feat: Wazuh→IRIS alert sync with severity filter

- soc-integrator creates IRIS Alerts (not Cases) from Wazuh indexer hits
  via ingest_wazuh_alert_to_iris() in mvp_service.py
- Severity filter: only alerts at/above min_severity reach IRIS
  (default: medium; persisted in policy_config table)
- GET /wazuh/sync-policy — read current threshold
- PUT /wazuh/sync-policy — update threshold at runtime (no restart needed)
- POST /wazuh/sync-to-mvp — new min_severity query param for per-run override
- GET /wazuh/auto-sync/status — now includes min_severity from policy
- Sync result includes skipped_filtered and min_severity_applied counters
- Add scripts/test-wazuh-iris-sync.py: 7-step end-to-end pipeline test
- Update README.md and scripts/README.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -135,14 +135,54 @@ GET  /mvp/health/dependencies
 Protected endpoints require header: `X-Internal-API-Key`
 Key from: `SOC_INTEGRATOR_INTERNAL_KEY` in `soc-integrator/.env`
 
+### Wazuh → IRIS alert sync
+
+The sync pipeline fetches alerts from the Wazuh indexer and creates **IRIS Alerts** (not cases)
+for each one. Dedup prevents re-processing the same alert across runs.
+
+```
+GET  /wazuh/sync-policy           Read current sync filter policy
+PUT  /wazuh/sync-policy           Update sync filter policy  (auth required)
+POST /wazuh/sync-to-mvp           Trigger manual sync
+GET  /wazuh/auto-sync/status      Show worker state and active settings
+```
+
+**Severity filter** — only alerts at or above `min_severity` are forwarded to IRIS:
+
+```bash
+# Read current threshold (default: medium)
+curl http://localhost:8088/wazuh/sync-policy
+
+# Raise threshold — only high + critical reach IRIS
+curl -X PUT http://localhost:8088/wazuh/sync-policy \
+  -H 'X-Internal-API-Key: dev-internal-key' \
+  -H 'Content-Type: application/json' \
+  -d '{"min_severity": "high"}'
+
+# Manual sync — override threshold for this run only
+curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&min_severity=low" \
+  -H 'X-Internal-API-Key: dev-internal-key'
+```
+
+Severity scale: `informational < low < medium < high < critical`
+
+Sync response fields:
+
+| Field | Meaning |
+|---|---|
+| `min_severity_applied` | Threshold used for this run |
+| `processed` | Wazuh alerts examined |
+| `skipped_existing` | Already synced (dedup) |
+| `skipped_filtered` | Below severity threshold |
+| `ingested` | New IRIS Alerts created |
+| `iris_alert_ids` | IDs of created IRIS Alerts |
+
 ### Other endpoints
 
 ```
 GET  /health
 GET  /wazuh/alerts
 GET  /wazuh/agents
-POST /wazuh/sync-to-mvp
-GET  /wazuh/auto-sync/status
 POST /ingest/wazuh-alert
 GET  /ioc/enrich
 POST /ioc/evaluate
@@ -205,7 +245,7 @@ python3 scripts/test-firewall-syslog.py --scenario rdp --via-docker
 The `--via-docker` flag sends from inside the container to preserve the firewall source IP
 through Docker NAT. Source IP must be in the `allowed-ips` list in `wazuh_manager.conf`.
 
-### Sync Wazuh alerts into MVP pipeline
+### Sync Wazuh alerts into IRIS
 
 ```bash
 curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&q=*" \
@@ -214,10 +254,21 @@ curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&q=*"
 
 Notes:
 
-- Reads from `wazuh-alerts-*` in Wazuh indexer.
-- Re-running is safe — dedupe applied by `source + event_id`.
+- Reads from `wazuh-alerts-*` in Wazuh indexer and creates IRIS Alerts.
+- Re-running is safe — dedup applied by `source + event_id`.
+- Only alerts at or above `min_severity` (policy default: `medium`) are forwarded.
 - Wazuh must fire rules before alerts appear (check `archives.log` first).
 
