# Test Event Scripts

## Send Wazuh test events

Use this to inject synthetic SOC events via syslog UDP into Wazuh manager.

```bash
scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]
```

Scenarios:

- `ioc_dns`
- `ioc_ips`
- `vpn_outside_th`
- `windows_auth_fail`
- `all`

Examples:

```bash
scripts/send-wazuh-test-events.sh all
scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `WAZUH_TEST_SRC_IP`
- `WAZUH_TEST_DOMAIN`
- `WAZUH_TEST_USER`

Transport notes:

- Uses `nc` if available.
- Falls back to Bash UDP redirection (`/dev/udp/host/port`) when `nc` is unavailable.

## Send Cisco device test events

Use this to inject Cisco-style syslog events (ASA/IOS) into Wazuh manager.

```bash
scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]
```

Scenarios:

- `asa_acl_deny`
- `asa_vpn_auth_fail`
- `ios_login_fail`
- `ios_config_change`
- `all`

Examples:

```bash
scripts/send-wazuh-cisco-test-events.sh all
scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `CISCO_DEVICE_HOST`
- `CISCO_SRC_IP`
- `CISCO_DST_IP`
- `CISCO_VPN_USER`
- `CISCO_ADMIN_USER`

## Shuffle sample workflow helpers

Sample playbook design for Shuffle:

- `shuffle-workflows/sample-ioc-playbook.md`

Sample execution payload:

- `scripts/events/shuffle-sample-execution.json`

Trigger an existing Shuffle workflow from CLI:

```bash
scripts/trigger-shuffle-workflow.sh [ioc_type] [ioc_value]
```

Create MVP workflows in Shuffle (from proposal mapping):

```bash
SHUFFLE_API_KEY= scripts/create-shuffle-mvp-workflows.sh
```

This creates:

- `MVP - IOC Enrichment and Case Routing`
- `MVP - VPN Geo Anomaly Triage`
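The transport fallback described in the Wazuh script's transport notes (`nc` first, then Bash `/dev/udp`), shown as an added example that is not taken from the repository's scripts. The RFC 3164 line layout, the function names, the `SYSLOG_TS` override and the sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the repository's script. The event layout is an assumed
# RFC 3164 line; the real scripts' event bodies are not shown on this page.

# PRI = facility * 8 + severity (RFC 3164).
syslog_pri() {
  echo $(( $1 * 8 + $2 ))
}

# Build "<PRI>TIMESTAMP HOST TAG: MESSAGE".
# SYSLOG_TS (hypothetical override) pins the timestamp for repeatable tests.
build_syslog_line() {
  local facility="$1" severity="$2" host="$3" tag="$4" msg="$5"
  local ts="${SYSLOG_TS:-$(LC_ALL=C date '+%b %e %H:%M:%S')}"
  printf '<%d>%s %s %s: %s' \
    "$(syslog_pri "$facility" "$severity")" "$ts" "$host" "$tag" "$msg"
}

# Report which transport is available: nc when installed, else /dev/udp.
pick_transport() {
  if command -v nc >/dev/null 2>&1; then
    echo nc
  else
    echo devudp
  fi
}

# Send one line over UDP to the manager, using the page's environment
# overrides and their documented defaults.
send_udp() {
  local line="$1"
  local host="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
  local port="${WAZUH_SYSLOG_PORT:-514}"
  case "$(pick_transport)" in
    nc)
      # -u selects UDP; -w1 stops nc from waiting on a reply that never comes.
      printf '%s\n' "$line" | nc -u -w1 "$host" "$port"
      ;;
    devudp)
      # /dev/udp/HOST/PORT is handled by bash itself, not by the filesystem,
      # so this branch only works when the script runs under bash.
      printf '%s\n' "$line" > "/dev/udp/${host}/${port}"
      ;;
  esac
}

# Usage (constructed values): local0.notice from a made-up host and tag.
#   send_udp "$(build_syslog_line 16 5 lab-host soc-test 'constructed test event')"
```

UDP gives no delivery confirmation, so a clean exit from `send_udp` does not mean the manager received the event; confirm arrival on the Wazuh side.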