integration
This configures the manager to connect Wazuh to external APIs and alerting tools such as Slack, PagerDuty and VirusTotal.
Options
name
This indicates the service to integrate with.
Default value | n/a
Allowed values | slack, pagerduty, virustotal
hook_url
This is the incoming-webhook URL that Slack provides when the integration is enabled on the Slack side. It is mandatory for Slack.
Default value | n/a
Allowed values | Slack webhook URL
api_key
This is the API key obtained from PagerDuty or VirusTotal. It is mandatory for PagerDuty and VirusTotal. Like hook_url, it is stored in clear text in ossec.conf, so keep that file's restrictive default permissions and treat it as a secret.
Note
You must restart the Wazuh manager after changing this option.
Default value | n/a
Allowed values | PagerDuty/VirusTotal API key
Optional filters
level
This filters alerts by rule level so that only alerts with the specified level or above are pushed.
Default value | n/a
Allowed values | Any alert level from 0 to 16
rule_id
This filters alerts by rule ID, so that only alerts fired by one of the listed rules are pushed.
Default value | n/a
Allowed values | Comma-separated rule IDs
group
This filters alerts by rule group; an alert is pushed if any of its rule groups is listed. For the VirusTotal integration, only rules from the syscheck group are available, because the integration submits the file hash carried by syscheck alerts.
Default value | n/a
Allowed values | Any rule group, or vertical bar-separated rule groups
event_location
This filters alerts by where the event originated (the alert's location: agent name, hostname, IP address or log file). The value follows the OS_Regex syntax.
Default value | n/a
Allowed values | Any single agent name, hostname, IP address, or log file
alert_format
This tells the Integrator to read alerts from the JSON alert file; it uses that file to fetch field values.
Default value | n/a
Allowed values | json
Configuration example
<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
  <level>10</level>
  <group>multiple_drops|authentication_failures</group>
  <alert_format>json</alert_format>
</integration>

<!-- Integration with VirusTotal -->
<integration>
  <name>virustotal</name>
  <api_key>VirusTotal_API_Key</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
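The following is an added example, not Wazuh's own integrator code, that shows how the filters above combine: it parses integration blocks from an ossec.conf fragment, checks each block for the mandatory option documented on this page, and applies the level, rule_id, group and event_location filters to constructed alerts.json lines. The PagerDuty block, the sample alerts and the filter semantics are assumptions made here: level is read as "rule level greater than or equal to the value", rule_id matches if the alert's rule ID is in the comma-separated list, group matches if any of the alert's rule groups is in the vertical bar-separated list, and event_location is tested with Python's re module against the agent name, agent IP and location fields as an approximation of OS_Regex.

```python
"""Simulate which <integration> blocks an alert would be pushed to.

Added example, not Wazuh's integrator: the configuration, sample alerts and
filter semantics below are assumptions made for illustration.
"""
import json
import re
import xml.etree.ElementTree as ET

# Mandatory option per service, as documented on this page.
REQUIRED = {"slack": "hook_url", "pagerduty": "api_key", "virustotal": "api_key"}

# Constructed ossec.conf fragment: the page's Slack and VirusTotal examples plus
# a hypothetical PagerDuty block that uses rule_id and event_location.
OSSEC_CONF = """<ossec_config>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
    <level>10</level>
    <group>multiple_drops|authentication_failures</group>
    <alert_format>json</alert_format>
  </integration>
  <integration>
    <name>virustotal</name>
    <api_key>VirusTotal_API_Key</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  <integration>
    <name>pagerduty</name>
    <api_key>PagerDuty_API_Key</api_key>
    <rule_id>5710,5712</rule_id>
    <event_location>^web-</event_location>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>"""

# Constructed alerts.json lines (one JSON object per line); only the fields the
# filters consult are included, and rule metadata is abbreviated.
SAMPLE_ALERTS = [
    {"rule": {"level": 10, "id": "5712", "groups": ["syslog", "sshd", "authentication_failures"]},
     "agent": {"name": "web-01", "ip": "10.0.0.5"}, "location": "/var/log/auth.log"},
    {"rule": {"level": 7, "id": "550", "groups": ["ossec", "syscheck"]},
     "agent": {"name": "db-01", "ip": "10.0.0.7"}, "location": "syscheck"},
    {"rule": {"level": 5, "id": "5710", "groups": ["syslog", "sshd", "authentication_failed"]},
     "agent": {"name": "web-02", "ip": "10.0.0.6"}, "location": "/var/log/secure"},
    {"rule": {"level": 12, "id": "40111", "groups": ["syslog", "multiple_drops"]},
     "agent": {"name": "fw-01", "ip": "10.0.0.1"}, "location": "/var/log/kern.log"},
    {"rule": {"level": 10, "id": "5712", "groups": ["syslog", "sshd", "authentication_failures"]},
     "agent": {"name": "db-02", "ip": "10.0.0.9"}, "location": "/var/log/auth.log"},
]
ALERTS_JSON = "\n".join(json.dumps(a) for a in SAMPLE_ALERTS)


def parse_integrations(conf_xml):
    """Return one {tag: text} dict per <integration> block, in file order."""
    root = ET.fromstring(conf_xml)
    return [{child.tag: (child.text or "").strip() for child in node}
            for node in root.findall("integration")]


def validate(integration):
    """List configuration problems: unknown service or missing mandatory option."""
    name = integration.get("name", "")
    if name not in REQUIRED:
        return [f"unknown integration name {name!r}"]
    if not integration.get(REQUIRED[name]):
        return [f"{name}: mandatory option <{REQUIRED[name]}> is missing"]
    return []


def matches(integration, alert):
    """True if the alert passes every filter present in the integration block."""
    rule = alert["rule"]
    if "level" in integration and int(rule["level"]) < int(integration["level"]):
        return False
    if "rule_id" in integration:
        wanted = {r.strip() for r in integration["rule_id"].split(",")}
        if str(rule["id"]) not in wanted:
            return False
    if "group" in integration:
        wanted = set(integration["group"].split("|"))
        if wanted.isdisjoint(rule.get("groups", [])):
            return False
    if "event_location" in integration:
        agent = alert.get("agent", {})
        candidates = [agent.get("name", ""), agent.get("ip", ""), alert.get("location", "")]
        if not any(re.search(integration["event_location"], c) for c in candidates):
            return False
    return True


def dispatch(conf_xml, alerts_json):
    """For each alert line, return the names of the integrations it would reach."""
    integrations = [i for i in parse_integrations(conf_xml) if not validate(i)]
    routed = []
    for line in alerts_json.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        routed.append([i["name"] for i in integrations if matches(i, alert)])
    return routed


if __name__ == "__main__":
    for alert, targets in zip(SAMPLE_ALERTS, dispatch(OSSEC_CONF, ALERTS_JSON)):
        print(alert["rule"]["id"], alert["agent"]["name"], "->", targets or "(dropped)")
```

Running it shows the level 10 SSH brute-force alert from web-01 reaching both Slack and PagerDuty, the syscheck alert reaching only VirusTotal, and the identical brute-force alert from db-02 reaching Slack but not PagerDuty because event_location does not match. A block with a missing mandatory option is skipped by dispatch rather than silently matching everything.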