+### End-to-end pipeline test
+
+```bash
+python3 scripts/test-wazuh-iris-sync.py                        # full: send → wait → sync → verify
+python3 scripts/test-wazuh-iris-sync.py --no-send --minutes 60 # sync only
+python3 scripts/test-wazuh-iris-sync.py --min-severity critical # test filter
+```
+
+See `scripts/README.md` for full argument reference.
+
 ### Enable automatic sync worker
 
 ```bash

scripts/README.md

@@ -93,6 +93,40 @@ scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.n
 scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
 ```
 
+## Wazuh → soc-integrator → IRIS end-to-end test
+
+End-to-end pipeline test: sends a test event to Wazuh, waits for indexing, triggers the sync,
+and verifies that an IRIS Alert was created with `source=wazuh`.
+
+```bash
+python3 scripts/test-wazuh-iris-sync.py
+python3 scripts/test-wazuh-iris-sync.py --no-send --minutes 60   # sync only, no new events
+python3 scripts/test-wazuh-iris-sync.py --min-severity critical  # test filter behaviour
+python3 scripts/test-wazuh-iris-sync.py --scenario ips_critical  # use a specific scenario
+```
+
+Arguments:
+
+- `--no-send` — skip sending test events (useful to verify an already-running pipeline)
+- `--scenario` — firewall scenario to send (default `rdp`); same options as `test-firewall-syslog.py`
+- `--wait` — seconds to wait for Wazuh indexer (default `20`)
+- `--minutes` — sync lookback window in minutes (default `5`)
+- `--limit` — max alerts to sync per run (default `20`)
+- `--min-severity` — override `min_severity` for this run without changing the policy
+
+Steps run:
+
+| Step | Check |
+|---|---|
+| 0 | soc-integrator health |
+| 1 | Read current sync policy (`min_severity`) |
+| 2 | Send test syslog event to Wazuh |
+| 3 | Wait for Wazuh indexer |
+| 4 | Snapshot latest IRIS alert ID |
+| 5 | Run sync, show all counters |
+| 6 | Verify new IRIS Alerts with `source=wazuh` |
+| 7 | Show auto-sync worker state |
+
 ## KPI test data seeder
 
 Create IRIS alerts and cases covering every KPI state for UI testing.

