08. Wazuh and SOCRadar Integration

Wazuh is a free, open-source, and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance. [1]

Alarms and Threat Feed data provided by SOCRadar can be retrieved and ingested by Wazuh. We have provided sample Python 3.7 code snippets that integrate SOCRadar and Wazuh with minimal effort.

Supported Output Formats

There are two code snippets for every supported API, one for each of the following output formats:

  • JSON

  • CSV

For the Alarms data, there is an additional code snippet that produces the following format:

  • CEF (Common Event Format)

For the Threat Feed data, there are additional code snippets that produce the following formats:

  • TXT

  • XLSX

Depending on your SOC workflow, you can select one of these output formats for the SOCRadar API output and feed it to Wazuh for correlation and monitoring.

[1] https://wazuh.com/


External Libraries

For this integration, the Python library requests is required. Install it with:

sudo pip install requests

Demonstration: SOCRadar Alarms → Wazuh (CSV)

SOCRadar’s Alarms integration with Wazuh using the Python 3.7 script (CSV output) is demonstrated as follows:

  1. Check the script in hawkteam404/Wazuh: Wazuh Code

  2. The script will:

    • Authenticate with the SOCRadar API.

    • Pull the latest Alarms data.

    • Convert it into CSV format.

    • Save or forward the CSV to the Wazuh ingestion path (e.g., /var/ossec/logs/alerts/).


Security Considerations

  • API Keys: Store SOCRadar API keys securely and avoid hardcoding them in scripts; use environment variables or .env files.

  • Scheduled Jobs: For continuous monitoring, configure the script to run via cron or systemd.

  • Data Validation: Verify that data retrieved from SOCRadar is correctly formatted before ingesting it into Wazuh, to prevent false positives.


Paste the script into a .py file, for instance socradar_alarms-wazuh.py.

Set the necessary environment variable:

  • SOCRADAR_ALARMS_INTEGRATION_FOLDER

  1. After you have set your environment variables, execute the script you copied earlier:

     python3 socradar_alarms-wazuh.py

    This script continuously collects data from the SOCRadar API, sending a GET request every 60 seconds, and creates log files under SOCRADAR_ALARMS_INTEGRATION_FOLDER until an exception or a keyboard interrupt stops it. A new log file is created once a day. Point Wazuh at this folder and it will track the log files containing the SOCRadar alarms in CSV format. Both the log-file rotation interval and the 60-second request period can be changed to longer or shorter periods.

    Scripts should run from the VM's crontab:

    <crontab_schedule> cd <path_of_file> && <path_of_python> <file_name>.py

    E.g. for the feed: 5 6 * * * cd /home/socradar && /usr/bin/python file_name.py

    E.g. for alarms: 0 1 * * * cd /home/socradar && /usr/bin/python file_name.py
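As an added example (not the page's or SOCRadar's own script), the following Python 3.7 poller shows the shape of the collector described above together with the Data Validation point from the Security Considerations: it reads the API key from an environment variable, drops malformed records, suppresses alarm ids already emitted so a 60-second re-poll does not duplicate events, flattens each alarm to one CSV line and appends to a per-day file under SOCRADAR_ALARMS_INTEGRATION_FOLDER. The endpoint URL, the api-key header, the JSON field names, the SOCRADAR_API_KEY variable and the sample records are assumptions made for this example.

```python
# Added example, not the page's or SOCRadar's script: poll alarms, validate them and append
# CSV lines to a daily log under SOCRADAR_ALARMS_INTEGRATION_FOLDER for Wazuh to tail.
import csv, datetime, io, os, time

ALARMS_URL = "https://<socradar-api-host>/api/<company-id>/alarms"  # ASSUMPTION: placeholder
FIELDS = ["id", "created_at", "severity", "title"]  # ASSUMPTION: adapt to the real response
SAMPLE_ALARMS = [  # constructed sample: valid / missing severity / duplicate id / valid
    {"id": "A-1", "created_at": "2024-01-02T10:00:00Z", "severity": "HIGH", "title": "Leaked credential\nfound"},
    {"id": "A-2", "created_at": "2024-01-02T10:01:00Z", "title": "no severity field"},
    {"id": "A-1", "created_at": "2024-01-02T10:00:00Z", "severity": "HIGH", "title": "Leaked credential\nfound"},
    {"id": "A-3", "created_at": "2024-01-02T10:02:00Z", "severity": "LOW", "title": "Typosquat, example-login.test"},
]
def fetch_alarms(api_key, timeout=30):
    import requests  # lazy import: the CSV logic below must also run offline in tests
    resp = requests.get(ALARMS_URL, headers={"api-key": api_key}, timeout=timeout)
    resp.raise_for_status()
    return resp.json().get("data", [])
def validate(alarm):
    """Flatten to one line (Wazuh reads one event per line); None if mandatory fields are missing."""
    if not isinstance(alarm, dict) or not alarm.get("id") or not alarm.get("severity"):
        return None
    return {f: " ".join(str(alarm.get(f, "")).split()) for f in FIELDS}
def csv_lines(alarms, seen, header):
    """Validate, drop ids already emitted (a 60 s re-poll returns old alarms), render CSV text."""
    rows = []
    for row in filter(None, map(validate, alarms)):
        if row["id"] not in seen:
            seen.add(row["id"])
            rows.append(row)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    if header and rows:
        writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()  # empty string when nothing new arrived
def write_alarms(alarms, folder, seen):
    """Append to one file per day (rotation by file name); returns lines written, header included."""
    path = os.path.join(folder, "socradar_alarms_%s.csv" % datetime.date.today().isoformat())
    text = csv_lines(alarms, seen, header=not os.path.exists(path))
    if text:
        with open(path, "a", newline="") as fh:
            fh.write(text)
    return text.count("\n")

if __name__ == "__main__":  # 60-second poll, as the page describes
    folder, key = os.environ["SOCRADAR_ALARMS_INTEGRATION_FOLDER"], os.environ["SOCRADAR_API_KEY"]
    os.makedirs(folder, exist_ok=True)
    seen_ids = set()
    while True:
        write_alarms(fetch_alarms(key), folder, seen_ids)
        time.sleep(60)
```

Pointing a Wazuh localfile entry at the folder then gives one event per CSV line; the header line is only written when a new daily file is created.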

Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.