
[BUG] Missing documentation about the alert_severity_id

Open CyberAbwehr opened this issue 1 year ago • 7 comments

Describe the bug

I tested all alert_severity_id values in IRIS, because it is important to know which alert severity I need to send from other applications like Wazuh, Suricata, OpenSearch, and so on.

- alert_severity_id = 1 (Unspecified)
- alert_severity_id = 2 (Informational)
- alert_severity_id = 3 (Low)
- alert_severity_id = 4 (Medium)
- alert_severity_id = 5 (High)
- alert_severity_id = 6 (Critical)

Please can you add this to the documentation.

Expected behavior

Needs to be in the documentation.

CyberAbwehr avatar Aug 30 '23 08:08 CyberAbwehr

Wazuh -> Shuffle -> DFIR-IRIS (2.3.2). Please, did you get this to work? Drop the Shuffle link for IRIS.

tboy-hacker avatar Aug 31 '23 00:08 tboy-hacker

I saw it somewhere and thought it was in the docs, just in case you need alert_status_id:

- 1 - Unspecified
- 2 - New
- 3 - Assigned
- 4 - In progress
- 5 - Pending
- 6 - Closed
- 7 - Merged

lnn2204 avatar Aug 31 '23 02:08 lnn2204

@tboy-hacker

Send Wazuh Alerts over Shuffle to DFIR-IRIS Alerts

1. Set up the Wazuh Shuffle integration:

   https://wazuh.com/blog/integrating-wazuh-with-shuffle/

2. Test the integration in Shuffle.

3. Add a token in DFIR-IRIS for your account:

   https://docs.dfir-iris.org/operations/api/

4. Download the IRIS v2 app from Shuffle.io.

5. Fix the Add Alert configuration:

   ```json
   {
     "alert_title": "${alert_title}",
     "alert_description": "${alert_description}",
     "alert_source": "${alert_source}",
     "alert_source_ref": "${alert_source_ref}",
     "alert_source_link": "${alert_source_link}",
     "alert_severity_id": "${alert_severity_id}",
     "alert_status_id": "${alert_status_id}",
     "alert_source_event_time": "${alert_source_event_time}",
     "alert_note": "${alert_note}",
     "alert_tags": "${alert_tags}",
     "alert_customer_id": "2",
     "alert_classification_id": "${alert_classification_id}",
     "alert_source_content": "${alert_source_content}"
   }
   ```

6. Test the full workflow in Shuffle.

There is still a bug with Wazuh alerts containing special characters:

https://github.com/dfir-iris/iris-web/issues/296

Example of a Wazuh alert that does not work:

"alert_source_content": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic)."

CyberAbwehr avatar Aug 31 '23 07:08 CyberAbwehr

Hi!

Indeed, we're missing some endpoints in the documentation (which is meant to be updated; we didn't find the time yet). You can use this endpoint to list the alert_severity_id values: https://xxxx/manage/severities/list.

You can also see the available endpoints with https://xxx/sitemap.

We'll update the documentation!

Cheers

whikernel avatar Sep 04 '23 19:09 whikernel
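The following is an added example that is not part of this issue thread or of the iris-web project. It ties together the Shuffle "Add Alert" field names from the workflow above and the severity-listing endpoint mentioned in the reply: instead of hardcoding the numeric IDs, it reads them from the `/manage/severities/list` response, maps a Wazuh rule level onto an IRIS severity, and serialises the alert with the JSON library so that quotes, backslashes and regex characters such as those in the rootcheck message above survive intact. Assumptions, none of which come from the page: the `POST /alerts/add` endpoint and Bearer-token header (confirm against your instance's `/sitemap`), the `severity_id`/`severity_name` field names in the list response, the bucketing of Wazuh levels 0-15 onto the six severities, and the sample Wazuh event (including its rule id, level and description), which is constructed for the example.

```python
"""Wazuh -> DFIR-IRIS alert helper (added example, not iris-web code).

Assumed rather than documented on the page: the /alerts/add endpoint and
Bearer auth, the severity_id/severity_name field names returned by
/manage/severities/list, and the Wazuh level -> IRIS severity bucketing.
"""
import json
import urllib.request

# Status IDs exactly as listed in the thread.
ALERT_STATUS = {"Unspecified": 1, "New": 2, "Assigned": 3, "In progress": 4,
                "Pending": 5, "Closed": 6, "Merged": 7}

# Constructed sample of what GET /manage/severities/list is assumed to return.
SEVERITY_LIST_RESPONSE = {
    "status": "success",
    "data": [
        {"severity_id": 1, "severity_name": "Unspecified"},
        {"severity_id": 2, "severity_name": "Informational"},
        {"severity_id": 3, "severity_name": "Low"},
        {"severity_id": 4, "severity_name": "Medium"},
        {"severity_id": 5, "severity_name": "High"},
        {"severity_id": 6, "severity_name": "Critical"},
    ],
}

# Upper bound of a Wazuh rule level -> IRIS severity name (assumed bucketing).
LEVEL_BUCKETS = [(2, "Informational"), (5, "Low"), (9, "Medium"),
                 (12, "High"), (15, "Critical")]

# Constructed Wazuh event carrying the regex-heavy message quoted in the thread.
SAMPLE_WAZUH_ALERT = {
    "id": "1693465965.12345",
    "timestamp": "2023-08-31T07:12:45.000+0000",
    "agent": {"id": "001", "name": "web01"},
    "rule": {"id": "510", "level": 7,
             "description": "Host-based anomaly detection event (rootcheck).",
             "groups": ["ossec", "rootcheck"]},
    "full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature "
                "used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).",
}


def severity_lookup(list_response):
    """Build {severity_name: severity_id} from the list endpoint's JSON so the
    numeric IDs come from the running instance instead of being hardcoded."""
    return {s["severity_name"]: s["severity_id"] for s in list_response["data"]}


def severity_for_level(level, severities):
    """Map a Wazuh rule level to an IRIS severity ID. Levels above the last
    bucket count as Critical; a missing name falls back to Unspecified."""
    for upper, name in LEVEL_BUCKETS:
        if level <= upper:
            return severities.get(name, severities["Unspecified"])
    return severities.get("Critical", severities["Unspecified"])


def build_alert_payload(wazuh_alert, severities, customer_id):
    """Assemble the body for POST /alerts/add with the field names used in the
    Shuffle configuration. alert_source_content carries the whole event."""
    rule = wazuh_alert["rule"]
    agent = wazuh_alert["agent"]
    return {
        "alert_title": f"Wazuh rule {rule['id']}: {rule['description']}",
        "alert_description": wazuh_alert.get("full_log", rule["description"]),
        "alert_source": "Wazuh",
        "alert_source_ref": wazuh_alert["id"],
        "alert_severity_id": severity_for_level(int(rule["level"]), severities),
        "alert_status_id": ALERT_STATUS["New"],
        "alert_source_event_time": wazuh_alert["timestamp"],
        "alert_note": f"Agent {agent['name']} ({agent['id']})",
        "alert_tags": ",".join(rule.get("groups", [])),
        "alert_customer_id": customer_id,
        "alert_source_content": wazuh_alert,
    }


def encode_payload(payload):
    """Serialise with json.dumps: quotes and backslashes in the message are
    escaped and '|', '^', '[' pass through as valid JSON, which a string
    template pasting the raw message into a JSON document does not guarantee."""
    return json.dumps(payload, ensure_ascii=False).encode("utf-8")


def post_alert(base_url, api_token, payload):
    """Send the alert using the API token created in the IRIS user profile."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/alerts/add",
        data=encode_payload(payload),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    sev = severity_lookup(SEVERITY_LIST_RESPONSE)
    body = build_alert_payload(SAMPLE_WAZUH_ALERT, sev, customer_id=2)
    print(encode_payload(body).decode())
    # post_alert("https://iris.example.org", "<api token>", body)
```

In a real deployment the severity map would be fetched once from `/manage/severities/list` with the same Bearer token and cached, so that a renamed or added severity on the IRIS side does not silently change which ID the integration sends.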

@CyberAbwehr will love to connect

tboy-hacker avatar Sep 08 '23 02:09 tboy-hacker

@tboy-hacker, post your email address so we can connect.

Best regards

CyberAbwehr avatar Sep 08 '23 07:09 CyberAbwehr

@CyberAbwehr [email protected]

tboy-hacker avatar Sep 08 '23 16:09 tboy-hacker