scripts/test-wazuh-iris-sync.py

@@ -0,0 +1,306 @@
+#!/usr/bin/env python3
+"""
+test-wazuh-iris-sync.py — End-to-end test: Wazuh → soc-integrator → IRIS alert sync.
+
+Steps:
+  1. Send test syslog events to Wazuh (optional, skip with --no-send)
+  2. Wait for Wazuh indexer to index them
+  3. Call POST /wazuh/sync-to-mvp
+  4. Verify IRIS alerts were created with source="wazuh"
+  5. Print a pass/fail summary
+
+Usage:
+  python3 scripts/test-wazuh-iris-sync.py
+  python3 scripts/test-wazuh-iris-sync.py --no-send          # skip sending, just sync
+  python3 scripts/test-wazuh-iris-sync.py --min-severity high
+  python3 scripts/test-wazuh-iris-sync.py --minutes 60       # widen search window
+
+Env vars (override defaults):
+  INTEGRATOR_URL        default: http://localhost:8088
+  INTEGRATOR_API_KEY    default: dev-internal-key
+  IRIS_URL              default: https://localhost:8443
+  IRIS_API_KEY          required for IRIS verification (or set in soc-integrator/.env)
+"""
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import ssl
+import subprocess
+import sys
+import time
+import urllib.request
+from pathlib import Path
+
+
+# ---------------------------------------------------------------------------
+# Config
+# ---------------------------------------------------------------------------
+
+INTEGRATOR_URL = os.environ.get("INTEGRATOR_URL", "http://localhost:8088")
+INTEGRATOR_KEY = os.environ.get("INTEGRATOR_API_KEY", "dev-internal-key")
+IRIS_URL = os.environ.get("IRIS_URL", "https://localhost:8443")
+
+# Try to read IRIS_API_KEY from env, then from soc-integrator/.env
+def _read_iris_key() -> str:
+    if k := os.environ.get("IRIS_API_KEY"):
+        return k
+    env_file = Path(__file__).parent.parent / "soc-integrator" / ".env"
+    if env_file.exists():
+        for line in env_file.read_text().splitlines():
+            if line.startswith("IRIS_API_KEY="):
+                return line.split("=", 1)[1].strip()
+    return ""
+
+IRIS_KEY = _read_iris_key()
+
+SSL_CTX = ssl.create_default_context()
+SSL_CTX.check_hostname = False
+SSL_CTX.verify_mode = ssl.CERT_NONE
+
+PASS = "\033[32m✓\033[0m"
+FAIL = "\033[31m✗\033[0m"
+INFO = "\033[36m·\033[0m"
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+def _get(url: str, headers: dict | None = None) -> dict:
+    req = urllib.request.Request(url, headers=headers or {})
+    with urllib.request.urlopen(req, context=SSL_CTX, timeout=15) as r:
+        return json.loads(r.read())
+
+
+def _post(url: str, data: dict | None = None, headers: dict | None = None) -> dict:
+    body = json.dumps(data or {}).encode() if data else b""
+    h = {"Content-Type": "application/json", **(headers or {})}
+    req = urllib.request.Request(url, data=body, headers=h, method="POST")
+    with urllib.request.urlopen(req, context=SSL_CTX, timeout=30) as r:
+        return json.loads(r.read())
+
+
+def _put(url: str, data: dict, headers: dict | None = None) -> dict:
+    body = json.dumps(data).encode()
+    h = {"Content-Type": "application/json", **(headers or {})}
+    req = urllib.request.Request(url, data=body, headers=h, method="PUT")
+    with urllib.request.urlopen(req, context=SSL_CTX, timeout=15) as r:
+        return json.loads(r.read())
+
+
+def _integrator(path: str, method: str = "GET", data: dict | None = None, params: str = "") -> dict:
+    url = f"{INTEGRATOR_URL}{path}"
+    if params:
+        url += ("&" if "?" in url else "?") + params
+    headers = {"X-Internal-API-Key": INTEGRATOR_KEY}
+    if method == "POST":
+        return _post(url, data, headers)
+    if method == "PUT":
+        return _put(url, data or {}, headers)
+    return _get(url, headers)
+
+
+def _iris_alerts(page: int = 1, per_page: int = 20) -> list[dict]:
+    url = f"{INTEGRATOR_URL}/iris/alerts?page={page}&per_page={per_page}&sort_by=alert_id&sort_dir=desc"
+    data = _get(url)
+    return (data.get("data") or {}).get("alerts", {}).get("data", [])
+
+
+def step(n: int, label: str) -> None:
+    print(f"\n\033[1mStep {n}: {label}\033[0m")
+
+
+def ok(msg: str) -> None:
+    print(f"  {PASS}  {msg}")
+
+
+def fail(msg: str) -> None:
+    print(f"  {FAIL}  {msg}")
+
+
+def info(msg: str) -> None:
+    print(f"  {INFO}  {msg}")
+
+
+# ---------------------------------------------------------------------------
+# Main test
+# ---------------------------------------------------------------------------
+
+def run(args: argparse.Namespace) -> int:
+    errors = 0
+
+    # ------------------------------------------------------------------
+    # Step 0: Health check
+    # ------------------------------------------------------------------
+    step(0, "Health check")
+    try:
+        h = _get(f"{INTEGRATOR_URL}/health")
+        if h.get("ok"):
+            ok(f"soc-integrator reachable at {INTEGRATOR_URL}")
+        else:
+            fail(f"soc-integrator unhealthy: {h}")
+            errors += 1
+    except Exception as exc:
+        fail(f"Cannot reach soc-integrator: {exc}")
+        return 1
+
+    # ------------------------------------------------------------------
+    # Step 1: Read current sync policy
+    # ------------------------------------------------------------------
+    step(1, "Read sync policy")
+    try:
+        policy_resp = _integrator("/wazuh/sync-policy")
+        current_min = policy_resp["data"]["sync"]["min_severity"]
+        ok(f"Current min_severity = {current_min!r}")
+    except Exception as exc:
+        fail(f"Could not read sync policy: {exc}")
+        errors += 1
+        current_min = "medium"
+
+    # ------------------------------------------------------------------
+    # Step 2: Optionally send test events to Wazuh
+    # ------------------------------------------------------------------
+    step(2, "Send test events to Wazuh")
+    if args.no_send:
+        info("Skipped (--no-send)")
+    else:
+        script = Path(__file__).parent / "test-firewall-syslog.py"
+        if not script.exists():
+            info("test-firewall-syslog.py not found — skipping send")
+        else:
+            try:
+                result = subprocess.run(
+                    [sys.executable, str(script), "--via-docker", "--scenario", args.scenario],
