Integration guide

Wazuh + Cyber Defence TI

Enrich Wazuh alerts with Cyber Defence TI verdicts, confidence scores and categories. This guide walks through a lightweight enrichment workflow that works with Detect, Defend and Disrupt subscriptions that include indicator lookup permissions.

Designed for

Detect, Defend & Disrupt

API access for indicator lookups is required.

Outcome

Context-rich alerts

Adds verdicts, severity and categories to Wazuh events.

Effort

~15 minutes

Drop in a Python helper, add a log input and optional rules.

Step 1

Python enrichment script

Runs on the Wazuh manager

The script below accepts an indicator, queries the Cyber Defence TI API, normalises the response and writes a single JSON line into a log file monitored by Wazuh. Save it as /var/ossec/integrations/cyber-defence-ti-enrich.py, make it executable and, because it embeds the API key, keep it owned by root:wazuh with mode 0750 like the other scripts in that directory. The account that runs it (the wazuh user when Wazuh launches it) must be able to append to the log file. Each invocation costs one API lookup, so if you intend to call it for every alert, put a cache or rate limit in front of it rather than letting a burst of identical alerts exhaust your lookup quota.


#!/usr/bin/env python3
"""Look up one indicator in Cyber Defence TI and append a JSON line for Wazuh."""
import json
import logging
import sys
from datetime import datetime, timezone

import requests

# The key lives in this file, so keep it root:wazuh 0750 (never world-readable).
API_KEY = "YOUR_TI_API_KEY_HERE"
API_URL = "https://ti.cyber-defence.io/api/v1/lookup"
# Must be writable by whichever account runs the script (the wazuh user when
# launched from integratord or active response).
LOG_PATH = "/var/ossec/logs/cyber-defence-ti.log"
TIMEOUT_SECONDS = 5

def query_ti(indicator: str, indicator_type: str = "ip") -> dict:
    """One GET against the lookup API; raises on HTTP errors and non-JSON bodies."""
    headers = {
        "X-API-Key": API_KEY,
        "Accept": "application/json",
        "User-Agent": "Wazuh-CyberDefenceTI-Integration/1.0",
    }
    params = {"type": indicator_type, "value": indicator}
    resp = requests.get(API_URL, headers=headers, params=params, timeout=TIMEOUT_SECONDS)
    resp.raise_for_status()
    return resp.json()

def derive_severity(confidence: int) -> str:
    """Bucket the 0-100 confidence score into the ti_severity values the rules key on."""
    if confidence >= 80:
        return "high"
    if confidence >= 50:
        return "medium"
    if confidence >= 20:
        return "low"
    return "info"

def build_log_record(indicator, indicator_type, wazuh_alert_id, ti_data):
    verdict = ti_data.get("verdict", "unknown")
    confidence = int(ti_data.get("confidence") or 0)  # tolerate null or missing
    categories = ti_data.get("categories") or ti_data.get("threat_categories") or []

    return {
        "integration": "cyber-defence-ti",
        "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "indicator": indicator,
        "indicator_type": indicator_type,
        "ti_verdict": verdict,
        "ti_confidence": confidence,
        "ti_severity": derive_severity(confidence),
        "ti_categories": categories,
        "ti_source": "Cyber Defence TI",
        "wazuh_alert_id": wazuh_alert_id,
    }

def append_log(record):
    # json.dumps escapes the indicator, so a crafted value cannot inject extra
    # fields or a second line into the file Wazuh reads. The compact separators
    # keep the exact "integration":"cyber-defence-ti" substring the decoder
    # prematch looks for.
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, separators=(",", ":")) + "\n")

def main(argv):
    logging.basicConfig(stream=sys.stderr, level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    if len(argv) < 2:
        print("Usage: cyber-defence-ti-enrich.py <indicator> [indicator_type] [wazuh_alert_id]",
              file=sys.stderr)
        return 1

    indicator = argv[1].strip()
    indicator_type = argv[2] if len(argv) >= 3 else "ip"
    wazuh_alert_id = argv[3] if len(argv) >= 4 else None

    try:
        ti_data = query_ti(indicator, indicator_type)
    except (requests.RequestException, ValueError) as e:  # transport/HTTP error or bad JSON
        logging.exception("Cyber Defence TI lookup failed: %s", e)
        return 1

    record = build_log_record(indicator, indicator_type, wazuh_alert_id, ti_data)
    append_log(record)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
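The script above trusts whatever indicator it is handed and spends one API call per invocation. As an added example (not part of the guide's own script), the block below shows the two checks a practitioner usually bolts on in front of query_ti: strict validation of the indicator by type, including a refusal to send internal or special-use addresses to an external service, and a TTL cache so that a burst of alerts about the same indicator costs one lookup. The skip-list of networks, the fake_query stand-in and the SAMPLE_RESPONSES table are constructed for this example; the response keys (verdict, confidence, categories) mirror the ones the guide's script reads.

```python
import ipaddress
import re
import time
from typing import Callable, Dict, Tuple

# Addresses that should never be sent to an external TI service. Constructed
# policy for this example; extend it to match your environment.
_SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
_HOSTNAME_RE = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")
_DIGEST_LENGTHS = (32, 40, 64)  # md5, sha1, sha256


def normalise_indicator(value: str, indicator_type: str) -> Tuple[str, str]:
    """Return (canonical_value, canonical_type); raise ValueError for anything
    that should not reach the API (junk, unsupported type, internal address)."""
    value = value.strip()
    if indicator_type == "ip":
        addr = ipaddress.ip_address(value)            # ValueError on non-addresses
        if any(addr in net for net in _SKIP_NETS):
            raise ValueError(f"internal or special-use address, not looked up: {addr}")
        return str(addr), "ip"
    if indicator_type == "domain":
        value = value.lower().rstrip(".")
        if len(value) > 253 or not _HOSTNAME_RE.match(value):
            raise ValueError(f"not a valid hostname: {value!r}")
        return value, "domain"
    if indicator_type == "hash":
        value = value.lower()
        if len(value) not in _DIGEST_LENGTHS or not _HEX_RE.match(value):
            raise ValueError(f"not an md5/sha1/sha256 hex digest: {value!r}")
        return value, "hash"
    raise ValueError(f"unsupported indicator type: {indicator_type!r}")


def rejects(value: str, indicator_type: str) -> bool:
    """True when normalise_indicator refuses the input."""
    try:
        normalise_indicator(value, indicator_type)
    except ValueError:
        return True
    return False


class VerdictCache:
    """TTL cache keyed on (type, value): a burst of alerts about one indicator
    costs one API call instead of one per alert."""

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self._clock = clock                          # injectable for deterministic tests
        self._store: Dict[Tuple[str, str], Tuple[float, dict]] = {}
        self.hits = 0
        self.misses = 0

    def lookup(self, key: Tuple[str, str], fetch: Callable[[], dict]) -> dict:
        now = self._clock()
        entry = self._store.get(key)
        if entry is not None and now - entry[0] < self.ttl:
            self.hits += 1
            return entry[1]
        self.misses += 1
        data = fetch()
        self._store[key] = (now, data)
        return data


def enrich(value: str, indicator_type: str,
           query: Callable[[str, str], dict], cache: VerdictCache) -> dict:
    """Validate, look up through the cache and normalise one indicator into the
    field names the guide's rules match on."""
    canonical, ctype = normalise_indicator(value, indicator_type)
    data = cache.lookup((ctype, canonical), lambda: query(canonical, ctype))
    return {
        "indicator": canonical,
        "indicator_type": ctype,
        "ti_verdict": data.get("verdict", "unknown"),
        "ti_confidence": int(data.get("confidence") or 0),
        "ti_categories": list(data.get("categories") or data.get("threat_categories") or []),
    }


# Constructed stand-in for query_ti(); the real lookup API is never called here.
SAMPLE_RESPONSES = {
    ("ip", "203.0.113.10"): {"verdict": "malicious", "confidence": 91, "categories": ["c2"]},
    ("domain", "example.net"): {"verdict": "clean", "confidence": 5},
}


def fake_query(value: str, indicator_type: str) -> dict:
    return SAMPLE_RESPONSES.get((indicator_type, value), {"verdict": "unknown", "confidence": 0})


if __name__ == "__main__":
    cache = VerdictCache()
    for raw, itype in [(" 203.0.113.10 ", "ip"), ("203.0.113.10", "ip"),
                       ("Example.NET.", "domain"), ("10.0.0.5", "ip"), ("1.2.3", "ip")]:
        try:
            print(enrich(raw, itype, fake_query, cache))
        except ValueError as err:
            print("skipped:", err)
    print(f"api calls: {cache.misses}, served from cache: {cache.hits}")
```

To wire this into the guide's script, call enrich() with query_ti in place of fake_query and merge its output into build_log_record; a rejected indicator should be logged and skipped rather than treated as a lookup failure.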

Step 2

Configure Wazuh to ingest enrichment logs

Add to ossec.conf

Wazuh must ingest the JSON log generated by the enrichment script. Add the following <localfile> entry inside the <ossec_config> block of /var/ossec/etc/ossec.conf, then restart the manager (systemctl restart wazuh-manager) so the log collector picks up the new input.

<localfile>
    <log_format>json</log_format>
    <location>/var/ossec/logs/cyber-defence-ti.log</location>
</localfile>

With log_format set to json, Wazuh parses each JSON line into individual rule-addressable fields such as indicator, ti_verdict, ti_confidence and ti_severity, so the rules in the next step can match on them by name.

Step 3 (optional)

Decoder and alert rules

A decoder tags Cyber Defence TI events, and the accompanying rules raise alerts when malicious or suspicious verdicts are seen. The decoder is a child of Wazuh's built-in json decoder and keys on the integration field that the script writes into every record. Save it as /var/ossec/etc/decoders/cyber-defence-ti_decoders.xml.

<decoder name="cyber-defence-ti">
    <parent>json</parent>
    <prematch>"integration":"cyber-defence-ti"</prematch>
    <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

Create /var/ossec/etc/rules/cyber-defence-ti_rules.xml with the following rules to drive alerting. The parent rule is 100500; the child rule IDs and the alert levels shown are placeholders, so pick IDs that are free in your custom range (100000-119999) and levels that fit your escalation policy. <field> values are regular expressions, which is why they are anchored with ^ and $ below: an unanchored "malicious" would also match any value that merely contains that word.

<group name="cyber-defence-ti,">

    <rule id="100500" level="3">
        <decoded_as>json</decoded_as>
        <field name="integration">^cyber-defence-ti$</field>
        <description>Cyber Defence TI: Enrichment event</description>
        <group>cyber-defence,ti,enrichment,</group>
    </rule>

    <rule id="100501" level="12">
        <if_sid>100500</if_sid>
        <field name="ti_verdict">^malicious$</field>
        <field name="ti_severity">^high$</field>
        <description>Cyber Defence TI: High-confidence malicious indicator detected</description>
        <group>cyber-defence,ti,malicious,high_severity,</group>
    </rule>

    <rule id="100502" level="9">
        <if_sid>100500</if_sid>
        <field name="ti_verdict">^malicious$</field>
        <field name="ti_severity">^medium$</field>
        <description>Cyber Defence TI: Malicious indicator detected (medium confidence)</description>
        <group>cyber-defence,ti,malicious,</group>
    </rule>

    <rule id="100503" level="6">
        <if_sid>100500</if_sid>
        <field name="ti_verdict">^suspicious$</field>
        <description>Cyber Defence TI: Suspicious indicator observed</description>
        <group>cyber-defence,ti,suspicious,</group>
    </rule>

    <rule id="100504" level="2">
        <if_sid>100500</if_sid>
        <field name="ti_verdict">^clean$</field>
        <description>Cyber Defence TI: Indicator assessed as clean</description>
        <group>cyber-defence,ti,info,</group>
    </rule>

</group>

After restarting the manager, verify the whole chain with the bundled tester: run /var/ossec/bin/wazuh-logtest, paste one line from /var/ossec/logs/cyber-defence-ti.log, and confirm that the decoder fires, the ti_* fields are decoded and the rule ID you expect for that verdict is the one reported.

Step 4 (optional)

Shell wrapper for active response

Useful for playbooks

Many deployments call the Python script from Wazuh's active response mechanism. Create /var/ossec/integrations/cyber-defence-ti-wrapper.sh with the following contents. Two caveats apply: Wazuh resolves the executable named in an active-response <command> from /var/ossec/active-response/bin, so copy or symlink the wrapper there when you register it; and Wazuh 4.2 and later hand the script the triggering alert as a JSON document on stdin rather than as positional arguments, so on a current release something has to read that JSON and extract the indicator before this argument-based wrapper is useful.

#!/bin/bash
# Positional-argument wrapper: <indicator> [indicator_type] [wazuh_alert_id]
set -u
INDICATOR="${1:-}"
TYPE="${2:-ip}"
ALERT_ID="${3:-}"

if [ -z "$INDICATOR" ]; then
    echo "usage: $0 <indicator> [indicator_type] [wazuh_alert_id]" >&2
    exit 2
fi

# exec so the script's exit status is the wrapper's exit status
exec /var/ossec/integrations/cyber-defence-ti-enrich.py "$INDICATOR" "$TYPE" "$ALERT_ID"
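For the stdin convention used by Wazuh 4.2 and later, here is an added example (not part of the guide and not Wazuh's own code) of the front end the wrapper above needs: it reads the execd message from stdin, ignores anything that is not an "add" command, walks a list of candidate alert fields to find an indicator, and builds the argument list for cyber-defence-ti-enrich.py. The message shape (version, origin, command, parameters.alert) follows the Wazuh active-response protocol; the alert content in CONSTRUCTED_MESSAGE, the candidate field list and the --dry-run switch are constructed for this example, and which alert field actually carries the indicator depends on the rules that trigger your response.

```python
import json
import subprocess
import sys
from typing import List, Optional, Tuple

ENRICH_SCRIPT = "/var/ossec/integrations/cyber-defence-ti-enrich.py"

# (dotted path inside the alert, indicator type); the first hit wins. srcip,
# dstip and syscheck.sha256_after are standard Wazuh fields; add the paths your
# own triggering rules populate.
CANDIDATE_FIELDS = [
    ("data.srcip", "ip"),
    ("data.dstip", "ip"),
    ("syscheck.sha256_after", "hash"),
]


def get_path(doc: dict, dotted: str):
    """Walk a dotted path through nested dicts; None when any step is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ar_message(raw: str) -> Optional[dict]:
    """Return the alert object from an execd 'add' message, None for anything else.
    execd also sends 'delete' when a timeout-based response expires; that must
    not trigger a second lookup."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("command") != "add":
        return None
    alert = (msg.get("parameters") or {}).get("alert")
    return alert if isinstance(alert, dict) else None


def pick_indicator(alert: dict) -> Optional[Tuple[str, str]]:
    for path, itype in CANDIDATE_FIELDS:
        value = get_path(alert, path)
        if isinstance(value, str) and value.strip():
            return value.strip(), itype
    return None


def build_command(raw: str) -> Optional[List[str]]:
    """Translate one stdin message into the argv for the enrichment script."""
    alert = parse_ar_message(raw)
    if alert is None:
        return None
    picked = pick_indicator(alert)
    if picked is None:
        return None
    value, itype = picked
    return [ENRICH_SCRIPT, value, itype, str(alert.get("id", ""))]


# Constructed message in the shape wazuh-execd writes to an active-response
# script's stdin (Wazuh 4.2+); the alert inside it is invented for this example.
CONSTRUCTED_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "id": "1700000000.12345",
            "rule": {"id": "100200", "level": 7, "description": "constructed example rule"},
            "agent": {"id": "001", "name": "web01"},
            "data": {"srcip": "203.0.113.10", "srcuser": "admin"},
        },
        "program": "/var/ossec/active-response/bin/cyber-defence-ti-ar.py",
    },
})


if __name__ == "__main__":
    raw = CONSTRUCTED_MESSAGE if sys.stdin.isatty() else sys.stdin.read()
    cmd = build_command(raw)
    if cmd is None:
        sys.exit(0)      # delete command or no indicator: nothing to enrich, not an error
    if "--dry-run" in sys.argv:
        print(" ".join(cmd))
        sys.exit(0)
    sys.exit(subprocess.run(cmd, timeout=30, check=False).returncode)
```

Run it with --dry-run on a terminal to see the argv it would build from the constructed message, or pipe a captured execd message into it; installed under /var/ossec/active-response/bin and named in a <command> stanza, it replaces the positional wrapper on Wazuh 4.2 and later.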

This integration pattern provides a reliable foundation for enriching Wazuh alerts with Cyber Defence TI intelligence. Detect-tier customers can use this approach for low-volume enrichment, while Defend and Disrupt subscribers may extend it into high-throughput, multi-tenant or automated correlation pipelines. For assistance or tuning guidance, Defend and Disrupt subscribers may contact the Cyber Defence support team via the portal.