soc/scripts

Scripts

Combined Wazuh simulator

Use one script for all Appendix A/B/C simulation log replay.

scripts/send-wazuh-sim-logs.sh [selector] [count] [delay_seconds] [--forever] [--dry-run]

Examples:

scripts/send-wazuh-sim-logs.sh all 1 0.2
scripts/send-wazuh-sim-logs.sh a2 1 0
scripts/send-wazuh-sim-logs.sh B3-06 1 0
scripts/send-wazuh-sim-logs.sh c1 1 2 --forever
scripts/send-wazuh-sim-logs.sh all 1 0 --dry-run

Environment variables:

• WAZUH_SYSLOG_HOST (default 127.0.0.1)
• WAZUH_SYSLOG_PORT (default 514)
• DRY_RUN=1 (alternative to --dry-run)

Selector support:

• Global: all
• Appendix: a, b, c, appendix-a, appendix-b, appendix-c
• Section: a1, a2, a3, a4, b1, b2, b3, c1, c2, c3
• Use-case ID: A1-01 ... C3-04

Sample sources:

• samples/appendix-a-production-samples.log
• samples/appendix-b-production-samples.log
• samples/appendix-c-production-samples.log

Dashboard import

Import Wazuh dashboards (NDJSON):

scripts/import-wazuh-dashboard.sh <path-to-ndjson>

Examples:

scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson

Other helpers

• seed-iris-demo-data.sh: seed IRIS demo cases/tasks via API.
• create-shuffle-mvp-workflows.sh: create Shuffle MVP workflows from templates.
• trigger-shuffle-workflow.sh: trigger a Shuffle workflow by ID.
• update-shuffle-workflow-from-template.sh: update existing Shuffle workflow JSON from template.

Notes

• Legacy send-wazuh-* simulator scripts were removed and replaced by send-wazuh-sim-logs.sh.
• If you add new sample events, keep comments tagged with use-case IDs (for example # A2-01 ...) so selector filtering keeps working.