Integration with external APIs

Integrator is a new daemon that allows the connection of Wazuh to external APIs and alerting tools such as Slack and PagerDuty.

New in version 3.0.0.

Wazuh 3.0 adds a new integration that inspects potentially malicious files using the VirusTotal database.

The complete documentation about this new feature can be found at the VirusTotal integration section.

Configuration

Integrator is not enabled by default. Enable it and restart Wazuh with the following commands:

# /var/ossec/bin/ossec-control enable integrator
# /var/ossec/bin/ossec-control restart

Integrations are configured in the file etc/ossec.conf, located inside your Wazuh installation directory. Add the following block between <ossec_config> and </ossec_config> to configure an integration:

<integration>
  <name> </name>
  <hook_url> </hook_url>
  <api_key> </api_key>

  <!-- Optional filters -->

  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
</integration>

Integration with Slack

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url>
</integration>

Integration with PagerDuty

<integration>
  <name>pagerduty</name>
  <api_key>MYKEY</api_key>
</integration>

Integration with VirusTotal

<integration>
  <name>virustotal</name>
  <api_key>VirusTotal_API_Key</api_key>
  <group>syscheck,</group>
</integration>
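As an added illustration (not part of the Wazuh documentation or code), the following Python script parses <integration> blocks from a constructed ossec.conf fragment, checks that each names a known integration and carries the credential tag the examples above use, and applies the optional filters to sample alerts before anything would be forwarded. The filter semantics it implements (rule_id as a comma-separated list, level as a minimum, group and event_location as substring matches against comma-terminated group and location strings) are assumptions, as are the sample alerts and all placeholder values.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for the demo (all values are placeholders).
OSSEC_CONF = """<ossec_config>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/PLACEHOLDER</hook_url>
    <level>10</level>
    <group>authentication_failed,</group>
  </integration>
  <integration>
    <name>virustotal</name>
    <api_key>VIRUSTOTAL_API_KEY_PLACEHOLDER</api_key>
    <group>syscheck,</group>
  </integration>
</ossec_config>"""

# Assumption: the credential tag each integration needs (taken from the examples).
REQUIRED = {"slack": "hook_url", "pagerduty": "api_key", "virustotal": "api_key"}


def load_integrations(xml_text):
    """Parse each <integration> block; reject unknown names and missing credentials."""
    configs = []
    for node in ET.fromstring(xml_text).findall("integration"):
        cfg = {child.tag: (child.text or "").strip() for child in node}
        name = cfg.get("name")
        if name not in REQUIRED:
            raise ValueError(f"unknown integration <name>: {name!r}")
        if not cfg.get(REQUIRED[name]):
            raise ValueError(f"{name}: missing <{REQUIRED[name]}>")
        configs.append(cfg)
    return configs


def alert_matches(cfg, alert):
    """Assumed filter semantics: rule_id is a comma-separated allow-list, level is a
    minimum, group/event_location are substring matches. All configured filters must pass."""
    if "rule_id" in cfg:
        allowed = {r.strip() for r in cfg["rule_id"].split(",") if r.strip()}
        if str(alert["rule_id"]) not in allowed:
            return False
    if "level" in cfg and alert["level"] < int(cfg["level"]):
        return False
    # Each group is comma-terminated, so "syscheck," does not match "syscheck_changes,".
    groups = "".join(g + "," for g in alert["groups"])
    if "group" in cfg and cfg["group"] not in groups:
        return False
    if "event_location" in cfg and cfg["event_location"] not in alert["location"]:
        return False
    return True
```

Under these assumed semantics, the trailing comma in <group>syscheck,</group> is what keeps the filter from also matching other group names that merely start with syscheck.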