integration
XML section name
<integration>
</integration>
This configures the manager to connect Wazuh to external APIs and alerting tools such as Slack, PagerDuty and VirusTotal.
Options
name
This indicates the service to integrate with.
Default value | n/a
Allowed values | slack, pagerduty, virustotal, any string that begins with 'custom-'
Note
In the case of a custom external integration, name must begin with custom-, for example: custom-myintegration. Read the How to integrate external software using Integrator document for more information.
Optional filters
level
This filters alerts by rule level so that only alerts with the specified level or above are pushed.
Default value | n/a
Allowed values | Any alert level from 0 to 16
group
This filters alerts by rule group. For the VirusTotal integration, only rules from the syscheck group are available.
Default value | n/a
Allowed values | Any rule group, or several rule groups separated by a vertical bar (|).
event_location
This filters alerts by where the event originated (the alert's location). The value follows the OS_Regex syntax.
Default value | n/a
Allowed values | Any single log file.
Configuration example
<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url> <!-- Replace with your Slack hook URL -->
  <level>10</level>
  <group>multiple_drops|authentication_failures</group>
  <alert_format>json</alert_format>
</integration>

<!-- Integration with PagerDuty -->
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key> <!-- Replace with your PagerDuty API key -->
</integration>

<!-- Integration with VirusTotal -->
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

<!-- Custom external integration -->
<integration>
  <name>custom-integration</name>
  <hook_url>WEBHOOK</hook_url>
  <level>10</level>
  <group>multiple_drops|authentication_failures</group>
  <api_key>APIKEY</api_key> <!-- Replace with your external service API key -->
  <alert_format>json</alert_format>
</integration>
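To check which alerts a given set of filters would push before enabling an integration, the following added example (not Wazuh's integrator code) models the level, group and event_location semantics described above and applies them to a few constructed alerts. It assumes the alerts.json field names rule.level, rule.groups and location, and uses Python's re module in place of OS_Regex.

```python
import re
import xml.etree.ElementTree as ET

# Constructed configuration, same shape as the Slack example on this page.
CONFIG = """
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/PLACEHOLDER</hook_url>
  <level>10</level>
  <group>multiple_drops|authentication_failures</group>
  <event_location>/var/log/auth.log</event_location>
</integration>
"""

# Constructed sample alerts in the alerts.json shape (rule.level, rule.groups, location).
ALERTS = [
    {"id": "a", "rule": {"level": 12, "groups": ["syslog", "authentication_failures"]}, "location": "/var/log/auth.log"},
    {"id": "b", "rule": {"level": 5, "groups": ["authentication_failures"]}, "location": "/var/log/auth.log"},
    {"id": "c", "rule": {"level": 14, "groups": ["syscheck"]}, "location": "syscheck"},
    {"id": "d", "rule": {"level": 10, "groups": ["multiple_drops", "firewall"]}, "location": "/var/log/auth.log"},
    {"id": "e", "rule": {"level": 15, "groups": ["multiple_drops"]}, "location": "/var/log/secure"},
]

def parse_filters(xml_text):
    """Read the optional filters from an <integration> block; absent filter = no restriction."""
    root = ET.fromstring(xml_text)
    level = root.findtext("level")
    group = root.findtext("group")
    loc = root.findtext("event_location")
    return {
        "name": root.findtext("name"),
        "level": int(level) if level else None,            # push level >= this
        "groups": set(group.split("|")) if group else None,  # any listed group matches
        "location": re.compile(loc) if loc else None,       # assumption: Python re stands in for OS_Regex
    }

def matches(alert, f):
    """True when the alert passes every configured filter."""
    rule = alert["rule"]
    if f["level"] is not None and rule["level"] < f["level"]:
        return False
    if f["groups"] is not None and not (f["groups"] & set(rule["groups"])):
        return False
    if f["location"] is not None and not f["location"].search(alert["location"]):
        return False
    return True

def forwarded_ids(xml_text=CONFIG, alerts=ALERTS):
    """Return the ids of the alerts this integration block would push."""
    f = parse_filters(xml_text)
    return [a["id"] for a in alerts if matches(a, f)]
```

Alert b fails the level filter, c the group filter and e the event_location filter, so only a and d would be pushed.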