Ajout de champs cards pour modification de fichier

2026-03-26 13:52:43 +01:00 · 2026-03-26 13:52:43 +01:00 · a7b94415a3
parent aa034adf58
commit a7b94415a3
1 changed files with 22 additions and 2 deletions
--- a/custom-teams.py
+++ b/custom-teams.py
@ -8,6 +8,7 @@ Wazuh → Microsoft Teams Integration (Workflows)

 import json
 import logging
+import ntpath
 import re
 import sys
 from datetime import datetime
@ -120,6 +121,11 @@ class Integration:
            if ok and isinstance(cur, str) and cur.strip():
                return cur.strip()

+        # 1b) For agent-originated Windows alerts, fall back to the agent IP
+        agent_ip = self._get_nested(alert, ("agent", "ip"))
+        if isinstance(agent_ip, str) and agent_ip.strip():
+            return agent_ip.strip()
+
        # 2) Extract from full_log string (if present)
        full_log = alert.get("full_log", "")
        if isinstance(full_log, str) and full_log:
@ -129,6 +135,19 @@ class Integration:

        return None

+    def _extract_filename(self, object_name):
+        if not isinstance(object_name, str) or not object_name.strip():
+            return None
+
+        # NTFS alternate data streams appear after the first ":" following the drive letter.
+        normalized = object_name.strip()
+        stream_pos = normalized.find(":", 2)
+        if stream_pos != -1:
+            normalized = normalized[:stream_pos]
+
+        filename = ntpath.basename(normalized)
+        return filename or normalized
+
    def _get_nested(self, data, path, default=None):
        """Safely read a nested value in a dict."""
        cur = data
@ -191,12 +210,13 @@ class Integration:
        """Windows-specific fields (eventdata)."""
        facts = []
        win = self._get_nested(alert, ("data", "win", "eventdata"), default={}) or {}
+        object_name = win.get("objectName")

-        self._add_fact(facts, "Utilisateur", win.get("targetUserName"))
+        self._add_fact(facts, "Utilisateur", win.get("targetUserName") or win.get("subjectUserName"))
        self._add_fact(facts, "Ordinateur", win.get("workstationName"))
        self._add_fact(facts, "Event ID", self._get_nested(alert, ("data", "win", "system", "eventID")))
        self._add_fact(facts, "Process", win.get("processName"))
-        self._add_fact(facts, "Source IP", win.get("ipAddress"))
+        self._add_fact(facts, "Nom du fichier", self._extract_filename(object_name))
        return facts

    def _specific_facts_suricata(self, alert):