From f3412a0cfe7e01793135ed44712ba3e72d11ba07 Mon Sep 17 00:00:00 2001 From: Samson <66468924+SamsonIdowu@users.noreply.github.com> Date: Thu, 17 Jul 2025 02:29:45 +0100 Subject: [PATCH 01/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d04e447..60d65fa 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ Perform the following steps on your GitHub repository (remote repository) after |-------------|-------------------------------| | USERNAME | | | HOST | | -| SSH_KEY | | +| SSH_KEY | | | PORT | | 3. Ensure that a `dev` branch is created if it does not not already exist. 4. Create a pull request to merge the changes on the `main` branch to the `dev` branch. This will update the `dev` branch with the recent changes from the local Git repository and the `automation.yml` file. From de116dd966222ef1dcbd86a6ba508a415a2bf6d4 Mon Sep 17 00:00:00 2001 From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 13:35:53 -0600 Subject: [PATCH 02/12] Update workflow to deploy rulesets to Wazuh Cloud --- .github/workflows/integrate_rulesets.yml | 45 ++++++++++++------------ 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/.github/workflows/integrate_rulesets.yml b/.github/workflows/integrate_rulesets.yml index 6d14502..27c3b29 100644 --- a/.github/workflows/integrate_rulesets.yml +++ b/.github/workflows/integrate_rulesets.yml 
@@ -1,30 +1,31 @@ -name: Update Rulesets on SIEM +name: Deploy Rulesets to Wazuh Cloud + on: push: - branches: [ "main" ] - paths: ["**.xml"] + branches: ["main"] + paths: ["rules/**.xml", "decoders/**.xml"] workflow_dispatch: jobs: - - DaaC: + deploy: runs-on: ubuntu-latest + steps: - - name: Apply modified or new decoders and rules to SIEM - uses: appleboy/ssh-action@v1.0.0 + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Set up Python + uses: actions/setup-python@v4 with: - host: ${{ secrets.HOST }} - username: ${{ secrets.USERNAME }} - key: ${{ secrets.SSH_KEY }} - port: ${{ secrets.PORT }} - script: | - sudo bash -c ' - cd /var/ossec/etc/ - git pull origin main - chown wazuh:wazuh /var/ossec/etc/decoders/* && chmod 660 /var/ossec/etc/decoders/* - chown wazuh:wazuh /var/ossec/etc/rules/* && chmod 660 /var/ossec/etc/rules/* - sudo systemctl restart wazuh-manager \ - && echo "Ruleset apply SUCCESS!!! - Wazuh manager restarted successfully." \ - || echo "Ruleset apply FAILURE!!! - Wazuh manager failed to restart, check ruleset for error..." - sudo systemctl status wazuh-manager -l --no-pager - ' \ No newline at end of file + python-version: "3.10" + + - name: Install dependencies + run: pip install requests + + - name: Deploy rules and decoders to Wazuh Cloud + env: + WAZUH_API_URL: ${{ secrets.WAZUH_API_URL }} + WAZUH_USER: ${{ secrets.WAZUH_API_USER }} + WAZUH_PASSWORD: ${{ secrets.WAZUH_API_PASSWORD }} + run: | + python deploy_to_wazuh.py From 67262e2287d47085af202a421f96520b04184829 Mon Sep 17 00:00:00 2001 From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 13:37:01 -0600 Subject: [PATCH 03/12] Add script to deploy rules and decoders to Wazuh --- deploy_to_wazuh.py | 58 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 deploy_to_wazuh.py diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py new file mode 100644 index 0000000..55ea918 --- /dev/null 
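Review bot: The deploy job pulls `actions/checkout@v3` and `actions/setup-python@v4` by mutable tag and installs `requests` with no version, so the step that is handed the Wazuh API credentials can change without any commit to this repository. Pin each `uses:` to a full commit SHA (keeping the tag in a trailing comment) and pin the dependency, e.g. `run: pip install "requests==<pinned-version>"`. The workflow also declares no `permissions:`; a top-level `permissions:` block containing only `contents: read` keeps the job's GITHUB_TOKEN at the read access checkout needs. The README table updated in patch 01/12 still documents the USERNAME/HOST/SSH_KEY/PORT secrets this hunk retires, so it should now describe WAZUH_API_URL, WAZUH_API_USER and WAZUH_API_PASSWORD instead.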
+++ b/deploy_to_wazuh.py
@@ -0,0 +1,58 @@
+import os
+import requests
+import base64
+from pathlib import Path
+
+WAZUH_URL = os.environ["WAZUH_API_URL"]
+USER = os.environ["WAZUH_USER"]
+PASSWORD = os.environ["WAZUH_PASSWORD"]
+
+# Disable SSL warnings if using self-signed cert (Wazuh Cloud uses valid certs, so this is optional)
+requests.packages.urllib3.disable_warnings()
+
+def get_token():
+ response = requests.get(
+ f"{WAZUH_URL}/security/user/authenticate",
+ auth=(USER, PASSWORD),
+ verify=True
+ )
+ response.raise_for_status()
+ return response.json()["data"]["token"]
+
+def upload_file(token, endpoint, filename, content):
+ headers = {
+ "Authorization": f"Bearer {token}",
+ "Content-Type": "application/octet-stream"
+ }
+ params = {"filename": filename, "overwrite": True}
+ response = requests.post(
+ f"{WAZUH_URL}/{endpoint}",
+ headers=headers,
+ params=params,
+ data=content.encode("utf-8"),
+ verify=True
+ )
+ if response.status_code == 200:
+ print(f"āœ… Uploaded (unknown)")
+ else:
+ print(f"āŒ Failed to upload (unknown): {response.status_code} - {response.text}")
+ raise Exception(f"Upload failed for (unknown)")
+
+def main():
+ token = get_token()
+ print("šŸ” Authenticated with Wazuh API")
+
+ # Upload rules
+ for rule_file in Path("rules").glob("*.xml"):
+ content = rule_file.read_text()
+ upload_file(token, "rules/files", rule_file.name, content)
+
+ # Upload decoders
+ for decoder_file in Path("decoders").glob("*.xml"):
+ content = decoder_file.read_text()
+ upload_file(token, "decoders/files", decoder_file.name, content)
+
+ print("\nšŸŽ‰ All rulesets deployed successfully.")
+
+if __name__ == "__main__":
+ main()
From 47f2d7904de596d928678bf5bbb899deb26e9178 Mon Sep 17 00:00:00 2001
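Review bot: Neither the `requests.get` in get_token nor the `requests.post` in upload_file passes `timeout=`, so a stalled Wazuh API leaves the job hanging until the runner's job limit; add `timeout=30` (or a module-level constant) to both calls. `rule_file.read_text()` and `decoder_file.read_text()` decode with the platform default and the script then re-encodes as UTF-8, so use `read_text(encoding="utf-8")` in both loops to keep a non-ASCII description from being mangled or raising depending on the runner locale. `import base64` is unused, and `requests.packages.urllib3.disable_warnings()` silences a warning that cannot fire while every call uses `verify=True`; drop both. Worth noting that the glob-and-upload loop only adds or overwrites, so a rule file deleted from the repository stays active on the manager until removed by hand. Patch 04/12 re-adds this identical file (same blob 55ea918), so the same comments apply there.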
From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 13:39:11 -0600 Subject: [PATCH 04/12] Add script to deploy rules and decoders to Wazuh --- deploy_to_wazuh.py | 58 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 deploy_to_wazuh.py diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py new file mode 100644 index 0000000..55ea918 --- /dev/null +++ b/deploy_to_wazuh.py 
@@ -0,0 +1,58 @@
+import os
+import requests
+import base64
+from pathlib import Path
+
+WAZUH_URL = os.environ["WAZUH_API_URL"]
+USER = os.environ["WAZUH_USER"]
+PASSWORD = os.environ["WAZUH_PASSWORD"]
+
+# Disable SSL warnings if using self-signed cert (Wazuh Cloud uses valid certs, so this is optional)
+requests.packages.urllib3.disable_warnings()
+
+def get_token():
+ response = requests.get(
+ f"{WAZUH_URL}/security/user/authenticate",
+ auth=(USER, PASSWORD),
+ verify=True
+ )
+ response.raise_for_status()
+ return response.json()["data"]["token"]
+
+def upload_file(token, endpoint, filename, content):
+ headers = {
+ "Authorization": f"Bearer {token}",
+ "Content-Type": "application/octet-stream"
+ }
+ params = {"filename": filename, "overwrite": True}
+ response = requests.post(
+ f"{WAZUH_URL}/{endpoint}",
+ headers=headers,
+ params=params,
+ data=content.encode("utf-8"),
+ verify=True
+ )
+ if response.status_code == 200:
+ print(f"āœ… Uploaded (unknown)")
+ else:
+ print(f"āŒ Failed to upload (unknown): {response.status_code} - {response.text}")
+ raise Exception(f"Upload failed for (unknown)")
+
+def main():
+ token = get_token()
+ print("šŸ” Authenticated with Wazuh API")
+
+ # Upload rules
+ for rule_file in Path("rules").glob("*.xml"):
+ content = rule_file.read_text()
+ upload_file(token, "rules/files", rule_file.name, content)
+
+ # Upload decoders
+ for decoder_file in Path("decoders").glob("*.xml"):
+ content = decoder_file.read_text()
+ upload_file(token, "decoders/files", decoder_file.name, content)
+
+ print("\nšŸŽ‰ All rulesets deployed successfully.")
+
+if __name__ == "__main__":
+ main()
From 1161a515898fd27d6f399904f4384efec5cf4985 Mon Sep 17 00:00:00 2001 From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 13:49:01 -0600 Subject: [PATCH 05/12] Add RaC test rule --- rules/test_rule.xml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 rules/test_rule.xml 
diff --git a/rules/test_rule.xml b/rules/test_rule.xml new file mode 100644 index 0000000..0a06fc6 --- /dev/null +++ b/rules/test_rule.xml @@ -0,0 +1,6 @@ + + + RaC test rule - safe to delete + no_full_log + + \ No newline at end of file From a72ef42a706c67a21186cb7339812e147ef432ab Mon Sep 17 00:00:00 2001 From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 14:04:41 -0600 Subject: [PATCH 06/12] Fix SSL verification for self-signed cert --- deploy_to_wazuh.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py index 55ea918..d5b7af0 100644 --- a/deploy_to_wazuh.py +++ b/deploy_to_wazuh.py @@ -1,20 +1,20 @@ import os import requests -import base64 +import urllib3 from pathlib import Path +# Suppress self-signed certificate warnings +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + WAZUH_URL = os.environ["WAZUH_API_URL"] USER = os.environ["WAZUH_USER"] PASSWORD = os.environ["WAZUH_PASSWORD"] -# Disable SSL warnings if using self-signed cert (Wazuh Cloud uses valid certs, so this is optional) -requests.packages.urllib3.disable_warnings() - def get_token(): response = requests.get( f"{WAZUH_URL}/security/user/authenticate", auth=(USER, PASSWORD), - verify=True + verify=False ) response.raise_for_status() return response.json()["data"]["token"] @@ -30,7 +30,7 @@ def upload_file(token, endpoint, filename, content): headers=headers, params=params, data=content.encode("utf-8"), - verify=True + verify=False ) if response.status_code == 200: print(f"āœ… Uploaded (unknown)") @@ -55,4 +55,4 @@ def main(): print("\nšŸŽ‰ All rulesets deployed successfully.") if __name__ == "__main__": - main() + main() \ No newline at end of file From 1a1b5d8a38b4b2c763be7e30bdae030314dbeba0 Mon Sep 17 00:00:00 2001 
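Review bot: Switching both calls to `verify=False` (get_token in the first hunk of patch 06/12, upload_file in the second) sends the API user's password over basic auth, and afterwards the bearer token and the rule content, to whatever host answers at WAZUH_API_URL without proving its identity, which is exactly the check that stops an on-path host from harvesting the credentials or accepting the uploads in the manager's place; the comment this hunk deletes said Wazuh Cloud presents valid certificates, so the contradiction should be resolved before verification is dropped. If the endpoint really is self-signed, pin the certificate instead of disabling checks: commit the server or CA certificate (public material, not a secret) and pass its path, e.g. `CA_BUNDLE = os.environ.get("WAZUH_CA_BUNDLE", True)` at module level and `verify=CA_BUNDLE` on both calls, after which the added `urllib3.disable_warnings(...)` line is no longer needed.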
From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 14:19:57 -0600 Subject: [PATCH 07/12] Debug --- deploy_to_wazuh.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py index d5b7af0..c346918 100644 --- a/deploy_to_wazuh.py +++ b/deploy_to_wazuh.py @@ -11,11 +11,18 @@ PASSWORD = os.environ["WAZUH_PASSWORD"] def get_token(): + url = f"{WAZUH_URL}/security/user/authenticate" + print(f"šŸ” Connecting to: {url}") + print(f"šŸ” Using user: {USER}") + print(f"šŸ” Password length: {len(PASSWORD)}") response = requests.get( - f"{WAZUH_URL}/security/user/authenticate", + url, auth=(USER, PASSWORD), - verify=False + verify=False, + params={"raw": "true"} ) + print(f"šŸ” Response status: {response.status_code}") + print(f"šŸ” Response body: {response.text}") response.raise_for_status() return response.json()["data"]["token"] From 9fd38ca601fc50d123d73b355fbfde78c67da1bd Mon Sep 17 00:00:00 2001 From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 14:26:10 -0600 Subject: [PATCH 08/12] Fix indentation for Wazuh API credentials --- .github/workflows/integrate_rulesets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/integrate_rulesets.yml b/.github/workflows/integrate_rulesets.yml index 27c3b29..66856bd 100644 --- a/.github/workflows/integrate_rulesets.yml +++ b/.github/workflows/integrate_rulesets.yml @@ -25,7 +25,7 @@ jobs: - name: Deploy rules and decoders to Wazuh Cloud env: WAZUH_API_URL: ${{ secrets.WAZUH_API_URL }} - WAZUH_USER: ${{ secrets.WAZUH_API_USER }} - WAZUH_PASSWORD: ${{ secrets.WAZUH_API_PASSWORD }} + WAZUH_API_USER: ${{ secrets.WAZUH_API_USER }} + WAZUH_API_PASSWORD: ${{ secrets.WAZUH_API_PASSWORD }} run: | python deploy_to_wazuh.py From 4e438a88429c77c905a6f7644f4fbe5776832ecb Mon Sep 17 00:00:00 2001 
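Review bot: `print(f"šŸ” Response body: {response.text}")` writes the authenticate response, i.e. the API token that the next line extracts, into the Actions job log, where it is retained and readable by anyone who can view the run; secret masking covers only values stored as repository secrets, not a token derived from them. The `Using user:` and `Password length:` prints are also unnecessary disclosure for a debugging aid (the user name is hidden only because it happens to be stored as a secret). Patch 10/12 removes the body print but keeps the other two; remove those as well, and treat any token issued during runs at this revision as exposed. If connection diagnostics are still wanted, log only `url` and `response.status_code`.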
From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 14:26:46 -0600 Subject: [PATCH 09/12] Update Wazuh API user and password environment variables --- deploy_to_wazuh.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py index c346918..f39a96d 100644 --- a/deploy_to_wazuh.py +++ b/deploy_to_wazuh.py @@ -7,8 +7,8 @@ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) WAZUH_URL = os.environ["WAZUH_API_URL"] -USER = os.environ["WAZUH_USER"] -PASSWORD = os.environ["WAZUH_PASSWORD"] +USER = os.environ["WAZUH_API_USER"] +PASSWORD = os.environ["WAZUH_API_PASSWORD"] def get_token(): url = f"{WAZUH_URL}/security/user/authenticate" @@ -62,4 +62,4 @@ def main(): print("\nšŸŽ‰ All rulesets deployed successfully.") if __name__ == "__main__": - main() \ No newline at end of file + main() From fc42c08038a14ac6594f7f09b5039eed787cdd7d Mon Sep 17 00:00:00 2001 From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 14:29:47 -0600 Subject: [PATCH 10/12] Modify response handling in deploy_to_wazuh.py Change return value to response text instead of JSON. --- deploy_to_wazuh.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py index f39a96d..c33fd8d 100644 --- a/deploy_to_wazuh.py +++ b/deploy_to_wazuh.py @@ -22,9 +22,8 @@ def get_token(): params={"raw": "true"} ) print(f"šŸ” Response status: {response.status_code}") - print(f"šŸ” Response body: {response.text}") response.raise_for_status() - return response.json()["data"]["token"] + return response.text.strip() def upload_file(token, endpoint, filename, content): headers = { From 03f7e8bac8ed5ca3fe6af9594ff886805c434983 Mon Sep 17 00:00:00 2001 
From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 14:32:29 -0600 Subject: [PATCH 11/12] Change HTTP method to PUT for file upload --- deploy_to_wazuh.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py index c33fd8d..3033998 100644 --- a/deploy_to_wazuh.py +++ b/deploy_to_wazuh.py @@ -30,8 +30,8 @@ def upload_file(token, endpoint, filename, content): "Authorization": f"Bearer {token}", "Content-Type": "application/octet-stream" } - params = {"filename": filename, "overwrite": True} - response = requests.post( + params = {"filename": filename, "overwrite": "true"} + response = requests.put( f"{WAZUH_URL}/{endpoint}", headers=headers, params=params, @@ -43,7 +43,7 @@ def upload_file(token, endpoint, filename, content): else: print(f"āŒ Failed to upload (unknown): {response.status_code} - {response.text}") raise Exception(f"Upload failed for (unknown)") - + def main(): token = get_token() print("šŸ” Authenticated with Wazuh API") From 8f333b0280f56b147879031a1e55a0917865e485 Mon Sep 17 00:00:00 2001 From: Carlos Romero <98657335+carom93@users.noreply.github.com> Date: Mon, 23 Mar 2026 21:30:47 -0600 Subject: [PATCH 12/12] Fix upload parameters for Wazuh API --- deploy_to_wazuh.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy_to_wazuh.py b/deploy_to_wazuh.py index 3033998..2b94969 100644 --- a/deploy_to_wazuh.py +++ b/deploy_to_wazuh.py @@ -30,9 +30,9 @@ def upload_file(token, endpoint, filename, content): "Authorization": f"Bearer {token}", "Content-Type": "application/octet-stream" } - params = {"filename": filename, "overwrite": "true"} + params = {"overwrite": "true"} response = requests.put( - f"{WAZUH_URL}/{endpoint}", + f"{WAZUH_URL}/{endpoint}/(unknown)", headers=headers, params=params, data=content.encode("utf-8"), 
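Review bot: The file name is now interpolated straight into the request path (the last segment of `f"{WAZUH_URL}/{endpoint}/(unknown)"`, rendered as `(unknown)` on this page), so a name containing `/`, `?`, `#`, `%` or whitespace changes which resource the PUT addresses instead of failing cleanly. Percent-encode that segment before building the URL: `from urllib.parse import quote` with the other imports and `f"{WAZUH_URL}/{endpoint}/{quote(filename, safe='')}"` here. Keeping `overwrite` in `params` is fine since it is a query parameter. upload_file's body continues past the end of this hunk.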
@@ -43,7 +43,7 @@ def upload_file(token, endpoint, filename, content): else: print(f"āŒ Failed to upload (unknown): {response.status_code} - {response.text}") raise Exception(f"Upload failed for (unknown)") - + def main(): token = get_token() print("šŸ” Authenticated with Wazuh API")