+                    capture_output=True, text=True, timeout=30,
+                )
+                sent = result.stdout.count("✓")
+                if sent:
+                    ok(f"Sent {sent} test event(s) (scenario={args.scenario})")
+                else:
+                    fail(f"No events sent\n{result.stdout}\n{result.stderr}")
+                    errors += 1
+            except Exception as exc:
+                fail(f"Failed to send test events: {exc}")
+                errors += 1
+
+    # ------------------------------------------------------------------
+    # Step 3: Wait for Wazuh indexer
+    # ------------------------------------------------------------------
+    step(3, f"Wait {args.wait}s for Wazuh indexer")
+    if args.no_send:
+        info("Skipped (--no-send)")
+    else:
+        for i in range(args.wait, 0, -5):
+            print(f"  {INFO}  {i}s remaining...", end="\r", flush=True)
+            time.sleep(min(5, i))
+        print()
+        ok("Done")
+
+    # ------------------------------------------------------------------
+    # Step 4: Snapshot IRIS alert count before sync
+    # ------------------------------------------------------------------
+    step(4, "Snapshot IRIS alert count before sync")
+    try:
+        alerts_before = _iris_alerts(per_page=5)
+        max_id_before = max((a["alert_id"] for a in alerts_before), default=0)
+        ok(f"Latest IRIS alert_id before sync: {max_id_before}")
+    except Exception as exc:
+        info(f"Could not read IRIS alerts (verification will be skipped): {exc}")
+        max_id_before = 0
+
+    # ------------------------------------------------------------------
+    # Step 5: Run sync
+    # ------------------------------------------------------------------
+    step(5, "Run sync")
+    min_sev = args.min_severity or current_min
+    params = f"limit={args.limit}&minutes={args.minutes}&q=*&min_severity={min_sev}"
+    try:
+        resp = _integrator("/wazuh/sync-to-mvp", method="POST", params=params)
+        s = resp["data"]["sync"]
+        info(f"min_severity_applied : {s['min_severity_applied']}")
+        info(f"processed            : {s['processed']}")
+        info(f"skipped_existing     : {s['skipped_existing']}")
+        info(f"skipped_filtered     : {s.get('skipped_filtered', 0)}")
+        info(f"ingested             : {s['ingested']}")
+        info(f"iris_alert_ids       : {s['iris_alert_ids']}")
+        if s.get("errors"):
+            fail(f"Sync errors: {s['errors']}")
+            errors += 1
+        else:
+            ok("Sync completed without errors")
+    except Exception as exc:
+        fail(f"Sync request failed: {exc}")
+        return errors + 1
+
+    # ------------------------------------------------------------------
+    # Step 6: Verify new IRIS alerts
+    # ------------------------------------------------------------------
+    step(6, "Verify IRIS alerts")
+    if not s["iris_alert_ids"]:
+        if s["ingested"] == 0 and s["skipped_existing"] == s["processed"]:
+            ok("All alerts already synced (no duplicates created) — dedup working")
+        elif s["skipped_filtered"] > 0 and s["ingested"] == 0:
+            ok(f"All new alerts filtered by min_severity={min_sev} — filter working")
+        else:
+            info("No new IRIS alerts created this run")
+    else:
+        try:
+            alerts_after = _iris_alerts(per_page=10)
+            new_alerts = [a for a in alerts_after if a["alert_id"] > max_id_before and a.get("alert_source") == "wazuh"]
+            if new_alerts:
+                ok(f"Found {len(new_alerts)} new IRIS alert(s) with source=wazuh:")
+                for a in new_alerts:
+                    print(f"       alert_id={a['alert_id']}  ref={a.get('alert_source_ref','')}  title={a.get('alert_title','')[:55]}")
+            else:
+                fail(f"iris_alert_ids={s['iris_alert_ids']} but no matching IRIS alerts found")
+                errors += 1
+        except Exception as exc:
+            fail(f"Could not verify IRIS alerts: {exc}")
+            errors += 1
+
+    # ------------------------------------------------------------------
+    # Step 7: Auto-sync status
+    # ------------------------------------------------------------------
+    step(7, "Auto-sync worker status")
+    try:
+        st = _integrator("/wazuh/auto-sync/status")["data"]
+        info(f"enabled      : {st['enabled']}")
+        info(f"task_running : {st['task_running']}")
+        info(f"min_severity : {st['settings']['min_severity']}")
+        if st.get("state", {}).get("last_status"):
+            info(f"last_status  : {st['state']['last_status']}")
+        ok("Auto-sync status retrieved")
+    except Exception as exc:
+        fail(f"Could not read auto-sync status: {exc}")
+        errors += 1
+
+    # ------------------------------------------------------------------
+    # Summary
+    # ------------------------------------------------------------------
+    print()
+    print("─" * 60)
+    if errors == 0:
+        print(f"  {PASS}  All checks passed")
+    else:
+        print(f"  {FAIL}  {errors} check(s) failed")
+    print("─" * 60)
+    return errors
+
+
+# ---------------------------------------------------------------------------
+# CLI
+# ---------------------------------------------------------------------------
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="End-to-end test: Wazuh → soc-integrator → IRIS")
+    parser.add_argument("--no-send", action="store_true", help="Skip sending test events to Wazuh")
+    parser.add_argument("--scenario", default="rdp", help="Firewall scenario to send (default: rdp)")
+    parser.add_argument("--wait", type=int, default=20, help="Seconds to wait for indexer (default: 20)")
+    parser.add_argument("--minutes", type=int, default=5, help="Sync lookback window in minutes (default: 5)")
+    parser.add_argument("--limit", type=int, default=20, help="Max alerts to sync (default: 20)")
+    parser.add_argument("--min-severity", default=None,
+                        help="Override min_severity for this run (default: use policy)")
+    args = parser.parse_args()
+    sys.exit(run(args))

