├── images
    ├── ossec_log.PNG
    ├── Email Banner.png
    ├── wazuh_hits.PNG
    ├── graylog_response.PNG
    ├── logo_purple_resize.png
    └── logo_orange.svg
├── LICENSE
├── README.md
└── custom-socfortress.py


/images/ossec_log.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/HEAD/images/ossec_log.PNG


--------------------------------------------------------------------------------
/images/Email Banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/HEAD/images/Email Banner.png


--------------------------------------------------------------------------------
/images/wazuh_hits.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/HEAD/images/wazuh_hits.PNG


--------------------------------------------------------------------------------
/images/graylog_response.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/HEAD/images/graylog_response.PNG


--------------------------------------------------------------------------------
/images/logo_purple_resize.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/HEAD/images/logo_purple_resize.png


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 SOCFortress
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/images/logo_orange.svg:
--------------------------------------------------------------------------------
1 | <svg id="svg" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="497.1875" viewBox="0, 0, 400,497.1875"><g id="svgg"><path id="path0" d="M163.187 283.504 C 163.117 320.247,163.007 318.404,165.423 320.832 C 165.964 321.375,166.881 322.392,167.461 323.091 C 168.041 323.791,168.642 324.285,168.797 324.190 C 168.952 324.094,169.045 324.132,169.004 324.274 C 168.877 324.716,169.816 325.938,170.284 325.938 C 170.529 325.938,170.635 326.032,170.520 326.147 C 170.405 326.261,170.544 326.613,170.829 326.928 C 171.324 327.474,172.623 327.500,199.952 327.500 L 228.557 327.500 229.669 326.299 C 237.848 317.465,236.850 323.401,236.796 283.906 C 236.771 265.688,236.702 251.801,236.643 253.047 L 236.535 255.313 200.000 255.313 L 163.465 255.313 163.357 253.047 C 163.298 251.801,163.221 265.506,163.187 283.504 M0.313 265.477 C 0.313 275.210,0.341 275.707,0.973 276.966 C 2.064 279.137,3.126 280.334,4.489 280.930 C 5.200 281.240,7.750 282.439,10.156 283.594 C 12.563 284.749,16.289 286.538,18.438 287.569 C 20.586 288.600,23.328 289.905,24.531 290.469 C 25.734 291.033,29.180 292.679,32.188 294.128 C 35.195 295.576,38.254 297.025,38.984 297.347 L 40.313 297.933 40.382 317.326 C 40.420 327.992,40.494 334.645,40.546 332.109 L 40.642 327.500 86.406 327.500 L 132.171 327.500 132.278 332.109 C 132.337 334.645,132.364 323.500,132.338 307.344 C 132.296 281.827,132.223 277.579,131.783 275.000 C 130.884 269.738,130.032 267.327,127.695 263.438 C 126.365 261.225,123.870 258.438,123.220 258.438 C 122.996 258.438,122.813 258.313,122.813 258.161 C 122.812 258.008,122.355 257.653,121.797 257.371 C 120.339 256.634,119.564 256.139,119.308 255.781 C 119.161 255.575,98.839 255.441,59.699 255.387 L 0.313 255.305 0.313 265.477 M280.703 255.737 C 280.316 255.929,280.000 256.193,280.000 256.324 C 280.000 256.455,279.812 256.563,279.582 256.563 C 278.920 256.563,275.625 259.049,275.625 259.548 C 275.625 259.797,275.438 260.000,275.209 260.000 C 274.444 260.000,272.173 263.141,270.916 265.938 C 270.568 266.711,270.166 267.562,270.021 267.829 C 269.668 268.483,268.526 273.110,268.097 275.625 C 267.864 276.992,267.728 287.319,267.682 307.188 C 267.644 323.430,267.661 334.645,267.721 332.109 L 267.829 327.500 313.594 327.500 L 359.358 327.500 359.454 332.109 C 359.506 334.645,359.582 328.000,359.622 317.344 L 359.695 297.969 360.863 297.423 C 363.848 296.030,370.955 292.650,375.739 290.348 C 378.638 288.954,381.044 287.813,381.087 287.813 C 381.131 287.813,384.103 286.390,387.692 284.652 C 391.282 282.914,394.922 281.178,395.781 280.794 C 399.749 279.022,399.869 278.559,399.757 265.445 L 399.671 255.313 340.539 255.351 C 297.771 255.379,281.212 255.486,280.703 255.737 M172.721 329.024 C 173.441 329.716,173.926 329.912,173.595 329.377 C 173.489 329.206,173.094 328.907,172.717 328.713 L 172.031 328.360 172.721 329.024 " stroke="none" fill="#fbab44" fill-rule="evenodd"></path><path id="path1" d="M0.207 176.484 C 0.094 180.223,0.034 204.094,0.074 229.531 C 0.115 254.969,0.186 271.175,0.234 265.545 L 0.321 255.309 59.223 255.389 C 91.619 255.433,118.125 255.435,118.125 255.395 C 118.125 255.251,115.844 