soc/scripts/README.md

Test Event Scripts

Send Wazuh test events

Use this to inject synthetic SOC events via syslog UDP into Wazuh manager.

scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]

Scenarios:

• ioc_dns
• ioc_ips
• vpn_outside_th
• windows_auth_fail
• all

Examples:

scripts/send-wazuh-test-events.sh all
scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips

Environment overrides:

• WAZUH_SYSLOG_HOST (default 127.0.0.1)
• WAZUH_SYSLOG_PORT (default 514)
• WAZUH_TEST_SRC_IP
• WAZUH_TEST_DOMAIN
• WAZUH_TEST_USER

Transport notes:

• Uses nc if available.
• Falls back to Bash UDP redirection (/dev/udp/host/port) when nc is unavailable.

Send Cisco device test events

Use this to inject Cisco-style syslog events (ASA/IOS) into Wazuh manager.

scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]

Scenarios:

• asa_acl_deny
• asa_vpn_auth_fail
• ios_login_fail
• ios_config_change
• all

Examples:

scripts/send-wazuh-cisco-test-events.sh all
scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail

Environment overrides:

• WAZUH_SYSLOG_HOST (default 127.0.0.1)
• WAZUH_SYSLOG_PORT (default 514)
• CISCO_DEVICE_HOST
• CISCO_SRC_IP
• CISCO_DST_IP
• CISCO_VPN_USER
• CISCO_ADMIN_USER

Shuffle sample workflow helpers

Sample playbook design for Shuffle:

• shuffle-workflows/sample-ioc-playbook.md

Sample execution payload:

• scripts/events/shuffle-sample-execution.json

Trigger an existing Shuffle workflow from CLI:

scripts/trigger-shuffle-workflow.sh <workflow_id> [ioc_type] [ioc_value]

Create MVP workflows in Shuffle (from proposal mapping):

SHUFFLE_API_KEY=<your_key> scripts/create-shuffle-mvp-workflows.sh

This creates:

• MVP - IOC Enrichment and Case Routing
• MVP - VPN Geo Anomaly Triage