integration¶
XML section name
<integration>
</integration>
This configures the manager to connect Wazuh to external APIs and alerting tools such as Slack, PagerDuty and VirusTotal.
Options¶
name¶
This indicates the service to integrate with.
Default value |
n/a |
Allowed values |
slack, pagerduty, virustotal, any string that begins with ‘custom-‘ |
Note
In the case of custom external integration, name must begin with custom-
for example: custom-myintegration
. Read the How to integrate external software using Integrator document for more information.
hook_url¶
This is the URL provided by Slack when integration is enabled on the Slack side. This is mandatory for Slack.
Default value |
n/a |
Allowed values |
Slack URL |
api_key¶
This is the key that you would have retrieved from the PagerDuty or VirusTotal API. This is mandatory for PagerDuty and VirusTotal.
Default value |
n/a |
Allowed values |
PagerDuty/VirusTotal Api key |
Optional filters¶
level¶
This filters alerts by rule level so that only alerts with the specified level or above are pushed.
Default value |
n/a |
Allowed values |
Any alert level from 0 to 16 |
group¶
This filters alerts by rule group. For the VirusTotal integration, only rules from the syscheck group are available.
Default value |
n/a |
Allowed values |
Any rule group or vertical bar-separated rule groups. |
event_location¶
This filters alerts by where the event originated. Follows the OS_Regex Syntax.
Default value |
n/a |
Allowed values |
Any single log file. |
alert_format¶
This writes the alert file in the JSON format. The Integrator makes use this file to fetch fields values.
Default value |
n/a |
Allowed values |
json |
max_log¶
The maximum length of an alert snippet that will be sent to the Integrator. Longer strings will be truncated with ...
Default value |
165 |
Allowed values |
Any integer from 165 to 1024 inclusive. |
Configuration example¶
<!-- Integration with Slack -->
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/...</hook_url> <!-- Replace with your Slack hook URL -->
<level>10</level>
<group>multiple_drops|authentication_failures</group>
<alert_format>json</alert_format>
</integration>
<!-- Integration with PagerDuty -->
<integration>
<name>pagerduty</name>
<api_key>API_KEY</api_key> <!-- Replace with your PagerDuty API key -->
</integration>
<!-- Integration with VirusTotal -->
<integration>
<name>virustotal</name>
<api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
<group>syscheck</group>
<alert_format>json</alert_format>
</integration>
<!--Custom external Integration -->
<integration>
<name>custom-integration</name>
<hook_url>WEBHOOK</hook_url>
<level>10</level>
<group>multiple_drops|authentication_failures</group>
<api_key>APIKEY</api_key> <!-- Replace with your external service API key -->
<alert_format>json</alert_format>
</integration>