Integration with external APIs
Integrator is a new daemon that allows the connection of Wazuh to external APIs and alerting tools such as Slack and PagerDuty.
New in version 3.0.0.
For Wazuh 3.0 it has been developed a new integration that allows to inspect malicious files using the VirusTotal database.
The complete documentation about this new feature can be found at the VirusTotal integration section.
Configuration
Integrator is not enabled by default. Integrator is enabled using the following command:
# /var/ossec/bin/ossec-control enable integrator
# /var/ossec/bin/ossec-control restart
Integrations are configured in the file etc/ossec.conf
, which is located inside your Wazuh installation directory. Add the following inside <ossec_config> </ossec_config> to configure this integration:
<integration>
<name> </name>
<hook_url> </hook_url>
<api_key> </api_key>
<!-- Optional filters -->
<rule_id> </rule_id>
<level> </level>
<group> </group>
<event_location> </event_location>
</integration>
Integration with Slack
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/...</hook_url>
</integration>
Integration with PagerDuty
<integration>
<name>pagerduty</name>
<api_key>MYKEY</api_key>
</integration>
Integration with VirusTotal
<integration>
<name>virustotal</name>
<api_key>VirusTotal_API_Key</api_key>
<group>syscheck,</group>
</integration>