In the world of cybersecurity, integration between different tools and platforms is crucial for effective threat detection and response. In this blog post, we will guide you on integrating Wazuh, an open-source Security Information Event Management (SIEM) and XDR solution, with DFIR Iris, an open-source Incident Response/Case Management platform.
Prerequisites
Before we start, ensure that you have the following deployed:
- Wazuh: You can follow this guide for deploying Wazuh.
- DFIR Iris: Follow the official documentation for getting started with DFIR Iris.
- Integration Files: You can find the necessary files for integration on this GitHub repository. Original script provider is located here in his GitHub
Integration Steps
- Deploy the Integration Script: The integration script is what Wazuh calls upon to send events/alerts to DFIR Iris. Deploy the script to your Wazuh server using the commands provided in the GitHub repository.
- Get Your DFIR Iris API Key: You can find your DFIR Iris API key in the web console by selecting your profile -> My settings.
- Add the Integration Block to Your Wazuh Config File: Add the integration block to your Wazuh config file found at
/var/ossec/etc/ossec.conf
. Adjust<hook_url>
and<api_key>
to your environment, and change<level>
to the desired threshold for alerts. - Restart the Wazuh-Manager Service: Once you have completed the above steps, restart the wazuh-manager service.
Conclusion
Integrating Wazuh with DFIR Iris allows you to leverage the strengths of both platforms, enhancing your organization’s ability to detect and respond to cybersecurity threats. However, please note that as of DFIR-IRIS v2.4.5, this integration has broken. Efforts are being made to update the script to coincide with any new changes to the API.
Please note that this is a simplified overview and actual implementation may require more detailed planning and resources. It’s recommended to seek professional advice or training for a comprehensive understanding of Wazuh and DFIR Iris integration.