From e15c1c9c370df5d7cad374f0c9684399285c5c42 Mon Sep 17 00:00:00 2001
From: darius
Date: Mon, 13 May 2024 14:44:32 +0200
Subject: [PATCH] mentions added priority map refactor

---
 wazuh-notify-go/notification/discord.go | 20 ++++++++++++++++++-
 wazuh-notify-go/services/init.go | 6 +++++-
 wazuh-notify-go/services/mapping.go | 10 +++++-----
 wazuh-notify-go/types/types.go | 11 ++++++-----
 wazuh-notify-go/wazuh-notify-config.yaml | 25 ++++++++++++++++++------
 5 files changed, 54 insertions(+), 18 deletions(-)

diff --git a/wazuh-notify-go/notification/discord.go b/wazuh-notify-go/notification/discord.go
index aa46484..1e20a85 100644
--- a/wazuh-notify-go/notification/discord.go
+++ b/wazuh-notify-go/notification/discord.go
@@ -35,7 +35,8 @@ func SendDiscord(params types.Params) {
 		embedDescription = "\n\n" +
 			"**Agent:** " + params.WazuhMessage.Parameters.Alert.Agent.Name + "\n" +
 			"**Event id:** " + params.WazuhMessage.Parameters.Alert.Rule.ID + "\n" +
-			"**Description:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" +
+			"**Rule:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" +
+			"**Description: **" + params.WazuhMessage.Parameters.Alert.FullLog + "\n" +
 			"**Threat level:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Level) + "\n" +
 			"**Times fired:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Firedtimes) + "\n\n" +
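Review bot: The new `**Description: **` label puts the space inside the closing bold marker, so Discord will not render it bold the way the neighbouring `**Rule:** ` label is; it should read `"**Description:** " + params.WazuhMessage.Parameters.Alert.FullLog + "\n" +`. The larger point is that FullLog is the raw log line produced on the monitored host, so it is attacker-influenced text that now lands verbatim in the embed: it should at least be truncated so the description stays under Discord's embed description limit (4096 characters), otherwise an oversized log line makes the API reject the whole alert, and wrapping it in a code block keeps any markdown characters it contains from being interpreted. SendDiscord begins and ends outside this hunk.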
@@ -45,22 +46,39 @@ func SendDiscord(params types.Params) {
 	}
 	var color int
+	var mention string
 	switch params.Priority {
 	case 1:
 		color = 0x339900
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[4].MentionThreshold {
+			mention = "@here"
+		}
 	case 2:
 		color = 0x99cc33
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[3].MentionThreshold {
+			mention = "@here"
+		}
 	case 3:
 		color = 0xffcc00
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[2].MentionThreshold {
+			mention = "@here"
+		}
 	case 4:
 		color = 0xff9966
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[1].MentionThreshold {
+			mention = "@here"
+		}
 	case 5:
 		color = 0xcc3300
+		if params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= params.PriorityMaps[0].MentionThreshold {
+			mention = "@here"
+		}
 	}
 	message := types.Message{
 		Username: params.Sender,
+		Content: mention,
 		Embeds: []types.Embed{
 			{
 				Title: params.Sender,
diff --git a/wazuh-notify-go/services/init.go b/wazuh-notify-go/services/init.go
index df7fd29..88aabb6 100644
--- a/wazuh-notify-go/services/init.go
+++ b/wazuh-notify-go/services/init.go
@@ -36,7 +36,10 @@ func InitNotify() types.Params {
 		log.Log("yaml failed to load")
 		yamlFile, err = os.ReadFile(path.Join(BaseDirPath, "wazuh-notify-config.yaml"))
 	}
-	yaml.Unmarshal(yamlFile, &configParams)
+	err = yaml.Unmarshal(yamlFile, &configParams)
+	if err != nil {
+		print(err)
+	}
 	log.Log("yaml loaded")
 	configParamString, _ := json.Marshal(configParams)
@@ -59,6 +62,7 @@ func InitNotify() types.Params {
 	inputParams.FullMessage = configParams.FullMessage
 	inputParams.ExcludedAgents = configParams.ExcludedAgents
 	inputParams.ExcludedRules = configParams.ExcludedRules
+	inputParams.PriorityMaps = configParams.PriorityMaps
 	wazuhInput()
diff --git a/wazuh-notify-go/services/mapping.go b/wazuh-notify-go/services/mapping.go
index 051ff0f..c289491 100644
--- a/wazuh-notify-go/services/mapping.go
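Review bot: Each new `if` indexes `params.PriorityMaps[4]` through `[0]` without checking the slice length, so a `priority_map` with fewer than five entries — or the empty slice a failed `yaml.Unmarshal` leaves behind — panics with an index out of range inside the notifier instead of delivering the alert. A second problem is that a `mention_threshold` missing from the YAML unmarshals to 0, and `Firedtimes >= 0` is always true, so such an entry @here-mentions on every single alert. The five copies of the check differ only in the index, which is `5 - params.Priority`, so one guarded lookup after the switch replaces them all; `mapPriority` in mapping.go has the same unchecked indexing. SendDiscord begins and ends outside this hunk.
```go
	var color int
	var mention string
	switch params.Priority {
	// … unchanged: color per priority …
	}
	// Priority p lives at PriorityMaps[5-p]; guard the index so a short or
	// empty priority_map cannot panic, and treat a zero threshold as "never".
	if idx := 5 - params.Priority; params.Priority >= 1 && idx >= 0 && idx < len(params.PriorityMaps) {
		threshold := params.PriorityMaps[idx].MentionThreshold
		if threshold > 0 && params.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= threshold {
			mention = "@here"
		}
	}
```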
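Review bot: The new error branch reports a YAML parse failure through the builtin `print` and then falls through, so `log.Log("yaml loaded")` is still emitted and `InitNotify` continues with a zero-valued `configParams` (no excluded rules or agents, no priority map). A config that does not parse should go through the same `log.Log` the surrounding lines use and stop startup, e.g. `log.Log("yaml parse failed: " + err.Error())` followed by `os.Exit(1)`; the `os.ReadFile` result on the context line above is likewise never checked, so a missing file reaches `yaml.Unmarshal` as empty bytes. The second hunk, where `configParams.PriorityMaps` is copied into `inputParams`, is also the natural place to reject a list that does not have exactly five entries, giving a clear startup error instead of an index-out-of-range panic later in `SendDiscord` and `mapPriority`. `InitNotify` begins and ends outside both hunks.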
+++ b/wazuh-notify-go/services/mapping.go
@@ -3,19 +3,19 @@ package services
 import "slices"
 func mapPriority() int {
-	if slices.Contains(configParams.Priority1, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[4].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 1
 	}
-	if slices.Contains(configParams.Priority2, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[3].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 2
 	}
-	if slices.Contains(configParams.Priority3, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[2].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 3
 	}
-	if slices.Contains(configParams.Priority4, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[1].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 4
 	}
-	if slices.Contains(configParams.Priority5, wazuhData.Parameters.Alert.Rule.Level) {
+	if slices.Contains(configParams.PriorityMaps[0].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {
 		return 5
 	}
 	return 0
diff --git a/wazuh-notify-go/types/types.go b/wazuh-notify-go/types/types.go
index 6293259..d4971be 100644
--- a/wazuh-notify-go/types/types.go
+++ b/wazuh-notify-go/types/types.go
@@ -11,11 +11,12 @@ type Params struct {
 	ExcludedRules string `yaml:"excluded_rules,omitempty"`
 	ExcludedAgents string `yaml:"excluded_agents,omitempty"`
 	WazuhMessage WazuhMessage
-	Priority1 []int `yaml:"priority_1"`
-	Priority2 []int `yaml:"priority_2"`
-	Priority3 []int `yaml:"priority_3"`
-	Priority4 []int `yaml:"priority_4"`
-	Priority5 []int `yaml:"priority_5"`
+	PriorityMaps []PriorityMap `yaml:"priority_map"`
+}
+
+type PriorityMap struct {
+	ThreatMap []int `yaml:"threat_map"`
+	MentionThreshold int `yaml:"mention_threshold"`
 }
 type Message struct {
diff --git a/wazuh-notify-go/wazuh-notify-config.yaml b/wazuh-notify-go/wazuh-notify-config.yaml
index e3ea1f6..b79d5b1 100644
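Review bot: `mapPriority` now indexes `configParams.PriorityMaps[4]` through `[0]` unconditionally, so any config whose `priority_map` has fewer than five entries (including the empty slice left by a failed parse) panics on the first call instead of returning 0. The five `if` blocks differ only in the index and the returned priority, which are tied by `priority = 5 - index` — the same arithmetic `SendDiscord` uses — so a loop over the slice removes the duplication and tolerates a short list. Walking from the last entry upward keeps the existing precedence, where a level listed in two maps resolves to the lower priority.
```go
func mapPriority() int {
	level := wazuhData.Parameters.Alert.Rule.Level
	pms := configParams.PriorityMaps
	// Entry 0 is priority 5, entry 4 is priority 1. Walk upward from the
	// last entry so the lookup order matches the original if-chain.
	for i := len(pms) - 1; i >= 0; i-- {
		if slices.Contains(pms[i].ThreatMap, level) {
			return 5 - i
		}
	}
	return 0
}
```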
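Review bot: `PriorityMap` and the new `PriorityMaps` field are exported but carry no doc comment, and the one thing a reader needs — that the list is positional, with entry 0 being priority 5 and entry 4 priority 1 — is only discoverable from the index arithmetic in mapping.go and discord.go. I would add `// PriorityMap groups the Wazuh rule levels that share one notification priority with the fired-count at which Discord is @here-mentioned.` above the type, and on the field `// PriorityMaps is ordered from priority 5 (index 0) down to priority 1 (index 4); exactly five entries are expected.` A zero `MentionThreshold` also deserves a comment, since with the current comparison it means "mention on every alert". `Params` begins outside this hunk.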
--- a/wazuh-notify-go/wazuh-notify-config.yaml
+++ b/wazuh-notify-go/wazuh-notify-config.yaml
@@ -5,7 +5,7 @@
 # The yaml needs to be in the same folder as the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py
 targets: "discord,ntfy"
-full_message: "discord,ntfy"
+full_message: "ntfy"
 # Exclude rules that are listed in the ossec.conf active response definition.
@@ -13,12 +13,25 @@ excluded_rules: "5401,5403"
 excluded_agents: "999"
 # Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification)
+# Discord mention after x amount of event fired times
+
+priority_map:
+  -
+    threat_map: [15,14,13,12]
+    mention_threshold: 1
+  -
+    threat_map: [11,10,9]
+    mention_threshold: 1
+  -
+    threat_map: [8,7,6]
+    mention_threshold: 5
+  -
+    threat_map: [5,4]
+    mention_threshold: 5
+  -
+    threat_map: [3,2,1,0]
+    mention_threshold: 5
-priority_5: [15,14,13,12]
-priority_4: [11,10,9]
-priority_3: [8,7,6]
-priority_2: [5,4]
-priority_1: [3,2,1,0]
 sender: "Wazuh (IDS)"
 click: "https://google.com"
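Review bot: The new `priority_map` list is positional — its first entry is priority 5 and its last is priority 1, mirroring the removed `priority_5`…`priority_1` keys — but nothing in the file says so, and an operator who reorders or drops an entry silently changes which levels alert and which mention. I would extend the added comment to `# priority_map entries are ordered from priority 5 (first) to priority 1 (last); exactly five are required. mention_threshold is the fired-count at or above which Discord is @here-mentioned.` The surviving comment above it still says "from 1-12" while the maps now cover levels 0-15, so that line should be corrected at the same time.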