first sync

wazuh/.env

@@ -0,0 +1,85 @@
+################
+# Velociraptor #
+################
+VELOX_USER=admin
+VELOX_PASSWORD=admin
+VELOX_ROLE=administrator
+VELOX_SERVER_URL=https://Velociraptor:8000/
+VELOX_FRONTEND_HOSTNAME=Velociraptor
+
+
+###########
+# CoPilot #
+###########
+# Leave this as is if connecting from a remote machine
+SERVER_IP=0.0.0.0
+
+MYSQL_URL=copilot-mysql
+# ! Avoid using special characters in the password ! #
+MYSQL_ROOT_PASSWORD=REPLACE_WITH_PASSWORD
+MYSQL_USER=copilot
+# ! Avoid using special characters in the password ! #
+MYSQL_PASSWORD=REPLACE_WITH_PASSWORD
+
+MINIO_URL=copilot-minio
+MINIO_ROOT_USER=admin
+# ! Make the password at least 8 characters long ! #
+MINIO_ROOT_PASSWORD=REPLACE_ME
+MINIO_SECURE=False
+
+# ! ALERT FORWARDING IP
+# Set this to the IP of the host running CoPilot. This is used by Graylog to forward alerts to CoPilot
+# ! Not needed anymore since we are reading from the index now
+# ! Ensure Graylog is able to reach this IP and port 5000
+ALERT_FORWARDING_IP=0.0.0.0
+
+# Connector Credentials
+# ! SETTING UP YOUR CONNECTORS DEMOs https://www.youtube.com/@taylorwalton_socfortress/videos! #
+WAZUH_INDEXER_URL=https://wazuh.indexer:9200
+WAZUH_INDEXER_USERNAME=admin
+WAZUH_INDEXER_PASSWORD=SecretPassword
+
+WAZUH_MANAGER_URL=https://wazuh.manager:55000
+WAZUH_MANAGER_USERNAME=wazuh-wui
+WAZUH_MANAGER_PASSWORD=MyS3cr37P450r.*-
+
+GRAYLOG_URL=http://graylog:9000
+GRAYLOG_USERNAME=admin
+GRAYLOG_PASSWORD=yourpassword
+
+SHUFFLE_URL=https://127.1.1.1
+SHUFFLER_API_KEY=dummy
+SHUFFLE_WORKFLOW_ID=dummy
+
+VELOCIRAPTOR_URL=https://velociraptor:8889
+VELOCIRAPTOR_API_KEY_PATH=dummy
+
+SUBLIME_URL=http://127.1.1.1
+SUBLIME_API_KEY=dummy
+
+INFLUXDB_URL=http://127.1.1.1
+INFLUXDB_API_KEY=dummy
+INFLUXDB_ORG_AND_BUCKET=dummy,dummy
+
+GRAFANA_URL=http://grafana:3000
+GRAFANA_USERNAME=admin
+GRAFANA_PASSWORD=admin
+
+WAZUH_WORKER_PROVISIONING_URL=http://127.1.1.1
+
+EVENT_SHIPPER_URL=graylog_host
+GELF_INPUT_PORT=gelf_port
+
+ALERT_CREATION_PROVISIONING_URL=http://127.1.1.1
+
+HAPROXY_PROVISIONING_URL=http://127.1.1.1
+
+# VirusTotal
+VIRUSTOTAL_URL=https://www.virustotal.com/api/v3
+VIRUSTOTAL_API_KEY=REPLACE_ME
+
+# Portainer
+PORTAINER_URL=http://127.1.1.1:9000
+PORTAINER_USERNAME=admin
+PORTAINER_PASSWORD=admin
+PORTAINER_ENDPOINT_ID=2

wazuh/README.md

@@ -0,0 +1,24 @@
+# Deploy Wazuh Docker in single node configuration
+
+This deployment is defined in the `docker-compose.yml` file with one Wazuh manager containers, one Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps: 
+
+1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
+```
+$ sysctl -w vm.max_map_count=262144
+```
+2) Run the certificate creation script:
+```
+$ docker-compose -f generate-indexer-certs.yml run --rm generator
+```
+3) Start the environment with docker-compose:
+
+- In the foregroud:
+```
+$ docker-compose up
+```
+- In the background:
+```
+$ docker-compose up -d
+```
+
+The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

wazuh/config/certs.yml

@@ -0,0 +1,16 @@
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    - name: wazuh.indexer
+      ip: wazuh.indexer
+
+  # Wazuh server nodes
+  # Use node_type only with more than one Wazuh manager
+  server:
+    - name: wazuh.manager
+      ip: wazuh.manager
+
+  # Wazuh dashboard node
+  dashboard:
+    - name: wazuh.dashboard
+      ip: wazuh.dashboard

wazuh/config/wazuh_cluster/wazuh_manager.conf

@@ -0,0 +1,389 @@
+<ossec_config>
+  <global>
+    <jsonout_output>yes</jsonout_output>
+    <alerts_log>yes</alerts_log>
+    <logall>no</logall>
+    <logall_json>no</logall_json>
+    <email_notification>no</email_notification>
+    <smtp_server>smtp.example.wazuh.com</smtp_server>
+    <email_from>wazuh@example.wazuh.com</email_from>
+    <email_to>recipient@example.wazuh.com</email_to>
+    <email_maxperhour>12</email_maxperhour>
+    <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+  </global>
+
+  <alerts>
+    <log_alert_level>3</log_alert_level>
+    <email_alert_level>12</email_alert_level>
+  </alerts>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <remote>
+    <connection>secure</connection>
+    <port>1514</port>
+    <protocol>tcp</protocol>
+    <queue_size>131072</queue_size>
+  </remote>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <vulnerability-detector>
+    <enabled>no</enabled>
+    <interval>5m</interval>
+    <min_full_scan_interval>6h</min_full_scan_interval>
+    <run_on_start>yes</run_on_start>
+
+    <!-- Ubuntu OS vulnerabilities -->
+    <provider name="canonical">
+      <enabled>no</enabled>
+      <os>trusty</os>
+      <os>xenial</os>
+      <os>bionic</os>
+      <os>focal</os>
+      <os>jammy</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Debian OS vulnerabilities -->
+    <provider name="debian">
+      <enabled>no</enabled>
+      <os>buster</os>
+      <os>bullseye</os>
+      <os>bookworm</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- RedHat OS vulnerabilities -->
+    <provider name="redhat">
+      <enabled>no</enabled>
+      <os>5</os>
+      <os>6</os>
+      <os>7</os>
+      <os>8</os>
+      <os>9</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <os>amazon-linux-2023</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- SUSE Linux Enterprise OS vulnerabilities -->
+    <provider name="suse">
+      <enabled>no</enabled>
+      <os>11-server</os>
+      <os>11-desktop</os>
+      <os>12-server</os>
+      <os>12-desktop</os>
+      <os>15-server</os>
+      <os>15-desktop</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Alma Linux OS vulnerabilities -->
+    <provider name="almalinux">
+      <enabled>no</enabled>
+      <os>8</os>
+      <os>9</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Windows OS vulnerabilities -->
+    <provider name="msu">
+      <enabled>yes</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Aggregate vulnerabilities -->
+    <provider name="nvd">
+      <enabled>yes</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+  </vulnerability-detector>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Generate alert when new file detected -->
+    <alert_new_files>yes</alert_new_files>
+
+    <!-- Don't ignore files that change more than 'frequency' times -->
+    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Active response -->
+  <global>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+  </global>
+
+  <command>
+    <name>disable-account</name>
+    <executable>disable-account</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
+  </command>
+
+  <command>
+    <name>firewall-drop</name>
+    <executable>firewall-drop</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>host-deny</name>
+    <executable>host-deny</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>route-null</name>
+    <executable>route-null</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null</name>
+    <executable>route-null.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh</name>
+    <executable>netsh.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <!--
+  <active-response>
+    active-response options here
+  </active-response>
+  -->
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+    <list>etc/lists/amazon/aws-eventnames</list>
+    <list>etc/lists/security-eventchannel</list>
+
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
+  <!-- Configuration for wazuh-authd -->
+  <auth>
+    <disabled>no</disabled>
+    <port>1515</port>
+    <use_source_ip>no</use_source_ip>
+    <purge>yes</purge>
+    <use_password>no</use_password>
+    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+    <!-- <ssl_agent_ca></ssl_agent_ca> -->
+    <ssl_verify_host>no</ssl_verify_host>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
+    <ssl_auto_negotiate>no</ssl_auto_negotiate>
+  </auth>
+
+  <cluster>
+    <name>wazuh</name>
+    <node_name>node01</node_name>
+    <node_type>master</node_type>
+    <key>aa093264ef885029653eea20dfcf51ae</key>
+    <port>1516</port>
+    <bind_addr>0.0.0.0</bind_addr>
+    <nodes>
+        <node>wazuh.manager</node>
+    </nodes>
+    <hidden>no</hidden>
+    <disabled>yes</disabled>
+  </cluster>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <integration>
+    <name>custom-misp.py</name>
+    <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
+    <alert_format>json</alert_format>
+  </integration>
+
+  <integration>
+    <name>custom-iris.py</name>
+    <hook_url>https://iriswebapp_nginx:8443/alerts/add</hook_url>
+    <level>6</level>
+    <group>ossec,syslog,syscheck,authentication_failed,pam,pfsense,suricata,misp_alert</group>
+    <api_key>APIKEY</api_key>
+    <alert_format>json</alert_format>
+  </integration>
+
+</ossec_config>

