Dev

.github/workflows/integrate_rulesets.yml

@@ -1,30 +1,31 @@
-name: Update Rulesets on SIEM
+name: Deploy Rulesets to Wazuh Cloud
+
 on:
   push:
-    branches: [ "main" ]
-    paths: ["**.xml"]
+    branches: ["main"]
+    paths: ["rules/**.xml", "decoders/**.xml"]
   workflow_dispatch:
 
 jobs:
-
-  DaaC:
+  deploy:
     runs-on: ubuntu-latest
+
     steps:
-      - name: Apply modified or new decoders and rules to SIEM
-        uses: appleboy/ssh-action@v1.0.0
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
         with:
-          host: ${{ secrets.HOST }}
-          username: ${{ secrets.USERNAME }}
-          key: ${{ secrets.SSH_KEY }}
-          port: ${{ secrets.PORT }}
-          script: |
-            sudo bash -c '
-            cd /var/ossec/etc/
-            git pull origin main
-            chown wazuh:wazuh /var/ossec/etc/decoders/* && chmod 660 /var/ossec/etc/decoders/*
-            chown wazuh:wazuh /var/ossec/etc/rules/* && chmod 660 /var/ossec/etc/rules/*
-            sudo systemctl restart wazuh-manager \
-            && echo "Ruleset apply SUCCESS!!! - Wazuh manager restarted successfully." \
-            || echo "Ruleset apply FAILURE!!! - Wazuh manager failed to restart, check ruleset for error..."
-            sudo systemctl status wazuh-manager -l --no-pager
-            '
+          python-version: "3.10"
+
+      - name: Install dependencies
+        run: pip install requests
+
+      - name: Deploy rules and decoders to Wazuh Cloud
+        env:
+          WAZUH_API_URL: ${{ secrets.WAZUH_API_URL }}
+          WAZUH_API_USER: ${{ secrets.WAZUH_API_USER }}
+          WAZUH_API_PASSWORD: ${{ secrets.WAZUH_API_PASSWORD }}
+        run: |
+          python deploy_to_wazuh.py

README.md

@@ -69,7 +69,7 @@ Perform the following steps on your GitHub repository (remote repository) after
 |-------------|-------------------------------|
 | USERNAME    | <USERNAME_OF_SIEM_HOST>       |
 | HOST        | <PUBLIC_IP_OF_SIEM_HOST>      |
-| SSH_KEY     | <PUBLIC_KEY_OF_SIEM_HOST>     |
+| SSH_KEY     | <PRIVATE_KEY_OF_SIEM_HOST>     |
 | PORT        | <SSH_PORT_OF_SIEM_HOST>       |
 3. Ensure that a `dev` branch is created if it does not not already exist.
 4. Create a pull request to merge the changes on the `main` branch to the `dev` branch. This will update the `dev` branch with the recent changes from the local Git repository and the `automation.yml` file.

deploy_to_wazuh.py

@@ -0,0 +1,64 @@
+import os
+import requests
+import urllib3
+from pathlib import Path
+
+# Suppress self-signed certificate warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+WAZUH_URL = os.environ["WAZUH_API_URL"]
+USER = os.environ["WAZUH_API_USER"]
+PASSWORD = os.environ["WAZUH_API_PASSWORD"]
+
+def get_token():
+    url = f"{WAZUH_URL}/security/user/authenticate"
+    print(f"🔍 Connecting to: {url}")
+    print(f"🔍 Using user: {USER}")
+    print(f"🔍 Password length: {len(PASSWORD)}")
+    response = requests.get(
+        url,
+        auth=(USER, PASSWORD),
+        verify=False,
+        params={"raw": "true"}
+    )
+    print(f"🔍 Response status: {response.status_code}")
+    response.raise_for_status()
+    return response.text.strip()
+
+def upload_file(token, endpoint, filename, content):
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/octet-stream"
+    }
+    params = {"overwrite": "true"}
+    response = requests.put(
+        f"{WAZUH_URL}/{endpoint}/{filename}",
+        headers=headers,
+        params=params,
+        data=content.encode("utf-8"),
+        verify=False
+    )
+    if response.status_code == 200:
+        print(f"✅ Uploaded {filename}")
+    else:
+        print(f"❌ Failed to upload {filename}: {response.status_code} - {response.text}")
+        raise Exception(f"Upload failed for {filename}")
+
+def main():
+    token = get_token()
+    print("🔐 Authenticated with Wazuh API")
+
+    # Upload rules
+    for rule_file in Path("rules").glob("*.xml"):
+        content = rule_file.read_text()
+        upload_file(token, "rules/files", rule_file.name, content)
+
+    # Upload decoders
+    for decoder_file in Path("decoders").glob("*.xml"):
+        content = decoder_file.read_text()
+        upload_file(token, "decoders/files", decoder_file.name, content)
+
+    print("\n🎉 All rulesets deployed successfully.")
+
+if __name__ == "__main__":
+    main()

rules/test_rule.xml

@@ -0,0 +1,6 @@
+<group name="test_rac,">
+  <rule id="100500" level="3">
+    <description>RaC test rule - safe to delete</description>
+    <options>no_full_log</options>
+  </rule>
+</group>