254.370,115.142 254.243 C 114.750 254.172,114.142 253.960,113.790 253.771 C 113.438 253.583,113.039 253.448,112.903 253.470 C 112.767 253.493,112.586 253.484,112.500 253.451 C 111.792 253.175,104.237 251.869,103.433 251.884 C 103.006 251.892,101.953 251.817,101.094 251.717 C 99.332 251.512,96.400 251.225,94.531 251.076 C 93.844 251.021,92.508 250.892,91.563 250.789 C 90.617 250.686,89.281 250.542,88.594 250.469 C 68.487 248.333,56.970 240.804,48.921 224.531 C 42.866 212.290,38.598 191.192,38.317 172.109 L 38.281 169.688 19.347 169.688 L 0.412 169.688 0.207 176.484 M39.844 170.000 C 39.950 170.172,40.240 170.313,40.487 170.313 C 40.735 170.313,40.938 170.418,40.939 170.547 C 40.942 170.889,42.824 171.905,43.117 171.724 C 43.254 171.639,43.540 171.779,43.753 172.035 C 43.965 172.291,44.262 172.500,44.413 172.500 C 44.564 172.500,44.969 172.781,45.313 173.125 C 45.656 173.469,46.212 173.750,46.547 173.750 C 46.882 173.750,47.269 173.940,47.406 174.173 C 47.544 174.405,48.310 174.957,49.110 175.399 C 49.909 175.841,51.136 176.565,51.838 177.008 C 52.539 177.450,53.189 177.813,53.282 177.813 C 53.375 177.813,53.975 178.147,54.616 178.556 C 55.257 178.964,58.172 180.669,61.094 182.345 C 64.016 184.020,68.023 186.338,70.000 187.495 C 74.085 189.886,97.436 203.374,124.375 218.902 C 147.524 232.246,148.698 232.924,151.719 234.704 C 153.094 235.514,154.790 236.464,155.489 236.815 C 160.132 239.149,162.895 244.302,163.298 251.380 L 163.522 255.313 199.996 255.313 L 236.471 255.313 236.688 251.641 C 237.236 242.355,238.811 240.161,249.253 234.146 C 264.241 225.511,277.317 217.958,288.906 211.239 C 290.994 210.029,296.178 207.048,303.281 202.973 C 307.406 200.607,312.398 197.720,314.375 196.559 C 316.352 195.398,318.461 194.168,319.063 193.826 C 319.664 193.484,322.898 191.618,326.250 189.679 C 329.602 187.741,332.766 185.916,333.281 185.625 C 334.295 185.052,341.339 180.967,343.125 179.916 C 343.727 179.563,345.977 178.235,348.125 176.967 C 350.273 175.698,352.313 174.495,352.656 174.292 C 353.000 174.090,353.809 173.602,354.453 173.208 C 355.098 172.814,355.625 172.590,355.625 172.710 C 355.625 172.831,356.030 172.542,356.525 172.068 C 357.311 171.314,357.854 171.055,358.847 170.961 C 358.986 170.948,359.013 170.798,358.908 170.629 C 358.799 170.451,358.924 170.399,359.203 170.506 C 359.469 170.608,359.688 170.547,359.688 170.369 C 359.688 170.191,359.934 169.982,360.234 169.903 C 360.535 169.824,288.527 169.744,200.216 169.724 C 93.243 169.700,39.715 169.792,39.844 170.000 M361.724 171.954 C 361.726 173.200,361.637 175.063,361.525 176.094 C 361.413 177.125,361.234 179.336,361.127 181.006 C 358.825 217.064,347.461 239.582,327.963 246.718 C 325.065 247.779,324.284 248.053,323.910 248.143 C 323.830 248.162,323.023 248.383,322.116 248.633 C 321.210 248.884,320.117 249.142,319.688 249.208 C 319.258 249.273,317.641 249.538,316.094 249.797 C 313.333 250.258,311.392 250.513,308.281 250.822 C 306.745 250.975,306.251 251.017,302.188 251.334 C 300.248 251.485,299.357 251.578,295.577 252.021 C 293.281 252.291,288.384 253.131,287.813 253.354 C 287.555 253.454,287.168 253.508,286.953 253.473 C 286.738 253.438,286.563 253.572,286.563 253.770 C 286.563 253.968,286.365 254.054,286.124 253.961 C 285.883 253.869,285.598 253.881,285.490 253.989 C 285.383 254.097,285.123 254.216,284.913 254.254 C 279.486 255.244,280.800 255.268,340.855 255.290 L 399.679 255.313 399.766 265.391 C 399.814 270.934,399.886 254.727,399.926 229.375 C 399.966 204.023,399.906 180.223,399.793 176.484 L 399.588 169.688 380.653 169.688 L 361.719 169.689 361.724 171.954 " stroke="none" fill="#fb9b3c" fill-rule="evenodd"></path><path id="path2" d="M43.051 418.013 C 42.581 418.263,41.808 418.977,41.333 419.600 L 40.469 420.732 40.387 456.698 L 40.305 492.664 41.012 494.048 C 41.401 494.809,42.116 495.722,42.601 496.075 L 43.483 496.719 199.724 496.798 C 338.186 496.868,356.068 496.823,356.873 496.408 C 357.372 496.149,358.174 495.422,358.656 494.790 L 359.531 493.642 359.531 457.212 L 359.531 420.781 358.631 419.605 C 356.922 417.371,358.257 417.478,333.366 417.572 C 308.066 417.667,309.971 417.467,308.594 420.176 C 307.992 421.360,307.965 422.117,307.881 440.391 L 307.794 459.375 289.060 459.375 L 270.326 459.375 270.241 439.914 L 270.156 420.453 269.428 419.523 C 267.785 417.426,269.037 417.528,244.756 417.513 C 220.973 417.499,221.546 417.460,220.063 419.198 C 218.773 420.710,218.750 