Add Maltiverse integration documentation and reference

source/user-manual/manager/manual-integration.rst

@@ -8,7 +8,7 @@
 Integration with external APIs
 ==============================
 
-The *Integrator* daemon allows Wazuh to connect to external APIs and alerting tools such as Slack, PagerDuty, VirusTotal, and Shuffle.
+The *Integrator* daemon allows Wazuh to connect to external APIs and alerting tools such as Slack, PagerDuty, VirusTotal, Shuffle and Maltiverse.
 
 Configuration
 -------------
@@ -19,9 +19,9 @@ The integrations are configured on the Wazuh manager ``ossec.conf`` file. You ca
 
   <integration>
     <name> </name>
-    <hook_url> </hook_url> <!-- Required for Slack and Shuffle -->
-    <api_key> </api_key> <!-- Required for PagerDuty and VirusTotal -->
-    <alert_format>json</alert_format> <!-- Required for Slack, VirusTotal and Shuffle -->
+    <hook_url> </hook_url> <!-- Required for Slack, Shuffle and Maltiverse -->
+    <api_key> </api_key> <!-- Required for PagerDuty, VirusTotal and Maltiverse -->
+    <alert_format>json</alert_format> <!-- Required for Slack, VirusTotal, Shuffle and Maltiverse -->
 
     <!-- Optional filters -->
     <rule_id> </rule_id>
@@ -179,6 +179,41 @@ Once the configuration is complete, alerts start showing in the email inbox.
    :align: center
    :width: 80%
 
+Maltiverse
+----------
+
+`Maltiverse <https://whatis.maltiverse.com/>`__ is an open and collaborative platform for indexing and searching Indicators of Compromise (IoCs) which works as a broker for Threat intelligence sources that are aggregated from more than a hundred different Public, Private and Community sources. This integration enriches any alert generated by Wazuh via the Maltiverse API, inserting new fields in case of match and following the threat taxonomy of the ECS standard (Elastic Common Squema).
+
+To set up this integration, do the following.
+
+#. Get your API key from the `Maltiverse <https://www.maltiverse.com>`__ page.
+
+#. Edit ``/var/ossec/etc/ossec.conf`` in the Wazuh server and include a configuration block such as the following. Replace ``MALTIVERSE_AUTH_TOKEN`` with your Maltiverse Authentication Token. The rule level filter is optional. You can remove it or set another level value for the integration.
+
+   .. code-block:: xml
+      :emphasize-lines: 3
+
+      <integration>
+         <name>custom-maltiverse</name>
+         <hook_url>https://api.maltiverse.com</hook_url>
+         <level>3</level>
+         <api_key>MALTIVERSE_AUTH_TOKEN</api_key>
+         <alert_format>json</alert_format>
+      </integration>
+
+#. Restart the Wazuh manager to apply the changes.
+
+   .. include:: /_templates/common/restart_manager.rst
+
+Once the configuration is complete, if any alerts contain fields matching any IoC, these will be enriched and displayed in the Wazuh Dashboard.
+
+.. thumbnail:: /images/manual/integration/maltiverse.png
+   :title: Maltiverse alert
+   :alt: Maltiverse alert
+   :align: center
+   :width: 80%
+
+
 Custom integration
 ------------------
 

source/user-manual/reference/ossec-conf/integration.rst

@@ -15,7 +15,7 @@ integration
     <integration>
     </integration>
 
-This configures the manager to :ref:`connect Wazuh to external APIs <manual_integration>` and alerting tools such as Slack, PagerDuty, VirusTotal and Shuffle.
+This configures the manager to :ref:`connect Wazuh to external APIs <manual_integration>` and alerting tools such as Slack, PagerDuty, VirusTotal, Shuffle and Maltiverse.
 
 Options
 -------
@@ -35,36 +35,36 @@ name
 
 This indicates the service to integrate with.
 
-+--------------------+------------------------------------------------------------------------------+
-| **Default value**  | n/a                                                                          |
-+--------------------+------------------------------------------------------------------------------+
-| **Allowed values** | slack, pagerduty, virustotal, shuffle, any string that begins with 'custom-' |
-+--------------------+------------------------------------------------------------------------------+
++--------------------+------------------------------------------------------------------------------------------+
+| **Default value**  | n/a                                                                                      |
++--------------------+------------------------------------------------------------------------------------------+
+| **Allowed values** | slack, pagerduty, virustotal, shuffle, maltiverse, any string that begins with 'custom-' |
++--------------------+------------------------------------------------------------------------------------------+
 
 .. note::
   In the case of custom external integration, name must begin with ``custom-`` for example: ``custom-myintegration``. Read the `How to integrate external software using Integrator <https://wazuh.com/blog/how-to-integrate-external-software-using-integrator//>`_ document for more information.
 
 hook_url
 ^^^^^^^^
 
-This is the URL that is used for communication with the software being integrated. It's mandatory for the `Slack` and `Shuffle` integrations.
+This is the URL that is used for communication with the software being integrated. It's mandatory for the `Slack`, `Shuffle`  and `Maltiverse` integrations.
 
-+--------------------+------------------------+
-| **Default value**  | n/a                    |
-+--------------------+------------------------+
-| **Allowed values** | Slack URL, Shuffle URL |
-+--------------------+------------------------+
++--------------------+----------------------------------------+
+| **Default value**  | n/a                                    |
++--------------------+----------------------------------------+
+| **Allowed values** | Slack URL, Shuffle URL, Maltiverse URL |
++--------------------+----------------------------------------+
 
 api_key
 ^^^^^^^
 
-This is the key that you would have retrieved from the PagerDuty or VirusTotal API. This is **mandatory for PagerDuty and VirusTotal.**
+This is the key that you would have retrieved from the PagerDuty, VirusTotal or Maltiverse API. This is **mandatory for PagerDuty, VirusTotal and Maltiverse.**
 
-+--------------------+------------------------------+
-| **Default value**  | n/a                          |
-+--------------------+------------------------------+
-| **Allowed values** | PagerDuty/VirusTotal Api key |
-+--------------------+------------------------------+
++--------------------+-----------------------------------------+
+| **Default value**  | n/a                                     |
++--------------------+-----------------------------------------+
+| **Allowed values** | PagerDuty/VirusTotal/Maltiverse Api key |
++--------------------+-----------------------------------------+
 
 Optional filters
 ----------------
@@ -116,15 +116,15 @@ This filters alerts by where the event originated.
 alert_format
 ^^^^^^^^^^^^
 
-This writes the alert file in the JSON format. The Integrator makes use this file to fetch fields values.
+This writes the alert file in the JSON format. The Integrator makes use of this file to fetch fields values.
 
 +--------------------+-----------------------------------------------------------+
 | **Default value**  | n/a                                                       |
 +--------------------+-----------------------------------------------------------+
 | **Allowed values** | json                                                      |
 +--------------------+-----------------------------------------------------------+
 
-.. note:: This option must be set to ``json`` for Slack, VirusTotal and Shuffle integrations.
+.. note:: This option must be set to ``json`` for Slack, VirusTotal, Shuffle and Maltiverse integrations.
 
 max_log
 ^^^^^^^
@@ -175,6 +175,14 @@ Configuration example
     <alert_format>json</alert_format>
   </integration>
 
+  <!-- Integration with Maltiverse -->
+  <integration>
+    <name>maltiverse</name>
+    <hook_url>https://api.maltiverse.com</hook_url>
+    <api_key>maltiverse-auth-token</api_key>
+    <alert_format>json</alert_format>
+  </integration>
+
   <!--Custom external Integration -->
   <integration>
     <name>custom-integration</name>