


Author SHA1 Message Date
root aca6289ffa Merge branch 'main' of https://git.cci17.fr/l.bourdin/Wazuh-Teams-Workflow 2026-03-26 10:48:05 +01:00
root 89efd821f4 modif génération card teams 2026-03-26 10:12:35 +01:00
1 changed files with 2 additions and 24 deletions


@ -8,7 +8,6 @@ Wazuh → Microsoft Teams Integration (Workflows)
import json
import logging
import ntpath
import re
import sys
from datetime import datetime
@ -121,11 +120,6 @@ class Integration:
if ok and isinstance(cur, str) and cur.strip():
return cur.strip()
# 1b) For agent-originated Windows alerts, fall back to the agent IP
agent_ip = self._get_nested(alert, ("agent", "ip"))
if isinstance(agent_ip, str) and agent_ip.strip():
return agent_ip.strip()
# 2) Extract from full_log string (if present)
full_log = alert.get("full_log", "")
if isinstance(full_log, str) and full_log:
@ -135,19 +129,6 @@ class Integration:
return None
def _extract_filename(self, object_name):
if not isinstance(object_name, str) or not object_name.strip():
return None
# NTFS alternate data streams appear after the first ":" following the drive letter.
normalized = object_name.strip()
stream_pos = normalized.find(":", 2)
if stream_pos != -1:
normalized = normalized[:stream_pos]
filename = ntpath.basename(normalized)
return filename or normalized
def _get_nested(self, data, path, default=None):
"""Safely read a nested value in a dict."""
cur = data
@ -210,15 +191,12 @@ class Integration:
"""Windows-specific fields (eventdata)."""
facts = []
win = self._get_nested(alert, ("data", "win", "eventdata"), default={}) or {}
object_name = win.get("objectName")
self._add_fact(facts, "Utilisateur", win.get("subjectUserName"))
self._add_fact(facts, "Utilisateur cible", win.get("targetUserName"))
self._add_fact(facts, "Utilisateur ajoute", win.get("memberName"))
self._add_fact(facts, "Utilisateur", win.get("targetUserName"))
self._add_fact(facts, "Ordinateur", win.get("workstationName"))
self._add_fact(facts, "Event ID", self._get_nested(alert, ("data", "win", "system", "eventID")))
self._add_fact(facts, "Process", win.get("processName"))
self._add_fact(facts, "Nom du fichier", self._extract_filename(object_name))
self._add_fact(facts, "Source IP", win.get("ipAddress"))
return facts
def _specific_facts_suricata(self, alert):
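Review bot: The Windows facts list ends up with two entries labelled `Utilisateur` (one from `subjectUserName`, one from `targetUserName`) if both of those `_add_fact` lines are on the new side, which leaves an analyst reading the Teams card unable to tell the acting account from the affected one on logon and group-membership events; the rendered view has lost the +/- markers, so confirm which line the commit adds and give it a distinct label such as `self._add_fact(facts, "Utilisateur cible", win.get("targetUserName"))`. Removing the `objectName`/`Nom du fichier` fact (and with it the ADS-aware `_extract_filename`) also takes away the only field that told the reader which file or key an object-access event concerned, so a short comment stating why the card no longer carries it would help the next maintainer. The first hunk appears to keep `import ntpath` while its sole user `_extract_filename` is deleted; if so, the import is now unused and should be dropped. The signature of `_specific_facts_windows` lies above the hunk.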