once you have completed the above, restart the wazuh-manager service:

systemctl restart wazuh-manager

You should now start seeing alerts flowing into DFIR IRIS.
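To make the four steps above concrete, here is a minimal integration script of the same shape, added as an example; it is not the custom-iris.py from the linked repository. It follows Wazuh's convention of invoking a custom integration as `custom-iris.py <alert_file> <api_key> <hook_url>`, maps the rule description to the IRIS alert title, pulls the first "message" field found anywhere in the alert JSON (falling back to full_log) into the description, appends the agent details, and POSTs the result to the hook URL with the API key as a Bearer token. The IRIS field names (alert_title, alert_severity_id and so on), the severity and status id mapping, the customer id and the sample alert are my assumptions for this example, so check them against your IRIS version before use.

```python
"""Minimal Wazuh -> DFIR IRIS integration script (added example, not the
repository's custom-iris.py). Assumed Wazuh invocation:
    custom-iris.py <alert_file> <api_key> <hook_url>
Assumed IRIS /alerts/add JSON field names and id values are noted inline."""
import json
import sys
import urllib.request


def severity_from_level(level: int) -> int:
    """Map a Wazuh rule level (0-15) to an assumed IRIS severity id
    (1 Unspecified, 2 Informational, 3 Low, 4 Medium, 5 High, 6 Critical)."""
    if level >= 13:
        return 6
    if level >= 10:
        return 5
    if level >= 7:
        return 4
    if level >= 4:
        return 3
    return 2


def find_message(obj):
    """Depth-first search for the first string value under a key named
    "message" anywhere in the alert JSON (e.g. data.win.system.message)."""
    if isinstance(obj, dict):
        if isinstance(obj.get("message"), str):
            return obj["message"]
        children = obj.values()
    elif isinstance(obj, list):
        children = obj
    else:
        return None
    for child in children:
        found = find_message(child)
        if found is not None:
            return found
    return None


def build_iris_alert(alert: dict) -> dict:
    """Translate one Wazuh alert JSON object into an IRIS alert payload."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    # Description: the "message" field if present, otherwise the raw log line.
    description = find_message(alert) or alert.get("full_log", "")
    agent_info = "Agent: {} (id {}, ip {})".format(
        agent.get("name", "n/a"), agent.get("id", "n/a"), agent.get("ip", "n/a"))
    return {
        "alert_title": rule.get("description", "Wazuh alert"),
        "alert_description": f"{description}\n\n{agent_info}",
        "alert_source": "Wazuh",
        "alert_source_ref": alert.get("id", ""),
        "alert_severity_id": severity_from_level(int(rule.get("level", 0))),
        "alert_status_id": 2,    # assumed id of the IRIS "New" status
        "alert_customer_id": 1,  # assumed default customer id
        "alert_source_content": alert,  # keep the full event for the analyst
        "alert_tags": ",".join(rule.get("groups", [])),
    }


def send_alert(payload: dict, api_key: str, hook_url: str, timeout: int = 10) -> int:
    """POST the payload to IRIS with the API key as a Bearer token; returns the HTTP status."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample alert for offline testing (not real data).
SAMPLE_ALERT = {
    "id": "1697371234.5678",
    "rule": {"level": 12, "description": "Windows Defender: Mimikatz detected",
             "groups": ["windows", "windows_defender"]},
    "agent": {"id": "003", "name": "WS-LAB-01", "ip": "10.0.0.23"},
    "data": {"win": {"system": {
        "message": "Windows Defender has detected malware: HackTool:Win32/Mimikatz"}}},
    "full_log": "only used when no message field exists",
}


def main(argv):
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)
    print("IRIS responded", send_alert(build_iris_alert(alert), api_key, hook_url))


if __name__ == "__main__":
    main(sys.argv)
```

The `<level>` value in the ossec.conf block decides which alerts Wazuh hands to the script at all; the severity mapping here only decides how an alert that did get through is labelled in IRIS, so a threshold of 7 with this mapping means nothing below "Medium" reaches IRIS.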

Example Alerts


Windows Defender Mimikatz detection as seen in DFIR IRIS

Docker Error Message alert as seen in DFIR IRIS

Troubleshooting

Depending on how you deployed your infrastructure you may run into issues
connecting Wazuh to Iris.

If you are not seeing alerts in Iris, you may be experiencing any of the
following issues:

 * The alert level in the ossec.conf integration block is set high and no new
   events of that level have been triggered. It's likely you have not received
   a new event meeting the requirements you set, or there is a connection issue
   with your integration. Check the ossec.log file for any signs of integration
   errors.
 * "Connection Refused" errors found in your integration.log and/or ossec.log
   files. This can signify either a firewall issue on the servers hosting Wazuh
   and/or Iris, or a configuration issue with the docker-compose.yaml file for
   Iris. I had the latter issue. My Iris WebApp container had the port section
   set to "0.0.0.0:8000:8000". While I could still access the server via the
   web from my internal infrastructure, I was unable to send API calls. I fixed
   this by modifying the IP to the local IP of the server I was running the
   containers on.
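A small offline pre-flight check for the two failure modes above, added here as an example (it is not from the article or the repository): it parses the hook_url value from ossec.conf, attempts a plain TCP connection to the IRIS host and port, and scans lines from ossec.log or integrations.log for "Connection refused" and integrator errors so that a connectivity problem can be told apart from "no alert reached the level threshold". The sample log lines are constructed for the example, and the regular expression is my assumption about the integrator's wording.

```python
"""Pre-flight checks for the Wazuh -> IRIS hook (added example, not from
the article). Patterns and sample log lines are constructed assumptions."""
import re
import socket
from urllib.parse import urlparse


def parse_hook_url(hook_url: str):
    """Extract (host, port) from the <hook_url> value in ossec.conf."""
    parsed = urlparse(hook_url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return parsed.hostname, port


def hook_reachable(hook_url: str, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the IRIS host:port succeeds from this
    machine; False on refusal, timeout or DNS failure. A firewall or a
    container port binding problem shows up here before any API call."""
    host, port = parse_hook_url(hook_url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Assumed wording of integrator failures in ossec.log / integrations.log.
ERROR_PATTERN = re.compile(
    r"Connection refused|Connection timed out|Name or service not known|"
    r"wazuh-integratord: ERROR", re.IGNORECASE)


def scan_log_lines(lines):
    """Return only the lines that point at an integration failure."""
    return [line for line in lines if ERROR_PATTERN.search(line)]


def diagnose(lines):
    """Summarise findings so the two causes can be told apart: no matching
    lines usually means no alert reached the level threshold, while
    'Connection refused' means the request left Wazuh but IRIS did not accept it."""
    hits = scan_log_lines(lines)
    return {
        "integration_errors": hits,
        "connection_refused": any("connection refused" in h.lower() for h in hits),
        "likely_no_qualifying_alert": not hits,
    }


# Constructed sample lines (not real logs) in the integrator's rough format.
SAMPLE_LOG_LINES = [
    "2023/10/15 10:00:01 wazuh-integratord: INFO: Started (pid: 1234).",
    "2023/10/15 10:05:12 wazuh-integratord: ERROR: Unable to run integration for custom-iris",
    "ConnectionError: HTTPConnectionPool(host='iris.lab', port=8000): [Errno 111] Connection refused",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINES))
    # Replace with your own <hook_url> from ossec.conf when running on the manager.
    print("IRIS hook reachable:", hook_reachable("http://IRIS-BASE-URL:8000/alerts/add"))
```

Run it on the Wazuh manager itself, since that is where the integration script runs; a reachability check that passes from your workstation but fails from the manager points at the same kind of binding or firewall issue the article describes.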

Conclusion

I hope you enjoyed this guide as much as I did writing it. One thing that wasn't
detailed in the guide was to ensure you have backups set up. There are plenty of
great open source security tools and many more people championing them.