soc-integrator/app/main.py

@@ -38,6 +38,7 @@ from app.models import (
     SimLogRunRequest,
     ShuffleLoginRequest,
     ShuffleProxyRequest,
+    SyncPolicyRequest,
     TriggerShuffleRequest,
     WazuhIngestRequest,
 )
@@ -1600,15 +1601,18 @@ async def wazuh_manager_logs(
     response_model=ApiResponse,
     dependencies=[Depends(require_internal_api_key)],
     summary="Sync Wazuh to MVP",
-    description="Fetch Wazuh alerts from indexer and pass them through MVP ingest/evaluation logic.",
+    description="Fetch Wazuh alerts from indexer and create IRIS Alerts for each. Returns iris_alert_ids of created alerts.",
 )
 async def wazuh_sync_to_mvp(
     limit: int = 50,
     minutes: int = 120,
     q: str = "soc_mvp_test=true OR event_type:*",
+    min_severity: str | None = None,
 ) -> ApiResponse:
     try:
-        result = await mvp_service.sync_wazuh_alerts(query=q, limit=limit, minutes=minutes)
+        result = await mvp_service.sync_wazuh_alerts(
+            query=q, limit=limit, minutes=minutes, min_severity=min_severity
+        )
     except Exception as exc:
         raise HTTPException(status_code=502, detail=f"Wazuh sync failed: {exc}") from exc
     return ApiResponse(data={"sync": result})
@@ -1618,11 +1622,12 @@ async def wazuh_sync_to_mvp(
     "/wazuh/auto-sync/status",
     response_model=ApiResponse,
     summary="Wazuh auto-sync status",
-    description="Show auto-sync enablement, settings, task runtime state, and last sync result.",
+    description="Show auto-sync enablement, settings, task runtime state, and last sync result (iris_alert_ids of created IRIS Alerts).",
 )
 async def wazuh_auto_sync_status() -> ApiResponse:
     state = getattr(app.state, "wazuh_auto_sync_state", {})
     task = getattr(app.state, "wazuh_auto_sync_task", None)
+    policy = mvp_service.repo.get_policy()
     return ApiResponse(
         data={
             "enabled": settings.wazuh_auto_sync_enabled,
@@ -1632,6 +1637,7 @@ async def wazuh_auto_sync_status() -> ApiResponse:
                 "limit": settings.wazuh_auto_sync_limit,
                 "minutes": settings.wazuh_auto_sync_minutes,
                 "query": settings.wazuh_auto_sync_query,
+                "min_severity": policy.get("sync", {}).get("min_severity", "medium"),
             },
             "state": state,
         }
@@ -1639,6 +1645,31 @@ async def wazuh_auto_sync_status() -> ApiResponse:
 