421.077,218.750 440.489 L 218.750 459.375 200.000 459.375 L 181.250 459.375 181.250 440.507 C 181.250 418.749,181.296 419.072,178.027 417.833 C 176.227 417.152,133.830 417.407,132.284 418.108 C 129.592 419.331,129.688 418.513,129.688 440.300 L 129.688 459.375 110.938 459.375 L 92.188 459.375 92.188 440.973 C 92.188 420.244,92.175 420.112,90.046 418.489 L 88.955 417.656 66.431 417.608 C 47.275 417.567,43.778 417.628,43.051 418.013 " stroke="none" fill="#fccf5b" fill-rule="evenodd"></path><path id="path3" d="M2.859 0.840 C 2.283 1.125,1.439 1.922,0.984 2.610 L 0.156 3.861 0.146 91.383 C 0.140 139.521,0.179 176.834,0.232 174.302 L 0.329 169.697 19.461 169.614 C 29.984 169.569,38.760 169.602,38.962 169.688 C 39.165 169.773,111.798 169.773,200.368 169.688 C 288.939 169.602,370.016 169.569,380.539 169.614 L 399.671 169.697 399.768 174.302 C 399.821 176.834,399.860 139.521,399.854 91.383 L 399.844 3.861 399.012 2.604 C 397.377 0.133,399.990 0.294,363.069 0.386 L 330.156 0.469 329.104 1.219 C 326.750 2.898,326.890 0.648,326.882 37.109 L 326.875 69.688 308.906 69.688 L 290.938 69.688 290.938 44.441 L 290.937 19.195 290.234 17.802 C 289.772 16.886,289.103 16.169,288.281 15.707 L 287.031 15.006 254.163 15.081 C 217.137 15.166,220.575 14.931,218.828 17.497 L 218.125 18.530 218.125 44.109 L 218.125 69.688 200.000 69.688 L 181.875 69.688 181.875 44.109 L 181.875 18.530 181.172 17.497 C 179.425 14.931,182.863 15.166,145.837 15.081 L 112.969 15.006 111.719 15.707 C 110.897 16.169,110.228 16.886,109.766 17.802 L 109.062 19.195 109.063 44.441 L 109.063 69.688 91.094 69.688 L 73.125 69.688 73.118 37.109 C 73.110 0.648,73.250 2.898,70.896 1.219 L 69.844 0.469 36.875 0.395 C 6.708 0.328,3.817 0.366,2.859 0.840 M361.648 171.250 C 361.648 172.023,361.709 172.340,361.783 171.953 C 361.858 171.566,361.858 170.934,361.783 170.547 C 361.709 170.160,361.648 170.477,361.648 171.250 M357.144 171.568 L 356.406 172.198 357.266 171.830 C 357.738 171.628,358.125 171.344,358.125 171.200 C 358.125 170.810,357.958 170.873,357.144 171.568 M43.125 171.759 C 43.125 171.921,43.547 172.302,44.063 172.607 C 44.580 172.912,45.000 173.012,45.000 172.830 C 45.000 172.649,44.835 172.500,44.634 172.500 C 44.433 172.500,44.011 172.267,43.696 171.983 C 43.382 171.698,43.125 171.598,43.125 171.759 " stroke="none" fill="#fc862e" fill-rule="evenodd"></path><path id="path4" d="M40.519 334.297 C 40.406 338.035,40.317 349.602,40.320 360.000 C 40.327 381.137,40.273 380.601,42.542 382.218 L 43.594 382.969 86.025 383.050 C 123.482 383.122,128.563 383.076,129.374 382.657 C 130.775 381.932,131.789 380.671,132.162 379.189 C 132.542 377.680,132.636 345.641,132.293 334.297 L 132.088 327.500 86.406 327.500 L 40.725 327.500 40.519 334.297 M172.522 328.457 C 173.111 328.983,173.594 329.525,173.594 329.661 C 173.594 329.965,174.624 331.148,183.281 340.783 C 185.000 342.696,187.250 345.224,188.281 346.401 C 189.313 347.577,190.302 348.692,190.481 348.879 C 190.660 349.066,191.920 350.484,193.281 352.031 C 196.329 355.495,196.773 355.907,198.037 356.446 C 200.772 357.613,202.678 356.646,206.742 352.031 C 208.407 350.141,210.278 348.028,210.900 347.335 C 211.522 346.643,212.664 345.373,213.438 344.512 C 214.211 343.651,215.941 341.731,217.282 340.245 C 218.623 338.758,220.029 337.148,220.407 336.665 C 221.032 335.867,223.081 333.572,224.453 332.135 C 224.754 331.820,224.941 331.563,224.868 331.563 C 224.751 331.563,225.925 330.264,227.905 328.203 L 228.581 327.500 200.015 327.500 L 171.450 327.500 172.522 328.457 M267.707 334.297 C 267.364 345.641,267.458 377.680,267.838 379.189 C 268.211 380.671,269.225 381.932,270.626 382.657 C 271.437 383.076,276.518 383.122,313.975 383.050 L 356.406 382.969 357.458 382.218 C 359.727 380.601,359.673 381.137,359.680 360.000 C 359.683 349.602,359.594 338.035,359.481 334.297 L 359.275 327.500 313.594 327.500 L 267.912 327.500 267.707 334.297 " stroke="none" fill="#fcbc4c" fill-rule="evenodd"></path></g></svg>
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | [<img src="images/logo_orange.svg" align="right" width="100" height="100" />](https://www.socfortress.co/)
  2 | 
  3 | # SOCFortress Threat Intel Integration [![Awesome](https://img.shields.io/badge/SOCFortress-Worlds%20First%20Free%20Cloud%20SOC-orange)](https://www.socfortress.co/trial.html)
  4 | > Integrate your `Wazuh-Manager` or `Graylog` with the SOCFortress Threat Intel API to receive real-time threat intel.