wazuh/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -0,0 +1,12 @@
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: https://wazuh.indexer:9200
+opensearch.ssl.verificationMode: certificate
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wazuh

wazuh/config/wazuh_dashboard/wazuh.yml

@@ -0,0 +1,15 @@
+hosts:
+  - 1513629884013:
+      url: "https://wazuh.manager"
+      port: 55000
+      username: wazuh-wui
+      password: "MyS3cr37P450r.*-"
+      run_as: false
+
+customization.enabled: true
+customization.logo.app: '/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/test.jpg'
+#customization.logo.sidebar: 'custom/images/customization.logo.sidebar.png'
+#customization.logo.healthcheck: 'custom/images/customization.logo.healthcheck.svg'
+#customization.logo.reports: 'custom/images/customization.logo.reports.jpg'
+customization.reports.footer: 'T-Guard'
+customization.reports.header: 'T-Guard'

wazuh/config/wazuh_indexer/internal_users.yml

@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"
+
+kibanaserver:
+  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+  reserved: true
+  description: "Demo kibanaserver user"
+
+kibanaro:
+  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo kibanaro user"
+
+logstash:
+  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+  reserved: false
+  backend_roles:
+  - "logstash"
+  description: "Demo logstash user"
+
+readall:
+  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"
+
+snapshotrestore:
+  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+  description: "Demo snapshotrestore user"

wazuh/config/wazuh_indexer/wazuh.indexer.yml

@@ -0,0 +1,30 @@
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+http.port: 9200-9299
+transport.tcp.port: 9300-9399
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false

wazuh/config/wazuh_indexer_ssl_certs/admin-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMeuq9wQ/+G5Ei
+Uu+rMGfQ0ad5z0zqg6YRLFjNeRMJ5J2V+XlaVVJ2m0CIW3fjmvzgL2s/BCPdgiSJ
+esjT7jfbESBvGnvHZqTkW7ScyZs8ovrf4twuc8OahPl6eDTm9GkJ1yRIJmQrv0Pu
+JsSWz8evvpmC9k0+gKPUjZ2t3rnIg/J5P6GRjAhDhgnLBTiPmKFsbD5spiwuLPBL
+WbICJH+c2lb/sQoKNReF0GvQctb1LUwiFdONwDu4Hexn/GACECPmfIBASZDToDsn
+qSs9i61LrYzhDFSNKDNIlWyBAYjlB3hxd2PR4YHVpS1Wc9foFFwBsTgYCg5ds971
+fedNKnr1AgMBAAECggEBAMYmRtvi/rBr3lS4se/eVHwS7ownyo1nTcJOiy9yKHTp
+yZvPyT00eVjeUcbRfHhfdLV6vh6u0GKS/v0KsxpMOmxbSGbh7xjn6tov0/Irm/dC
+qIHUwTFylRZjza5UVk+IgVE73rjcGy4ZhqZ9gvvyFbvEo9Y4/9mVpy0OnsIilz4q
+gqg3Fry2gW+50tq2xx0SvezEXqhhCuOUgNtMxKZhCISCXOonwBFaU7Xghk3DRHLO
+HVJljEaPuVLPmAOFTyXjLK1LfCPgnrpwEB4RBMi3cYpuF0yNcqWA7SxLfvKLJY9i
+5juDfKFHvp8c0+gsOM9LxagZyiZ9TmznOxVAU9rXFQECgYEA9Ep6+4eSetiETBRB
+mOFJVB7XgsYEMK1H+cQgCM0X//7hUEskkYeLz7j18bx31FwGVuVQ3Zkp7HsIzDK4
+1PK85eeKNSHbpF7brGoZ6iptC7AwgC26J2UnwT5yVBIQtnwRh5Or7NHvpWCJvaYs
+TjcSAVQ9e4FRu8HrYe1pyBGG0JECgYEA1kfyXT14PurnrKLw9PoqXbP9t+g557/H
+vqCU6BgVWuFoWzmVs2ggsK+KBIJTlhNgpiGWxV+eMdF70vIWC/lfAJgPEaO5GWGZ
+7oIXAaLU3wg2ueCP0k1QdTYKOB/1B6QeHYD+l+O58ZWdgx0p+ouApjgB6Jsj4cOi
+iF1gbqWT9iUCgYA706m+w/r5nuD3iNZvzGya71q0Ki6IhUdlQcTeouvHw/IGKgDw
+qxNwccm5xABMv6TFzy84tfPweEk1SQ6/CBt+6m+Mh5g07w45cVqbYHyIKkQWgBxg
+3YMY7mQtdqclKclZPK8UNm3MQJI7IeEj3pTIQos0Hf2YT+uHdg878h7kIQKBgFnk
+QstUry4N03S7wkOy8rTufiB5flk3Pe89ZFpdSBAhAWtLo/5oT1ZvvYGYvsH1jRUE
+gEB6lV2m2MAsqI0LZwxTvfaTbWI1bKL+1fHswkpyIqslhpAduQQC0JSs61jyQ2Pz
+KlrDwMyVDEfloyelACo60qom8w2RyYxVR9ADDCg1AoGAJu1oxDp6uI6ds+EouKFc
+v/w7IJmXBdHsao0HWEiXxsJXTTfPMJ/0408ppqDYuYD9BibKCjtnsL61Y66rwvi5
+OSFXjv7CcrwNm8T4CjbOU/tsguOJROxLN9ScRqnVZRjHHp+aPLJ6MPEJiBl7Ue1p
+BIhDtdMxjblMhoKKyxYnRzc=
+-----END PRIVATE KEY-----

