Connector docker-compose example
The following is an extract from a docker-compose.yml with only the connector service. See the OpenCTI docker-compose example for a more complete example.
Note
You cannot run any of the docker-compose examples as they are without replacing URLs, usernames and passwords. See required settings.
Warning
opencti-wazuh-connector is in an early alpha stage. Although the connector does not make any changes to Wazuh, it may produce a lot of data in OpenCTI. Do not use the connector yet in production.
services:
  connector-wazuh:
    image: ghcr.io/misje/opencti-wazuh-connector:0.3.0
    restart: always
    environment:
      # A timezone is needed for datetime tools to work as expected:
      - TZ=UTC
      - USE_TZ=true
      - OPENCTI_URL=https://mycti.example.org
      - OPENCTI_TOKEN=84387577-27ac-4751-b268-6893045aa73c # Replace with a token from the user you created
      - CONNECTOR_ID=81f9d582-2b4e-45f1-98b6-f33492d66b6e # Replace this with a unique ID
      - CONNECTOR_NAME=Wazuh
      - CONNECTOR_SCOPE=Artifact,Directory,Domain-Name,Email-Addr,Hostname,IPv4-Addr,IPv6-Addr,Mac-Addr,Network-Traffic,Process,StixFile,Url,User-Account,User-Agent,Windows-Registry-Key,Windows-Registry-Value-Type,Vulnerability,Indicator
      - CONNECTOR_AUTO=true
      - CONNECTOR_LOG_LEVEL=warning
      - CONNECTOR_EXPOSE_METRICS=true
      - WAZUH_APP_URL=https://mywazuh.example.org
      - "WAZUH_OPENSEARCH_PASSWORD=SecretPassword" # Remember double-$ if password contains $:
      - WAZUH_OPENSEARCH_URL=https://mywazuh.example.org:9200
      - WAZUH_OPENSEARCH_USERNAME=cti_connector
      - WAZUH_OPENSEARCH_VERIFY_TLS=true
      - WAZUH_TLPS=TLP:AMBER+STRICT
    volumes:
      - /var/cache/wazuh
    links:
      - opencti:opencti
    # Set a limit on logs:
    logging:
      options:
        max-size: 50m
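The note above says the example cannot be deployed as it is, and the password comment reminds you to double any $ so that docker compose does not interpolate it. The following pre-flight check, an added example that is not part of the connector project, reads the connector service's environment list from a compose file and reports the things a reviewer would reject before deployment: the placeholder token, connector ID and password from the example, any example.org host, a single $ in a value, and WAZUH_OPENSEARCH_VERIFY_TLS not set to true. The PLACEHOLDERS table, the function names and the embedded SAMPLE_COMPOSE text (a constructed, deliberately unedited copy of the example) are assumptions made for this check.

```python
"""Pre-flight check for an opencti-wazuh-connector docker-compose file.

Added example, not the connector's own code. Only the list form of
``environment:`` (``- KEY=VALUE``) used in the documentation is parsed.
"""
import re
import sys

# Placeholder values copied from the documentation's example compose file.
PLACEHOLDERS = {
    "OPENCTI_TOKEN": {"84387577-27ac-4751-b268-6893045aa73c"},
    "CONNECTOR_ID": {"81f9d582-2b4e-45f1-98b6-f33492d66b6e"},
    "WAZUH_OPENSEARCH_PASSWORD": {"SecretPassword"},
}
EXAMPLE_HOST_RE = re.compile(r"https?://[^/\s]*example\.org", re.IGNORECASE)
# Settings that must be true so the OpenSearch certificate is verified.
REQUIRED_TRUE = ("WAZUH_OPENSEARCH_VERIFY_TLS",)

# Constructed sample, deliberately left unedited: example.org hosts, the
# documentation's token and connector ID, a password with a single '$',
# and TLS verification switched off.
SAMPLE_COMPOSE = """\
services:
  connector-wazuh:
    image: ghcr.io/misje/opencti-wazuh-connector:0.3.0
    restart: always
    environment:
      # A timezone is needed for datetime tools to work as expected:
      - TZ=UTC
      - OPENCTI_URL=https://mycti.example.org
      - OPENCTI_TOKEN=84387577-27ac-4751-b268-6893045aa73c
      - CONNECTOR_ID=81f9d582-2b4e-45f1-98b6-f33492d66b6e
      - "WAZUH_OPENSEARCH_PASSWORD=Secret$Password"
      - WAZUH_OPENSEARCH_URL=https://mywazuh.example.org:9200
      - WAZUH_OPENSEARCH_USERNAME=cti_connector
      - WAZUH_OPENSEARCH_VERIFY_TLS=false
      - WAZUH_SYSTEM_NAME="Wazuh SIEM"
    volumes:
      - /var/cache/wazuh
"""


def parse_env_entries(compose_text):
    """Collect KEY=VALUE items from every ``environment:`` list in the text.

    Trailing ``# comments`` are dropped and a fully quoted item is unquoted.
    """
    entries = {}
    in_env = False
    for raw in compose_text.splitlines():
        line = raw.strip()
        if line.startswith("environment:"):
            in_env = True
            continue
        if not in_env:
            continue
        if not line.startswith("-"):
            if line and not line.startswith("#"):
                in_env = False  # next mapping key: the list has ended
            continue
        item = line[1:].strip()
        if item.startswith('"'):
            end = item.find('"', 1)
            item = item[1:end] if end > 0 else item[1:]
        else:
            item = item.split(" #", 1)[0].rstrip()
        key, sep, value = item.partition("=")
        if sep:
            entries[key.strip()] = value
    return entries


def find_unsafe_settings(compose_text):
    """Return a list of (key, reason) findings; an empty list means ready."""
    env = parse_env_entries(compose_text)
    findings = []
    for key, value in env.items():
        if value in PLACEHOLDERS.get(key, ()):
            findings.append((key, "placeholder value copied from the documentation"))
        if EXAMPLE_HOST_RE.search(value):
            findings.append((key, "example.org host must be replaced"))
        # '$$' is a literal '$' to docker compose; any remaining '$' would be
        # interpolated as a variable reference and usually end up empty.
        if "$" in value.replace("$$", ""):
            findings.append((key, "single $ is interpolated by docker compose; write $$"))
    for key in REQUIRED_TRUE:
        if env.get(key, "").strip().lower() != "true":
            findings.append((key, "must be true so the OpenSearch certificate is verified"))
    return findings


def main(argv):
    # With a path argument the real compose file is checked; without one the
    # constructed sample above is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_COMPOSE
    findings = find_unsafe_settings(text)
    for key, reason in findings:
        print(f"{key}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_compose.py docker-compose.yml` before `docker compose up`; a non-zero exit code makes it usable as a gate in a deployment pipeline. The parser is intentionally minimal (no PyYAML dependency) and only understands the `- KEY=VALUE` list form shown on this page; a compose file using the mapping form of `environment:` would need the entries converted first.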
The following expands on the example above and lists most or all available settings with their default values:
services:
  connector-wazuh:
    image: ghcr.io/misje/opencti-wazuh-connector:0.3.0
    restart: always
    environment:
      # A timezone is needed for datetime tools to work as expected:
      - TZ=UTC
      - USE_TZ=true
      - OPENCTI_URL=https://mycti.example.org
      - OPENCTI_TOKEN=84387577-27ac-4751-b268-6893045aa73c
      - CONNECTOR_ID=81f9d582-2b4e-45f1-98b6-f33492d66b6e
      - CONNECTOR_NAME=Wazuh
      - CONNECTOR_SCOPE=Artifact,Directory,Domain-Name,Email-Addr,Hostname,IPv4-Addr,IPv6-Addr,Mac-Addr,Network-Traffic,Process,StixFile,Url,User-Account,User-Agent,Windows-Registry-Key,Windows-Registry-Value-Type,Vulnerability,Indicator # You may also just use "all" if you want to search available entities
      - CONNECTOR_AUTO=true
      - CONNECTOR_LOG_LEVEL=warning
      - CONNECTOR_EXPOSE_METRICS=true
      - AGENTS_AS_SYSTEMS=true
      - WAZUH_APP_URL=https://mywazuh.example.org
      - WAZUH_AUTHOR_NAME=Wazuh
      - WAZUH_BUNDLE_ABORT_LIMIT=500
      - WAZUH_CREATE_AGENT_HOSTNAME_OBSERVABLE=true
      - WAZUH_CREATE_AGENT_IP_OBSERVABLE=true
      - WAZUH_CREATE_INCIDENT=per-sighting # per-query, per-sighting, per-alert-rule, per-alert, never
      - WAZUH_CREATE_INCIDENT_RESPONSE=true
      - WAZUH_CREATE_INCIDENT_SUMMARY=true
      - WAZUH_VULNERABILITY_INCIDENT_CVSS3_SCORE_THRESHOLD= # CVSS3 score (0–10, or empty)
      - WAZUH_VULNERABILITY_INCIDENT_ACTIVE_ONLY=true
      - WAZUH_CREATE_INCIDENT_THRESHOLD=1
      - WAZUH_RULE_EXCLUDE_LIST=
      - WAZUH_INCIDENT_RULE_EXCLUDE_LIST=
      - WAZUH_CREATE_OBS_SIGHTINGS=true
      - WAZUH_CREATE_SIGHTING_SUMMARY=true
      - WAZUH_ENRICH_FILENAME_BEHAVIOUR=create-dir,remove-path
      - WAZUH_ENRICH_URLS_WITHOUT_HOST=false
      - WAZUH_ENRICH_TYPES=all
      - WAZUH_ENRICH_LABELS=wazuh_ignore
      - WAZUH_HITS_ABORT_LIMIT=1000
      - WAZUH_IGNORE_OWN_ENTITIES=false
      - WAZUH_IGNORE_REVOKED_INDICATORS=true
      - WAZUH_INDICATOR_SCORE_THRESHOLD=
      - WAZUH_LABEL_IGNORE_LIST=hygiene,wazuh_ignore
      - WAZUH_MAX_EXTREFS=10
      - WAZUH_MAX_EXTREFS_PER_ALERT_RULE=2
      - WAZUH_MAX_NOTES=10
      - WAZUH_MAX_NOTES_PER_ALERT_RULE=2
      - WAZUH_MAX_TLP=TLP:RED
      - WAZUH_OPENSEARCH_EXCLUDE_MATCH=data.integration:opencti
      - WAZUH_OPENSEARCH_FILTER=
      - "WAZUH_OPENSEARCH_TIMEOUT=20 seconds"
      - WAZUH_OPENSEARCH_INCLUDE_MATCH=
      - WAZUH_OPENSEARCH_INDEX=wazuh-alerts-*
      - WAZUH_OPENSEARCH_LIMIT=50
      - WAZUH_OPENSEARCH_ORDER_BY=timestamp:desc
      - "WAZUH_OPENSEARCH_PASSWORD=SecretPassword" # Remember double-$ if password contains $:
      - "WAZUH_OPENSEARCH_SEARCH_AFTER=7 months ago" # No limit can cause search errors, especially with regexp queries (possibly mitigated by increasing indices.query.bool.max_clause_count)
      - WAZUH_OPENSEARCH_URL=https://mywazuh.example.org:9200
      - WAZUH_OPENSEARCH_USERNAME=cti_connector
      - WAZUH_OPENSEARCH_VERIFY_TLS=true
      - WAZUH_REQUIRE_INDICATOR_DETECTION=false
      - WAZUH_REQUIRE_INDICATOR_FOR_INCIDENTS=true
      - WAZUH_SEARCH_DIRSEARCH_OPTIONS=allow-regexp,case-insensitive,ignore-trailing-slash,match-subdirs,search-filenames
      - WAZUH_SEARCH_FILESEARCH_OPTIONS=allow-regexp,case-insensitive,include-parent-dir-ref,include-reg-values,search-additional-filenames,search-filename-only,search-size
      - WAZUH_SEARCH_IGNORE_PRIVATE_ADDRS=true
      - WAZUH_SEARCH_LOOKUP_AGENT_IP=false
      - WAZUH_SEARCH_LOOKUP_AGENT_NAME=false
      - WAZUH_SEARCH_LOOKUP_HOSTNAMES_IN_CMD_LINE=false
      - WAZUH_SEARCH_LOOKUP_MAC_VARIANTS=true
      - WAZUH_SEARCH_LOOKUP_URL_INGORE_TRAILING_SLASH=false
      - WAZUH_SEARCH_LOOKUP_URL_WITHOUT_HOST=false
      - WAZUH_SEARCH_PROCSEARCH_OPTIONS=case-insensitive
      - WAZUH_SYSTEM_NAME="Wazuh SIEM"
      - WAZUH_TLPS=TLP:AMBER+STRICT
    links:
      - opencti:opencti
    # Set a limit on logs:
    logging:
      options:
        max-size: 50m
See the configuration page for details on each setting and a full reference.
Warning
The docker-compose example is just that, an example. You must understand at least the most important settings before using the connector.
Note
This example is not necessarily a complete reference of all possible settings.