  5 | 
  6 | 
  7 | [![MIT License][license-shield]][license-url]
  8 | [![LinkedIn][linkedin-shield]][linkedin-url]
  9 | [![your-own-soc-free-for-life-tier](https://img.shields.io/badge/Get%20Started-Demo%20Walkthrough-orange)](https://youtu.be/2EMb6zYx7_E)
 10 | 
 11 | <!-- PROJECT LOGO -->
 12 | <br />
 13 | <div align="center" width="50" height="50">
 14 |   <a href="https://www.socfortress.co/">
 15 |     <img src="images/logo_purple_resize.png" alt="Logo">
 16 |   </a>
 17 | 
 18 |   <h3 align="center">SOCFortress Threat Intel API</h3>
 19 | 
 20 |   <p align="center">
 21 |     <a href="https://paypal.me/socfortress?country.x=US&locale.x=en_US"><strong>💰 Make a Donation »</strong></a>
 22 |     <br />
 23 |     <br />
 24 |   </p>
 25 | </div>
 26 | 
 27 | <!-- TABLE OF CONTENTS -->
 28 | <details>
 29 |   <summary>Table of Contents</summary>
 30 |   <ol>
 31 |     <li>
 32 |       <a href="#threat-intel=api">Threat Intel API</a>
 33 |     </li>
 34 |     <li>
 35 |       <a href="#wazuh-manager-integration">Wazuh-Manager Integration</a>
 36 |     </li>
 37 |     <li>
 38 |     <a href="#graylog-integration">Graylog Integration</a>
 39 |     </li>
 40 |   </ol>
 41 | </details>
 42 | 
 43 | 
 44 | 
 45 | <!-- Threat Intel API-->
 46 | # Threat Intel API
 47 | > The SOCFortress Threat Intel API allows end users to consume SOCFortress's public threat intel. The integration supports both `Wazuh-Manager` and `Graylog`. 
 48 | 
 49 | ## API-KEY
 50 | > The API key is required to authenticate with the API. To obtain an API key, please use SOCFortress Copilot.
 51 | 
 52 | ## Criteria
 53 | > The API is currently **only** built for the following criteria:
 54 | * `Windows Sysmon` - Follow our [Wazuh Agent Install Guide](https://medium.com/@socfortress/part-4-wazuh-agent-install-endpoint-monitoring-f24f6a0464ac) to integrate Sysmon with your Windows endpoints.
 55 | * `SOCFortress Wazuh Detection Rules` - Follow our [Wazuh Rules Install Guide](https://github.com/socfortress/Wazuh-Rules) to integrate SOCFortress's Wazuh detection rules with your Wazuh-Manager.
 56 | * `IoC Type` - The API currently supports IoC types of `IP`, `Domain`, and `SHA256 Hash`.
 57 | * `Valid API Key` - Request via [our website](https://www.socfortress.co/request_threat_intel_api.html).
 58 | 
 59 | > ⚠ **NOTE:** API quotas are currently restricted to `500` requests per day. The API is currently in beta and is subject to change. Please contact us at [helpdesk.socfortress.co](https://servicedesk.socfortress.co/help/2979687893) if you have any questions or concerns.
 60 | 
 61 | * `SOCFortress API Wazuh Rules` - [200980-socfortress.xml](https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/SOCFortress%20API/200980-socfortress.xml) - **NOT REQUIRED IF INTEGRATING WITH GRAYLOG**
 62 | 
 63 | <!-- Wazuh-Manager Integration -->
 64 | # Wazuh-Manager Integration
 65 | **Not Recommended - Use Graylog Instead If You Can - Graylog's built in Caching will save your API quota**
 66 | > Follow the steps below to integrate the SOCFortress Threat Intel API with your Wazuh-Manager. **NOT REQUIRED IF INTEGRATING WITH GRAYLOG**
 67 | 1. Download the `custom-socfortress.py` file from the GitHub repository and copy it to `/var/ossec/integrations` of your `Wazuh-Manager`.
