An example of a Jibril event transformation to Wazuh.
// main.go
package main
import (
#!/usr/bin/env bash | |
# Fail on error. | |
set -e | |
# Check for API key. | |
if [ -z "$OPENAI_API_KEY" ]; then | |
echo "❌ Set your OPENAI_API_KEY environment variable first." | |
exit 1 | |
fi |
{ | |
"data": { | |
"uuid": "873e668e4689a38116fa1695ef9c119e2f298a3e224e5740f5b2b9977b5a3e22", | |
"timestamp": "2025-06-02T01:18:11Z", | |
"metadata": { | |
"name": "adult_domain_access", | |
"format": "network_peers", | |
"version": "1.0", | |
"description": "Access to porn and adult content", | |
"documentation": "https://garnet.gitbook.io/jibril/detections/network-peers/adult_domain_access", |
{ | |
"data": { | |
"uuid": "4a3d6adb872be4846a25a48b5d73648c9633595de6b3c97107595ef7d606f096", | |
"timestamp": "2025-06-02T01:07:40Z", | |
"metadata": { | |
"name": "file_example_blergh", | |
"format": "file_access", | |
"version": "1.0", | |
"description": "Detect access to magic files as an example", | |
"documentation": "https://garnet.gitbook.io/jibril/detections/file-access/file_example", |
{ | |
"data": { | |
"body": { | |
"fullinfo": { | |
"files": { | |
"etc": { | |
"gnutls": { | |
"config": "open|read|close" | |
}, | |
"ld.so.cache": "mmap|open|close", |
{ | |
"name": "os_network_fingerprint_0_5", | |
"type": "os_network_fingerprint", | |
"verdict": { | |
"false_positive": true, | |
"severity": "low", | |
"description": "The event involves a CI/CD pipeline runner executing a curl command to access www.zabbix.com. The process ancestry shows legitimate CI/CD processes, and the file access to /etc/hosts is typical for network operations. The network flow indicates a standard HTTPS connection to a known monitoring service, suggesting routine activity. No malicious indicators are present, making this a likely false positive." | |
} | |
} | |
{ |
{ | |
"data": { | |
"body": { | |
"file": { | |
"file": "/tmp/blergh", | |
"dir": "/tmp", | |
"basename": "blergh", | |
"actions": "open|read|close", | |
"fasync": false, | |
"flock": false, |