mentions added

priority map refactor
2024-05-13 14:44:32 +02:00 · 2024-05-13 14:44:32 +02:00 · e15c1c9c37
commit e15c1c9c37
parent cc7f93ba64
5 changed files with 54 additions and 18 deletions
--- a/wazuh-notify-go/notification/discord.go
+++ b/wazuh-notify-go/notification/discord.go
@ -35,7 +35,8 @@ func SendDiscord(params types.Params) {
 		embedDescription = "\n\n" +
 			"**Agent:** " + params.WazuhMessage.Parameters.Alert.Agent.Name + "\n" +
 			"**Event id:** " + params.WazuhMessage.Parameters.Alert.Rule.ID + "\n" +
-			"**Description:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" +
+			"**Rule:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" +
+			"**Description: **" + params.WazuhMessage.Parameters.Alert.FullLog + "\n" +
 			"**Threat level:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Level) + "\n" +
 			"**Times fired:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Firedtimes) +
 			"\n\n" +
@ -45,22 +46,39 @@ func SendDiscord(params types.Params) {
 	}

 	var color int
+	var mention string

 	switch params.Priority {
 	case 1:
 		color = 0x339900
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[4].MentionThreshold {
+			mention = "@here"
+		}
 	case 2:
 		color = 0x99cc33
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[3].MentionThreshold {
+			mention = "@here"
+		}
 	case 3:
 		color = 0xffcc00
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[2].MentionThreshold {
+			mention = "@here"
+		}
 	case 4:
 		color = 0xff9966
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[1].MentionThreshold {
+			mention = "@here"
+		}
 	case 5:
 		color = 0xcc3300
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[0].MentionThreshold {
+			mention = "@here"
+		}
 	}

 	message := types.Message{
 		Username: params.Sender,
+		Content:  mention,
 		Embeds: []types.Embed{
 			{
 				Title:       params.Sender,
--- a/wazuh-notify-go/services/init.go
+++ b/wazuh-notify-go/services/init.go
@ -36,7 +36,10 @@ func InitNotify() types.Params {
 		log.Log("yaml failed to load")
 		yamlFile, err = os.ReadFile(path.Join(BaseDirPath, "wazuh-notify-config.yaml"))
 	}
-	yaml.Unmarshal(yamlFile, &configParams)
+	err = yaml.Unmarshal(yamlFile, &configParams)
+	if err != nil {
+		print(err)
+	}

 	log.Log("yaml loaded")
 	configParamString, _ := json.Marshal(configParams)
@ -59,6 +62,7 @@ func InitNotify() types.Params {
 	inputParams.FullMessage = configParams.FullMessage
 	inputParams.ExcludedAgents = configParams.ExcludedAgents
 	inputParams.ExcludedRules = configParams.ExcludedRules
+	inputParams.PriorityMaps = configParams.PriorityMaps

 	wazuhInput()

--- a/wazuh-notify-go/services/mapping.go
+++ b/wazuh-notify-go/services/mapping.go
@ -3,19 +3,19 @@ package services
 import "slices"

 func mapPriority() int {
-	if slices.Contains(configParams.Priority1, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[4].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 1
 	}
-	if slices.Contains(configParams.Priority2, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[3].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 2
 	}
-	if slices.Contains(configParams.Priority3, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[2].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 3
 	}
-	if slices.Contains(configParams.Priority4, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[1].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 4
 	}
-	if slices.Contains(configParams.Priority5, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[0].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 5
 	}
 	return 0
--- a/wazuh-notify-go/types/types.go
+++ b/wazuh-notify-go/types/types.go
@ -11,11 +11,12 @@ type Params struct {
 	ExcludedRules  string `yaml:"excluded_rules,omitempty"`
 	ExcludedAgents string `yaml:"excluded_agents,omitempty"`
 	WazuhMessage   WazuhMessage
-	Priority1      []int `yaml:"priority_1"`
-	Priority2      []int `yaml:"priority_2"`
-	Priority3      []int `yaml:"priority_3"`
-	Priority4      []int `yaml:"priority_4"`
-	Priority5      []int `yaml:"priority_5"`
+	PriorityMaps   []PriorityMap `yaml:"priority_map"`
+}
+
+type PriorityMap struct {
+	ThreatMap        []int `yaml:"threat_map"`
+	MentionThreshold int   `yaml:"mention_threshold"`
 }

 type Message struct {
--- a/wazuh-notify-go/wazuh-notify-config.yaml
+++ b/wazuh-notify-go/wazuh-notify-config.yaml
@ -5,7 +5,7 @@
 # The yaml needs to be in the same folder as the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py

 targets: "discord,ntfy"
-full_message: "discord,ntfy"
+full_message: "ntfy"

 # Exclude rules that are listed in the ossec.conf active response definition.

@ -13,12 +13,25 @@ excluded_rules: "5401,5403"
 excluded_agents: "999"

 # Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification)
+# Discord mention after x amount of event fired times
+
+priority_map:
+  -
+    threat_map: [15,14,13,12]
+    mention_threshold: 1
+  -
+    threat_map: [11,10,9]
+    mention_threshold: 1
+  -
+    threat_map: [8,7,6]
+    mention_threshold: 5
+  -
+    threat_map: [5,4]
+    mention_threshold: 5
+  -
+    threat_map: [3,2,1,0]
+    mention_threshold: 5

-priority_5: [15,14,13,12]
-priority_4: [11,10,9]
-priority_3: [8,7,6]
-priority_2: [5,4]
-priority_1: [3,2,1,0]

 sender: "Wazuh (IDS)"
 click: "https://google.com"