Merge pull request #6257 from wazuh/6216-add-maltiverse-section

Add Maltiverse integration section

source/user-manual/manager/manual-integration.rst

@@ -8,7 +8,7 @@
 Integration with external APIs
 ==============================
 
-The *Integrator* daemon allows Wazuh to connect to external APIs and alerting tools such as Slack, PagerDuty, VirusTotal, and Shuffle.
+The *Integrator* daemon allows Wazuh to connect to external APIs and alerting tools such as Slack, PagerDuty, VirusTotal, Shuffle, and Maltiverse.
 
 Configuration
 -------------
@@ -19,9 +19,9 @@ The integrations are configured on the Wazuh manager ``ossec.conf`` file. You ca
 
   <integration>
     <name> </name>
-    <hook_url> </hook_url> <!-- Required for Slack and Shuffle -->
-    <api_key> </api_key> <!-- Required for PagerDuty and VirusTotal -->
-    <alert_format>json</alert_format> <!-- Required for Slack, VirusTotal and Shuffle -->
+    <hook_url> </hook_url> <!-- Required for Slack, Shuffle, and Maltiverse -->
+    <api_key> </api_key> <!-- Required for PagerDuty, VirusTotal, and Maltiverse -->
+    <alert_format>json</alert_format> <!-- Required for Slack, VirusTotal, Shuffle, and Maltiverse -->
 
     <!-- Optional filters -->
     <rule_id> </rule_id>
@@ -179,6 +179,43 @@ Once the configuration is complete, alerts start showing in the email inbox.
    :align: center
    :width: 80%
 
+Maltiverse
+----------
+
+`Maltiverse <https://whatis.maltiverse.com/>`__ is an open and collaborative platform for indexing and searching Indicators of Compromise (IoCs). It works as a broker for Threat intelligence sources. Maltiverse aggregates information from more than a hundred different public, private and community sources.
+
+This integration identifies IoCs in Wazuh alerts via the Maltiverse API. It generates new alerts enriched with Maltiverse data. The Maltiverse data fields are based on the threat taxonomy of the ECS standard (Elastic Common Schema).
+
+To set up this integration, do the following.
+
+#. Get your API key from the `Maltiverse <https://www.maltiverse.com>`__ page.
+
+#. Edit ``/var/ossec/etc/ossec.conf`` in the Wazuh server and include a configuration block such as the following. Replace ``API_KEY`` with your Maltiverse API key. The rule level filter is optional. You can remove it or set another level value for the integration.
+
+   .. code-block:: xml
+      :emphasize-lines: 5
+
+      <integration>
+         <name>custom-maltiverse</name>
+         <hook_url>https://api.maltiverse.com</hook_url>
+         <level>3</level>
+         <api_key>API_KEY</api_key> <!-- Replace with your Maltiverse API key --> 
+         <alert_format>json</alert_format>
+      </integration>
+
+#. Restart the Wazuh manager to apply the changes.
+
+   .. include:: /_templates/common/restart_manager.rst
+
+Once the configuration is complete, enriched alerts start showing in the Wazuh Dashboard if applicable.
+
+.. thumbnail:: /images/manual/integration/maltiverse.png
+   :title: Maltiverse alert
+   :alt: Maltiverse alert
+   :align: center
+   :width: 80%
+
+
 Custom integration
 ------------------
 

source/user-manual/reference/ossec-conf/integration.rst

@@ -15,7 +15,7 @@ integration
     <integration>
     </integration>
 
-This configures the manager to :ref:`connect Wazuh to external APIs <manual_integration>` and alerting tools such as Slack, PagerDuty, VirusTotal and Shuffle.
+This configures the manager to :ref:`connect Wazuh to external APIs <manual_integration>` and alerting tools such as Slack, PagerDuty, VirusTotal, Shuffle, and Maltiverse.
 
 Options
 -------
@@ -35,36 +35,36 @@ name
 
 This indicates the service to integrate with.
 
