-
Notifications
You must be signed in to change notification settings - Fork 0
/
custom-discord
103 lines (85 loc) · 2.7 KB
/
custom-discord
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#/usr/bin/env python3
import sys
import requests
import json
from requests.auth import HTTPBasicAuth
from datetime import datetime, date
alert_file = sys.argv[1]
user = sys.argv[2].split(":")[0]
hook_url = sys.argv[3]
# read alert # Læser alert filen og omskriver den
with open(alert_file) as f:
alert_json = json.loads(f.read())
alert_level = alert_json["rule"]["level"]
alert_description = alert_json["rule"]["description"]
agent_details = alert_json.get("agent", {}).get("name", "agentless")
rule_id = alert_json["rule"]["id"]
# Get current date and time
current_time = datetime.now().strftime("%H:%M:%S")
today = date.today()
day = today.strftime("%d/%m/%Y")
# Get IP address based on whether it's a machine alert or agent alert
agent_info = alert_json.get("agent", {})
if "ip" in agent_info:
ip_address = agent_info["ip"]
else:
ip_address = "10.3.0.10 (Wazuh)"
syscheck = alert_json.get("syscheck", {})
eventdata = alert_json.get("eventdata", {})
if "path" in syscheck:
location = syscheck["path"]
else:
location = "no path found"
uname = "no user found"
win_perm_after = syscheck.get("win_perm_after", [])
if len(win_perm_after) >= 3:
uname = win_perm_after[2].get("name", "no user found")
if alert_level < 5:
# Green
color = "5763719"
elif 5 <= alert_level <= 7:
# Yellow
color = "16705372"
else:
# Red
color = "15548997"
# Design for the Discord alert
rule_level_design = {"name": "Rule Level", "value": str(alert_level), "inline": True}
agent_design = {"name": "Agent", "value": agent_details, "inline": True}
ip_address_design = {"name": "IP Address", "value": ip_address, "inline": True}
date_design = {"name": "Date", "value": day, "inline": True}
time_design = {"name": "Time", "value": current_time, "inline": False}
if "path" in syscheck:
location_design = {"name": "Location/Path", "value": location, "inline": False}
else:
location_design = None
if uname != "no user found":
who_did_it_design = {"name": "Who did it?", "value": uname, "inline": True}
else:
who_did_it_design = None
payload_fields = [
rule_level_design,
agent_design,
ip_address_design,
date_design,
time_design
]
if location_design is not None:
payload_fields.append(location_design)
if who_did_it_design is not None:
payload_fields.append(who_did_it_design)
# Creating the JSON to upload
payload = json.dumps({
"content": "",
"embeds": [
{
"title": f"Wazuh Alert - Rule {rule_id}",
"color": color,
"description": alert_description,
"fields": payload_fields
}
]
})
# Posting to Discord
r = requests.post(hook_url, data=payload, headers={"content-type": "application/json"})
sys.exit(0)