An example of a Jibril event transformation to Wazuh.
// main.go
package main
import (
Rafael David Tinoco rafaeldtinoco
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Fail on error. | |
| set -e | |
| # Check for API key. | |
| if [ -z "$OPENAI_API_KEY" ]; then | |
| echo "❌ Set your OPENAI_API_KEY environment variable first." | |
| exit 1 | |
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "data": { | |
| "uuid": "873e668e4689a38116fa1695ef9c119e2f298a3e224e5740f5b2b9977b5a3e22", | |
| "timestamp": "2025-06-02T01:18:11Z", | |
| "metadata": { | |
| "name": "adult_domain_access", | |
| "format": "network_peers", | |
| "version": "1.0", | |
| "description": "Access to porn and adult content", | |
| "documentation": "https://garnet.gitbook.io/jibril/detections/network-peers/adult_domain_access", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "data": { | |
| "uuid": "4a3d6adb872be4846a25a48b5d73648c9633595de6b3c97107595ef7d606f096", | |
| "timestamp": "2025-06-02T01:07:40Z", | |
| "metadata": { | |
| "name": "file_example_blergh", | |
| "format": "file_access", | |
| "version": "1.0", | |
| "description": "Detect access magic files as an example", | |
| "documentation": "https://garnet.gitbook.io/jibril/detections/file-access/file_example", |
rafaeldtinoco
/ 2025-05-15-detections.json
Last active
May 15, 2025 12:53
2025-05-15-detections.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "data": { | |
| "body": { | |
| "fullinfo": { | |
| "files": { | |
| "etc": { | |
| "gnutls": { | |
| "config": "open|read|close" | |
| }, | |
| "ld.so.cache": "mmap|open|close", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "os_network_fingerprint_0_5", | |
| "type": "os_network_fingerprint", | |
| "verdict": { | |
| "false_positive": true, | |
| "severity": "low", | |
| "description": "The event involves a CI/CD pipeline runner executing a curl command to access www.zabbix.com. The process ancestry shows legitimate CI/CD processes, and the file access to /etc/hosts is typical for network operations. The network flow indicates a standard HTTPS connection to a known monitoring service, suggesting routine activity. No malicious indicators are present, making this a likely false positive." | |
| } | |
| } | |
| { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "data": { | |
| "body": { | |
| "file": { | |
| "file": "/tmp/blergh", | |
| "dir": "/tmp", | |
| "basename": "blergh", | |
| "actions": "open|read|close", | |
| "fasync": false, | |
| "flock": false, |