# Plan: 002-wazuh-integration

## API

- Refactor `_process_ingress(source, body, secret)`
- `POST /api/v1/webhooks/ingress/wazuh`: parse the native alert JSON
- Keep `/webhooks/onboard` (VM112 compatibility)
- `GET /api/v1/webhooks/events?source=wazuh`
- Env: `WAZUH_WEBHOOK_SECRET`, `WAZUH_MIN_TICKET_LEVEL=10`

## Wazuh VM104

- Script `ligbox-ops.py` in `/var/ossec/integrations/`
- `` block in `ossec.conf`, level 10
- Restart manager

## UI

- Source filter in Events
- Wazuh severity badge on tickets/events
- Wazuh card on the dashboard (count of wazuh events)

## Deploy

- VM122: rebuild api + frontend
- VM104: ossec.conf + script
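
An added example (not the project's own code) of the checks the Wazuh ingress endpoint needs before an alert becomes an event or ticket: fail closed on a missing secret, compare the presented secret in constant time, parse the native alert JSON, and apply the ticket threshold. The function name, error type, returned fields and sample alert are assumptions, as is reading `WAZUH_MIN_TICKET_LEVEL` as "alerts at or above this level open a ticket"; `rule.level`, `rule.id`, `rule.description` and `agent.name` are standard Wazuh alert fields.

```python
import hashlib
import hmac
import json


class IngressError(Exception):
    """Rejected request; `status` is the HTTP code the endpoint would return."""
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


def handle_wazuh_ingress(body: bytes, presented: str, expected: str,
                         min_ticket_level: int = 10) -> dict:
    """Hypothetical handler; `expected` would come from WAZUH_WEBHOOK_SECRET."""
    # Fail closed: an unset or empty secret must never authenticate anyone.
    if not expected:
        raise IngressError(503, "webhook secret not configured")
    # Hash both sides so compare_digest sees equal-length inputs, then
    # compare in constant time.
    if not hmac.compare_digest(hashlib.sha256(presented.encode()).digest(),
                               hashlib.sha256(expected.encode()).digest()):
        raise IngressError(401, "bad secret")
    try:
        alert = json.loads(body)
        rule = alert["rule"]
        level = int(rule["level"])
    except (ValueError, KeyError, TypeError) as exc:
        raise IngressError(400, "malformed alert") from exc
    agent = alert.get("agent")
    return {
        "source": "wazuh",
        "level": level,
        "rule_id": str(rule.get("id", "")),
        # Alert text derives from log content an attacker can influence; bound it.
        "description": str(rule.get("description", ""))[:200],
        "agent": str(agent.get("name", "")) if isinstance(agent, dict) else "",
        "create_ticket": level >= min_ticket_level,
    }


# Constructed sample in the shape of a native Wazuh alert (values are made up).
SAMPLE_ALERT = json.dumps({
    "rule": {"level": 10, "id": "100001", "description": "constructed example rule"},
    "agent": {"id": "001", "name": "constructed-host"},
}).encode()

if __name__ == "__main__":
    print(handle_wazuh_ingress(SAMPLE_ALERT, "constructed-secret", "constructed-secret"))
```

The UI should still escape `description` and `agent` when rendering badges and cards, since truncation alone does not neutralise markup.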