 68 | 
 69 | ```
 70 | # Download the custom-socfortress.py file from the GitHub repository
 71 | curl -o custom-socfortress.py https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/main/custom-socfortress.py
 72 | 
 73 | # Copy the custom-socfortress.py file to /var/ossec/integrations
 74 | sudo cp custom-socfortress.py /var/ossec/integrations
 75 | 
 76 | # Change ownership to root:wazuh
 77 | sudo chown root:wazuh /var/ossec/integrations/custom-socfortress.py
 78 | 
 79 | # Set permissions to -rwxr-x---
 80 | sudo chmod 750 /var/ossec/integrations/custom-socfortress.py
 81 | 
 82 | # Clean up the downloaded file
 83 | rm custom-socfortress.py
 84 | ```
 85 | 
 86 | 2. Edit the `/var/ossec/etc/ossec.conf` file and add the following lines to the `ossec.conf` file.
 87 | 
 88 | ```
 89 | <integration>
 90 |     <name>custom-socfortress.py</name>
 91 |     <api_key>YOUR_API_KEY</api_key>
 92 |     <group>sysmon_event3,sysmon_event_22</group>
 93 |     <alert_format>json</alert_format>
 94 |  </integration>
 95 | ```
 96 | > ⚠ **NOTE:** The `group` parameter is the name of the Wazuh rule groups that you want to integrate with the SOCFortress Threat Intel API. All of the below rule groups are supported: 
 97 | * `sysmon_event3` - Network Connections
 98 | * `sysmon_event_22` - DNS Query
 99 | * `sysmon_evnt1` - Process Creation
100 | * `sysmon_event6` - Remote Thread Creation
101 | * `sysmon_event7` - Raw Access Read
102 | * `sysmon_event_15` - File Creation Time
103 | 
104 | **I only include the `sysmon_event3` and `sysmon_event_22` groups in the example above because the others will likely result in you hitting your API Limit quickly**
105 | 
106 | 
107 | > The `alert_format` parameter is the format of the alert that you want to receive from the SOCFortress Threat Intel API. The `api_key` parameter is the API key that you received from SOCFortress.
108 | 
109 | 3. Restart the Wazuh-Manager service.
110 | 
111 | ```
112 | sudo systemctl restart wazuh-manager
113 | ```
114 | 
115 | 4. If you have any issues, set the `integrator_debug` to `2` in the `/var/ossec/etc/local_internal_options.conf` file and restart the Wazuh-Manager service.
116 | 
117 |     * Tail the `ossec.log` file and ensure you see valid responses from the SOCFortress Threat Intel API. `tail -f /var/ossec/logs/ossec.log | grep socfortress`
118 | 
119 | <div align="center" width="50" height="50">
120 |   <a href="https://raw.githubusercontent.com/socfortress/SOCFortress-Threat-Intel/main/images/ossec_log.PNG">
121 |     <img src="images/ossec_log.PNG" alt="Logo">
122 |   </a>
123 | 
124 |   <h3 align="center">Ossec.log File</h3>
125 |   </p>
126 | </div>
127 | 
128 | If working correctly, rule id `200983` will trigger when a positive IoC is found.
129 | 
130 | <div align="center" width="50" height="50">
131 |   <a href="https://github.com/socfortress/SOCFortress-Threat-Intel/images/ossec_log.png">
132 |     <img src="images/wazuh_hits.PNG" alt="Logo">
133 |   </a>
134 | 
135 |   <h3 align="center">SOCFortress Threat Intel Fields</h3>
136 |   </p>
137 | </div>
138 | 
139 | 
140 | 
141 | <!-- Graylog Integration -->
142 | # Graylog Integration
143 | > Follow the steps below to integrate the SOCFortress Threat Intel API with your Graylog instance.
144 | 1. Create `SOCFortress Threat Intel` Data Adapter.
145 | * `Title` - SOCFortress Threat Intel
146 | * `Description` - SOCFortress Threat Intel
147 | * `Name` - socfortress-threat-intel
148 | * `Lookup URL` - https://intel.socfortress.co/search?value=${key}
149 | * `Single value JSONPath` - $.success
150 | * `Multi value JSONPath` - $.data
151 | * `HTTP Headers`-
152 |     * `Content-Type` - application/json
153 |     * `module-version` - 1.0
154 |     * `x-api-key` - YOUR_API_KEY
155 | 
156 | > ⚠ **NOTE:** Verify connection to the SOCFortress Threat Intel API.
157 | 
158 | <div align="center" width="50" height="50">
159 |   <a href="https://github.com/socfortress/SOCFortress-Threat-Intel/images/graylog_response.png">
160 |     <img src="images/graylog_response.PNG" alt="Logo">
161 |   </a>
162 | 
163 |   <h3 align="center">Graylog Response</h3>
164 |   </p>
165 | </div>
166 | 
167 | 2. Create `SOCFortress Threat Intel` Cache.
168 | * `Cache Type` - Node-local, in-memory cache
169 | * `Title` - SOCFortress Threat Intel Cache
170 | * `Description` - SOCFortress Threat Intel Cache
171 | * `Name` - socfortress-threat-intel-cache
172 | * `Maximum Entries` - 1000
173 | * `Expire after access` - 1 hour
174 | 3. Create `SOCFortress Threat Intel` Lookup Table.
175 | * `Title` - SOCFortress Threat Intel Lookup Table
176 | * `Description` - SOCFortress Threat Intel Lookup Table
177 | * `Name` - socfortress_threat_intel
178 | * `Data Adapter` - SOCFortress Threat Intel
179 | * `Cache` - SOCFortress Threat Intel Cache
180 | 4. Create Pipeline Rules to invoke the SOCFortress Threat Intel Lookup Table.
