| | @@ -0,0 +1,65 @@ |
| + | #!/usr/bin/env python3 |
| + | import json |
| + | import sys |
| + | from pathlib import Path |
| + | from urllib import request, error |
| + | |
| + | TIMEOUT = 10 |
| + | |
| + | |
| + | def load_alert(alert_path): |
| + | with open(alert_path, "r", encoding="utf-8") as handle: |
| + | return json.load(handle) |
| + | |
| + | |
| + | def build_payload(alert): |
| + | rule = alert.get("rule", {}) |
| + | agent = alert.get("agent", {}) |
| + | data = alert.get("data", {}) |
| + | return { |
| + | "source": "wazuh", |
| + | "rule_id": rule.get("id"), |
| + | "rule_level": rule.get("level"), |
| + | "rule_description": rule.get("description"), |
| + | "mitre": rule.get("mitre", {}), |
| + | "agent_id": agent.get("id"), |
| + | "agent_name": agent.get("name"), |
| + | "agent_ip": agent.get("ip"), |
| + | "src_ip": data.get("srcip"), |
| + | "dst_ip": data.get("dstip"), |
| + | "full_log": alert.get("full_log"), |
| + | "timestamp": alert.get("timestamp"), |
| + | "raw": alert, |
| + | } |
| + | |
| + | |
| + | def post(hook_url, payload): |
| + | body = json.dumps(payload).encode("utf-8") |
| + | req = request.Request( |
| + | hook_url, |
| + | data=body, |
| + | headers={"Content-Type": "application/json"}, |
| + | method="POST", |
| + | ) |
| + | with request.urlopen(req, timeout=TIMEOUT) as response: |
| + | return response.status |
| + | |
| + | |
| + | def main(argv): |
| + | if len(argv) < 4: |
| + | return 1 |
| + | alert_path = argv[1] |
| + | hook_url = argv[3] |
| + | if not Path(alert_path).exists(): |
| + | return 1 |
| + | alert = load_alert(alert_path) |
| + | payload = build_payload(alert) |
| + | try: |
| + | status = post(hook_url, payload) |
| + | except (error.URLError, error.HTTPError): |
| + | return 1 |
| + | return 0 if status < 400 else 1 |
| + | |
| + | |
| + | if __name__ == "__main__": |
| + | sys.exit(main(sys.argv)) |
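Review bot: The `except (error.URLError, error.HTTPError)` at the end of `main` covers less than it looks like — `HTTPError` is already a subclass of `URLError`, while a read timeout inside `urlopen` surfaces as `TimeoutError`, and the `load_alert(alert_path)` call two lines above the `try` raises `json.JSONDecodeError` on a malformed alert file, so both end in a traceback instead of the exit code 1 the rest of `main` uses. Wrapping the load-build-post sequence in one `try` and catching `(OSError, ValueError)` handles all of these, and writing the reason to stderr replaces the bare `return 1` that otherwise leaves the operator with no indication of why an alert was not forwarded. Because the payload carries the whole alert (`"raw": alert`, `full_log`, agent and source IPs), `hook_url = argv[3]` is also worth restricting before posting, e.g. `if not hook_url.startswith("https://"): return 1`, so the data is neither sent in plaintext nor handed to a non-HTTP scheme handler that `urlopen` would accept. The skipped `argv[2]` suggests the caller passes a credential that this script drops rather than sending as an auth header, but that cannot be confirmed from this file alone.
```python
    try:
        alert = load_alert(alert_path)
        payload = build_payload(alert)
        status = post(hook_url, payload)
    except (OSError, ValueError) as exc:
        # URLError/HTTPError/TimeoutError are OSError subclasses; JSONDecodeError is a ValueError
        print(f"wazuh webhook integration failed: {exc}", file=sys.stderr)
        return 1
    return 0 if status < 400 else 1
```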