Integrating Wazuh with DFIR Iris

STASIS
4 min readOct 14, 2023

[Update March 2024] At the time of writing this article DFIR IRIS v2.3.7 was the latest version. As of DFIR-IRIS v2.4.5 this integration no longer works. I will, however, try to spend some time updating the script to match any changes that were made to the API.

This article will guide you on integrating Wazuh and DFIR Iris.

Special Shout Outs

Before we start it wouldn't be fair not to recognize some great people that are contributing to the Open Source cybersecurity community.

Nate Uribe https://github.com/nateuribe Nate created the original integration that I modified and built upon. He deserves the real credit for making this happen.

SOCFortress — These awesome people are driving security forward in the open source world. They provide many guides around Security Engineering including how to deploy and integrate various solutions. They also have some great DFIR Iris modules they have created. Check them out here.

What

Wazuh: Enterprise-ready open-source Security Information and Event Management (SIEM) and XDR solution that is rapidly gaining traction with organizations across the world.

DFIR IRIS: Open-source Incident Response/Case Management platform built for collaboration. It supports third-party modules to assist in investigations, including VirusTotal and MISP, and you can build and add your own modules. Easy to use and customize.

Deployment

Prerequisites

Wazuh: https://stasis.dev/siem-deploying-wazuh-5e7f1126eaf

DFIR Iris: https://docs.dfir-iris.org/getting_started/

Integration Files: https://github.com/chadhardcastle/Wazuh-IRIS-integration

Installation

  1. Deploy the integration script to your Wazuh server. This is the script Wazuh calls to send alerts to DFIR Iris. In my modified version the Wazuh rule description maps to the Iris alert title field. Another change I made was adding a function that pulls the "message" field from the alert JSON and sends it to the Iris alert description field. I have also included the agent information, as seen in the examples at the bottom of this article.
git clone https://github.com/chadhardcastle/Wazuh-IRIS-integration.git
cd Wazuh-IRIS-integration/
cp custom-iris.py /var/ossec/integrations/custom-iris.py
chmod 750 /var/ossec/integrations/custom-iris.py
chown root:wazuh /var/ossec/integrations/custom-iris.py

2. Grab your DFIR IRIS API key

You can find your DFIR IRIS API key in the web console by selecting your profile -> My settings.

3. Add the integration block to your Wazuh config file found at /var/ossec/etc/ossec.conf

<!--
... Rest of config
-->

<!-- IRIS integration -->
<integration>
<name>custom-iris.py</name>
<hook_url>http://IRIS-BASE-URL:8000/alerts/add</hook_url>
<level>7</level>
<api_key>APIKEY</api_key>
<alert_format>json</alert_format>
</integration>

</ossec_config>

If you put your integrations at the end of your ossec.conf file like I do, the block sits just before the closing </ossec_config> tag, as shown above. Replace IRIS-BASE-URL with the address of your Iris server and APIKEY with the key from step 2; the <level> value is a minimum, so alerts of level 7 and higher are forwarded.

4. Once you have completed the above, restart the wazuh-manager service

systemctl restart wazuh-manager

You should now start seeing alerts flowing into DFIR IRIS as soon as an alert of level 7 or higher fires. Any errors from the script are written to /var/ossec/logs/integrations.log.
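To make the steps above concrete, here is an added example of what a Wazuh custom integration script for Iris does end to end. It is not the article's or the repository's custom-iris.py; it is a minimal stand-in written for this page. Assumptions: the /alerts/add field names follow the DFIR-IRIS v2.3 alert API, and the level-to-severity table, alert_status_id and alert_customer_id are illustrative values rather than anything taken from the article or the project. The constructed SAMPLE_ALERT lets you exercise the mapping without a running Wazuh or Iris.

```python
#!/usr/bin/env python3
"""Minimal Wazuh -> DFIR-IRIS forwarder (added example, not the article's
or the repository's custom-iris.py). It shows how Wazuh invokes a custom
integration script and how one Wazuh alert is mapped onto the body of
POST /alerts/add.

Assumptions, labelled: the IRIS field names follow the DFIR-IRIS v2.3
alert API; the level-to-severity table, alert_status_id and
alert_customer_id are illustrative values, not taken from the article.
"""
import json
import sys
import urllib.request

# Wazuh runs custom-* scripts as: custom-iris.py <alert_file> <api_key> <hook_url>
# The alert file holds one JSON alert because ossec.conf sets alert_format json.


def severity_id(level: int) -> int:
    """Map a Wazuh rule level (0-15) to an assumed IRIS severity id
    (Informational=2, Low=3, Medium=4, High=5, Critical=6)."""
    if level >= 13:
        return 6
    if level >= 10:
        return 5
    if level >= 7:
        return 4
    if level >= 4:
        return 3
    return 2


def extract_message(alert: dict) -> str:
    """Prefer the raw log line; fall back to the Windows eventchannel message."""
    if alert.get("full_log"):
        return alert["full_log"]
    win_system = alert.get("data", {}).get("win", {}).get("system", {})
    return win_system.get("message", "")


def build_description(alert: dict) -> str:
    """Compose the IRIS description from the message and the agent details."""
    agent = alert.get("agent", {})
    return "\n".join([
        f"Rule {alert['rule']['id']} (level {alert['rule']['level']})",
        f"Agent: {agent.get('name', 'unknown')} ({agent.get('ip', '?')}, id {agent.get('id', '?')})",
        f"Message: {extract_message(alert)}",
    ])


def map_wazuh_alert(alert: dict) -> dict:
    """Translate one Wazuh alert into the JSON body for POST /alerts/add."""
    rule = alert["rule"]
    return {
        "alert_title": rule["description"],
        "alert_description": build_description(alert),
        "alert_source": "Wazuh",
        "alert_source_ref": alert["id"],
        "alert_source_event_time": alert["timestamp"],
        "alert_severity_id": severity_id(int(rule["level"])),
        "alert_status_id": 2,            # assumed id of the "New" status
        "alert_tags": ",".join(rule.get("groups", [])),
        "alert_customer_id": 1,          # assumed default customer
        "alert_source_content": alert,   # keep the full alert for the analyst
    }


def build_headers(api_key: str) -> dict:
    """IRIS authenticates API calls with a bearer token."""
    return {"Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json"}


def send_alert(payload: dict, api_key: str, hook_url: str, timeout: int = 10) -> int:
    """POST the payload to the hook_url from ossec.conf; return the HTTP status."""
    req = urllib.request.Request(
        hook_url, data=json.dumps(payload).encode("utf-8"),
        headers=build_headers(api_key), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample shaped like a Wazuh JSON alert (not a real capture).
SAMPLE_ALERT = {
    "timestamp": "2023-10-14T10:15:30.123+0000",
    "id": "1697278530.12345",
    "rule": {"id": "100100", "level": 12,
             "description": "Windows Defender: malware detected",
             "groups": ["windows", "windows_defender"]},
    "agent": {"id": "003", "name": "winsrv01", "ip": "10.0.0.25"},
    "data": {"win": {"system": {"message": "Threat Mimikatz detected"}}},
}


def main(argv: list) -> int:
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)
    return send_alert(map_wazuh_alert(alert), api_key, hook_url)


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv) in (200, 201) else 1)
```

You can test a script like this by hand before restarting the manager: save one alert from /var/ossec/logs/alerts/alerts.json to a file and run /var/ossec/integrations/custom-iris.py /path/to/alert.json APIKEY http://IRIS-BASE-URL:8000/alerts/add as root. Two things to keep in mind: Wazuh passes the API key on the command line, so it is visible in the process list on the manager, and the hook_url in this article is plain http, so the key and the alert contents cross the network unencrypted unless you put Iris behind TLS.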

Example Alerts

Windows Defender Mimikatz detection as seen in DFIR IRIS
Docker Error Message alert as seen in DFIR IRIS

Troubleshooting

Depending on how you deployed your infrastructure you may run into issues connecting Wazuh to Iris.

If you are not seeing alerts in Iris you may be experiencing any of the following issues:

  • The alert level in the ossec.conf integration block is set high and no new alert of that level has been triggered. Remember the level is a minimum (7 forwards level 7 and above), so it is likely you simply have not had an event that meets the threshold, or there is a connection issue with your integration. Check ossec.log for any signs of integration errors.
  • "Connection Refused" errors found in your integrations.log and/or ossec.log files. This can signify either a firewall issue on the servers hosting Wazuh and/or Iris, or a configuration issue with the docker-compose.yaml file for Iris. I had the latter issue. My Iris WebApp container had the port section set to "0.0.0.0:8000:8000". While I could still access the server via the web from my internal infrastructure, I was unable to send API calls. I fixed this by modifying the IP to the local IP of the server I was running the containers on.

Conclusion

I hope you enjoyed this guide as much as I did writing it. One thing that wasn't detailed in the guide is to ensure you have backups set up. There are plenty of great open-source security tools and many more people championing them.
