2 Commits
| Author | SHA1 | Date |
|---|---|---|
|
|
aca6289ffa | |
|
|
89efd821f4 |
|
|
@ -8,7 +8,6 @@ Wazuh → Microsoft Teams Integration (Workflows)
|
|||
|
||||
import json
|
||||
import logging
|
||||
import ntpath
|
||||
import re
|
||||
import sys
|
||||
from datetime import datetime
|
||||
|
|
@ -121,11 +120,6 @@ class Integration:
|
|||
if ok and isinstance(cur, str) and cur.strip():
|
||||
return cur.strip()
|
||||
|
||||
# 1b) For agent-originated Windows alerts, fall back to the agent IP
|
||||
agent_ip = self._get_nested(alert, ("agent", "ip"))
|
||||
if isinstance(agent_ip, str) and agent_ip.strip():
|
||||
return agent_ip.strip()
|
||||
|
||||
# 2) Extract from full_log string (if present)
|
||||
full_log = alert.get("full_log", "")
|
||||
if isinstance(full_log, str) and full_log:
|
||||
|
|
@ -135,19 +129,6 @@ class Integration:
|
|||
|
||||
return None
|
||||
|
||||
def _extract_filename(self, object_name):
|
||||
if not isinstance(object_name, str) or not object_name.strip():
|
||||
return None
|
||||
|
||||
# NTFS alternate data streams appear after the first ":" following the drive letter.
|
||||
normalized = object_name.strip()
|
||||
stream_pos = normalized.find(":", 2)
|
||||
if stream_pos != -1:
|
||||
normalized = normalized[:stream_pos]
|
||||
|
||||
filename = ntpath.basename(normalized)
|
||||
return filename or normalized
|
||||
|
||||
def _get_nested(self, data, path, default=None):
|
||||
"""Safely read a nested value in a dict."""
|
||||
cur = data
|
||||
|
|
@ -210,15 +191,12 @@ class Integration:
|
|||
"""Windows-specific fields (eventdata)."""
|
||||
facts = []
|
||||
win = self._get_nested(alert, ("data", "win", "eventdata"), default={}) or {}
|
||||
object_name = win.get("objectName")
|
||||
|
||||
self._add_fact(facts, "Utilisateur", win.get("subjectUserName"))
|
||||
self._add_fact(facts, "Utilisateur cible", win.get("targetUserName"))
|
||||
self._add_fact(facts, "Utilisateur ajoute", win.get("memberName"))
|
||||
self._add_fact(facts, "Utilisateur", win.get("targetUserName"))
|
||||
self._add_fact(facts, "Ordinateur", win.get("workstationName"))
|
||||
self._add_fact(facts, "Event ID", self._get_nested(alert, ("data", "win", "system", "eventID")))
|
||||
self._add_fact(facts, "Process", win.get("processName"))
|
||||
self._add_fact(facts, "Nom du fichier", self._extract_filename(object_name))
|
||||
self._add_fact(facts, "Source IP", win.get("ipAddress"))
|
||||
return facts
|
||||
|
||||
def _specific_facts_suricata(self, alert):
|
||||
|
|
|
|||
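Review bot: In the last hunk both `self._add_fact(facts, "Utilisateur", win.get("subjectUserName"))` and `self._add_fact(facts, "Utilisateur", win.get("targetUserName"))` carry the same "Utilisateur" label, so if both lines survive on the new side the card shows two identically named facts and the subject/target distinction that "Utilisateur cible" preserves is lost; the rendering has no side markers, so which of these lines the commit keeps should be confirmed before merging. Separately, `win` only falls back to `{}` when the eventdata path is missing or falsy — if `data.win.eventdata` is present but not a dict, every `win.get(...)` below raises AttributeError, so a guard such as `if not isinstance(win, dict): win = {}` right after the assignment would keep the formatter total over malformed alerts. The enclosing method's def line is outside the hunk.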