wazuh/config/wazuh_indexer_ssl_certs/admin.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfYCFHU8JieJwYnPO9ZiXj+WPRNy5TkKMA0GCSqGSIb3DQEBCwUAMDUx
+DjAMBgNVBAsMBVdhenVoMQ4wDAYDVQQKDAVXYXp1aDETMBEGA1UEBwwKQ2FsaWZv
+cm5pYTAeFw0yMzExMTYwNTU5NTZaFw0zMzExMTMwNTU5NTZaMFIxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQHDApDYWxpZm9ybmlhMQ4wDAYDVQQKDAVXYXp1aDEOMAwGA1UE
+CwwFV2F6dWgxDjAMBgNVBAMMBWFkbWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAzHrqvcEP/huRIlLvqzBn0NGnec9M6oOmESxYzXkTCeSdlfl5WlVS
+dptAiFt345r84C9rPwQj3YIkiXrI0+432xEgbxp7x2ak5Fu0nMmbPKL63+LcLnPD
+moT5eng05vRpCdckSCZkK79D7ibEls/Hr76ZgvZNPoCj1I2drd65yIPyeT+hkYwI
+Q4YJywU4j5ihbGw+bKYsLizwS1myAiR/nNpW/7EKCjUXhdBr0HLW9S1MIhXTjcA7
+uB3sZ/xgAhAj5nyAQEmQ06A7J6krPYutS62M4QxUjSgzSJVsgQGI5Qd4cXdj0eGB
+1aUtVnPX6BRcAbE4GAoOXbPe9X3nTSp69QIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQA+monzlG3EIOvQXMFNXbkYtez4hHP3/+zSFAl+WDU7tVhXB2GRs8WdvKGkVUpG
+eyOqPxQXMoprgbVy28/qmr8HNerAuMVJWfQiRj9YHkXfcpqqSxItyG+cVuhfmXBy
+CDEzGHRSweQpLV+3LpLGEMLE5MVw+m0W9LwwTA5+YHaVkSXvjqbF5h5GDsduGWcc
+MIsUO1izqbEI7xDen72+Lxx0Bfyf2zEpS2ylYjWKSXOpUeklaXLhgLS92Vy6zftK
+O+RGc1LSHbEOXR9HUxbBLP7ONFYrqAbaLGstupEr9tQCN9W/NChlq0g3Wt06jA1D
+3bOfnEoZhpd6tYDlcbX+59o5
+-----END CERTIFICATE-----

wazuh/config/wazuh_indexer_ssl_certs/root-ca-manager.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPQM1ErS3zxAWL
+hJQEysb/qs2HLgVZ6dP9nnfVkey8jjTdhgck7dsD4XkGrc+fJ468RnErnZO4D+NZ
+SINa8OzEulgFetwhOET5aS0NHakCKvAvWkvpBdFw9ylOQLhuEwqIRgvwYrFUQf3L
+mlIIWHtPXZUIR2yPgQ6ZzoppUcL81VBoBcuD0DrFEVZFeb1Vy/16/Jrn+YxM40ew
+3NNcafF+DZ9kcq552Nn2Fyih1Ql97KoqXtvLX0Y2kWEhdqukTxO2i6uXIoKi9ipS
+8XOE4VvaKvDKVI6GfR0O4C3bCNMnsPTy6VuormzOb/Z2URe9R+8InoiSNspxKTQR
+9nGZDUiTAgMBAAECggEBAJuhYMMKfLBJaZSMGQ7EKs0AONgi4dfT8+HGZtxUeP5a
+ly4mICVGC6oNXXF7gaZU8SVGjGMhMDUOkT2RazoWIuXTvJdY3AaCF6FmrnLj6+75
+yWT1nH0+Zjk7EKR3i0b1O3p7hymbIuhPqcKDfshPkUFW17vgzo+wbQNoip1tzUtH
+lZLpqIkKa0RKxdPyKtyR7pBFvcltWl4NiPhDQfQe2V0mlbQsTcSb7mDx7Bro/Svw
+8kAv2+ynb47LS/M5Po/G2QFY0p8j0BknKOvgCV3g2/t/AqzWTrFth/uD0TVyKqWN
+ow56OV1aGyBmWadQ9Yk4L9m2lKiSjAdrz3YDf3HFpnkCgYEA8Mk8LdtcjelmAAy2
+icrH7DyqLlMdj6sKro93LJHoFXnN5uuZxbfQ+M34rwpqfCGj1UKvIrqitGXTxRUR
+7rmb4k/Qg8udc5oOwwU4nkqTfNuSYhXhNNtAgXXslMjqwfTYHFv2WHyCEcxVAdY/
+D/nI6IYdj2lWIH0bCL+QZWE9CoUCgYEA3FkqF74Q3oGdOotDqacsutAtAw4pQwWb
+sx1pSAQdJ12kuJPNqxMT3V19Hh9d5pqw2O+Pvb6Q3MCgQbcQ69UZgoSzMl2La1zz
+Bi3drTMig58m4+w++u8FcJPkI68PtE4RJzh7UWk3AFI+MVvi4EZ4cywdLbP63NPv
+QUz70rBlzjcCgYEAqHVx1/df4p1HUoOSdgbcJmgu/CgER45387bFvvX5tIS6THPK
+6qx21ItuEDCuXVg/wiVcWGTRDnsrVPgvyqAq8oO6s2qSJt3CtCiD+yLb2v/Xgy4h
+mJRIpgp10YZb0ATX6cdhK3k4mvElDBrzld7A9AVYywv8SNCeSFmV0YfdZ+0CgYEA
+xqzyohOyvB0b+hRlfsuILizT2QRkudSNrbNgIRnse3kYs4A5Gf4KlDbeQFHB5dIm
+kIN4FHqFvTVFidsZO7qZ1K/3rvrfYX+edDzYunj3rrvKYgm6Q6FOQ1JlirMmsskM
++FMaBa6bdAOzpeeWqeeAZUAqUvILyB6jhDp4eGCqeoMCgYBeg/UVzGg89vPmPmmQ
+5msnvSRl10gNgbH0yQdTxtOpPf4Ijdw8AMYg/8j4yyCfEOXl3iM5FV01f6hi+cuo
+8M17tHjeKlNBaIUckdBhg8BDw0U9+NiBwKg0fmB/EMe6UIAwrZqeV10ki31C31zR
+FwrY8NpqhVNlylz2QBBEDiRhVA==
+-----END PRIVATE KEY-----

wazuh/config/wazuh_indexer_ssl_certs/root-ca-manager.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUM81087nocIXDreRrfobHVf90I0owDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIzMTExNjA1NTk1NloXDTMzMTExMzA1NTk1NlowNTEOMAwG
+A1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApDYWxpZm9ybmlh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz0DNRK0t88QFi4SUBMrG
+/6rNhy4FWenT/Z531ZHsvI403YYHJO3bA+F5Bq3PnyeOvEZxK52TuA/jWUiDWvDs
+xLpYBXrcIThE+WktDR2pAirwL1pL6QXRcPcpTkC4bhMKiEYL8GKxVEH9y5pSCFh7
+T12VCEdsj4EOmc6KaVHC/NVQaAXLg9A6xRFWRXm9Vcv9evya5/mMTONHsNzTXGnx
+fg2fZHKuedjZ9hcoodUJfeyqKl7by19GNpFhIXarpE8TtourlyKCovYqUvFzhOFb
+2irwylSOhn0dDuAt2wjTJ7D08ulbqK5szm/2dlEXvUfvCJ6IkjbKcSk0EfZxmQ1I
+kwIDAQABo1MwUTAdBgNVHQ4EFgQUfGEYJ8H9uEDl8/FJwlD00le56WQwHwYDVR0j
+BBgwFoAUfGEYJ8H9uEDl8/FJwlD00le56WQwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAc4knRZ6+VFLyEWDZeC7gg51YFoM/uSuskN3icQmrVm5x
+nGbYF//5KBVk71HalX8pNFPvigOgjU00zTASVFCZmfRxPLZ4MkVR5GeH+FnfG8XH
+uU4hFvYFT00h6vLDTELkdxuQArMe4AugXKORFRfXVtii7tYdz9Q0T188GaLQ8+uC
+LWcvBj7qrTR13DUE1tP797dgob61qMY/cXECxX5wpMazmS8ZASl7DoRsxSlE0hBf
+QosPUcBPiFmLDmTrfz0uZlCyjCqpL3l/lcCPdz18Rh6isMoDnNMC77R6v5lZWlZ0
+EeXFCcGkceD7fBHPfN9UtW292uE8zdy0I7Y9CaBSqA==
+-----END CERTIFICATE-----