181 |     1. Sysmon Event 3 - Network Connections
182 |     ```
183 |     rule "WINDOWS SYSMON EVENT 3 - SOCFortress THREAT INTEL"
184 |     when
185 |         $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event3" AND $message.data_win_eventdata_destinationIp != "127.0.0.1" AND $message.data_win_eventdata_destinationIp != "255.255.255.255" AND $message.data_win_eventdata_destinationIp != "0.0.0.0" AND $message.data_win_eventdata_destinationIsIpv6 == "false" AND ! in_private_net(to_string($message.data_win_eventdata_destinationIp))
186 |     then
187 |         let ldata = lookup(
188 |             lookup_table: "socfortress_threat_intel",
189 |             key: to_string($message.data_win_eventdata_destinationIp)
190 |         );
191 |         set_fields(
192 |             fields: ldata,
193 |             prefix: "socfortress_"
194 |             );
195 |     end
196 |     ```
197 |     2. Sysmon Event 22 - DNS Query
198 |     ```
199 |     rule "WINDOWS SYSMON EVENT 22 - SOCFortress THREAT INTEL"
200 |     when
201 |         $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event_22"
202 |     then
203 |         let ldata = lookup(
204 |             lookup_table: "socfortress_threat_intel",
205 |             key: to_string($message.data_win_eventdata_queryName)
206 |         );
207 |         set_fields(
208 |             fields: ldata,
209 |             prefix: "socfortress_"
210 |             );
211 |     end
212 |     ```
213 | > **NOTE:** I'll leave the other rule groups for you to create 😉
214 | 
215 | <br />
216 | 
217 | <!-- CONTACT -->
218 | # Contact
219 | 
220 | SOCFortress - [![LinkedIn][linkedin-shield]][linkedin-url] - info@socfortress.co
221 | 
222 | <div align="center">
223 |   <h2 align="center">Let SOCFortress Take Your Open Source SIEM to the Next Level</h3>
224 |   <a href="https://www.socfortress.co/contact_form.html">
225 |     <img src="images/Email%20Banner.png" alt="Banner">
226 |   </a>
227 | 
228 | 
229 | </div>
230 | 
231 | 
232 | 
233 | 
234 | <!-- MARKDOWN LINKS & IMAGES -->
235 | <!-- https://www.markdownguide.org/basic-syntax/#reference-style-links -->
236 | [contributors-shield]: https://img.shields.io/github/contributors/socfortress/Wazuh-Rules
237 | [contributors-url]: https://github.com/socfortress/Wazuh-Rules/graphs/contributors
238 | [forks-shield]: https://img.shields.io/github/forks/socfortress/Wazuh-Rules
239 | [forks-url]: https://github.com/socfortress/Wazuh-Rules/network/members
240 | [stars-shield]: https://img.shields.io/github/stars/socfortress/Wazuh-Rules
241 | [stars-url]: https://github.com/socfortress/Wazuh-Rules/stargazers
242 | [issues-shield]: https://img.shields.io/github/issues/othneildrew/Best-README-Template.svg?style=for-the-badge
243 | [issues-url]: https://github.com/othneildrew/Best-README-Template/issues
244 | [license-shield]: https://img.shields.io/badge/Help%20Desk-Help%20Desk-blue
245 | [license-url]: https://servicedesk.socfortress.co/help/2979687893
246 | [linkedin-shield]: https://img.shields.io/badge/Visit%20Us-www.socfortress.co-orange
247 | [linkedin-url]: https://www.socfortress.co/
248 | 


--------------------------------------------------------------------------------
/custom-socfortress.py:
--------------------------------------------------------------------------------
  1 | #!/var/ossec/framework/python/bin/python3
  2 | # Copyright (C) 2023, SOCFortress, LLP.
  3 | import json
  4 | import sys
  5 | import time
  6 | import os
  7 | import ipaddress
  8 | import re
  9 | from socket import socket, AF_UNIX, SOCK_DGRAM
 10 | try:
 11 |     import requests
 12 |     from requests.auth import HTTPBasicAuth
 13 | except Exception as e:
 14 |     print("No module 'requests' found. Install: pip install requests")
 15 |     sys.exit(1)
 16 | # Global vars
 17 | debug_enabled = False
 18 | pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
 19 | json_alert = {}
 20 | now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
 21 | # Set paths
 22 | log_file = '{0}/logs/integrations.log'.format(pwd)
 23 | socket_addr = '{0}/queue/sockets/queue'.format(pwd)
 24 | def main(args):
 25 |     debug("# Starting")
 26 |     # Read args
 27 |     alert_file_location = args[1]
 28 |     apikey = args[2]
 29 |     debug("# API Key")
 30 |     debug(apikey)
 31 |     debug("# File location")
 32 |     debug(alert_file_location)
 33 |     # Load alert. Parse JSON object.