-+--------------------+------------------------------------------------------------------------------+
-| **Default value**  | n/a                                                                          |
-+--------------------+------------------------------------------------------------------------------+
-| **Allowed values** | slack, pagerduty, virustotal, shuffle, any string that begins with 'custom-' |
-+--------------------+------------------------------------------------------------------------------+
++--------------------+------------------------------------------------------------------------------------------+
+| **Default value**  | n/a                                                                                      |
++--------------------+------------------------------------------------------------------------------------------+
+| **Allowed values** | slack, pagerduty, virustotal, shuffle, maltiverse, any string that begins with 'custom-' |
++--------------------+------------------------------------------------------------------------------------------+
 
 .. note::
   In the case of custom external integration, name must begin with ``custom-`` for example: ``custom-myintegration``. Read the `How to integrate external software using Integrator <https://wazuh.com/blog/how-to-integrate-external-software-using-integrator//>`_ document for more information.
 
 hook_url
 ^^^^^^^^
 
-This is the URL that is used for communication with the software being integrated. It's mandatory for the `Slack` and `Shuffle` integrations.
+This is the URL that is used for communication with the software being integrated. It's mandatory for the `Slack`, `Shuffle`,  and `Maltiverse` integrations.
 
-+--------------------+------------------------+
-| **Default value**  | n/a                    |
-+--------------------+------------------------+
-| **Allowed values** | Slack URL, Shuffle URL |
-+--------------------+------------------------+
++--------------------+----------------------------------------+
+| **Default value**  | n/a                                    |
++--------------------+----------------------------------------+
+| **Allowed values** | Slack URL, Shuffle URL, Maltiverse URL |
++--------------------+----------------------------------------+
 
 api_key
 ^^^^^^^
 
-This is the key that you would have retrieved from the PagerDuty or VirusTotal API. This is **mandatory for PagerDuty and VirusTotal.**
+This is the key that you would have retrieved from the PagerDuty, VirusTotal, or Maltiverse API. This is **mandatory for PagerDuty, VirusTotal, and Maltiverse.**
 
-+--------------------+------------------------------+
-| **Default value**  | n/a                          |
-+--------------------+------------------------------+
-| **Allowed values** | PagerDuty/VirusTotal Api key |
-+--------------------+------------------------------+
++--------------------+-----------------------------------------+
+| **Default value**  | n/a                                     |
++--------------------+-----------------------------------------+
+| **Allowed values** | PagerDuty/VirusTotal/Maltiverse Api key |
++--------------------+-----------------------------------------+
 
 Optional filters
 ----------------
@@ -116,15 +116,15 @@ This filters alerts by where the event originated.
 alert_format
 ^^^^^^^^^^^^
 
-This writes the alert file in the JSON format. The Integrator makes use this file to fetch fields values.
+This writes the alert file in the JSON format. The Integrator makes use of this file to fetch fields values.
 
 +--------------------+-----------------------------------------------------------+
 | **Default value**  | n/a                                                       |
 +--------------------+-----------------------------------------------------------+
 | **Allowed values** | json                                                      |
 +--------------------+-----------------------------------------------------------+
 
-.. note:: This option must be set to ``json`` for Slack, VirusTotal and Shuffle integrations.
+.. note:: This option must be set to ``json`` for Slack, VirusTotal, Shuffle, and Maltiverse integrations.
 
 max_log
 ^^^^^^^
@@ -175,6 +175,14 @@ Configuration example
     <alert_format>json</alert_format>
   </integration>
 
+  <!-- Integration with Maltiverse -->
+  <integration>
+    <name>maltiverse</name>
+    <hook_url>https://api.maltiverse.com</hook_url>
+    <api_key>API_KEY</api_key> <!-- Replace with your Maltiverse API key -->
+    <alert_format>json</alert_format>
+  </integration>
+
   <!--Custom external Integration -->
   <integration>
     <name>custom-integration</name>