wazuh/config/wazuh_indexer_ssl_certs/root-ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPQM1ErS3zxAWL
+hJQEysb/qs2HLgVZ6dP9nnfVkey8jjTdhgck7dsD4XkGrc+fJ468RnErnZO4D+NZ
+SINa8OzEulgFetwhOET5aS0NHakCKvAvWkvpBdFw9ylOQLhuEwqIRgvwYrFUQf3L
+mlIIWHtPXZUIR2yPgQ6ZzoppUcL81VBoBcuD0DrFEVZFeb1Vy/16/Jrn+YxM40ew
+3NNcafF+DZ9kcq552Nn2Fyih1Ql97KoqXtvLX0Y2kWEhdqukTxO2i6uXIoKi9ipS
+8XOE4VvaKvDKVI6GfR0O4C3bCNMnsPTy6VuormzOb/Z2URe9R+8InoiSNspxKTQR
+9nGZDUiTAgMBAAECggEBAJuhYMMKfLBJaZSMGQ7EKs0AONgi4dfT8+HGZtxUeP5a
+ly4mICVGC6oNXXF7gaZU8SVGjGMhMDUOkT2RazoWIuXTvJdY3AaCF6FmrnLj6+75
+yWT1nH0+Zjk7EKR3i0b1O3p7hymbIuhPqcKDfshPkUFW17vgzo+wbQNoip1tzUtH
+lZLpqIkKa0RKxdPyKtyR7pBFvcltWl4NiPhDQfQe2V0mlbQsTcSb7mDx7Bro/Svw
+8kAv2+ynb47LS/M5Po/G2QFY0p8j0BknKOvgCV3g2/t/AqzWTrFth/uD0TVyKqWN
+ow56OV1aGyBmWadQ9Yk4L9m2lKiSjAdrz3YDf3HFpnkCgYEA8Mk8LdtcjelmAAy2
+icrH7DyqLlMdj6sKro93LJHoFXnN5uuZxbfQ+M34rwpqfCGj1UKvIrqitGXTxRUR
+7rmb4k/Qg8udc5oOwwU4nkqTfNuSYhXhNNtAgXXslMjqwfTYHFv2WHyCEcxVAdY/
+D/nI6IYdj2lWIH0bCL+QZWE9CoUCgYEA3FkqF74Q3oGdOotDqacsutAtAw4pQwWb
+sx1pSAQdJ12kuJPNqxMT3V19Hh9d5pqw2O+Pvb6Q3MCgQbcQ69UZgoSzMl2La1zz
+Bi3drTMig58m4+w++u8FcJPkI68PtE4RJzh7UWk3AFI+MVvi4EZ4cywdLbP63NPv
+QUz70rBlzjcCgYEAqHVx1/df4p1HUoOSdgbcJmgu/CgER45387bFvvX5tIS6THPK
+6qx21ItuEDCuXVg/wiVcWGTRDnsrVPgvyqAq8oO6s2qSJt3CtCiD+yLb2v/Xgy4h
+mJRIpgp10YZb0ATX6cdhK3k4mvElDBrzld7A9AVYywv8SNCeSFmV0YfdZ+0CgYEA
+xqzyohOyvB0b+hRlfsuILizT2QRkudSNrbNgIRnse3kYs4A5Gf4KlDbeQFHB5dIm
+kIN4FHqFvTVFidsZO7qZ1K/3rvrfYX+edDzYunj3rrvKYgm6Q6FOQ1JlirMmsskM
++FMaBa6bdAOzpeeWqeeAZUAqUvILyB6jhDp4eGCqeoMCgYBeg/UVzGg89vPmPmmQ
+5msnvSRl10gNgbH0yQdTxtOpPf4Ijdw8AMYg/8j4yyCfEOXl3iM5FV01f6hi+cuo
+8M17tHjeKlNBaIUckdBhg8BDw0U9+NiBwKg0fmB/EMe6UIAwrZqeV10ki31C31zR
+FwrY8NpqhVNlylz2QBBEDiRhVA==
+-----END PRIVATE KEY-----

wazuh/config/wazuh_indexer_ssl_certs/root-ca.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUM81087nocIXDreRrfobHVf90I0owDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIzMTExNjA1NTk1NloXDTMzMTExMzA1NTk1NlowNTEOMAwG
+A1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApDYWxpZm9ybmlh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz0DNRK0t88QFi4SUBMrG
+/6rNhy4FWenT/Z531ZHsvI403YYHJO3bA+F5Bq3PnyeOvEZxK52TuA/jWUiDWvDs
+xLpYBXrcIThE+WktDR2pAirwL1pL6QXRcPcpTkC4bhMKiEYL8GKxVEH9y5pSCFh7
+T12VCEdsj4EOmc6KaVHC/NVQaAXLg9A6xRFWRXm9Vcv9evya5/mMTONHsNzTXGnx
+fg2fZHKuedjZ9hcoodUJfeyqKl7by19GNpFhIXarpE8TtourlyKCovYqUvFzhOFb
+2irwylSOhn0dDuAt2wjTJ7D08ulbqK5szm/2dlEXvUfvCJ6IkjbKcSk0EfZxmQ1I
+kwIDAQABo1MwUTAdBgNVHQ4EFgQUfGEYJ8H9uEDl8/FJwlD00le56WQwHwYDVR0j
+BBgwFoAUfGEYJ8H9uEDl8/FJwlD00le56WQwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAc4knRZ6+VFLyEWDZeC7gg51YFoM/uSuskN3icQmrVm5x
+nGbYF//5KBVk71HalX8pNFPvigOgjU00zTASVFCZmfRxPLZ4MkVR5GeH+FnfG8XH
+uU4hFvYFT00h6vLDTELkdxuQArMe4AugXKORFRfXVtii7tYdz9Q0T188GaLQ8+uC
+LWcvBj7qrTR13DUE1tP797dgob61qMY/cXECxX5wpMazmS8ZASl7DoRsxSlE0hBf
+QosPUcBPiFmLDmTrfz0uZlCyjCqpL3l/lcCPdz18Rh6isMoDnNMC77R6v5lZWlZ0
+EeXFCcGkceD7fBHPfN9UtW292uE8zdy0I7Y9CaBSqA==
+-----END CERTIFICATE-----

wazuh/config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDv15K/sEN44ELb
+DTl+OTF/FXbGUQS8ZsCYq64tqUxrl6yGuuHRXZAWrEZSj/qhXeRzrW2q66OUffKi
+pGm/ALNoFP75unuV5OerMIE68KZN4yJv967F2M/A0bO3QgmxIl2DYbzNJl/+echn
+c+HeUKc/pRHt43HERLyHRId5B0gk8FrgM27rhUsWNISIgEZYOd1M3lQkLp7xCq7e
+1wDBTz18cZUpHqOYeUPDJ+k/FLb5/T2t1w/366KHK5d/Eu6kNmUFI3emv8XY3vTQ
+FPzDaVHa0KoGqAD0bhJx3Tl5YHqprddRy4tLbgRPabHM49XcPU4VFaeDH+RCLCyq
+oQROCJ/PAgMBAAECggEAQJIdJBZkU+qslSTeUak8NialL4coa0COoYu2/PwTYvQW
+sr8lhKRX4oLG+/tfUopgsvQCDn4aMCQoarkw7wdVRbRBYSJfm19hL6mDYUbgvx9j
+ahmYqBNS+2p5o+DXkyTZYEGz/tdSCMTou1Frgdrc7DmYth8BxgFrcE922ZKoTakS
+nGzFcAjb+CdUEVAFcBA1gJpJt9V8pSroEndGP7KAV/CVe+VC/IX8/O8Z6lO7Pg3E
+5cOo3jjcJFYArQWF+Dk3P6Vbcx+wpyRHzMm5ucuJ/zFhnFV9mXZOM6Nx4AVNxWBI
+Kg9aRFSY7jers1Bppm9l9drQC61WTSCJ73atbFhkQQKBgQD8UtK3altTiOgWuO/1
+ZXQu4cl3RiCLVUarVYHcpi736M7Z2lFJmm1l93KuSl8Iw6ImPfZCSLSAvbp4LUod
+x6RzsqQ07PcQlVVuFn3n+tx2BAFIzaWdWzIT1UveY0nhLZHH2Sy6/N+Kn7QadFGy
+jJuEzkcwGdmHiMDQC81zBs9bSQKBgQDzVjGfO8bXGD+oXE0vk3O184dkwjV6AThq
+4USIO/bGYgA1S0e1jGV0AqrbwUPn3/uFMPVPbWBreeaEFdvO+qUaOcPB0bUnJhlb
+TEjtYie0KQ6gzlnShZ6LuoyETNQt9j9EMUzccO5Gkr2Dr66tkj4wgXhtrtdATv8x
+58ULokHKVwKBgQCuO2qxqEljx1eryQw5QVMWxGZfbBcw3zOrP6IqgL5SBXpASFZ1
+IqOEE3gnDcfNv3kKOyL+5kFt3JUUQwG4ypCuK57jxPVdiCCzoehS9ZCiFWXlpctE
+eyJ7O3/mEl2DlfniK/6NJ+wcRucQlV2MkzcYX3AcsNzaj/3EK0I0uXEZsQKBgQC6
+MqZd1fvc8y0iwx483XOZMvPTYdhRt0VYY29xX5EBVFQcc7I3dWrcTn43EbfIYlew
+HzpWwLcbBnghcih0RM65NqJYWQNpJXoZplHXc1g2P4R1//AzaxNakDCdu7xQPzFC
+GQdbVv68+eQSNAhRwKndq/Re2X7UMp6LrXHV6R62mQKBgDT34cF2ujsUX2rDbTWJ
+LbWProv3Vo4WwdS+MftgIAlUpr231+Ii5wS2lX8ifAAhcK4dvB0VRSV7HTPgrytf
+F0ZH8XkaO4J1mNFMMvcYTdaMsw5cRyC/+235GkHuuWjKI6RMwOL/Ekpj8NaSyXrr
+mHIMBOCO8pr5CSb8nKvoGLl3
+-----END PRIVATE KEY-----

wazuh/config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAl6gAwIBAgIUdTwmJ4nBic871mJeP5Y9E3LlOQ0wDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIzMTExNjA1NTk1NloXDTMzMTExMzA1NTk1NlowXDELMAkG
+A1UEBhMCVVMxEzARBgNVBAcMCkNhbGlmb3JuaWExDjAMBgNVBAoMBVdhenVoMQ4w
+DAYDVQQLDAVXYXp1aDEYMBYGA1UEAwwPd2F6dWguZGFzaGJvYXJkMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA79eSv7BDeOBC2w05fjkxfxV2xlEEvGbA
+mKuuLalMa5eshrrh0V2QFqxGUo/6oV3kc61tquujlH3yoqRpvwCzaBT++bp7leTn
+qzCBOvCmTeMib/euxdjPwNGzt0IJsSJdg2G8zSZf/nnIZ3Ph3lCnP6UR7eNxxES8
+h0SHeQdIJPBa4DNu64VLFjSEiIBGWDndTN5UJC6e8Qqu3tcAwU89fHGVKR6jmHlD
+wyfpPxS2+f09rdcP9+uihyuXfxLupDZlBSN3pr/F2N700BT8w2lR2tCqBqgA9G4S
+cd05eWB6qa3XUcuLS24ET2mxzOPV3D1OFRWngx/kQiwsqqEETgifzwIDAQABo1cw
+VTAfBgNVHSMEGDAWgBR8YRgnwf24QOXz8UnCUPTSV7npZDAJBgNVHRMEAjAAMAsG
+A1UdDwQEAwIE8DAaBgNVHREEEzARgg93YXp1aC5kYXNoYm9hcmQwDQYJKoZIhvcN
+AQELBQADggEBAI5jP9EaC505j0RR7lGA1KSMsyDfIpWciaFjowq9ggn8xjNzleWK
+Imeni+DTa5ffwM24mIzfnzhjsbnxZ3nBDWYR1Oq/h8Pf277v/yoGch8CXUEiIViv
+CMa+8k9pqrIZkZXoMLdhZI8wBmjK8aG4aLlPXCid/yFTzO+kkY2R2sDHvqDzQotz
+RugQdL7tKHP/8MPLf/AdXyH3oCgR+9hpwc8PaBwkLZLQTD19vMRaWYMpM5OamO17
+URcFQgQ1k9cNbE0VLAkNYw3NPC83UzbovXwPebItWT56Txgm5y3ZN75S5GtVsZyr
+MvfAKrJSZO5aRKDQ8J2dSGcBve3+Hyo9whI=
+-----END CERTIFICATE-----

wazuh/config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDkV+xhCK3/ReE0
+kUAlraTlG3zvR5jglgnlYlf6yrULnTy/putwJ50aUIA8PkTRc2Sor69NwSYr2jZ/
+eX2YbRxbgJW73zKZysLn7cuxUc1vJGAmwk6XUtIOxq4ToVSOppHND0GMEUn+W5af
+06X6YVEOw/R5eyBTZTmLzOZSVT+tMHQDSSp5NsX/pyV4fm/1Rlhs6xth9teRYRZY
+4S8FFE9NjkdBAUaUwkq5CCjxw8KCrOG7XgauAN+idYZRWhIq0Hx7irp0W8SOgZLT
+DKjx3uwCnPUmJfaoXmYR/oAmDoLq0RN1b2AJOQz6Qt3325jESYtx2cFTY6Z3Ap5J
+VQLfChFlAgMBAAECggEASKjJqN7QLyiXTtjhZpvompaynJlVxjE4GOvAPyd9kKKK
+EBoXVOrmDNeM1p6h21wyrZKp374UXWPkb4/DLVua6Gr0OoH9Yf6pIpACfvweuL0E
+c5Dk3TYXbWg/QDPX6kSKpIu0OdPOjcerGFSKvi91UZN9GaLaWG8fbqLWr2A9EOh+
+EPoDS0kNMCaTJy/tjIFJnme3KcMDLcQzekGARCF4earJtr2871uz+Z4J3lZ/Fzd9
+Ubgg964DWMqmZUcjL+hYJn/9zMSuxnnkFdW3ocaoOZmmPdXrsJBsA8od+u0vojIb
+EniwQac7/SPo+Tf6DoNy8AKkx5/cAdiLDUaWgbNWQQKBgQD+UFtzve6zVctyuJAT
+dKGhoiCNRWsRULscr+qD6AAD2LdbF6XoPtH/Mt19Urx9QqoZD0hlt3A15JByasL2
+Keou+1G6ZQY0kpJ6bzpAMJ2zV2jqZQTchz6iPfhhvgO5QyCKnbIrs9sQdwvMvlWy
+4puXnnDa5JjWAHlzK3m7XtNLnQKBgQDl23ymcBmj0pegBQ4ljPVENqFWlQTNb8VD
+aFTkJs4R0dmnxDX69jQ2inBBjbDB7UPD9878OVVh/fM6vglkPwViaJPjAYfAaQiG
+HVYo7UW23G5OFNLpMSep2ZhzDDRlWDgX2VZ+9115pc9C89V0RmvEmFf5brXzLsO8
+1TZxNeXmaQKBgGOFsPRPfM1jotWHUqK6ftJRLyn545eIH2Fvmnf6X58hvUeBrqR/
+iRC0qCb2LNtcLlLWPz/HFLuScdDE5P0OlB3ErkwiYtZKEdamFoauP9jCOUWZONjQ
+eHtngv9FLBHhKif05Jfjr7P20oBScBksQzWHhKS01vbQgrbGacIgrtGlAoGADNcW
+/oEynXktKS4/HQ/jv5zBpIGMlCFTRrG0VE5qoooze3C1h0BrqERRgwf0QNENQQw9
+zs8xGtlB1h05jxUKKvYmlL7II5J6fGt1HbIre8ySiOAW7Bnn2lAieQLMhoDIGWT1
+tQACg8IkctwGJ4mriX7tIyzxExWgr5LFiMt2/UkCgYEAnLff9ICMUEYPhnzz/O19
+ycJG3jW2GPVorRABFd7h8rxIldZCegC9iIoWWJBIm139EPy8s4h7P/xCJQIOgizf
+CScKRwQnDkLejrKIqiQI+iGrqDirpv/fsNaWL84ZrGjYErKylS19bOBtGob912hh
+XB5LQlB4uftAuqPmlv47/eI=
+-----END PRIVATE KEY-----

wazuh/config/wazuh_indexer_ssl_certs/wazuh.indexer.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlqgAwIBAgIUdTwmJ4nBic871mJeP5Y9E3LlOQswDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIzMTExNjA1NTk1NloXDTMzMTExMzA1NTk1NlowWjELMAkG
+A1UEBhMCVVMxEzARBgNVBAcMCkNhbGlmb3JuaWExDjAMBgNVBAoMBVdhenVoMQ4w
+DAYDVQQLDAVXYXp1aDEWMBQGA1UEAwwNd2F6dWguaW5kZXhlcjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAORX7GEIrf9F4TSRQCWtpOUbfO9HmOCWCeVi
+V/rKtQudPL+m63AnnRpQgDw+RNFzZKivr03BJivaNn95fZhtHFuAlbvfMpnKwuft
+y7FRzW8kYCbCTpdS0g7GrhOhVI6mkc0PQYwRSf5blp/TpfphUQ7D9Hl7IFNlOYvM
+5lJVP60wdANJKnk2xf+nJXh+b/VGWGzrG2H215FhFljhLwUUT02OR0EBRpTCSrkI
+KPHDwoKs4bteBq4A36J1hlFaEirQfHuKunRbxI6BktMMqPHe7AKc9SYl9qheZhH+
+gCYOgurRE3VvYAk5DPpC3ffbmMRJi3HZwVNjpncCnklVAt8KEWUCAwEAAaNVMFMw
+HwYDVR0jBBgwFoAUfGEYJ8H9uEDl8/FJwlD00le56WQwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBPAwGAYDVR0RBBEwD4INd2F6dWguaW5kZXhlcjANBgkqhkiG9w0BAQsF
+AAOCAQEAeO2+Vphnncs9IB9ETWyU0FnH95ZedrNsjtqf3MbUBDNXxZ6MwNCD+NmB
+niQyHB+uwxdy70A9w9Q0q0bsCS2fAYzKbuS63gCfg2Jm7sU92xcmaceyWNjuXfk9
+W7Tt9HBGpxOf+ymqDHcjx3lX7Ldy94LCEmlc3jNh8AswpBKnYUekBGKtTyb0KzA3
+nhB2hbgvHYXCA17vO+bOrCeqNvs4MWHoN1oC+hmTymqPjOXZKmU7W12GJjsFYHzy
+EYTa3XWCJSK+76m6oxQqyvMOTKGi1buwgE0MEX+mkSWUybwV5iKznZ4fSbKEihu3
+nQQ3kar9Z6/JHovWXJX3iy/XJPG6ZQ==
+-----END CERTIFICATE-----

wazuh/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/NW9DVME+Ilgo
+FOr8VduOr2vCm1QKb/Jknp+9vE+S9MV88/7pZKZtNwe7D4DabdPcnzIGEdaDC3ON
+VPyPtIbSOx5Eu2blMhGL0iWUM0uThzBG0Y67DsOgyQu6TnINtRljH96BFjPLbN0C
+bYoGwkxfnS5t5m/j/v0chj2L79Ri5dX++3yWCn5M5l2OEvvRiCc0iXsayzqoWVUy
+KVq/NuHcrHw+BLc1B0UGQeUK8dsn9V7/In+NadaZuhU5PVLiqtcaXSsOGwtf45I4
+xTzOvBvzn1verFa/tned1EOEYf701ZhuklEuUQyKDxKWc6k6S3msLZXf6r/Ctkwf
+chfThHN/AgMBAAECggEAb0Ow0wVmzbk+g1RoyR1M/eKmWj/4z3oFGvgTDF2gEGvO
+3787/qRLFBKJtRh4aqKuPhuFCHMo2Gi5fOyPazApo/wyyNwkLArOmwZWR77xo49v
+UEZxP/h/bfiPkoJDbCaN91h8KbG5wg4/LUKApx45Qwo8EkedpJakwwx6lAujE0iY
+ws55svCU13IpgJ57nsd7JnABbIsK++aDPd/uIroyRz/XII4plIBUEV0FX5fHhpkO
+PMSeABRsUko04tTZ9pA3txcNEqEbcVhaAluW/PtX1LzzxpphcDjTwsp5dff2gTPR
+XvyW+pli6lZ2qdRfNgc6rxX43zp3x64BOSh6XfmeQQKBgQDvzyZH7xacX6ctA4lR
+8J0Mbesg+3IEudGPEWZW+fNizbCfHiNGwuNBJVUqdG9ugc3h5g7c/FQkl4ToZ2H8
+lc2yJ4Gqs6FWdcZ27d0LKCIjvZjowQmVYr8JsCkWyZvap5yocK7ThjkvYHugmWXl
+ac5yfEBcENWOKDC0LZu02XL7zQKBgQDMHkb4mmy29uuDwuzuXiHCxXg5YxdSIfek
+X5KMUXqPwBShrFS5aOQa9ZfHqQ5TT/UwzR9FF8EjVGHqMd2BuQGQ8vkeA0ZTiQw4
+tBKcI5r1JkIcGAJmNmSUdmg7mirAFbtq2CZBuuL7zTLGI25C6YY02H6ZT5IPDva9
+HMm+LJNYewKBgH6bNvKzX5SfS3uQamdASSnOvlxjZAbqs6B85zL0M3LudVkMaENr
+kN9L/nKzlkEZdsDU3PP+o83N0PWB31GjJT3xbZvZykwDUgxn+FNzlNKZvqjjgVPF
+FmbfAlJtjkMaSrMDCsnSC07f+WUIl6tO+ReoUbJJkPXEcjIuAg6w3uvhAoGAAxyH
+Cm0YMSXMa0LCZ9PJgfWOoplPFrJr2vaV/kuTqbNM3TYKSJU/vOV3fdSm4kA6xZaq
+3lvBVu+HWpGOBdczHemGQJ3eKZHSPN8J1ZV5XDlMEq+PAc3cdKLlbdsowarTI4rN
+8nyNzzbOilSp7p0urYmLTHz5Bf+9ZR6WOK7nRBcCgYEA4sFmxDW5s3/vEqz95X8a
+v19wfjTiHJMYfToTW5V2LRWwVZgZ8Z7xWZh1vS41OyHvGhvODfBfkWuOX51odD8B
+WeQ83mcPfcuew8NaP1AGIPgpH02TDoVviBGIogkjaz/1bFKVaF+8T26JFEl9e6aM
+c9Qn1jgWeK6XiWCMxIYu1f8=
+-----END PRIVATE KEY-----