 34 |     with open(alert_file_location) as alert_file:
 35 |         json_alert = json.load(alert_file)
 36 |     debug("# Processing alert")
 37 |     debug(json_alert)
 38 |     # Request SOCFortress info
 39 |     msg = request_socfortress_api(json_alert,apikey)
 40 |     # If positive match, send event to Wazuh Manager
 41 |     if msg:
 42 |         send_event(msg, json_alert["agent"])
 43 | 
 44 | def debug(msg):
 45 |     if debug_enabled:
 46 |         msg = "{0}: {1}\n".format(now, msg)
 47 |         print(msg)
 48 |         f = open(log_file,"a")
 49 |         f.write(msg)
 50 |         f.close()
 51 | 
 52 | def collect_source_1(data):
 53 |     comment = data['comment']
 54 |     value = data['value']
 55 |     timestamp = data['timestamp']
 56 |     if timestamp is None:
 57 |         timestamp = '1679526769'
 58 |     category = data['category']
 59 |     type = data['type']
 60 |     virustotal_url = data['virustotal_url']
 61 |     return comment, value, timestamp, category, type, virustotal_url
 62 | 
 63 | def collect_source_2(data):
 64 |   comment = data['comment']
 65 |   value = data['value']
 66 |   type = data['type']
 67 |   last_seen = data['last_seen']
 68 |   report_id = data['report_id']
 69 |   report_url = data['report_url']
 70 |   virustotal_url = data['virustotal_url']
 71 |   return comment, value, type, last_seen, report_id, report_url, virustotal_url
 72 | 
 73 | def collect_source_3(data):
 74 |   comment = data['comment']
 75 |   value = data['value']
 76 |   type = data['type']
 77 |   last_seen = data['last_seen']
 78 |   virustotal_url = data['virustotal_url']
 79 |   return comment, value, type, last_seen, virustotal_url
 80 | 
 81 | def is_ipv4(value):
 82 |     try:
 83 |         ipaddress.IPv4Address(value)
 84 |         debug(f"{value} is a valid IPv4 address.")
 85 |         return True
 86 |     except ipaddress.AddressValueError:
 87 |         debug(f"{value} is not a valid IPv4 address.")
 88 |         return False
 89 | 
 90 | def is_domain(value):
 91 |     try:
 92 |         domain_regex = re.compile(r"^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$", re.IGNORECASE)
 93 |         if domain_regex.match(value):
 94 |            debug(f"{value} is a valid domain name.")
 95 |            return True
 96 |         else:
 97 |             debug(f"{value} is not a valid domain name.")
 98 |             return False
 99 |     except Exception as e:
100 |         debug(f"Error: {e}")
101 |         return False
102 | 
103 | def ioc_source(data, ioc_value):
104 |     result = data['ioc_source']
105 |     if result == '1':
106 |         return True
107 |     return False
108 | 
109 | def has_report(data, ioc_value):
110 |     if 'report_found' in data:
111 |         return True
112 |     return False
113 | 
114 | def query_api(ioc_value, apikey):
115 |   params = {'value': ioc_value,}
116 |   headers = {
117 |   'Accept': 'application/json',
118 |   'Content-Type': 'application/json',
119 |   "x-api-key": apikey,
120 |   "module-version": "1.0",
121 |   }
122 |   response = requests.get('https://intel.socfortress.co/search', params=params, headers=headers)
123 |   if response.status_code == 200:
124 |       json_response = response.json()
125 |       data = json_response.get('data')
126 |       return data
127 |   elif response.status_code == 403 or response.status_code == 429:
128 |       json_response = response.json()
129 |       data = json_response
130 |       alert_output = {}
131 |       alert_output["socfortress"] = {}
132 |       alert_output["integration"] = "custom-socfortress"
133 |       alert_output["socfortress"]["status_code"] = response.status_code
134 |       alert_output["socfortress"]["message"] = json_response['message']
135 |       send_event(alert_output)
136 |       exit(0)
137 |   else:
138 |       alert_output = {}
139 |       alert_output["socfortress"] = {}
140 |       alert_output["integration"] = "custom-socfortress"
141 |       json_response = response.json()
142 |       debug("# Error: The SOCFortress integration encountered an error")
143 |       alert_output["socfortress"]["status_code"] = response.status_code
144 |       alert_output["socfortress"]["message"] = json_response['error']
145 |       send_event(alert_output)
146 |       exit(0)
147 | 
148 | def request_socfortress_api(alert, apikey):
149 |     alert_output = {}
150 |     # Collect the IoC Type - Currently only Supports SYSMON For Windows
151 |     event_source = alert["rule"]["groups"][0]
152 |     if 'windows' in event_source.lower():
153 |         if 'hashes' in alert["data"]["win"]["eventdata"]:
154 |             ## Regex Pattern used based on SHA256 lenght (64 characters)
155 |             regex_file_hash = re.compile('\w{64}')
156 |             ioc_value = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
157 |             data = query_api(ioc_value, apikey)
158 |         elif 'destinationIp' in alert["data"]["win"]["eventdata"]:
159 |             ioc_value = alert["data"]["win"]["eventdata"]["destinationIp"]
160 |             ipv4 = is_ipv4(ioc_value)
161 |             if ipv4 and ipaddress.ip_address(ioc_value).is_global:
162 |                 data = query_api(ioc_value, apikey)
163 |             else:
164 |                 return(0)
165 |         elif 'queryName' in alert["data"]["win"]["eventdata"]:
166 |             ioc_value = alert["data"]["win"]["eventdata"]["queryName"]
