
PolySwarm Integration #5175

Open
wants to merge 1 commit into master

Conversation

JavierBotella

Contribution
PolySwarm Integration

Description

This PR allows Wazuh to integrate with PolySwarm for threat intel enrichment.

More information about PolySwarm: https://polyswarm.io/

Configuration options

Add the integration settings to the /var/ossec/etc/ossec.conf file inside the
<ossec_config>..</ossec_config> block:

```xml
<integration>
  <name>custom-polyswarm</name>
  <api_key>YOUR_API_KEY</api_key> <!-- Add PolySwarm API Key here -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
```

Logs/Alerts example

```
Thu Jun 04 17:47:24 UTC 2020 DEBUG: event: 1:[001] (Win4) 192.168.1.52->custom-polyswarm:{"integration": "custom-polyswarm", "polyswarm": {"found": 1, "malicious": 1, "positives": 5, "total": 11, "polyscore": 0.9414534940126512, "microengine.NanoAV.verdict": "maliciuos", "microengine.NanoAV.malware_family": "Trojan.Script.Downloader.gtowqh", "microengine.Jiangmin.verdict": "maliciuos", "microengine.Jiangmin.malware_family": "Trojan.BAT.Small.a", "microengine.URLHaus.verdict": "maliciuos", "microengine.Alibaba.verdict": "maliciuos", "microengine.Alibaba.malware_family": "TrojanDownloader:VBA/Obfuscation.A", "microengine.Ikarus.verdict": "maliciuos", "microengine.Ikarus.malware_family": "Trojan-Downloader.VBA.Emotet", "sha1": "7f3194a1d2a66a177380fce3a2b0b580e2d56ee1", "sha256": "c1cab8e632a4cf554ec0a4d36e228aae0333fbf9f2bbf06bd23dfe0197bf885c", "md5": "7d6bd37088e6c10d040742e137102241", "mimetype": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "extended_type": "Microsoft Word 2007+", "permalink": "https://polyswarm.network/scan/results/file/c1cab8e632a4cf554ec0a4d36e228aae0333fbf9f2bbf06bd23dfe0197bf885c", "source.alert_id": "1580137141.224771", "source.file": "C:\\Users\\dev\\Desktop\\Wazuh\\fsdfadfsafsafa.txt", "source.md5": "7d6bd37088e6c10d040742e137102241", "source.sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}}
```

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • Dr. Memory
    • AddressSanitizer
  • Memory tests for Windows
    • Scan-build report
    • Coverity
    • Dr. Memory
  • Memory tests for macOS
    • Scan-build report
    • Leaks
    • AddressSanitizer
  • Retrocompatibility with older Wazuh versions
  • Tested in 3.10.2 and 3.11.1
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)
  • Added unit tests (for new features)
  • Stress test for affected components
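
The PR description above shows only the ossec.conf block and the resulting debug line. The following is an added example, not code from this PR or from the Wazuh or PolySwarm projects, that reconstructs the integration flow those two fragments imply: integratord runs the script with the alert file and the API key from `<api_key>`, the script takes the file hashes from the syscheck alert, queries the threat-intel service, and hands a flattened `polyswarm` object back to analysisd over its queue socket in the `1:[agent_id] (agent_name) ip->custom-polyswarm:{json}` form seen in the log. Assumptions are labelled in the code: `SAMPLE_ALERT` and `SAMPLE_RESULT` are constructed (the hashes are copied from the log line above), the intermediate result shape is this example's own and not the PolySwarm API response, `SOCKET_ADDR` is the default Wazuh 3.x queue path, and `constructed_lookup` stands in for the network call so the module runs offline. It also covers two cases the log does not show: a hash the service has never seen (emitted as `found: 0` with the source fields) and an alert that carries no sha256, which produces no event at all. `mask_key` exists because the API key lives in ossec.conf in clear text and must not be echoed into integrations.log when debugging.

```python
"""Wazuh custom-integration flow for PolySwarm-style enrichment (added example).

Not the code from this PR. Wazuh calls: <script> <alert_file> <api_key> [<hook_url>].
The lookup is a callable so everything here runs offline; SAMPLE_ALERT, SAMPLE_RESULT
and the intermediate result shape are constructed, not the PolySwarm API format.
"""
import json
import socket
import sys

INTEGRATION_NAME = "custom-polyswarm"
SOCKET_ADDR = "/var/ossec/queue/ossec/queue"  # assumption: default Wazuh 3.x path

def mask_key(api_key):
    """Keep full API keys out of integrations.log: show only the last four chars."""
    return "*" * len(api_key) if len(api_key) <= 4 else "*" * 8 + api_key[-4:]

def hashes_from_alert(alert):
    """Hashes syscheck attaches to a file alert; absent fields are left out."""
    sc = alert.get("syscheck", {})
    return {h: sc[h + "_after"] for h in ("md5", "sha1", "sha256") if sc.get(h + "_after")}

def flatten_engines(result):
    """Per-microengine verdicts as flat 'microengine.<Name>.<field>' keys."""
    flat = {}
    for eng in result.get("microengines", []):
        flat["microengine.%s.verdict" % eng["name"]] = eng["verdict"]
        if eng.get("malware_family"):
            flat["microengine.%s.malware_family" % eng["name"]] = eng["malware_family"]
    return flat

def build_event(alert, result):
    """Enriched event; a not-found result still yields {"found": 0} plus the source fields."""
    ps = {"found": 1 if result.get("found") else 0}
    if ps["found"]:
        verdicts = [e["verdict"] for e in result.get("microengines", [])]
        positives = sum(1 for v in verdicts if v == "malicious")
        ps.update({"malicious": 1 if positives else 0, "positives": positives,
                   "total": len(verdicts), "polyscore": result.get("polyscore")})
        ps.update(flatten_engines(result))
        ps.update({k: result[k] for k in ("md5", "sha1", "sha256", "mimetype",
                                           "extended_type", "permalink") if k in result})
    ps["source.alert_id"] = alert["id"]
    ps["source.file"] = alert["syscheck"]["path"]
    ps.update({"source." + h: v for h, v in hashes_from_alert(alert).items()})
    return {"integration": INTEGRATION_NAME, "polyswarm": ps}

def enrich(alert, api_key, lookup):
    """Query by sha256; an alert without one (e.g. a deleted file) produces no event."""
    sha256 = hashes_from_alert(alert).get("sha256")
    return build_event(alert, lookup(sha256, api_key)) if sha256 else None

def queue_message(alert, event):
    """analysisd wire format '1:<location>:<json>'; manager alerts (agent 000) get no prefix."""
    agent = alert.get("agent", {})
    if agent.get("id", "000") == "000":
        location = INTEGRATION_NAME
    else:
        location = "[%s] (%s) %s->%s" % (agent["id"], agent["name"],
                                         agent.get("ip", "any"), INTEGRATION_NAME)
    return "1:%s:%s" % (location, json.dumps(event))

def parse_queue_message(msg):
    """Inverse of queue_message: (location, event). The JSON payload starts at the first ':{'."""
    idx = msg.index(":{")
    return msg[2:idx], json.loads(msg[idx + 1:])

def send_event(msg, socket_addr=SOCKET_ADDR):
    """Hand the event to analysisd over its UNIX datagram socket (manager only)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.connect(socket_addr)
        sock.send(msg.encode())
    finally:
        sock.close()

SAMPLE_ALERT = {  # constructed syscheck alert; hashes copied from the log line in the PR
    "id": "1580137141.224771",
    "agent": {"id": "001", "name": "Win4", "ip": "192.168.1.52"},
    "syscheck": {"path": "C:\\Users\\dev\\Desktop\\Wazuh\\fsdfadfsafsafa.txt",
                 "md5_after": "7d6bd37088e6c10d040742e137102241",
                 "sha1_after": "7f3194a1d2a66a177380fce3a2b0b580e2d56ee1",
                 "sha256_after": "c1cab8e632a4cf554ec0a4d36e228aae0333fbf9f2bbf06bd23dfe0197bf885c"},
}
SAMPLE_RESULT = {  # constructed lookup result; this shape is the example's, not PolySwarm's
    "found": True, "polyscore": 0.9414534940126512,
    "sha256": SAMPLE_ALERT["syscheck"]["sha256_after"],
    "mimetype": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "microengines": [
        {"name": "NanoAV", "verdict": "malicious", "malware_family": "Trojan.Script.Downloader.gtowqh"},
        {"name": "Ikarus", "verdict": "malicious", "malware_family": "Trojan-Downloader.VBA.Emotet"},
        {"name": "Example", "verdict": "benign"},  # constructed engine name
    ],
}

def constructed_lookup(sha256, api_key):
    """Offline stand-in for the network call; a real script queries PolySwarm here."""
    return SAMPLE_RESULT if sha256 == SAMPLE_RESULT["sha256"] else {"found": False}

if __name__ == "__main__":
    alert = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ALERT
    api_key = sys.argv[2] if len(sys.argv) > 2 else "0123456789abcdef"
    print("DEBUG: api_key=%s" % mask_key(api_key))  # never log the full key
    event = enrich(alert, api_key, constructed_lookup)
    if event:
        print(queue_message(alert, event))  # send_event(...) would deliver it on a manager
```

Run it with no arguments to see the queue message built from the constructed alert; on a manager, `send_event` delivers that string to analysisd, which is what makes the `custom-polyswarm` event appear in the debug log. `parse_queue_message` is there for tests and for anyone writing a rule against the flattened `microengine.*` keys.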

@vikman90
Member

@JavierBotella thank you for your contribution!

The code looks good, but let me ping @wazuh/framework for them to check it as they are the Python experts.

Hope to merge it soon.
Thank you again.

@vikman90 vikman90 self-assigned this Jun 26, 2020
@JavierBotella
Author

Ack. Thank you @vikman90!

@JavierBotella
Author

JavierBotella commented Sep 29, 2020

> @JavierBotella thank you for your contribution!
>
> The code looks good, but let me ping @wazuh/framework for them to check it as they are the Python experts.
>
> Hope to merge it soon.
> Thank you again.

Hey guys, checking on this, did you get any time to look at it? Thank you!

@davidjiglesias
Member

Hello @JavierBotella,

Sorry but we have not got the chance yet. We have it in mind but as of right now we are fully engaged in Wazuh version 4.0.0 which is being released soon.

Regards,

David J. Iglesias

@JavierBotella
Author

Sounds good @davidjiglesias. Whatever needed for version 4.0.0 in our side please let me know.

Thank you.

@JavierBotella
Author

Hello @davidjiglesias, any news about this? Thanks!

@davidjiglesias
Member

Hello @JavierBotella,

First of all sorry for the late response. We are aware of this integration but we have not yet been able to prioritize it over some other improvements and bugfixes we have been working on lately. I will keep you updated if anything changes.

Regards

3 participants