Wazuh Integration
Integration of AIR with Wazuh is possible via the feature called "Integrations".
When Wazuh's configuration file has the integration setting with specified RuleID, It runs a defined script. The defined python script sends the relevant information with a POST request to the AIR.
Steps to Integrate
Step 1: Create a Trigger for Wazuh
Visit the Webhooks page in Binalyze AIR,
Click the "+ New Webhook" button on the upper right corner,
Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
Select "Wazuh: Wazuh AIR Integration" as the parser for this webhook,
Select an Acquisition Profile when Wazuh activates this webhook,
Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),
Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let AIR configure them automatically based on the matching policy
Click the "Save" button,
Hover your mouse over the link below the Webhook name and double-click to copy (see below),
Step 2: Add the Integration Settings in Wazuh
Open the ossec.conf file with a preferred text editor and add the following line to the end of the file before closing the ossec_config. The name must be precisely custom-air. For detailed information, please see the Wazuh Documentation.
Step 3: Creating the scripts in Wazuh
Every time the relevant rule_id is triggered, a bash script named custom-air is executed. Create a file named custom-air in /var/ossec/integrations/ paste the following script. For detailed information, please refer to the Wazuh Documentation.
Create a python script named custom-air.py /var/ossec/integrations/ and paste the following script. The script runs another python script and makes a request to the air server.
The scripts must be placed in /var/ossec/integrations, have the same name as indicated in the configuration block, contain execution permissions, and belong to the root user of the ossec group. Execute the following two commands:
Last updated