How to send Wazuh Alerts to JIRA

Before continuing, please create the custom python file for JIRA integration by doing the following (Please read the Wazuh blog post linked below):

sudo touch /var/ossec/integrations/custom-jira

# OR as root

touch /var/ossec/integrations/custom-jira

So Wazuh does have a blog post that instructs how to make this integration work. It doesn't show the more logical way that a business would actually want it to work. So I will be showing you how in this post.

So if you read the post that I hyperlinked above. You will noticed that the integration is setup to only send wazuh alerts that are part of the syscheck group:

Remove Group Path from Alert

And as I would like to get alerted everytime an alerted is generated, and that is at least a level 8, I will need to remove this from this python file. But I also want Wazuh to also send what agent is triggering the alert in the same JIRA ticket.

So after removing them and changing FIM alert on to Wazuh alert: , the file will look like the following.

Extracting Agent Field to Alert

So if you take a look at a json of an actual alert you will find the agent group

{
  "_index": "wazuh-alerts-4.x-2021.07.17",
  "_type": "_doc",
  "_id": "ehrwtHoBmPfK2AoFJf1b",
  "_version": 1,
  "_score": null,
  "_source": {
    "syscheck": {
      "uname_after": "root",
      "mtime_after": "2021-07-17T14:16:31",
      "size_after": "1376",
      "gid_after": "0",
      "mtime_before": "2021-07-17T02:15:14",
      "mode": "scheduled",
      "path": "/etc/lvm/cache/.cache",
      "sha1_after": "1b760aac170d607e0a3efa02596df82c3439090a",
      "changed_attributes": [
        "mtime"
      ],
      "gname_after": "root",
      "uid_after": "0",
      "perm_after": "rw-------",
      "event": "modified",
      "md5_after": "91b6ded5c5907d922fda04dd1c0d8cf8",
      "sha256_after": "4f3e2532049f7f86ce702f6a903286ae948d532d2b99a74cd07638ad0ec604ce",
      "inode_after": 33558814
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "10.10.10.108",
      "name": "<DOMAIN>",
      "id": "004"
    },
    "manager": {
      "name": "<DOMAIN>"
    },
    "rule": {
      "mail": false,
      "level": 7,
      "pci_dss": [
        "11.5"
      ],
      "hipaa": [
        "164.312.c.1",
        "164.312.c.2"
      ],
      "tsc": [
        "PI1.4",
        "PI1.5",
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Integrity checksum changed.",
      "groups": [
        "ossec",
        "syscheck",
        "syscheck_entry_modified",
        "syscheck_file"
      ],
      "nist_800_53": [
        "SI.7"
      ],
      "gdpr": [
        "II_5.1.f"
      ],
      "firedtimes": 1,
      "mitre": {
        "technique": [
          "Stored Data Manipulation"
        ],
        "id": [
          "T1492"
        ],
        "tactic": [
          "Impact"
        ]
      },
      "id": "550",
      "gpg13": [
        "4.11"
      ]
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_integrity_changed"
    },
    "id": "1626533265.6764",
    "full_log": "File '/etc/lvm/cache/.cache' modified\nMode: scheduled\nChanged attributes: mtime\nOld modification time was: '1626488114', now it is '1626531391'\n",
    "timestamp": "2021-07-17T14:47:45.998+0000"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2021-07-17T14:16:31.000Z"
    ],
    "syscheck.mtime_before": [
      "2021-07-17T02:15:14.000Z"
    ],
    "timestamp": [
      "2021-07-17T14:47:45.998Z"
    ]
  },
  "highlight": {
    "manager.name": [
      "@kibana-highlighted-field@<DOMAIN>@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1626533265998
  ]
}

Agent Group

"agent": {
      "ip": "10.10.10.108",
      "name": "<DOMAIN>",
      "id": "004"

The agent name is stored inside the agent object. You can extract the agent name as follows:

agent_name = alert_json['agent']['name']

It would look something like this:

# Extract issue fields
agent_name = alert_json['agent']['name']
alert_level = alert_json['rule']['level']
...

Generate request

# Generate request
msg_data = {}
....
msg_data['fields']['description'] = '- State: ' + description + '\n- Alert level: ' + str(alert_level) + '\n- Agent name: ' + agent_name
....

So I'm going to open ossec.conf and make this change

nano /var/ossec/integrations/custom-jira

Add JIRA integration to ossec.conf

nano /var/ossec/etc/ossec.conf

Proceed by restarting wazuh manager:

systemctl restart wazuh-manager

New Issue in JIRA

Click on the new issue that was generated:

You can see the additional context: