From a7b94415a382c8bd32aa9e8a680bccd9be40c62c Mon Sep 17 00:00:00 2001
From: "l.bourdin"
Date: Thu, 26 Mar 2026 13:52:43 +0100
Subject: [PATCH] Ajout de champs cards pour modification de fichier

---
 custom-teams.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/custom-teams.py b/custom-teams.py
index 292ea77..2a5b827 100755
--- a/custom-teams.py
+++ b/custom-teams.py
@@ -8,6 +8,7 @@ Wazuh → Microsoft Teams Integration (Workflows)
 import json
 import logging
+import ntpath
 import re
 import sys
 from datetime import datetime
@@ -120,6 +121,11 @@ class Integration:
         if ok and isinstance(cur, str) and cur.strip():
             return cur.strip()
 
+        # 1b) For agent-originated Windows alerts, fall back to the agent IP
+        agent_ip = self._get_nested(alert, ("agent", "ip"))
+        if isinstance(agent_ip, str) and agent_ip.strip():
+            return agent_ip.strip()
+
         # 2) Extract from full_log string (if present)
         full_log = alert.get("full_log", "")
         if isinstance(full_log, str) and full_log:
@@ -129,6 +135,19 @@ class Integration:
         return None
 
+    def _extract_filename(self, object_name):
+        if not isinstance(object_name, str) or not object_name.strip():
+            return None
+
+        # NTFS alternate data streams appear after the first ":" following the drive letter.
+        normalized = object_name.strip()
+        stream_pos = normalized.find(":", 2)
+        if stream_pos != -1:
+            normalized = normalized[:stream_pos]
+
+        filename = ntpath.basename(normalized)
+        return filename or normalized
+
     def _get_nested(self, data, path, default=None):
         """Safely read a nested value in a dict."""
         cur = data
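Review bot: The new agent-IP fallback in the `@@ -120` hunk runs for every alert that carries `agent.ip`, not only for Windows alerts as its comment claims, and because it sits before step 2 the `full_log` extraction below it becomes unreachable whenever an agent IP is present. For alerts whose real source address is only recoverable from `full_log`, the card would then report the monitored host's own IP as the source, which misattributes the event in the notification. Either guard the fallback on the alert actually being a Windows event, or move it after the `full_log` step so it stays a last resort, and reword the comment to match whichever is chosen. The enclosing method starts and ends outside this hunk, so I cannot see which alert types reach it.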
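Review bot: In `_extract_filename` (the `@@ -129` hunk) `normalized.find(":", 2)` assumes the drive colon is always at index 1, so any objectName whose drive letter is not the first character would be cut at the drive colon instead of the stream separator and yield a bogus name such as a lone drive letter. Since a stream separator can only occur in the last path component, it is safer to split after taking the basename: `filename = ntpath.basename(normalized)` / `filename = filename.partition(":")[0]` / `return filename or normalized`. Note also that the stream name being discarded is often the most informative part of an alternate-data-stream alert, so consider surfacing it as its own fact rather than dropping it. The method has no docstring while its neighbour `_get_nested` does; add e.g. `"""Return the bare file name from a Windows objectName, stripping directories and any NTFS stream suffix."""`.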
@@ -191,12 +210,13 @@ class Integration:
         """Windows-specific fields (eventdata)."""
         facts = []
         win = self._get_nested(alert, ("data", "win", "eventdata"), default={}) or {}
+        object_name = win.get("objectName")
 
-        self._add_fact(facts, "Utilisateur", win.get("targetUserName"))
+        self._add_fact(facts, "Utilisateur", win.get("targetUserName") or win.get("subjectUserName"))
         self._add_fact(facts, "Ordinateur", win.get("workstationName"))
         self._add_fact(facts, "Event ID", self._get_nested(alert, ("data", "win", "system", "eventID")))
         self._add_fact(facts, "Process", win.get("processName"))
-        self._add_fact(facts, "Source IP", win.get("ipAddress"))
+        self._add_fact(facts, "Nom du fichier", self._extract_filename(object_name))
         return facts
 
     def _specific_facts_suricata(self, alert):
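Review bot: Replacing the `Source IP` fact with `Nom du fichier` removes `ipAddress` from every Windows card, including logon alerts where `ipAddress` is the only remote address and no `objectName` exists, so this is lost investigative context rather than a like-for-like swap. Keep `self._add_fact(facts, "Source IP", win.get("ipAddress"))` next to the new line; this presumes `_add_fact` skips empty values, which I cannot confirm here since it is defined outside the hunk. Merging `targetUserName or subjectUserName` under a single `Utilisateur` label also hides whether the name is the acting account or the affected one, which matters when triaging account-change events; two separate facts would be clearer. The `def` line of this method precedes the hunk.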