Integration with graylog
Can I integrate graylog alerts into Iris? Graylog has Custom HTTP Notification, but it asks for API Secret, I was unable to integrate it.
If you are able to send the alert data in this structure https://docs.dfir-iris.org/_static/iris_api_reference_v2.0.2.html#tag/Alerts/operation/post-case-add-alert
You find the API Secret (User API Key) in the user configuration:
In the url I put https://<my_ip>/alerts/add/ API KEY I added the API KEY that is in my IRIS profile, but it asks for the API Secret. I don't know if there is another way to configure this notification alert integration. Or if someone has already done the configuration.
Have you tried to add 1111 for API Secret? You can check how the Web Request is built if you send it to a dummy webserver which logs every request, and check if everything is in the right format (headers and POST payload).
API Key and API Secret are optional fields. You can leave them empty. Add "Authorization: Bearer $token " in the Headers field, replacing $token with the value of the API token for the user you want to use.
This is what I did as well, worked like a charm.
Are you utilizing https? I am using https with a self-signed cert with DFIR-IRIS (provided by a Windows CA) and can't get Graylog to trust it (despite it being the same CA that signed Graylog's certs).
Yes https, but not a self-signed certificate.
can anybody guide me through the integration of Graylog and DFIR-IRIS
I got you, my dude:
Go to Alerts > Notifications > Create Notification
Title: <Whatever>
Notification Type: http-notification-v2
URL: https://<your Iris instance>/alerts/add*
Method: POST
TimeZone: <your timezone>**
Content Type: JSON
Headers Authorization: Bearer <Iris API Key>
Body Template:***
{
  "alert_title": "${event_definition_title}",
  "alert_source": "Graylog",
  "alert_severity_id": "5",
  "alert_customer_id": "2",
  "alert_status_id": "2",
  "alert_source_event_time": "${event.timestamp}",
  "alert_source_ref": "${event.source_streams}",
  "alert_description": "${event_definition_description}",
  "alert_source_link": "https://graylog.foo.bar/alerts/${event.id}/replay-search",
  "alert_tags": "Graylog",
  "alert_context": {
    ${if backlog}
    ${foreach backlog message}
    "User": "${message.fields.winlog_event_data_TargetUserName}",
    "Event Code": "${message.fields.event_code}",
    "Event Code Summary": "${message.fields.Event_code_summary}",
    "Hostname": "${message.fields.agent_name}",
    "Link": "https://graylog.foo.bar/messages/${message.index}/${message.id}"
    ${end}
    ${end}
  }
}
* if your Iris instance is secured via a self-signed certificate you MUST get the graylog java trust store to trust it first
** For whatever reason, Graylog and Iris don't like to play nice with timezones. I can't figure it out, especially when it works some of the time
*** this is the hardest part. It will take trial and error. You MUST provide an alert_severity_id, alert_customer_id, and alert_status_id (and they must correspond with a real entry in Iris). The rest is highly dependent on what you want to convey. The example above is for when AD Accounts are locked. Those same fields would not work on other alert types.
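The dummy-webserver check suggested earlier in the thread and the required-ID rule in footnote *** combined, as an added example that is not part of the thread or of either project: a small Python receiver you point the Graylog notification URL at instead of Iris. It logs the request the way a dummy webserver would and reports a missing Bearer header, a body that is not valid JSON (the usual outcome of a wrong backlog loop in the template), or a missing or non-numeric alert_severity_id / alert_customer_id / alert_status_id. The port and the wording of the problem messages are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# IDs the thread says Iris rejects the alert without, plus the title.
REQUIRED = ("alert_title", "alert_severity_id", "alert_customer_id", "alert_status_id")
ID_FIELDS = ("alert_severity_id", "alert_customer_id", "alert_status_id")


def check_alert_request(headers, body):
    """Return the problems found in one notification request (empty list = looks fine)."""
    problems = []
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not auth.startswith("Bearer ") or not auth[7:].strip():
        problems.append("missing or malformed 'Authorization: Bearer <token>' header")
    try:
        payload = json.loads(body)
    except ValueError as exc:
        # Usual cause: the ${foreach backlog message} loop emitting entries without commas.
        return problems + [f"body is not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return problems + ["body must be a JSON object"]
    problems += [f"missing required field {f}" for f in REQUIRED if f not in payload]
    for f in ID_FIELDS:
        if f in payload and not str(payload[f]).isdigit():
            problems.append(f"{f} must be a numeric Iris ID, got {payload[f]!r}")
    return problems


class GraylogProbe(BaseHTTPRequestHandler):
    """Logs every POST the way a dummy webserver would, then grades it."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        print(f"--- {self.command} {self.path}")
        for name, value in self.headers.items():
            # Do not write the real token into the terminal log.
            print(f"{name}: {'Bearer ***' if name.lower() == 'authorization' else value}")
        print(body.decode("utf-8", "replace"))
        problems = check_alert_request(dict(self.headers.items()), body)
        self.send_response(200 if not problems else 400)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"problems": problems}).encode())


if __name__ == "__main__":
    # Assumed port; set the Graylog notification URL to http://<this host>:8080/alerts/add
    HTTPServer(("0.0.0.0", 8080), GraylogProbe).serve_forever()
```

Once the probe answers 200 to a fired test notification, switch the URL back to the Iris instance; the only remaining difference is TLS, which is the trust-store point in footnote *.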