l.bourdin
/
Wazuh-Teams-Workflow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Ajout de champs cards pour modification de fichier

This commit is contained in:
l.bourdin 2026-03-26 13:52:43 +01:00
parent aa034adf58
commit a7b94415a3
1 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
custom-teams.py
View File

@ -8,6 +8,7 @@ Wazuh → Microsoft Teams Integration (Workflows)
import json import json
import logging import logging
import ntpath
import re import re
import sys import sys
from datetime import datetime from datetime import datetime
@ -120,6 +121,11 @@ class Integration:
if ok and isinstance(cur, str) and cur.strip(): if ok and isinstance(cur, str) and cur.strip():
return cur.strip() return cur.strip()
# 1b) For agent-originated Windows alerts, fall back to the agent IP
agent_ip = self._get_nested(alert, ("agent", "ip"))
if isinstance(agent_ip, str) and agent_ip.strip():
return agent_ip.strip()
# 2) Extract from full_log string (if present) # 2) Extract from full_log string (if present)
full_log = alert.get("full_log", "") full_log = alert.get("full_log", "")
if isinstance(full_log, str) and full_log: if isinstance(full_log, str) and full_log:
@ -129,6 +135,19 @@ class Integration:
return None return None
def _extract_filename(self, object_name):
if not isinstance(object_name, str) or not object_name.strip():
return None
# NTFS alternate data streams appear after the first ":" following the drive letter.
normalized = object_name.strip()
stream_pos = normalized.find(":", 2)
if stream_pos != -1:
normalized = normalized[:stream_pos]
filename = ntpath.basename(normalized)
return filename or normalized
def _get_nested(self, data, path, default=None): def _get_nested(self, data, path, default=None):
"""Safely read a nested value in a dict.""" """Safely read a nested value in a dict."""
cur = data cur = data
@ -191,12 +210,13 @@ class Integration:
"""Windows-specific fields (eventdata).""" """Windows-specific fields (eventdata)."""
facts = [] facts = []
win = self._get_nested(alert, ("data", "win", "eventdata"), default={}) or {} win = self._get_nested(alert, ("data", "win", "eventdata"), default={}) or {}
object_name = win.get("objectName")
self._add_fact(facts, "Utilisateur", win.get("targetUserName")) self._add_fact(facts, "Utilisateur", win.get("targetUserName") or win.get("subjectUserName"))
self._add_fact(facts, "Ordinateur", win.get("workstationName")) self._add_fact(facts, "Ordinateur", win.get("workstationName"))
self._add_fact(facts, "Event ID", self._get_nested(alert, ("data", "win", "system", "eventID"))) self._add_fact(facts, "Event ID", self._get_nested(alert, ("data", "win", "system", "eventID")))
self._add_fact(facts, "Process", win.get("processName")) self._add_fact(facts, "Process", win.get("processName"))
self._add_fact(facts, "Source IP", win.get("ipAddress")) self._add_fact(facts, "Nom du fichier", self._extract_filename(object_name))
return facts return facts
def _specific_facts_suricata(self, alert): def _specific_facts_suricata(self, alert):