wazuh/config/wazuh_indexer_ssl_certs/wazuh.manager.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlqgAwIBAgIUdTwmJ4nBic871mJeP5Y9E3LlOQwwDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIzMTExNjA1NTk1NloXDTMzMTExMzA1NTk1NlowWjELMAkG
+A1UEBhMCVVMxEzARBgNVBAcMCkNhbGlmb3JuaWExDjAMBgNVBAoMBVdhenVoMQ4w
+DAYDVQQLDAVXYXp1aDEWMBQGA1UEAwwNd2F6dWgubWFuYWdlcjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAL81b0NUwT4iWCgU6vxV246va8KbVApv8mSe
+n728T5L0xXzz/ulkpm03B7sPgNpt09yfMgYR1oMLc41U/I+0htI7HkS7ZuUyEYvS
+JZQzS5OHMEbRjrsOw6DJC7pOcg21GWMf3oEWM8ts3QJtigbCTF+dLm3mb+P+/RyG
+PYvv1GLl1f77fJYKfkzmXY4S+9GIJzSJexrLOqhZVTIpWr824dysfD4EtzUHRQZB
+5Qrx2yf1Xv8if41p1pm6FTk9UuKq1xpdKw4bC1/jkjjFPM68G/OfW96sVr+2d53U
+Q4Rh/vTVmG6SUS5RDIoPEpZzqTpLeawtld/qv8K2TB9yF9OEc38CAwEAAaNVMFMw
+HwYDVR0jBBgwFoAUfGEYJ8H9uEDl8/FJwlD00le56WQwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBPAwGAYDVR0RBBEwD4INd2F6dWgubWFuYWdlcjANBgkqhkiG9w0BAQsF
+AAOCAQEAMV7N1d+U0GpFmwm+qi8uFFR8+bb19ygFNkYr86h5N74qKsGpLzJo7y5x
+kYSN8X86Lk9xtukges2nCKFM9l3/C37kVaUFlVELwh7cwCGLm9GMx7YA9GVxPpxZ
+6B1g5BAGVeGYnaCX8FzLppuSdrOLp5tXnCz09M6UvtSvgF9wCepgyfnMmrxQBvL7
+vgCdBjScd8u1c4eS2imiavKIcy6STtt4fBG878N20JTyx2GB0lP9CiNxrVTnzb+R
+239Lz0erOvchlFqvT5EB2jUeoYCwm4ZAjGqHaSX0wd/BAVzkEnubKwTDDjapRlio
+pE3eF2G57G+8DZxajrZd71gEiWOE4w==
+-----END CERTIFICATE-----

wazuh/custom-integrations/custom-iris.py

@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+# custom-iris.py
+# Custom Wazuh integration script to send alerts to DFIR-IRIS
+
+import sys
+import json
+import requests
+from requests.auth import HTTPBasicAuth
+
+# Function to create a formatted string from alert details
+def format_alert_details(alert_json):
+    rule = alert_json.get("rule", {})
+    agent = alert_json.get("agent", {})
+    
+    # Extracting MITRE information from the nested 'rule' structure
+    mitre = rule.get("mitre", {})
+    mitre_ids = ', '.join(mitre.get("id", ["N/A"]))
+    mitre_tactics = ', '.join(mitre.get("tactic", ["N/A"]))
+    mitre_techniques = ', '.join(mitre.get("technique", ["N/A"]))
+
+    details = [
+        f"Rule ID: {rule.get('id', 'N/A')}",
+        f"Rule Level: {rule.get('level', 'N/A')}",
+        f"Rule Description: {rule.get('description', 'N/A')}",
+        f"Agent ID: {agent.get('id', 'N/A')}",
+        f"Agent Name: {agent.get('name', 'N/A')}",
+        f"MITRE IDs: {mitre_ids}",
+        f"MITRE Tactics: {mitre_tactics}",
+        f"MITRE Techniques: {mitre_techniques}",
+        f"Location: {alert_json.get('location', 'N/A')}",
+        f"Full Log: {alert_json.get('full_log', 'N/A')}"
+    ]
+    return '\n'.join(details)
+
+# Read parameters when integration is run
+alert_file = sys.argv[1]
+api_key = sys.argv[2]
+hook_url = sys.argv[3]
+
+# Read the alert file
+with open(alert_file) as f:
+    alert_json = json.load(f)
+
+# Prepare alert details
+alert_details = format_alert_details(alert_json)
+
+# Convert Wazuh rule levels(0-15) -> IRIS severity(1-6)
+alert_level = alert_json.get("rule", {}).get("level") 
+if(alert_level < 5):
+    severity = 2
+elif(alert_level >= 5 and alert_level < 7):
+    severity = 3
+elif(alert_level >= 7 and alert_level < 10):
+    severity = 4
+elif(alert_level >= 10 and alert_level < 13):
+    severity = 5
+elif(alert_level >= 13):
+    severity = 6
+else:
+    severity = 1
+
+# Generate request
+# Reference: https://docs.dfir-iris.org/_static/iris_api_reference_v2.0.1.html#tag/Alerts/operation/post-case-add-alert
+payload = json.dumps({
+    "alert_title": alert_json.get("rule", {}).get("description", "No Description"),
+    "alert_description": alert_details,
+    "alert_source": "Wazuh",
+    "alert_source_ref": alert_json.get("id", "Unknown ID"),
+    "alert_source_link": "https://WAZUH-IP-OR-FQDN/app/wazuh",  # Replace with actual Wazuh URL
+    "alert_severity_id": severity,
+    "alert_status_id": 2,  # 'New' status
+    "alert_source_event_time": alert_json.get("timestamp", "Unknown Timestamp"),
+    "alert_note": "",
+    "alert_tags": f"wazuh,{alert_json.get('agent', {}).get('name', 'N/A')}",
+    "alert_customer_id": 1,  # '1' for default 'IrisInitialClient'
+    "alert_source_content": alert_json  # raw log
+})
+
+# Send request to IRIS
+response = requests.post(hook_url, data=payload, headers={"Authorization": "Bearer " + api_key, "content-type": "application/json"}, verify=False)
+
+sys.exit(0)