167 |             domain = is_domain(ioc_value)
168 |             if domain:
169 |                 data = query_api(ioc_value, apikey)
170 |             else:
171 |                 return(0)
172 |         else:
173 |             return(0)
174 |     else:
175 |         return(0)
176 |     # Create alert
177 |     alert_output["socfortress"] = {}
178 |     alert_output["integration"] = "custom-socfortress"
179 |     alert_output["socfortress"]["found"] = 0
180 |     alert_output["socfortress"]["source"] = {}
181 |     alert_output["socfortress"]["source"]["alert_id"] = alert["id"]
182 |     alert_output["socfortress"]["source"]["agent_name"] = alert["agent"]["name"]
183 |     alert_output["socfortress"]["source"]["rule"] = alert["rule"]["id"]
184 |     alert_output["socfortress"]["source"]["description"] = alert["rule"]["description"]
185 |     alert_output["socfortress"]["source"]["processGuid"] = alert["data"]["win"]["eventdata"]["processGuid"]
186 |     alert_output["socfortress"]["source"]["ioc_value"] = ioc_value
187 |     ioc_value = ioc_value
188 |     # Check if SOCFortress has any info about the IoC
189 |     if ioc_source(data, ioc_value):
190 |         alert_output["socfortress"]["ioc_source"] = 1
191 |     else:
192 |         alert_output["socfortress"]["ioc_source"] = 2
193 |         # Check if SOCFortress has any reports about the IoC
194 |         report_found = has_report(data, ioc_value)
195 |         if report_found:
196 |             alert_output["socfortress"]["report_found"] = 1
197 |         else:
198 |             alert_output["socfortress"]["report_found"] = 0
199 |         if alert_output["socfortress"]["ioc_source"] == 2 and alert_output["socfortress"]["report_found"] == 1:
200 |             comment, value, type, last_seen, report_id, report_url, virustotal_url = collect_source_2(data)
201 |             # Populate JSON Output with SOCFortress results
202 |             alert_output["socfortress"]["status_code"] = 200
203 |             alert_output["socfortress"]["comment"] = comment
204 |             alert_output["socfortress"]["value"] = value
205 |             alert_output["socfortress"]["last_seen"] = last_seen
206 |             alert_output["socfortress"]["type"] = type
207 |             alert_output["socfortress"]["report_id"] = report_id
208 |             alert_output["socfortress"]["report_url"] = report_url
209 |             alert_output["socfortress"]["virustotal_url"] = virustotal_url
210 |     
211 |         if alert_output["socfortress"]["ioc_source"] == 2 and alert_output["socfortress"]["report_found"] == 0:
212 |             comment, value, type, last_seen, virustotal_url = collect_source_3(data)
213 |             alert_output["socfortress"]["status_code"] = 200
214 |             alert_output["socfortress"]["comment"] = comment
215 |             alert_output["socfortress"]["value"] = value
216 |             alert_output["socfortress"]["last_seen"] = last_seen
217 |             alert_output["socfortress"]["type"] = type
218 |             alert_output["socfortress"]["virustotal_url"] = virustotal_url
219 | 
220 |     # Info about the IoC found in SOCFortress
221 |     if alert_output["socfortress"]["ioc_source"] == 1:
222 |         comment, value, timestamp, category, type, virustotal_url = collect_source_1(data)
223 |         # Populate JSON Output object with SOCFortress results
224 |         alert_output["socfortress"]["status_code"] = 200
225 |         alert_output["socfortress"]["comment"] = comment
226 |         alert_output["socfortress"]["value"] = value
227 |         alert_output["socfortress"]["timestamp"] = timestamp
228 |         alert_output["socfortress"]["category"] = category
229 |         alert_output["socfortress"]["type"] = type
230 |         alert_output["socfortress"]["virustotal_url"] = virustotal_url
231 | 
232 |     debug(alert_output)
233 |     return(alert_output)
234 | 
235 | def send_event(msg, agent = None):
236 |     if not agent or agent["id"] == "000":
237 |         string = '1:socfortress:{0}'.format(json.dumps(msg))
238 |     else:
239 |         string = '1:[{0}] ({1}) {2}->socfortress:{3}'.format(agent["id"], agent["name"], agent["ip"] if "ip" in agent else "any", json.dumps(msg))
240 |     debug(string)
241 |     sock = socket(AF_UNIX, SOCK_DGRAM)
242 |     sock.connect(socket_addr)
243 |     sock.send(string.encode())
244 |     sock.close()
245 | 
246 | if __name__ == "__main__":
247 |     try:
248 |         # Read arguments
249 |         bad_arguments = False
250 |         if len(sys.argv) >= 4:
251 |             msg = '{0} {1} {2} {3} {4}'.format(now, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4] if len(sys.argv) > 4 else '')
252 |             debug_enabled = (len(sys.argv) > 4 and sys.argv[4] == 'debug')
253 |         else:
254 |             msg = '{0} Wrong arguments'.format(now)
255 |             bad_arguments = True
256 |         # Logging the call
257 |         f = open(log_file, 'a')
258 |         f.write(msg +'\n')
259 |         f.close()
260 |         if bad_arguments:
261 |             debug("# Exiting: Bad arguments.")
262 |             sys.exit(1)
263 |         # Main function
264 |         main(sys.argv)
265 |     except Exception as e:
266 |         debug(str(e))
267 |         raise
268 | 


--------------------------------------------------------------------------------