 
 @app.get(
+    "/wazuh/sync-policy",
+    response_model=ApiResponse,
+    summary="Get Wazuh sync policy",
+    description="Return the current sync policy (min_severity threshold for IRIS alert creation).",
+)
+async def get_sync_policy() -> ApiResponse:
+    policy = mvp_service.repo.get_policy()
+    return ApiResponse(data={"sync": policy.get("sync", {"min_severity": "medium"})})
+
+
+@app.put(
+    "/wazuh/sync-policy",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="Update Wazuh sync policy",
+    description="Set the minimum severity level for forwarding Wazuh alerts to IRIS. Persists immediately; auto-sync picks it up on the next cycle.",
+)
+async def put_sync_policy(body: SyncPolicyRequest) -> ApiResponse:
+    policy = mvp_service.repo.get_policy()
+    policy.setdefault("sync", {})["min_severity"] = body.min_severity
+    mvp_service.repo.update_policy(policy)
+    return ApiResponse(data={"sync": policy["sync"]})
+
+
+@app.get(
     "/monitor/db/tables",
     response_model=ApiResponse,
     dependencies=[Depends(require_internal_api_key)],

soc-integrator/app/models.py

@@ -381,6 +381,13 @@ class IrisAlertCreateRequest(BaseModel):
     payload: dict[str, Any] = Field(default_factory=dict, description="Additional IRIS alert fields merged into the request.")
 
 
+class SyncPolicyRequest(BaseModel):
+    min_severity: Literal["informational", "low", "medium", "high", "critical"] = Field(
+        description='Minimum severity to forward to IRIS. Alerts below this level are skipped.',
+        examples=["high"],
+    )
+
+
 class ApiResponse(BaseModel):
     ok: bool = True
     message: str = "ok"

soc-integrator/app/repositories/mvp_repo.py

@@ -14,6 +14,9 @@ def utc_now() -> datetime:
 
 DEFAULT_POLICY: dict[str, Any] = {
     "escalate_severities": ["high", "critical"],
+    "sync": {
+        "min_severity": "medium",  # "informational" | "low" | "medium" | "high" | "critical"
+    },
     "vpn": {
         "allowed_country": "TH",
         "exception_users": [],

soc-integrator/app/services/mvp_service.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import hashlib
+import json
 import logging
 import re
 import time
@@ -18,6 +19,22 @@ from app.repositories.mvp_repo import MvpRepository
 
 logger = logging.getLogger(__name__)
 
+_IRIS_SEVERITY_ID: dict[str, int] = {
+    "critical": 5,
+    "high": 4,
+    "medium": 3,
+    "low": 2,
+    "informational": 1,
+}
+
+_SEVERITY_ORDER: dict[str, int] = {
+    "informational": 0,
+    "low": 1,
+    "medium": 2,
+    "high": 3,
+    "critical": 4,
+}
+
 
 class MvpService:
     def __init__(
@@ -546,18 +563,68 @@ class MvpService:
             "escalation_stub_sent": ingest_result.get("escalation_stub_sent", False),
         }
 
+    async def ingest_wazuh_alert_to_iris(self, event: dict[str, Any]) -> dict[str, Any]:
+        """Create an IRIS Alert from a normalised Wazuh event and record it for dedup."""
+        event_id = str(event.get("event_id", "")).strip()
+        severity_str = (event.get("severity") or "medium").lower()
+        severity_id = _IRIS_SEVERITY_ID.get(severity_str, 3)
+
+        payload: dict[str, Any] = {
+            "alert_title": event.get("title") or f"Wazuh alert {event_id}",
+            "alert_description": event.get("description") or "",
+            "alert_severity_id": severity_id,
+            "alert_status_id": 1,  # Unassigned
+            "alert_source": "wazuh",
+            "alert_source_ref": event_id,
+            "alert_source_event_time": event.get("timestamp") or datetime.now(timezone.utc).isoformat(),
+            "alert_customer_id": settings.iris_default_customer_id or 1,
+            "alert_note": json.dumps({
+                "asset": event.get("asset", {}),
+                "network": event.get("network", {}),
+                "tags": event.get("tags", []),
+            }),
+        }
+        result = await self.iris_adapter.create_alert(payload)
+        iris_alert_id = (result.get("data") or {}).get("alert_id")
+
+        if event_id:
+            synthetic_key = f"wazuh_alert_{event_id}"
+            self.repo.upsert_incident(
+                incident_key=synthetic_key,
+                severity=event.get("severity") or "medium",
+                status="open",
+                iris_case_id=str(iris_alert_id) if iris_alert_id else None,
+            )
+            self.repo.add_event(
+                incident_key=synthetic_key,
+                event_id=event_id,
+                source="wazuh",
+                event_type=event.get("event_type") or "wazuh",
+                raw_payload=event,
+                decision_trace={"iris_alert_id": iris_alert_id, "action": "created_iris_alert"},
+            )
+
+        return {"iris_alert_id": iris_alert_id, "event_id": event_id}
+
     async def sync_wazuh_alerts(
         self,
         query: str = "soc_mvp_test=true OR event_type:*",
         limit: int = 50,
         minutes: int = 120,
+        min_severity: str | None = None,
     ) -> dict[str, Any]:
         raw = await self.wazuh_adapter.search_alerts(query=query, limit=limit, minutes=minutes)
         hits = (raw.get("hits", {}) or {}).get("hits", []) if isinstance(raw, dict) else []
 
+        # Resolve minimum severity: param > policy > default "medium"
+        policy = self.repo.get_policy()
+        effective_min = (min_severity or policy.get("sync", {}).get("min_severity", "medium")).lower()
+        min_order = _SEVERITY_ORDER.get(effective_min, 2)
+
         processed = 0
         ingested = 0
         skipped_existing = 0
+        skipped_filtered = 0
         failed = 0
         errors: list[str] = []
         created_incidents: list[str] = []
@@ -572,6 +639,11 @@ class MvpService:
             if event_id and self.repo.has_event("wazuh", event_id):
                 skipped_existing += 1
                 continue
+            # Severity filter — skip alerts below minimum threshold
+            event_order = _SEVERITY_ORDER.get((event.get("severity") or "low").lower(), 1)
+            if event_order < min_order:
+                skipped_filtered += 1
+                continue
             try:
                 if event.get("event_type") in {"ioc_dns", "ioc_ips"}:
                     ioc_evaluated += 1
@@ -598,11 +670,11 @@ class MvpService:
                     else:
                         ioc_rejected += 1
                 else:
-                    result = await self.ingest_incident(event)
+                    result = await self.ingest_wazuh_alert_to_iris(event)
                     ingested += 1
-                    incident_key = str(result.get("incident_key", ""))
-                    if incident_key:
-                        created_incidents.append(incident_key)
+                    iris_alert_id = result.get("iris_alert_id")
+                    if iris_alert_id:
+                        created_incidents.append(str(iris_alert_id))
             except Exception as exc:
                 failed += 1
                 errors.append(f"{event_id or 'unknown_event'}: {exc}")
@@ -611,14 +683,16 @@ class MvpService:
             "query": query,
             "window_minutes": minutes,
             "limit": limit,
+            "min_severity_applied": effective_min,
             "processed": processed,
             "ingested": ingested,
             "skipped_existing": skipped_existing,
+            "skipped_filtered": skipped_filtered,
             "failed": failed,
             "ioc_evaluated": ioc_evaluated,
             "ioc_matched": ioc_matched,
             "ioc_rejected": ioc_rejected,
-            "incident_keys": created_incidents,
+            "iris_alert_ids": created_incidents,
             "errors": errors[:10],
             "total_hits": (raw.get("hits", {}).get("total", {}) if isinstance(raw, dict) else {}),
         }