Test Event Scripts

SOC Integrator UI (Run Sim Logs) target mapping

/ui -> Systems -> Run Sim Logs now supports multi-select Target values based on the selected Script. The UI starts one simulator run per selected target (except all, which runs a single all run).

  • fortigate: all, 501E, 80F, 60F, 40F
  • endpoint: all, windows, mac, linux
  • cisco: all, asa_acl_deny, asa_vpn_auth_fail, ios_login_fail, ios_config_change
  • proposal_required: all, a1, a2, a3, a4
  • proposal_appendix_b: all, b1, b2, b3
  • proposal_appendix_c: all, c1, c2, c3
  • wazuh_test: all, ioc_dns, ioc_ips, vpn_outside_th, windows_auth_fail

Send Wazuh test events

Use this to inject synthetic SOC events into the Wazuh manager via syslog over UDP.

scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Scenarios:

  • ioc_dns
  • ioc_ips
  • vpn_outside_th
  • windows_auth_fail
  • all

Examples:

scripts/send-wazuh-test-events.sh all
scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips
scripts/send-wazuh-test-events.sh all 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • WAZUH_TEST_SRC_IP
  • WAZUH_TEST_DOMAIN
  • WAZUH_TEST_USER

Transport notes:

  • Uses nc if available.
  • Falls back to Bash UDP redirection (/dev/udp/host/port) when nc is unavailable.
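The transport pattern described above (nc first, Bash /dev/udp fallback, DRY_RUN printing instead of sending, and the scenario/count/delay/--forever argument shape) as an added example; this is not the repository's own script, and the function names, the syslog line layout and the event text are assumptions:

```shell
#!/usr/bin/env bash
# Added example of the sender pattern the scripts above describe (nc first,
# Bash /dev/udp fallback, DRY_RUN=1 prints instead of sending, count/delay loop).
# Function names and the event text are assumptions, not the repo's own code.

WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
DRY_RUN="${DRY_RUN:-0}"

# Syslog PRI is facility * 8 + severity (RFC 3164): facility 4 (auth), severity 6 (info) -> <38>
syslog_pri() { printf '<%d>' $(( $1 * 8 + $2 )); }

# One BSD-style syslog line "<PRI>TIMESTAMP HOST TAG: MSG"; the timestamp is passed in
build_syslog_line() {
  # $1 facility, $2 severity, $3 timestamp, $4 hostname, $5 tag, $6 message
  printf '%s%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# Pick the transport the same way the scripts do: nc when present, else /dev/udp
pick_transport() {
  if command -v nc >/dev/null 2>&1; then echo nc; else echo devudp; fi
}

# Deliver one line over UDP, or print it when DRY_RUN=1 (safe for offline checks)
send_syslog() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY_RUN %s:%s %s\n' "$WAZUH_SYSLOG_HOST" "$WAZUH_SYSLOG_PORT" "$1"
    return 0
  fi
  case "$(pick_transport)" in
    nc)     printf '%s\n' "$1" | nc -u -w1 "$WAZUH_SYSLOG_HOST" "$WAZUH_SYSLOG_PORT" ;;
    devudp) printf '%s\n' "$1" > "/dev/udp/$WAZUH_SYSLOG_HOST/$WAZUH_SYSLOG_PORT" ;;  # bash only
  esac
}

# run_scenario NAME [COUNT] [DELAY] [--forever]: same argument shape as the scripts above.
# Sends one constructed event per iteration and finally prints how many were sent.
run_scenario() {
  scenario="$1"; count="${2:-1}"; delay="${3:-0}"; sent=0
  while [ "${4:-}" = "--forever" ] || [ "$sent" -lt "$count" ]; do
    sent=$((sent + 1))
    send_syslog "$(build_syslog_line 4 6 "$(date '+%b %e %H:%M:%S')" sim-host \
      "$scenario" "constructed test event #$sent (not real telemetry)")"
    if [ "$delay" != 0 ]; then sleep "$delay"; fi
  done
  echo "$sent"
}

# Usage mirrors the README scripts, e.g.: DRY_RUN=1 ./sender.sh ioc_dns 3 0.2
[ $# -eq 0 ] || run_scenario "$@"
```

With DRY_RUN=1 every line is printed with the target host:port instead of being sent, which is the quickest way to confirm host, port and message layout before pointing the sender at a real manager.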

Send Cisco device test events

Use this to inject Cisco-style syslog events (ASA/IOS) into the Wazuh manager.

scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Scenarios:

  • asa_acl_deny
  • asa_vpn_auth_fail
  • ios_login_fail
  • ios_config_change
  • all

Examples:

scripts/send-wazuh-cisco-test-events.sh all
scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail
scripts/send-wazuh-cisco-test-events.sh all 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • CISCO_DEVICE_HOST
  • CISCO_SRC_IP
  • CISCO_DST_IP
  • CISCO_VPN_USER
  • CISCO_ADMIN_USER

Send FortiGate firewall test events

Use this to inject FortiGate-style syslog events (models 501E, 80F, 60F, 40F) into the Wazuh manager.

scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Models:

  • 501E
  • 80F
  • 60F
  • 40F
  • all

Examples:

scripts/send-wazuh-fortigate-test-events.sh all
scripts/send-wazuh-fortigate-test-events.sh 80F 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-fortigate-test-events.sh 60F
scripts/send-wazuh-fortigate-test-events.sh all 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • FGT_SRC_IP
  • FGT_DST_IP
  • FGT_DOMAIN
  • FGT_USER

Run continuous FortiGate simulation

Use this to generate ongoing FortiGate-like traffic and security events for Wazuh testing.

scripts/send-wazuh-fortigate-continuous.sh [profile] [models] [base_delay_seconds]

Profiles:

  • normal (mostly allowed traffic, occasional admin/vpn/webfilter)
  • incident (higher IPS/webfilter/vpn anomalies)
  • mixed (balanced baseline + anomalies)

Models:

  • 501E
  • 80F
  • 60F
  • 40F
  • all

Examples:

scripts/send-wazuh-fortigate-continuous.sh mixed all 0.8
scripts/send-wazuh-fortigate-continuous.sh incident 80F 0.3
SIM_MAX_EVENTS=200 scripts/send-wazuh-fortigate-continuous.sh normal 501E 1.0

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • SIM_MAX_EVENTS (default 0, which means run forever)
  • SIM_SRC_PREFIX (default 10.10.20)
  • SIM_VPN_USER
  • SIM_ADMIN_USER

Simulate all required logs from proposal

Use this to generate synthetic logs for all use cases listed in Appendix A (A1-A4) of Security Detection & Threat Intelligence Enhancement Proposal-2.md.

scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Selectors:

  • all (all Appendix A use cases)
  • a1, a2, a3, a4 (by section)
  • specific use case id, e.g. A2-01, A3-05, A4-24

Examples:

scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a3 3 0.5
scripts/send-wazuh-proposal-required-events.sh A3-05 1
DRY_RUN=1 scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a2 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • EVENT_DELAY (default 0.05)
  • DRY_RUN (default 0, set 1 to print only)
  • FGT_DEVNAME, FGT_DEVID
  • WIN_HOST, DNS_HOST
  • SIM_VPN_USER

Simulate Appendix B logs (revised proposal)

Use this to generate synthetic logs for Appendix B (B1-B3) of Security Detection & Threat Intelligence Enhancement Proposal-revise.md.

scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Selectors:

  • all (all Appendix B use cases)
  • b1, b2, b3 (by section)
  • specific use case id, e.g. B1-01, B2-01, B3-06

Examples:

scripts/send-wazuh-proposal-appendix-b-events.sh all 1
scripts/send-wazuh-proposal-appendix-b-events.sh b3 2 0.5
scripts/send-wazuh-proposal-appendix-b-events.sh B3-06 1
DRY_RUN=1 scripts/send-wazuh-proposal-appendix-b-events.sh all 1
scripts/send-wazuh-proposal-appendix-b-events.sh b1 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • EVENT_DELAY (default 0.05)
  • DRY_RUN (default 0, set 1 to print only)
  • VCENTER_HOST, ESXI_HOST, LOGMON_HOST, WIN_SYSMON_HOST
  • SIM_USER

Simulate Appendix C logs (future enhancement MVP)

Use this to generate synthetic logs for Appendix C (C1-C3) of Security Detection & Threat Intelligence Enhancement Proposal-revise.md.

scripts/send-wazuh-proposal-appendix-c-events.sh [selector] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Selectors:

  • all (all Appendix C use cases)
  • c1, c2, c3 (by section)
  • specific use case id, e.g. C1-01, C2-03, C3-04

Examples:

scripts/send-wazuh-proposal-appendix-c-events.sh all 1
scripts/send-wazuh-proposal-appendix-c-events.sh c1 1 0.5
scripts/send-wazuh-proposal-appendix-c-events.sh C3-04 1
DRY_RUN=1 scripts/send-wazuh-proposal-appendix-c-events.sh all 1
scripts/send-wazuh-proposal-appendix-c-events.sh c2 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • EVENT_DELAY (default 0.05)
  • DRY_RUN (default 0, set 1 to print only)
  • VPN_HOST, WIN_HOST
  • SIM_USER, SIM_SERVICE_USER, SIM_SRC_IP

Simulate endpoint client-agent logs (Windows / macOS / Linux)

Use this to inject realistic endpoint telemetry for client agents into Wazuh.

scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Platforms:

  • windows
  • mac
  • linux
  • all

Scenarios:

  • auth
  • process
  • persistence
  • privilege
  • malware
  • all

Examples:

scripts/send-wazuh-endpoint-agent-test-events.sh all all 1 0.2
scripts/send-wazuh-endpoint-agent-test-events.sh windows process 10 0.1
DRY_RUN=1 scripts/send-wazuh-endpoint-agent-test-events.sh linux all 1 0
scripts/send-wazuh-endpoint-agent-test-events.sh all auth 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • DRY_RUN (default 0)
  • WIN_HOST, MAC_HOST, LINUX_HOST
  • SIM_USER

Shuffle sample workflow helpers

Sample playbook design for Shuffle:

  • shuffle-workflows/sample-ioc-playbook.md

Sample execution payload:

  • scripts/events/shuffle-sample-execution.json

Trigger an existing Shuffle workflow from CLI:

scripts/trigger-shuffle-workflow.sh <workflow_id> [ioc_type] [ioc_value]

Create MVP workflows in Shuffle (from proposal mapping):

SHUFFLE_API_KEY=<your_key> scripts/create-shuffle-mvp-workflows.sh

This creates:

  • MVP - IOC Enrichment and Case Routing
  • MVP - VPN Geo Anomaly Triage

Import Wazuh Dashboard (FortiGate Simulation)

Prebuilt saved objects file:

  • scripts/events/wazuh-fortigate-sim-dashboard.ndjson

Import helper:

scripts/import-wazuh-dashboard.sh

Optional overrides:

WAZUH_DASHBOARD_URL=https://localhost \
WAZUH_DASHBOARD_USER=admin \
WAZUH_DASHBOARD_PASS=SecretPassword \
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson

After import, open the dashboard:

  • SOC FortiGate Simulation Overview

Wazuh dashboard files (detailed)

Dashboard saved objects are stored in scripts/events/*.ndjson.

  • scripts/events/wazuh-fortigate-sim-dashboard.ndjson
    • Title: SOC FortiGate Simulation Overview
    • Purpose: FortiGate simulation visibility (events over time, top devices, top event types, severity).
    • Typical data source: scripts/send-wazuh-fortigate-test-events.sh
  • scripts/events/wazuh-client-agents-dashboard.ndjson
    • Title: SOC Client Agent Simulation Overview
    • Purpose: Endpoint simulation visibility for Windows/macOS/Linux agent logs.
    • Typical data source: scripts/send-wazuh-endpoint-agent-test-events.sh
  • scripts/events/wazuh-proposal-required-dashboard.ndjson
    • Title: SOC Proposal Required Logs Overview
    • Purpose: Appendix A required-scope logs (A1-A4).
    • Typical data source: scripts/send-wazuh-proposal-required-events.sh
  • scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
    • Title: SOC Proposal Appendix A+B Overview
    • Purpose: Combined Appendix A and B overview, including use-case table.
    • Typical data sources:
      • scripts/send-wazuh-proposal-required-events.sh
      • scripts/send-wazuh-proposal-appendix-b-events.sh
  • scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
    • Title: SOC Proposal Appendix C Overview
    • Purpose: Appendix C MVP scope visibility (currently C1-C3 coverage).
    • Typical data source: scripts/send-wazuh-proposal-appendix-c-events.sh
  • scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
    • Title: SOC Proposal Custom Rules Overview
    • Purpose: Monitor custom proposal rules (e.g., 1003xx/1004xx families), severity, and top descriptions.
    • Typical data source: Any simulation script that triggers proposal custom rules.

Import any dashboard file

scripts/import-wazuh-dashboard.sh scripts/events/<dashboard-file>.ndjson

Examples:

scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson

Optional overrides:

WAZUH_DASHBOARD_URL=https://localhost \
WAZUH_DASHBOARD_USER=admin \
WAZUH_DASHBOARD_PASS=SecretPassword \
OVERWRITE=true \
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson

Quick troubleshooting

  • Verify that the wazuh-alerts-* index pattern has data in Discover.
  • Set a time range wide enough to cover the simulation run (for example Last 24 hours).
  • If charts are empty but raw logs exist, re-import the latest NDJSON and refresh the index pattern's field list.