wazuh/custom-integrations/custom-misp.py

@@ -0,0 +1,179 @@
+#!/var/ossec/framework/python/bin/python3
+## MISP API Integration
+#
+import sys
+import os
+from socket import socket, AF_UNIX, SOCK_DGRAM
+from datetime import date, datetime, timedelta
+import time
+import requests
+from requests.exceptions import ConnectionError
+import json
+import ipaddress
+import hashlib
+import re
+pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
+socket_addr = '{0}/queue/sockets/queue'.format(pwd)
+def send_event(msg, agent = None):
+    if not agent or agent["id"] == "000":
+        string = '1:misp:{0}'.format(json.dumps(msg))
+    else:
+        string = '1:[{0}] ({1}) {2}->misp:{3}'.format(agent["id"], agent["name"], agent["ip"] if "ip" in agent else "any", json.dumps(msg))
+    sock = socket(AF_UNIX, SOCK_DGRAM)
+    sock.connect(socket_addr)
+    sock.send(string.encode())
+    sock.close()
+false = False
+# Read configuration parameters
+alert_file = open(sys.argv[1])
+# Read the alert file
+alert = json.loads(alert_file.read())
+alert_file.close()
+# New Alert Output if MISP Alert or Error calling the API
+alert_output = {}
+# MISP Server Base URL
+misp_base_url = "https://**your misp instance**/attributes/restSearch/"
+# MISP Server API AUTH KEY
+misp_api_auth_key = "*Your API Key"
+# API - HTTP Headers
+misp_apicall_headers = {"Content-Type":"application/json", "Authorization":f"{misp_api_auth_key}", "Accept":"application/json"}
+## Extract Sysmon for Windows/Sysmon for Linux and Sysmon Event ID
+event_source = alert["rule"]["groups"][0]
+event_type = alert["rule"]["groups"][2]
+## Regex Pattern used based on SHA256 lenght (64 characters)
+regex_file_hash = re.compile('\w{64}')
+if event_source == 'windows':
+    if event_type == 'sysmon_event1':
+        try:
+            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event3' and alert["data"]["win"]["eventdata"]["destinationIsIpv6"] == 'false':
+        try:
+            dst_ip = alert["data"]["win"]["eventdata"]["destinationIp"]
+            if ipaddress.ip_address(dst_ip).is_global:
+                wazuh_event_param = dst_ip
+            else:
+                sys.exit()
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event3' and alert_output["data"]["win"]["eventdata"]["destinationIsIpv6"] == 'true':
+        sys.exit()
+    elif event_type == 'sysmon_event6':
+        try:
+            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event7':
+        try:
+            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event_15':
+        try:
+            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event_22':
+        try:
+            wazuh_event_param = alert["data"]["win"]["eventdata"]["queryName"]
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event_23':
+        try:
+            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event_24':
+        try:
+            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
+        except IndexError:
+            sys.exit()
+    elif event_type == 'sysmon_event_25':
+        try:
+            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
+        except IndexError:
+            sys.exit()
+    else:
+        sys.exit()
+    misp_search_value = "value:"f"{wazuh_event_param}"
+    misp_search_url = ''.join([misp_base_url, misp_search_value])
+    try:
+        misp_api_response = requests.get(misp_search_url, headers=misp_apicall_headers, verify=False)
+    except ConnectionError:
+        alert_output["misp"] = {}
+        alert_output["integration"] = "misp"
+        alert_output["misp"]["error"] = 'Connection Error to MISP API'
+        send_event(alert_output, alert["agent"])
+    else:
+        misp_api_response = misp_api_response.json()
+    # Check if response includes Attributes (IoCs)
+        if (misp_api_response["response"]["Attribute"]):
+    # Generate Alert Output from MISP Response
+            alert_output["misp"] = {}
+            alert_output["misp"]["source"] = {}
+            alert_output["misp"]["event_id"] = misp_api_response["response"]["Attribute"][0]["event_id"]
+            alert_output["misp"]["category"] = misp_api_response["response"]["Attribute"][0]["category"]
+            alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]
+            alert_output["misp"]["type"] = misp_api_response["response"]["Attribute"][0]["type"]
+            alert_output["misp"]["source"]["description"] = alert["rule"]["description"]
+            send_event(alert_output, alert["agent"])
+elif event_source == 'linux':
+    if event_type == 'sysmon_event3' and alert["data"]["eventdata"]["destinationIsIpv6"] == 'false':
+        try:
+            dst_ip = alert["data"]["eventdata"]["DestinationIp"]
+            if ipaddress.ip_address(dst_ip).is_global:
+                wazuh_event_param = dst_ip
+                misp_search_value = "value:"f"{wazuh_event_param}"
+                misp_search_url = ''.join([misp_base_url, misp_search_value])
+                try:
+                    misp_api_response = requests.get(misp_search_url, headers=misp_apicall_headers, verify=False)
+                except ConnectionError:
+                    alert_output["misp"] = {}
+                    alert_output["integration"] = "misp"
+                    alert_output["misp"]["error"] = 'Connection Error to MISP API'
+                    send_event(alert_output, alert["agent"])
+                else:
+                    misp_api_response = misp_api_response.json()
+        # Check if response includes Attributes (IoCs)
+                    if (misp_api_response["response"]["Attribute"]):
+                # Generate Alert Output from MISP Response
+                        alert_output["misp"] = {}
+                        alert_output["misp"]["event_id"] = misp_api_response["response"]["Attribute"][0]["event_id"]
+                        alert_output["misp"]["category"] = misp_api_response["response"]["Attribute"][0]["category"]
+                        alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]
+                        alert_output["misp"]["type"] = misp_api_response["response"]["Attribute"][0]["type"]
+                        send_event(alert_output, alert["agent"])
+            else:
+                sys.exit()
+        except IndexError:
+            sys.exit()
+    else:
+        sys.exit()
+elif event_source == 'ossec' and event_type == "syscheck_entry_added":
+    try:
+        wazuh_event_param = alert["syscheck"]["sha256_after"]
+    except IndexError:
+        sys.exit()
+    misp_search_value = "value:"f"{wazuh_event_param}"
+    misp_search_url = ''.join([misp_base_url, misp_search_value])
+    try:
+        misp_api_response = requests.get(misp_search_url, headers=misp_apicall_headers, verify=false)
+    except ConnectionError:
+        alert_output["misp"] = {}
+        alert_output["integration"] = "misp"
+        alert_output["misp"]["error"] = 'Connection Error to MISP API'
+        send_event(alert_output, alert["agent"])
+    else:
+        misp_api_response = misp_api_response.json()
+    # Check if response includes Attributes (IoCs)
+        if (misp_api_response["response"]["Attribute"]):
+    # Generate Alert Output from MISP Response
+            alert_output["misp"] = {}
+            alert_output["misp"]["event_id"] = misp_api_response["response"]["Attribute"][0]["event_id"]
+            alert_output["misp"]["category"] = misp_api_response["response"]["Attribute"][0]["category"]
+            alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]
+            alert_output["misp"]["type"] = misp_api_response["response"]["Attribute"][0]["type"]
+            send_event(alert_output, alert["agent"])
+else:
+    sys.exit()

wazuh/custom-integrations/local_rules.xml

@@ -0,0 +1,42 @@
+<!-- Local rules -->
+
+<!-- Modify it at your will. -->
+<!-- Copyright (C) 2015, Wazuh Inc. -->
+
+<!-- Example -->
+<group name="local,syslog,sshd,">
+
+  <!--
+  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
+  -->
+  <rule id="100001" level="5">
+    <if_sid>5716</if_sid>
+    <srcip>1.1.1.1</srcip>
+    <description>sshd: authentication failed from IP 1.1.1.1.</description>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
+  </rule>
+
+</group>
+
+<group name="misp,">
+  <rule id="100620" level="10">
+    <field name="integration">misp</field>
+    <match>misp</match>
+    <description>MISP Events</description>
+    <options>no_full_log</options>
+  </rule>
+  <rule id="100621" level="5">
+    <if_sid>100620</if_sid>
+    <field name="misp.error">\.+</field>
+    <description>MISP - Error connecting to API</description>
+    <options>no_full_log</options>
+    <group>misp_error,</group>
+  </rule>
+  <rule id="100622" level="12">
+    <field name="misp.category">\.+</field>
+    <description>MISP - IoC found in Threat Intel - Category: $(misp.category), Attribute: $(misp.value)</description>
+    <options>no_full_log</options>
+    <group>misp_alert,</group>
+  </rule>
+</group>
+

wazuh/docker-compose.yml

@@ -0,0 +1,132 @@
+
+
+services:
+  wazuh.manager:
+    container_name: wazuh.manager
+    hostname: wazuh.manager
+    image: wazuh/wazuh-manager:latest
+    restart: always
+    networks:
+      - wazuh
+      - shared-network
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 655360
+        hard: 655360
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - wazuh_api_configuration:/var/ossec/api/configuration
+      - wazuh_etc:/var/ossec/etc
+      - wazuh_logs:/var/ossec/logs
+      - wazuh_queue:/var/ossec/queue
+      - wazuh_var_multigroups:/var/ossec/var/multigroups
+      - wazuh_integrations:/var/ossec/integrations
+      - wazuh_active_response:/var/ossec/active-response/bin
+      - wazuh_agentless:/var/ossec/agentless
+      - wazuh_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+
+  wazuh.indexer:
+    container_name: wazuh.indexer
+    hostname: wazuh.indexer
+    image: wazuh/wazuh-indexer:latest
+    restart: always
+    networks:
+      - shared-network
+      - wazuh
+    ports:
+      - "9200:9200"
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
+      - 'INDEXER_PASSWORD=SecretPassword'
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
+      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+
+  wazuh.dashboard:
+    container_name: wazuh.dashboard
+    hostname: wazuh.dashboard
+    image: wazuh/wazuh-dashboard:latest
+    restart: always
+    networks:
+      - wazuh
+    ports:
+      - 443:5601
+    environment:
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - WAZUH_API_URL=https://wazuh.manager
+      - DASHBOARD_USERNAME=kibanaserver
+      - DASHBOARD_PASSWORD=kibanaserver
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
+      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
+    depends_on:
+      - wazuh.indexer
+    links:
+      - wazuh.indexer:wazuh.indexer
+      - wazuh.manager:wazuh.manager
+
+volumes:
+  wazuh_api_configuration:
+  wazuh_etc:
+  wazuh_logs:
+  wazuh_queue:
+  wazuh_var_multigroups:
+  wazuh_integrations:
+  wazuh_active_response:
+  wazuh_agentless:
+  wazuh_wodles:
+  filebeat_etc:
+  filebeat_var:
+  wazuh-indexer-data:
+  wazuh-dashboard-config:
+  wazuh-dashboard-custom:
+
+networks:
+  shared-network:
+    external: true
+  wazuh:
+    driver: bridge

wazuh/generate-indexer-certs.yml

@@ -0,0 +1,10 @@
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+version: '3'
+
+services:
+  generator:
+    image: wazuh/wazuh-certs-generator:0.0.2
+    hostname: wazuh-certs-generator
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml